There was a failure making a WS-Trust exchange with an external application. Could not retrieve token from identity provider.

Apr 28, 2008 at 7:23 PM
Edited Apr 28, 2008 at 7:24 PM
I am receiving this error when attempting to validate a card against the STS. Not quite sure where to go from here. I'll be researching the issue online, but if anyone has run across the same issue your help would be appreciated.

Thanks
Jeremy

Event Type: Error
Event Source: CardSpace 3.0.0.0
Event Category: General
Event ID: 273
Date: 4/28/2008
Time: 1:40:42 PM
User: VIRTUALJEREMY\Jeremy
Computer: VIRTUALJEREMY
Description:
There was a failure making a WS-Trust exchange with an external application. Could not retrieve token from identity provider.

Inner Exception: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
Inner Exception: An error occurred when verifying security for the message.


Additional Information:
Microsoft.InfoCards.TrustExchangeException: Could not retrieve token from identity provider. ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
--- End of inner exception stack trace ---

Server stack trace:
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at 0:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.InfoCards.RemoteTokenFactory.ISts.ProcessRequestSecurityTokenFeb2005(Message rstMessage)
at Microsoft.InfoCards.RemoteTokenFactory.ProduceToken(InfoCard card, TokenCreationParameter parameter, TokenFactoryCredential credential, InfoCardPolicy policy, Boolean discloseOptional)
--- End of inner exception stack trace ---

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Coordinator
Apr 28, 2008 at 10:16 PM
OK, first thing to try is turning on the inner exception stuff; in your config file make sure the following setting is true in the config files

<serviceDebug includeExceptionDetailInFaults="true" />

The fact that you're seeing an unsecured error shows that it's come from WCF and you're not getting into the SharpSTS code yet.

You may also want to switch on tracing; within the system.serviceModel settings add the following

<!-- add trace logging -->
<diagnostics wmiProviderEnabled="false">
  <messageLogging
    logEntireMessage="true"
    logMalformedMessages="true"
    logMessagesAtServiceLevel="true"
    logMessagesAtTransportLevel="true"
    maxMessagesToLog="3000"
  />
</diagnostics>

Then add the following complete section before </configuration>

<!-- define trace logging -->
<system.diagnostics>
  <trace autoflush="true" />

  <sources>
    <source name="System.ServiceModel"
            switchValue="Information, ActivityTracing"
            propagateActivity="true" >
      <listeners>
        <add name="xml"/>
      </listeners>
    </source>
    <source name="System.ServiceModel.MessageLogging">
      <listeners>
        <add name="xml"/>
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="xml"
         type="System.Diagnostics.XmlWriterTraceListener"
         initializeData="CommandLineSTS.svclog" />
  </sharedListeners>
</system.diagnostics>

If you have the .NET Framework SDK installed it has the Service Trace Viewer, which you can use to load CommandLineSTS.svclog and see if you can get more information that way. It's probably certificate problems.
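An added example, not from this thread or from SharpSTS, for reading the CommandLineSTS.svclog that the listener above writes when the Service Trace Viewer is not to hand: it wraps the root-less file, collects every TraceRecord, and returns the Error-level ones with their Exception/InnerException chain. The embedded trace is a constructed sample, and the element layout is assumed to match what XmlWriterTraceListener emits.

```python
import xml.etree.ElementTree as ET

# XmlWriterTraceListener writes one <E2ETraceEvent> after another with no
# enclosing root, so the file is wrapped before parsing. The two records below
# are a constructed sample (assumed shape), not taken from a real trace.
SAMPLE_SVCLOG = """
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><ApplicationData><TraceData><DataItem>
 <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information">
  <Description>Received a message over a channel.</Description></TraceRecord>
</DataItem></TraceData></ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><ApplicationData><TraceData><DataItem>
 <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error">
  <Description>Throwing an exception.</Description>
  <Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException</ExceptionType>
   <Message>An unsecured or incorrectly secured fault was received from the other party.</Message>
   <InnerException><ExceptionType>System.ServiceModel.FaultException</ExceptionType>
    <Message>An error occurred when verifying security for the message.</Message></InnerException>
  </Exception></TraceRecord>
</DataItem></TraceData></ApplicationData></E2ETraceEvent>
"""

def local(tag):
    """Drop the namespace so elements match by local name only."""
    return tag.rsplit("}", 1)[-1]

def field_text(fields, name):
    return (fields[name].text or "").strip() if name in fields else ""

def exception_chain(exc):
    """Walk Exception -> InnerException -> ... and return (type, message) pairs."""
    chain = []
    while exc is not None:
        fields = {local(c.tag): c for c in exc}
        chain.append((field_text(fields, "ExceptionType"), field_text(fields, "Message")))
        exc = fields.get("InnerException")
    return chain

def parse_svclog(text):
    """Return every TraceRecord as {severity, description, exceptions}."""
    root = ET.fromstring("<root>" + text + "</root>")
    records = []
    for rec in (e for e in root.iter() if local(e.tag) == "TraceRecord"):
        fields = {local(c.tag): c for c in rec}
        records.append({"severity": rec.get("Severity"),
                        "description": field_text(fields, "Description"),
                        "exceptions": exception_chain(fields.get("Exception"))})
    return records

def error_records(text):
    """Only the Error/Critical records: the ones to read first after a failed exchange."""
    return [r for r in parse_svclog(text) if r["severity"] in ("Error", "Critical")]
```

Keep in mind that includeExceptionDetailInFaults="true" returns exception detail to every caller of the STS, so it belongs on a test deployment and should be switched back off once the fault is understood.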


Apr 29, 2008 at 7:28 PM
I added the debugging and tracing sections to the config then tried again. I never saw that it reached the server, so I do not believe it helped much. I did, however, manage to get it working from another computer I had previously been using as the STS host. So my guess is, like you said, that it's something to do with the certificate, which very well may be fixed upon us issuing our own certificate. Speaking of issuing certificates, how would we go about issuing a high-assurance certificate for our STS? Does IIS have the ability to do this, or do we use VeriSign or someone of that nature?

Thanks
Jeremy

Coordinator
Apr 30, 2008 at 2:59 AM
Ah right; it could be a number of things. Self-issued certs are painful :)

If you're hosting in IIS then try to load an https:// url on your server and see what happens. If you get certificate errors make sure you add the certificate of the server to the trusted certificate store. If you're wanting to test from multiple machines it might be easier to install certificate services somewhere and issue them "properly", trusting your cert server root certificate on all machines.

And no, you cannot issue an EV certificate yourself, that needs to be purchased.
Sep 30, 2008 at 3:01 AM
BlowDart - thanks so much for your post about diagnostics. I had no idea you could get such detailed logging out of WCF. This is an invaluable piece of knowledge that someone at Microsoft should have already told people about.