WIF STS ID3242: The security token could not be authenticated or authorized

Question

I'm getting the following error in my client application when it tries to authenticate to my service:

ID3242: The security token could not be authenticated or authorized

Here is the configuration of the client:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
  <ws2007HttpBinding>
    <binding name="stsBinding">
      <security mode="Message">
        <message clientCredentialType="UserName"
          establishSecurityContext="false"
          negotiateServiceCredential="true"/>
      </security>
    </binding>
  </ws2007HttpBinding>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message>
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
          </claimTypeRequirements>
          <issuer address="http://localhost:17240/STS.svc"
                  bindingConfiguration="stsBinding"
                  binding="ws2007HttpBinding">
            <identity>
              <dns value="WCFSTS"/>
            </identity>
          </issuer>
          <issuerMetadata address="http://localhost:17240/STS.svc/Mex"></issuerMetadata>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="echoClaimsBehavior">
      <clientCredentials>
        <serviceCertificate>
          <defaultCertificate
            findValue="CN=WCFSTS"
            storeLocation="LocalMachine"
            storeName="My"
            x509FindType="FindBySubjectDistinguishedName"/>
          <authentication
            revocationMode="NoCheck"
            certificateValidationMode="None"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint address="http://localhost:1438/EchoClaims.svc/EchoClaims"
            binding="ws2007FederationHttpBinding"
            bindingConfiguration="echoClaimsBinding"
            contract="TestService.IEchoClaims"
            name="WS2007FederationHttpBinding_IEchoClaims"
            behaviorConfiguration="echoClaimsBehavior">
    <identity>
      <dns value="WCFServer"/>
    </identity>
  </endpoint>
</client>
</system.serviceModel>
</configuration>

Here is the configuration of the service

<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>

<system.web>
<compilation debug="true" targetFramework="4.0">
  <assemblies>
    <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  </assemblies>
</compilation>
</system.web>

<system.serviceModel>
<services>
  <service name="WcfService1.EchoClaims"
           behaviorConfiguration="echoClaimsBehavior">

    <endpoint address=""
              contract="WcfService1.IEchoClaims"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="echoClaimsBinding"></endpoint>
    <endpoint address="mex"
           binding="mexHttpBinding"
           contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="echoClaimsBehavior">

      <serviceMetadata httpGetEnabled="true" />
      <serviceCredentials>           
        <serviceCertificate 
          findValue="CN=WCFServer" 
          storeLocation="LocalMachine" 
          storeName="My" 
          x509FindType="FindBySubjectDistinguishedName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message negotiateServiceCredential="true">
          <!--<issuerMetadata address="http://localhost:17240/STS.svc/mex" />-->
          <claimTypeRequirements>
            <!--Following are the claims offered by STS 'http://localhost:17240/STS.svc'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />               
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<diagnostics>
  <messageLogging logEntireMessage="true"
                  logMessagesAtServiceLevel="true"
                  logMessagesAtTransportLevel="true"></messageLogging>
</diagnostics>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
  <audienceUris mode="Never"/>        
  <issuerNameRegistry type="WcfService1.CustomIssuerNameRegistry, WcfService1"/>        
</service>
</microsoft.identityModel>
<system.diagnostics>
<sources>
  <source name="System.ServiceModel" switchValue="Warning, Error, ActivityTracing"
       propagateActivity="true">
    <listeners>
      <add name="ServiceModelTraceListener"/>
    </listeners>
  </source>
</sources>
<sharedListeners>
  <add initializeData="ecb_tracelog.svclog"
                type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
    <filter type="" />
  </add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
</configuration>

Please let me know if anyone has an idea of how to determine why authentication is failing. I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated.

Answer 1

In a similar situation, this forum post by Dominick Baier suggests that the web service rejects the token, so tracing at the STS would not show any problem.

He suggests to check this web service's <microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris> section in its web.config, and to switch on the Microsoft.IdentityModel trace source in that same file.

Answer 2

In my case, turning tracing on revealed one more exception that was thrown before

ID3242: The security token could not be authenticated or authorized

Use this to turn on tracing on the WCF side:

<system.diagnostics>
<sources>
  <source name="Microsoft.IdentityModel" switchValue="Verbose">
    <listeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="D:\Logs\rie\RIE_Trace.log" />
    </listeners>
  </source>
</sources>
<trace autoflush="true" />

Again, in my case, the trace files revealed the following exception:

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience: http://some.th.ing/

Turns out the audienceUri was not correct in the WCF Web.config.

Hope this helps