
Metro 2.0.1 Client with ADFS 2.0 STS and .NET 4.0 WebService

rsea
Joined: 2010-07-08

Hi all,

I've been trying to set up a .NET 4.0 Web Service, federated with an ADFS 2.0 STS using WIF, and a Java client, using the latest Metro build, to talk to this web service. I'm developing in NetBeans 6.9.

After following a number of samples and tutorials, both from the Metro site and .NET, as well as this thread (http://forums.java.net/jive/thread.jspa?messageID=396540), I'm still unable to have the client get a token from the ADFS2 STS.

The first error showing up after configuring the web service client in NetBeans was:
WSTrustException: WST0042:No matching service with endpoint http://www.w3.org/2005/08/addressing/anonymous found in the Metadata

Apparently this happened because this was the address configured in the wsdl:

http://www.w3.org/2005/08/addressing/anonymous

https://safir.nextway.corp/adfs/services/trust/mex

After changing it to something like "http://safir.nextway.corp/adfs/services/trust/2005/username", the error changed to:
WARNING: SP0100: Policy assertion Assertion[com.sun.xml.ws.policy.sourcemodel.DefaultPolicyAssertionCreator$DefaultPolicyAssertion] {
assertion data {
namespace = 'http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702'
prefix = 'sp'
local name = 'MustNotSendAmend'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
}
no parameters
no nested policy
} is not supported under SecureConversationToken assertion.
8/Jul/2010 20:17:41 com.sun.xml.ws.security.impl.policy.CertificateRetriever setServerCertInTheSTSConfig
INFO: The certificate found in the server wsdl or by server cert property is valid, so using it
8/Jul/2010 20:17:42 [com.sun.xml.ws.policy.jaxws.PolicyConfigParser] parse
INFO: WSP5018: Loaded WSIT configuration from file: (…) /build/classes/META-INF/wsit-client.xml.
8/Jul/2010 20:17:42 [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0075: Policy assertion "{http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication" was evaluated as "UNKNOWN".
8/Jul/2010 20:17:42 [com.sun.xml.ws.policy.EffectiveAlternativeSelector] selectAlternatives
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.

After that I looked at what went over the wire and found this (only the text content of the SOAP elements is shown):

Request:
POST /adfs/services/trust/2005/username HTTP/1.1
Accept: application/soap+xml, multipart/related
Content-Type: application/soap+xml; charset=utf-8;action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
User-Agent: JAX-WS RI 2.2.1-hudson-28-
Host: safir.nextway.corp
Connection: keep-alive
Content-Length: 4034

http://safir.nextway.corp/adfs/services/trust/2005/username
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
http://www.w3.org/2005/08/addressing/anonymous
uuid:929f7a1a-e4ad-4d3a-aa10-b02706640d5a
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
http://safir.nextway.corp/DownloadWS/Service1.svc
http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
256
http://www.w3.org/2001/04/xmlenc#aes256-cbc
http://www.w3.org/2001/10/xml-exc-c14n#
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
3sXrciHXdQmYTHrLpYH/Gkn3+H5esHQgK1pW3KcVQ4A=
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1

Response:
HTTP/1.1 500 Internal Server Error
Content-Length: 644
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 08 Jul 2010 19:23:12 GMT

http://www.w3.org/2005/08/addressing/soap/fault
uuid:929f7a1a-e4ad-4d3a-aa10-b02706640d5a
s:Sender
a:InvalidSecurity
An error occurred when verifying security for the message.

I've noticed there was no information about the username and password, even though I configured it in wsit-client.xml for the policy used by the STS.
Anyone had any success in using Metro with ADFS2?

Thanks in advance.

Just added the complete request xml


jdg6688
Joined: 2005-11-02

It works with a Metro client and an ADFS 2.0 STS. Check out this thread for more details:

http://forums.java.net/jive/thread.jspa?messageID=396540

In your case, security is not enabled on the client side. Likely
there is a mismatch in the policy of the STS endpoint you pointed to.

To help you out, can you post the STS wsdl with the security policy in it?

rsea
Joined: 2010-07-08

Thanks for the reply. Here are the WSDL files for STS and WService.

jdg6688
Joined: 2005-11-02

The versions of WS-SecurityPolicy used by your STS endpoint and by your service are different.

To resolve it, use the STS endpoint "http://safir.nextway.corp/adfs/services/trust/13/username"
instead.
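The mismatch jdg6688 points at can be checked in the metadata before a single RST goes out: the service policy and the STS endpoint's policy must use the same WS-SecurityPolicy namespace (the 2005/07 one for WS-Trust Feb 2005 / .NET 3.0 / Metro 1.0 style endpoints, the 200702 one for WS-Trust 1.3 / .NET 4.0 / Metro 2.x). The checker below is an added example, not code from this thread or from Metro: it reads a service WSDL and an STS WSDL/mex document, follows each binding's wsp:PolicyReference to its wsp:Policy, and lists the STS endpoints that share a WS-SecurityPolicy version with the service. The two WSDL documents inside it are constructed for the example (they are not ADFS's real metadata); only the endpoint URLs come from the thread, and the STS is modelled the way the thread reports it, with the /trust/2005/username endpoint on the older namespace and /trust/13/username on the newer one.

```python
"""List the STS endpoints whose WS-SecurityPolicy version matches the service's.

Added example (not code from the thread or from Metro). The two WSDL documents
below are constructed for the example; only the endpoint URLs come from the thread.
"""
import xml.etree.ElementTree as ET

WSDL = "http://schemas.xmlsoap.org/wsdl/"
SOAP12 = "http://schemas.xmlsoap.org/wsdl/soap12/"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

# The two WS-SecurityPolicy namespaces a Metro client meets in practice.
SP_VERSIONS = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy":
        "WS-SecurityPolicy 1.1 (WS-Trust 2005/02; .NET 3.0 / Metro 1.0 compatibility)",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702":
        "WS-SecurityPolicy 1.2 (WS-Trust 1.3; .NET 4.0 and Metro 2.x)",
}


def _ns(tag):
    """Namespace part of an ElementTree tag of the form '{ns}local'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _sp_versions(policy):
    """WS-SecurityPolicy namespaces used by any assertion nested under a wsp:Policy."""
    return {_ns(e.tag) for e in policy.iter() if _ns(e.tag) in SP_VERSIONS}


def endpoint_policy_versions(wsdl_text):
    """Map each soap12 endpoint address to the WS-SecurityPolicy versions that its
    wsdl:binding references through wsp:PolicyReference URI="#id"."""
    root = ET.fromstring(wsdl_text)
    policies = {p.get(f"{{{WSU}}}Id"): p
                for p in root.iter(f"{{{WSP}}}Policy") if p.get(f"{{{WSU}}}Id")}
    binding_versions = {}
    for binding in root.iter(f"{{{WSDL}}}binding"):
        versions = set()
        for ref in binding.iter(f"{{{WSP}}}PolicyReference"):
            policy = policies.get(ref.get("URI", "").lstrip("#"))
            if policy is not None:
                versions |= _sp_versions(policy)
        binding_versions[binding.get("name")] = versions
    endpoints = {}
    for port in root.iter(f"{{{WSDL}}}port"):
        address = port.find(f"{{{SOAP12}}}address")
        if address is not None:
            binding_name = port.get("binding", "").split(":")[-1]  # drop the tns: prefix
            endpoints[address.get("location")] = binding_versions.get(binding_name, set())
    return endpoints


def compatible_sts_endpoints(service_wsdl, sts_wsdl):
    """STS endpoint addresses sharing at least one WS-SecurityPolicy version with the service."""
    service_versions = set()
    for versions in endpoint_policy_versions(service_wsdl).values():
        service_versions |= versions
    return sorted(addr for addr, versions in endpoint_policy_versions(sts_wsdl).items()
                  if versions & service_versions)


# Constructed WSDL documents (not real ADFS or WCF metadata), trimmed to the parts the checker reads.
_HEAD = ('<wsdl:definitions xmlns:wsdl="%s" xmlns:soap12="%s" xmlns:wsp="%s" xmlns:wsu="%s" '
         'xmlns:sp11="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" '
         'xmlns:sp12="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" '
         'xmlns:tns="urn:example" targetNamespace="urn:example">' % (WSDL, SOAP12, WSP, WSU))

SERVICE_WSDL = _HEAD + """
  <wsp:Policy wsu:Id="ServicePolicy"><wsp:ExactlyOne><wsp:All>
    <sp12:SymmetricBinding><wsp:Policy><sp12:ProtectionToken><wsp:Policy>
      <sp12:IssuedToken/></wsp:Policy></sp12:ProtectionToken></wsp:Policy></sp12:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsdl:binding name="ServiceBinding" type="tns:IService"><wsp:PolicyReference URI="#ServicePolicy"/></wsdl:binding>
  <wsdl:service name="Service1"><wsdl:port name="ServicePort" binding="tns:ServiceBinding">
    <soap12:address location="http://safir.nextway.corp/DownloadWS/Service1.svc"/></wsdl:port></wsdl:service>
</wsdl:definitions>"""

STS_WSDL = _HEAD + """
  <wsp:Policy wsu:Id="Trust2005Policy"><wsp:ExactlyOne><wsp:All>
    <sp11:TransportBinding><wsp:Policy/></sp11:TransportBinding>
    <sp11:SignedSupportingTokens><wsp:Policy><sp11:UsernameToken/></wsp:Policy></sp11:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsp:Policy wsu:Id="Trust13Policy"><wsp:ExactlyOne><wsp:All>
    <sp12:TransportBinding><wsp:Policy/></sp12:TransportBinding>
    <sp12:SignedSupportingTokens><wsp:Policy><sp12:UsernameToken/></wsp:Policy></sp12:SignedSupportingTokens>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsdl:binding name="Trust2005Binding" type="tns:ISTS"><wsp:PolicyReference URI="#Trust2005Policy"/></wsdl:binding>
  <wsdl:binding name="Trust13Binding" type="tns:ISTS"><wsp:PolicyReference URI="#Trust13Policy"/></wsdl:binding>
  <wsdl:service name="SecurityTokenService">
    <wsdl:port name="Trust2005Port" binding="tns:Trust2005Binding">
      <soap12:address location="http://safir.nextway.corp/adfs/services/trust/2005/username"/></wsdl:port>
    <wsdl:port name="Trust13Port" binding="tns:Trust13Binding">
      <soap12:address location="http://safir.nextway.corp/adfs/services/trust/13/username"/></wsdl:port>
  </wsdl:service>
</wsdl:definitions>"""

if __name__ == "__main__":
    for addr, versions in endpoint_policy_versions(STS_WSDL).items():
        print(addr, "->", "; ".join(SP_VERSIONS[v] for v in sorted(versions)) or "no security policy")
    print("compatible with the service:", compatible_sts_endpoints(SERVICE_WSDL, STS_WSDL))
```

Against real metadata, feed it the service WSDL and the document returned by the STS's mex address; an empty result means the endpoint you configured in wsit-client.xml is described with a policy version the service does not use, which is the situation Metro reports as "Suboptimal policy alternative selected" before the STS rejects the request.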

rsea
Joined: 2010-07-08

Thanks again for the reply.

I can now get a token from ADFS2. However, the client now fails with the following error:
SEVERE: WSS1701: Sign operation failed.
java.lang.IllegalArgumentException: Empty key

This apparently happens because at line 296 of WSTrustClientContractImpl keySize is 0, which is because both the RST and the RSTR have keySize = 0.
Shouldn't this be 256, as stated in the service wsdl?

I've also attached the wsit-client files I'm using.

jdg6688
Joined: 2005-11-02

The RSTR doesn't contain KeySize, as it usually should.

In this case, there is a bug in Metro 2.0.1 in handling it.

So 2 options:

1. Use the 2005/07 version:

Choose Version Compatibility .NET 3.0/Metro 1.0 when you build and configure
your service, and use the STS endpoint "http://safir.nextway.corp/adfs/services/trust/2005/username"

or

2. Upgrade Metro to the current Metro 2.1 where the bug is fixed.
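What the "Empty key" failure comes down to is the proof-key derivation for the CK/PSHA1 computed key the RST above asked for: the client's BinarySecret is the P_SHA1 secret, the STS's entropy is the seed, and KeySize says how many bits to take. When the RSTR omits KeySize and the client does not fall back to the size it requested, the derived length is 0. The following is an added example, not code from this thread or from Metro, that derives the key the way WS-Trust 1.3 specifies (P_SHA1 from the TLS PRF, truncated to KeySize bits) and takes the RST's KeySize when the RSTR carries none. The client entropy is the BinarySecret from the captured RST in this thread; the server entropy and the key sizes are constructed.

```python
"""WS-Trust CK/PSHA1 computed key, with the KeySize fallback this thread needs.

Added example (not code from the thread or from Metro). The client entropy is the
BinarySecret from the captured RST above; the server entropy is constructed.
"""
import base64
import hashlib
import hmac

PSHA1 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1"

CLIENT_ENTROPY = base64.b64decode("3sXrciHXdQmYTHrLpYH/Gkn3+H5esHQgK1pW3KcVQ4A=")  # from the RST
SERVER_ENTROPY = bytes(range(32))  # constructed stand-in for the RSTR's wst:Entropy


def hmac_sha1(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()


def p_sha1(secret, seed, length):
    """P_SHA1 expansion from the TLS 1.0/1.1 PRF (RFC 2246 section 5), which is what
    WS-Trust references for CK/PSHA1:
        A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1))
        output = HMAC_SHA1(secret, A(1) + seed) | HMAC_SHA1(secret, A(2) + seed) | ...
    truncated to `length` bytes."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac_sha1(secret, a)
        out += hmac_sha1(secret, a + seed)
    return out[:length]


def effective_key_size(rst_keysize, rstr_keysize):
    """Bits to derive. The RSTR's KeySize wins when present and non-zero; otherwise
    fall back to what the RST asked for. Returns 0 when neither side said anything,
    which is the state that produced Metro 2.0.1's "Empty key" exception."""
    return rstr_keysize or rst_keysize or 0


def computed_key(client_entropy, server_entropy, rst_keysize, rstr_keysize=None,
                 algorithm=PSHA1):
    """Proof key for a SymmetricKey token with ComputedKey = CK/PSHA1:
    P_SHA1(EntREQ, EntRES) truncated to KeySize bits (requestor entropy is the secret,
    issuer entropy the seed, per WS-Trust 1.3)."""
    if algorithm != PSHA1:
        raise ValueError("unsupported ComputedKey algorithm: " + algorithm)
    bits = effective_key_size(rst_keysize, rstr_keysize)
    if bits <= 0 or bits % 8:
        raise ValueError("Empty key: no usable KeySize in RST or RSTR (%r)" % bits)
    return p_sha1(client_entropy, server_entropy, bits // 8)


if __name__ == "__main__":
    # RSTR without KeySize: fall back to the 256 bits the RST requested.
    key = computed_key(CLIENT_ENTROPY, SERVER_ENTROPY, rst_keysize=256, rstr_keysize=None)
    print("derived %d-bit proof key: %s" % (len(key) * 8, key.hex()))
```

Both sides must make the same choice here: if the STS derived a 256-bit key from the RST's KeySize while the client derived nothing (or a different length), the signature the client puts on the first application message will not verify at the service, which is the same "An error occurred when verifying security for the message" fault the thread started with.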

rsea
Joined: 2010-07-08

Thanks, now it's working.

Best regards.

sivagurut
Joined: 2009-07-06

Can you please share the working code and blog link.

jdg6688
Joined: 2005-11-02
Vinuta
Joined: 2014-04-30

I am looking for a code sample for using Metro with ADFS as the STS. The links in this thread do not work. Could anyone please point me to a working example? Thanks a lot!