
Metro 2.0.1 Client with ADFS 2.0 STS and .NET 4.0 WebService

Joined: 2010-07-08

Hi all,

I've been trying to setup a .NET 4.0 Web Service, federated with an ADFS 2.0 STS using WIF and a Java client, using latest Metro build, to talk to this web service. I'm developing in NetBeans 6.9.

After following a number of samples and tutorials, both from the Metro site and .NET, as well as this thread, I'm still unable to have the client get a token from the ADFS2 STS.

The first error showing up after configuring the web service client in NetBeans was:
WSTrustException: WST0042:No matching service with endpoint found in the Metadata

Apparently this happened because this was the address configured in the wsdl:


After changing it to something like "http://safir.nextway.corp/adfs/services/trust/2005/username", the error changed to:
WARNING: SP0100: Policy assertion Assertion[$DefaultPolicyAssertion] {
assertion data {
namespace = ''
prefix = 'sp'
local name = 'MustNotSendAmend'
value = 'null'
optional = 'false'
ignorable = 'false'
no attributes
no parameters
no nested policy
} is not supported under SecureConversationToken assertion.
8/Jul/2010 20:17:41 setServerCertInTheSTSConfig
INFO: The certificate found in the server wsdl or by server cert property is valid, so using it
8/Jul/2010 20:17:42 [] parse
INFO: WSP5018: Loaded WSIT configuration from file: (…) /build/classes/META-INF/wsit-client.xml.
8/Jul/2010 20:17:42 [] selectAlternatives
WARNING: WSP0075: Policy assertion "{}NegotiateAuthentication" was evaluated as "UNKNOWN".
8/Jul/2010 20:17:42 [] selectAlternatives
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "PARTIALLY_SUPPORTED".
Exception in thread "main" An error occurred when verifying security for the message.

After that I looked at what was going through the wire and found this:
POST /adfs/services/trust/2005/username HTTP/1.1
Accept: application/soap+xml, multipart/related
Content-Type: application/soap+xml; charset=utf-8;action=""
User-Agent: JAX-WS RI 2.2.1-hudson-28-
Host: safir.nextway.corp
Connection: keep-alive
Content-Length: 4034

HTTP/1.1 500 Internal Server Error
Content-Length: 644
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 08 Jul 2010 19:23:12 GMT



An error occurred when verifying security for the message.

I've noticed there was no information about the username and password, even though I configured it in wsit-client.xml for the policy used by the STS.
Anyone had any success in using Metro with ADFS2?

Thanks in advance.

Just added the complete request xml

Joined: 2005-11-02

It is working with Metro client and ADFS 2.0 STS. Check out this thread for more details:

In your case, the security is not enabled on the client side. Likely there is a mismatch in the policy of the STS endpoint you pointed to.

To help you out, can you post the STS wsdl with the security policy in it?

Joined: 2010-07-08

Thanks for the reply. Here are the WSDL files for STS and WService.

Joined: 2005-11-02

The version of the ws-securitypolicy used for your STS endpoint and service are different.

To resolve it, use the STS endpoint "http://safir.nextway.corp/adfs/services/trust/13/username"
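A diagnostic for the mismatch pointed out above, added here as an example; it is not code from the thread or from Metro. It assumes only the two standard WS-SecurityPolicy namespaces (2005/07 and 200702) and uses constructed, minimal WSDL stand-ins rather than the files actually posted.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy generations a Metro client can be configured for. The 2005/07 namespace
# pairs with WS-Trust 2005/02 (.NET 3.0 / Metro 1.0 compatibility); the 200702 namespace
# pairs with WS-Trust 1.3 (the ".../trust/13/..." ADFS endpoints).
SP_VERSIONS = {
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy": "WS-SecurityPolicy 1.1 (2005/07)",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702": "WS-SecurityPolicy 1.2 (200702)",
}

def policy_versions(wsdl_xml):
    """Return the set of WS-SecurityPolicy namespaces used by assertions in a WSDL document."""
    found = set()
    for el in ET.fromstring(wsdl_xml).iter():
        if el.tag.startswith("{"):
            ns = el.tag[1:].split("}", 1)[0]
            if ns in SP_VERSIONS:
                found.add(ns)
    return found

def check_compat(service_wsdl, sts_wsdl):
    """List the problems that would keep the client from applying a usable security policy."""
    svc, sts = policy_versions(service_wsdl), policy_versions(sts_wsdl)
    problems = []
    if not svc:
        problems.append("service WSDL carries no WS-SecurityPolicy assertions")
    if not sts:
        problems.append("STS WSDL carries no WS-SecurityPolicy assertions")
    if svc and sts and svc.isdisjoint(sts):
        problems.append("version mismatch: service uses %s, STS endpoint uses %s" % (
            ", ".join(SP_VERSIONS[n] for n in sorted(svc)),
            ", ".join(SP_VERSIONS[n] for n in sorted(sts))))
    return problems

# Constructed, minimal stand-ins for the two WSDLs exchanged in the thread (not the real files).
SERVICE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:Policy><sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
    <sp:IssuedToken/></wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
  </wsp:Policy></wsdl:definitions>"""
STS_2005_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy><sp:UsernameToken/></wsp:Policy></wsdl:definitions>"""
STS_13_WSDL = STS_2005_WSDL.replace(
    "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
    "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702")

if __name__ == "__main__":
    for name, sts in (("trust/2005/username", STS_2005_WSDL), ("trust/13/username", STS_13_WSDL)):
        print(name, check_compat(SERVICE_WSDL, sts) or "compatible")
```

Run against the real files, the 2005/username endpoint reports a version mismatch against a 200702 service policy while 13/username reports none, which is the situation the reply above resolves.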

Joined: 2010-07-08

Thanks again for the reply.

I can now get a token from ADFS2. However, the client now fails with the following error:
SEVERE: WSS1701: Sign operation failed.
java.lang.IllegalArgumentException: Empty key

This happens apparently because in line 296 of WSTrustClientContractImpl, keySize is 0. This is due to the fact that both RST and RSTR have keySize = 0.
Shouldn't this be 256 as stated in the service wsdl?

I've also attached the wsit-client files I'm using.

Joined: 2005-11-02

The RSTR doesn't contain KeySize as usually it should.

In this case, there is a bug in Metro 2.0.1 to handle it.

So 2 options:

1. Use 2005/07 version:

Choose Version Compatibility to be .Net 3.0/Metro 1.0 when you build and configure your service and use the STS endpoint "http://safir.nextway.corp/adfs/services/trust/2005/username"


2. Upgrade Metro to the current Metro 2.1 where the bug is fixed.

Joined: 2010-07-08

Thanks, now it's working.

Best regards.

Joined: 2009-07-06

Can you please share the working code and blog link.

Joined: 2005-11-02
Joined: 2014-04-30

I am looking for a code sample for using Metro with ADFS as STS. The links in this thread do not work. Could anyone please point me to a working example? Thanks a lot!