Question

I was doing the tutorial from this page: http://msdn.microsoft.com/en-us/library/gg185927.aspx I think I did everything OK, but I'm getting this exception:

`An error occurred when processing the security tokens in the message.`

What did I do wrong? I used the certificate from the sample. Maybe I should create my own certificate? Is there any difference?

I noticed that the hard-coded credentials differ slightly from the ones given in the tutorial, so I changed them in Service Identities. Before I did that, I was getting an authentication exception, so I think it was OK to change them.

I'm not experienced in any kind of security, but I want to finally learn it, so I hope you guys can help me :)

EDIT: I'm not sure if this Realm is OK. I entered http://localhost:7100/Service/Default.aspx there. I'm running it on my local machine and I'm not sure that this is the way I should do it.

EDIT 2: This is the stack trace:

```
Server stack trace: 
at  System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at WcfService.IStringService.Reverse(String value)
at WcfClient.Program.Main(String[] args) in c:\Users\Hador\Downloads\Windows Azure AD Access Control (ACS) Code Samples\C#\Webservice\Acs2UsernameBindingSample\WcfClient\Program.cs:line 53
```

I have this error at line:

```csharp
string outputString = stringService.Reverse(userInputString);
```

Solution

It seems as though your problem lies with the Token Encryption Policy, and the security required therein...

"Token Encryption Policy

The Token encryption policy determines whether the tokens that ACS issues for the relying party application are encrypted. To require encryption, select the Require Encryption value.

In ACS, you can configure an encryption policy for SAML 2.0 or SAML 1.1 tokens only. ACS does not support encryption of the SWT or JWT tokens.

ACS encrypts SAML 2.0 and SAML 1.1 tokens using an X.509 certificate containing a public key (.cer file). These encrypted tokens are then decrypted by using a private key possessed by the relying party application. For more information about getting and using encryption certificates, see Certificates and Keys.

Configuring an encryption policy on your ACS-issued tokens is optional. However, an encryption policy must be configured when your relying party application is a web service that is using proof-of-possession tokens over the WS-Trust protocol. This particular scenario does not function properly without encrypted tokens." Taken from here
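As an added example (not part of the question, the answer or the MSDN sample): a relying-party-side check that the certificate the WCF service will use to decrypt ACS-issued SAML tokens is the private-key counterpart of the .cer uploaded to ACS under the Token Encryption Policy. The .cer path, the certificate store location and the way the host is configured are assumptions, not values from the sample.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;

// Added example, not from the ACS sample. Path and store are placeholders.
public static class TokenDecryptionCertCheck
{
    // The public-key-only .cer that was uploaded to ACS (placeholder path).
    const string AcsEncryptionCerPath = @"C:\path\to\uploaded-to-acs.cer";

    // Returns the relying party's decryption certificate only if it has the
    // same thumbprint as the .cer ACS encrypts with AND carries a private key.
    public static X509Certificate2 FindMatchingDecryptionCert()
    {
        var acsPublic = new X509Certificate2(AcsEncryptionCerPath);

        // .NET Framework's X509Store is not IDisposable, so use Open/Close.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, acsPublic.Thumbprint, false);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "No certificate in LocalMachine\\My matches the thumbprint " +
                    "given to ACS (" + acsPublic.Subject + "); encrypted tokens " +
                    "cannot be decrypted by this relying party.");

            var rpCert = matches[0];
            if (!rpCert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found but has no private key; import the .pfx, " +
                    "not just the .cer, into the relying party's store.");
            return rpCert;
        }
        finally
        {
            store.Close();
        }
    }

    // Wire the verified certificate into the WCF host, so the service can
    // decrypt the SAML token ACS encrypted with the matching public key.
    public static void ConfigureHost(ServiceHost host)
    {
        host.Credentials.ServiceCertificate.Certificate = FindMatchingDecryptionCert();
    }
}
```

Run the check at service start-up so a mismatched or public-key-only certificate fails loudly on the relying party instead of surfacing as a generic token-processing error at the client.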

Licensed under: CC-BY-SA with attribution