Question

I'm trying to obtain a token from ADFS so that I can use it with an on-premise Windows Service Bus installation. I may not have ADFS properly configured because I get the following message:

MSIS3127: The specified request failed.

The code to access the token is as follows:

    using System.IdentityModel.Protocols.WSTrust; // RequestSecurityToken, RequestTypes
    using System.IdentityModel.Tokens;            // SecurityToken
    using System.ServiceModel;                    // WS2007HttpBinding, EndpointAddress, SecurityMode
    using System.ServiceModel.Security;           // WSTrustChannelFactory, WSTrustChannel, TrustVersion

    // relative path of the WS-Trust 1.3 username/password endpoint on ADFS
    string adrecaSTS = "trust/13/usernamemixed";

    WS2007HttpBinding binding = new WS2007HttpBinding();

    // credentials travel inside the SOAP message; the channel itself is protected by HTTPS
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential; //https

    string baseSSLUri = @"https://<myadfs>/adfs/services/";

    WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(baseSSLUri + adrecaSTS));
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
    trustChannelFactory.Credentials.UserName.UserName = "username";
    trustChannelFactory.Credentials.UserName.Password = "password";

    WSTrustChannel tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();

    // create a token issuance request
    RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);

    // call ADFS STS
    SecurityToken token = tokenClient.Issue(rst);

The endpoint is enabled on ADFS and my client (laptop on separate domain) trusts the certificate from ADFS.

Do I need to set up some kind of trust or something further? This error message is not particularly helpful.


Solution

See here:

https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/src/Libraries/Thinktecture.IdentityServer.Protocols/WSFederation/HrdController.cs

The ValidateToken method has most of the code - but you first need to extract the InnerXml from the generic token and turn that into a SAML security token (again using a token handler).

Other tips

Found the issue. I was trying to log on as an administrator account. When I used a regular user it worked.

I also had to modify the RequestSecurityToken to have a KeyType of KeyType.Symmetric
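An added example, not code from the question, from either answer or from the linked Thinktecture project, that puts the two pieces of advice above together: it issues the token with the KeyType set to symmetric (and an AppliesTo naming the Service Bus realm, which ADFS needs to pick the relying party trust), then follows the ValidateToken approach from the solution by pulling the assertion XML out of the GenericXmlSecurityToken and handing it to the WIF SAML token handlers. It targets the .NET 4.5 System.IdentityModel APIs; the ADFS host, realm, token-signing certificate thumbprint, issuer name and credentials are placeholders.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.IO;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

// Added example (.NET 4.5 / System.IdentityModel): issue a symmetric-key SAML token
// from the ADFS usernamemixed endpoint and validate it with the WIF token handlers.
static class AdfsTokenClient
{
    // ASSUMPTIONS: placeholder ADFS host, relying-party realm, the SHA-1 thumbprint
    // of the ADFS token-signing certificate and the issuer name to map it to.
    const string StsEndpoint  = "https://<myadfs>/adfs/services/trust/13/usernamemixed";
    const string Realm        = "https://<servicebus-realm>/";
    const string SigningThumb = "<thumbprint-of-adfs-token-signing-cert>";
    const string IssuerName   = "http://<myadfs>/adfs/services/trust";

    public static GenericXmlSecurityToken Issue(string user, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(StsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken(RequestTypes.Issue)
        {
            KeyType   = KeyTypes.Symmetric,            // the fix reported above
            AppliesTo = new EndpointReference(Realm)   // which relying party the token is for
        };

        var channel = (WSTrustChannel)factory.CreateChannel();
        try
        {
            // Issue() hands back the raw assertion wrapped in a GenericXmlSecurityToken.
            return (GenericXmlSecurityToken)channel.Issue(rst);
        }
        finally
        {
            factory.Close();
        }
    }

    // relyingPartyCert: the relying party's encryption certificate (with private key).
    // Needed to unwrap the holder-of-key proof key of a symmetric token and to decrypt
    // the token if ADFS encrypts tokens for this relying party; null for a plain bearer token.
    public static ClaimsIdentity Validate(GenericXmlSecurityToken generic, X509Certificate2 relyingPartyCert)
    {
        // TokenXml is the <Assertion> element itself, so OuterXml is what the handler reads.
        string assertionXml = generic.TokenXml.OuterXml;

        var config = new SecurityTokenHandlerConfiguration();
        config.AudienceRestriction.AudienceMode = AudienceUriMode.Always;
        config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(Realm));

        // Trust is pinned to the signing-cert thumbprint through the issuer name registry;
        // chain validation is off because ADFS signing certificates are usually self-signed.
        var issuers = new ConfigurationBasedIssuerNameRegistry();
        issuers.AddTrustedIssuer(SigningThumb, IssuerName);
        config.IssuerNameRegistry = issuers;
        config.CertificateValidationMode = X509CertificateValidationMode.None;

        if (relyingPartyCert != null)
        {
            var keys = new ReadOnlyCollection<SecurityToken>(new SecurityToken[] { new X509SecurityToken(relyingPartyCert) });
            config.ServiceTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(keys, false);
        }

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection(config);
        using (var reader = XmlReader.Create(new StringReader(assertionXml)))
        {
            if (!handlers.CanReadToken(reader))
                throw new SecurityTokenException("no registered handler recognizes this token");
            SecurityToken saml = handlers.ReadToken(reader);   // Saml2SecurityToken or SamlSecurityToken
            // Checks signature, issuer, audience and validity period and returns the identities.
            return handlers.ValidateToken(saml)[0];
        }
    }

    static void Main()
    {
        GenericXmlSecurityToken token = Issue("username", "password");
        ClaimsIdentity identity = Validate(token, null);
        foreach (Claim c in identity.Claims)
            Console.WriteLine("{0} = {1} [issuer {2}]", c.Type, c.Value, c.Issuer);
    }
}
```

Issue() on its own reproduces the request the question makes, with the two changes that matter: ADFS only issues for an AppliesTo that matches a configured relying party trust identifier, and the key type selects bearer versus holder-of-key. Validate() is only needed if the client wants to inspect the claims itself; a Service Bus client normally forwards the token untouched, and with a symmetric key the proof key inside the assertion is encrypted to the relying party, so validating it locally requires that party's certificate as shown.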

I see that you solved your issue, but here is some additional information to potentially help others that might have the same error message but a different cause.

The AD FS error, "MSIS3127...", can have multiple causes. For us, it was caused by one of our relying party claim rules specifying an AD FS attribute store that didn't exist.

In order to debug the error, we checked the Event Viewer on all of the servers running AD FS, and that's where we found the detailed message that called out the attribute store problem. So, if anyone else gets the same error message, then I suggest checking the Event Viewer on AD FS to see if there are additional logs.

Note that AD FS logs to the Event Viewer under the folder/node of Applications and Services Logs => AD FS => Admin
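The same check done from code rather than the Event Viewer UI, as an added example that is not part of the answer above: it reads the most recent Error-level records from the AD FS Admin channel, optionally on a remote AD FS server, and prints the full formatted message, which is where the detailed cause (such as the missing attribute store) appears. The channel name `AD FS/Admin` is the one Event Viewer shows under Applications and Services Logs > AD FS > Admin on Windows Server 2012 R2 and later; the server name is a placeholder.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Added example: dump recent AD FS Admin errors so the detail behind a generic
// "MSIS3127: The specified request failed." can be read without the Event Viewer UI.
static class AdfsAdminLog
{
    // ASSUMPTION: channel name as shown in Event Viewer (Server 2012 R2 and later).
    const string Channel = "AD FS/Admin";

    // Returns the number of records printed. adfsServer == null reads the local log.
    public static int DumpErrors(string adfsServer, int max)
    {
        // XPath filter on the event XML: Level 2 is Error.
        var query = new EventLogQuery(Channel, PathType.LogName, "*[System[Level=2]]")
        {
            ReverseDirection = true   // newest first
        };
        if (!string.IsNullOrEmpty(adfsServer))
        {
            // Remote read; the caller needs Event Log Readers rights on that server.
            query.Session = new EventLogSession(adfsServer);
        }

        int printed = 0;
        using (var reader = new EventLogReader(query))
        {
            EventRecord record;
            while (printed < max && (record = reader.ReadEvent()) != null)
            {
                using (record)
                {
                    Console.WriteLine("{0:u}  EventID {1}  {2}", record.TimeCreated, record.Id, record.MachineName);
                    // FormatDescription() renders the message text, including the
                    // specific object or store the request failed on.
                    Console.WriteLine(record.FormatDescription());
                    Console.WriteLine();
                    printed++;
                }
            }
        }
        return printed;
    }

    static void Main(string[] args)
    {
        // usage: AdfsAdminLog [<adfs-server>]   (placeholder host name)
        string server = args.Length > 0 ? args[0] : null;
        int n = DumpErrors(server, 20);
        if (n == 0) Console.WriteLine("no Error-level records in {0}", Channel);
    }
}
```

Run it once per AD FS server, as the answer notes: a farm does not replicate the Admin log, so the record is only on the node that handled the failing request. On AD FS 2.0 the channel is named `AD FS 2.0/Admin` instead.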

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow