Friday, October 1, 2010

Wcf: Cannot find a token authenticator

@YaronNaveh

The error below is common for WCF clients in security interoperability scenarios:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

What does it mean?

When a signed response comes back from the server, its signature can reference the signing certificate in one of two ways.

Option A (key identifier): the signature points at the certificate by its subject key identifier. The certificate itself is not carried in the message, so the client must already hold it.

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier" EncodingType="...#Base64Binary">gBfL0123lM6cUV5YA4=</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

Option B (direct reference): the certificate is serialized into the security header as a BinarySecurityToken and the signature points at it by its wsu:Id.

<o:BinarySecurityToken wsu:Id="uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2">
MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78…
</o:BinarySecurityToken>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2"></o:Reference>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

The error above means the response took option B: the server serialized its signing certificate into the header as a BinarySecurityToken and the signature references it directly. Reading that token requires an X.509 token authenticator on the client, and by default a WCF client only expects a reference (option A) to the service certificate it already holds, so the BinarySecurityToken is rejected with "Cannot find a token authenticator".

How to fix it?

On your client, set allowSerializedSigningTokenOnReply to true on the security element of the custom binding:

<customBinding>
  <binding>
    ...
    <security allowSerializedSigningTokenOnReply="true" />
    ...
  </binding>
</customBinding>

The attribute is only exposed on the customBinding security element, so a client that uses wsHttpBinding has to be expressed as the equivalent customBinding first. Enabling it does not skip certificate validation: the certificate delivered in the reply is still checked according to the client's serviceCertificate authentication settings, so a broken trust chain should be fixed at the certificate level rather than by setting certificateValidationMode="None" outside of a debugging session.

An alternative is to build a custom message encoder that rewrites the response from option B to option A before the security layer sees it: the client already holds the service certificate, so the encoder can drop the BinarySecurityToken and replace the direct reference with a key identifier for that certificate. This only works when the token itself is not covered by the signature, and it is considerably more work, so in the general case the configuration change should be preferred.
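The two reference styles described under "What does it mean?" and the encoder alternative in the paragraph above, as an added example that is not part of the original post and is not WCF code: a small Python script that classifies how a WS-Security header references the signing certificate (option A or option B, and whether a BinarySecurityToken is present at all, which is what trips the client), and performs the option B to option A rewrite that such a custom encoder would have to do. The header it parses is a constructed sample with truncated placeholder values; the certificate's subject key identifier is passed in by the caller (a real encoder would compute it from the service certificate it is configured with, which this example does not parse), and the rewrite refuses when the token is itself one of the signed references, since stripping it would invalidate the signature.

```python
"""Classify and rewrite the signing-certificate reference in a WS-Security header.
Added example for this post, not WCF code; stdlib only. The sample header is
constructed (truncated token/digest values) and mirrors option B from the post."""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0"
SKI_VALUE_TYPE = X509_PROFILE + "#X509SubjectKeyIdentifier"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

for _prefix, _uri in (("o", WSSE), ("u", WSU), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes when re-serializing

TOKEN_ID = "uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2"

# Constructed sample: the server serialized its certificate and referenced it directly.
SAMPLE_OPTION_B = f"""<o:Security xmlns:o="{WSSE}" xmlns:u="{WSU}">
  <o:BinarySecurityToken u:Id="{TOKEN_ID}" ValueType="{X509_PROFILE}#X509v3"
      EncodingType="{B64_ENCODING}">MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78</o:BinarySecurityToken>
  <Signature xmlns="{DS}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#_body"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><DigestValue>cGxhY2Vob2xkZXI=</DigestValue></Reference>
    </SignedInfo>
    <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3</SignatureValue>
    <KeyInfo>
      <o:SecurityTokenReference>
        <o:Reference ValueType="{X509_PROFILE}#X509v3" URI="#{TOKEN_ID}"/>
      </o:SecurityTokenReference>
    </KeyInfo>
  </Signature>
</o:Security>"""

# Same header, but the token is itself one of the signed parts, so it cannot be stripped.
SAMPLE_SIGNED_TOKEN = SAMPLE_OPTION_B.replace('URI="#_body"', f'URI="#{TOKEN_ID}"')


def _locate(root):
    """Return (Signature, SecurityTokenReference under its KeyInfo) or fail loudly."""
    sig = root.find(f"{{{DS}}}Signature")
    str_el = None if sig is None else sig.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        raise ValueError("no Signature/KeyInfo/SecurityTokenReference in header")
    return sig, str_el


def classify_signing_reference(security_xml):
    """style: "key-identifier" (option A), "direct-reference" (option B) or "other".
    serialized_token: a BinarySecurityToken is present, which is what a client
    without allowSerializedSigningTokenOnReply cannot read.
    resolves: for a direct reference, whether its URI points at a token in the header."""
    root = ET.fromstring(security_xml)
    _, str_el = _locate(root)
    tokens = {t.get(f"{{{WSU}}}Id") for t in root.iter(f"{{{WSSE}}}BinarySecurityToken")}
    result = {"style": "other", "value_type": None, "serialized_token": bool(tokens), "resolves": None}
    key_id = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    ref = str_el.find(f"{{{WSSE}}}Reference")
    if key_id is not None:
        result.update(style="key-identifier", value_type=key_id.get("ValueType"))
    elif ref is not None:
        uri = ref.get("URI", "")
        result.update(style="direct-reference", value_type=ref.get("ValueType"),
                      resolves=uri.startswith("#") and uri[1:] in tokens)
    return result


def rewrite_direct_reference_to_ski(security_xml, ski_b64):
    """Option B -> option A: drop the BinarySecurityToken and point KeyInfo at the
    certificate by SubjectKeyIdentifier. ski_b64 is the base64 SKI of the service
    certificate the client already holds (supplied by the caller; this example does
    not parse certificates). Must run before signature verification, and refuses to
    remove a token that is covered by a signed Reference."""
    root = ET.fromstring(security_xml)
    sig, str_el = _locate(root)
    ref = str_el.find(f"{{{WSSE}}}Reference")
    if ref is None:
        return security_xml  # already a key identifier (or something else); leave it alone
    token_id = ref.get("URI", "").lstrip("#")
    signed_ids = {r.get("URI", "").lstrip("#") for r in sig.iter(f"{{{DS}}}Reference")}
    if token_id in signed_ids:
        raise ValueError("BinarySecurityToken is signed; removing it would break the signature")
    for bst in root.findall(f"{{{WSSE}}}BinarySecurityToken"):
        if bst.get(f"{{{WSU}}}Id") == token_id:
            root.remove(bst)
    str_el.remove(ref)
    key_id = ET.SubElement(str_el, f"{{{WSSE}}}KeyIdentifier",
                           {"ValueType": SKI_VALUE_TYPE, "EncodingType": B64_ENCODING})
    key_id.text = ski_b64
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(classify_signing_reference(SAMPLE_OPTION_B))
    print(classify_signing_reference(rewrite_direct_reference_to_ski(SAMPLE_OPTION_B, "gBfL0123lM6cUV5YA4=")))
```

Run it as a script to see the classification of the constructed header before and after the rewrite. The signed-token refusal is the check worth keeping in any encoder built on this idea: a server that signs its own BinarySecurityToken cannot be fixed at the message level, and the configuration change is then the only option.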

@YaronNaveh

19 comments:

Vinay Bhalerao said...

Hi Yaron,

I am new to WCF and facing some errors while processing my client request. Could you please provide your suggestions.
I am passing a DerivedKeytoken from my client. But the WCF fails with error

Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.DerivedKeySecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteReadingPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.LaxModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader

The request that I am passing through the client is

2011-09-15T09:37:46Z2011-09-15T10:07:46ZCN=xxx1111xxxx032XJQeL6nqmBLHN267PSayOtLcpmyEKyKdly9VwOxp1W0=160xxxxxxxx

4

5

I have configured a WCF client which is working correctly. The WCF client request which is passing is

2011-09-16T05:00:54.326Z2011-09-16T05:05:54.326ZxxxxCN=xxxx1111xxxxxxxxxxxx

Can you please let me know exactly where I am going wrong.
What I have to change, either my client or server configs settings?

Please let me know if you more require more information on the same.
Really appreciate your help.

Thanks,
Vinay

Yaron Naveh (MVP) said...

Hi Vinay

Please send me an email with this since XML is not presented correctly in comments.

I would need to know if you are the server or client owner, and which ones can be changed. Also if there is a sample working client I need its config and the server config.

Vinay Bhalerao said...

Yes, I have send you the mail. Please check out and let me know.

Vinay Bhalerao said...

Hi Yaron,

Did you get a chance to look into this?

Yaron Naveh (MVP) said...

Hi Vinay

Just sent you an answer...

Unknown said...

Yaron Shalom!
Your post was very effective for us and helped us solve an ongoing problem

Thank you

Jigar Dalal said...

Hi,

I am having the same problem... I am getting a type B response back... and I am not getting why it still fails. Can you please help? I can provide you with the response XML if you want.

Thanks,
Jigs

Yaron Naveh (MVP) said...

Try setting allowSerializedSigningTokenOnReply="true"

Unknown said...

Hi Yaron,

Thanks for this post. It helped me resolve a similar issue on my service. However I wonder how do you come up with such pieces of resolution. :)
Is it mostly experience or does reading WCF related material/books help in becoming aware about such nuances?

Thanks for the help!

Yaron Naveh (MVP) said...

Hi Unknown

I have worked in an environment where I needed to integrate with many web services of other vendors using security. Each time something went wrong I read about it, experimented with it, hacked it... So it's mostly many hours I've put into the matter.

suvasmita said...

Hi,
Initially I was getting error as -
The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)

I added allowSerializedSigningTokenOnReply="true" in my config .

But now getting the error as -
The X.509 certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.


I have set certificateValidationMode="None"

but no use. Please help.

Yaron Naveh (MVP) said...

please send me your full config

Gao Ling said...

Hi, What if the server side got this error? Any idea how to fix it?

Yaron Naveh (MVP) said...

Hi Gao

The same rules apply - make sure the binding and certificates match. Also, if your server is calling another web service, then it is actually in the client role here.

Gao Ling said...

Hi Yaron,
I already set allowSerializedSigningTokenOnReply to true, but still have the same error. For the client's public key, I just need to add it into the Windows Certificate Store, no need to configure it in WCF, right?
Really don't know what to do now...

Yaron Naveh (MVP) said...

Do you control both service and client? In this case make sure they use the same binding, and also just temporarily use the same private certificate for both (and the same public one). If this works it will prove that there is a certificate issue.

Omer Kara said...

Yaron, I want to ask you another question. If I do not use any certificate and use message security, the SOAP that is transferred between client and server is encrypted. If there is no certificate, how are these messages encrypted and decrypted? And the other question: when I use message security and mutual authentication, I don't know if the WCF service encrypts the SOAP with certificates or encrypts it like in the first question above. I am not sure if I am using certificates while encrypting the SOAP.

Yaron Naveh (MVP) said...

Hi Omer - you can send me the SOAP and I will tell you where the encryption comes from.