Friday, October 1, 2010

WCF: Cannot find a token authenticator

The following is a common error with WCF clients in security interoperability scenarios:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

What does it mean?

When a signed response comes back from the server, it can reference the signing certificate in one of two ways.

Option A (key identifier):


<o:BinarySecurityToken wsu:Id="uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2">
MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78…
</o:BinarySecurityToken>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier" EncodingType="...#Base64Binary">gBfL0123lM6cUV5YA4=</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

Option B (direct reference):

<o:BinarySecurityToken wsu:Id="uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2">
MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78…
</o:BinarySecurityToken>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2"></o:Reference>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

The above error means that the response uses a key identifier, while the client is configured to require a direct reference.
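Before changing the binding it helps to know which of the two options a captured reply actually uses. The script below is an added example, not part of the original post and not WCF's own code: it parses a signed SOAP reply, reports whether the Signature's SecurityTokenReference carries a KeyIdentifier (option A) or a Reference (option B), and for option B checks that the URI resolves to a BinarySecurityToken in the same header. The three sample envelopes are constructed to mirror the snippets above (the token content is a base64 placeholder, not a real certificate); the third deliberately has a dangling URI to show how the failure case is reported.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespace URIs for SOAP 1.1, WS-Security 1.0 and XML Signature.
NS = {
    "s": "http://schemas.xmlsoap.org/soap/envelope/",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
SKI = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def classify_signing_token_reference(envelope_xml: str) -> dict:
    """Report how the reply's signature points at the signing certificate.

    "style" is "key-identifier" (option A), "direct-reference" (option B),
    or "none"/"unknown". For a direct reference the URI is resolved against
    the BinarySecurityToken elements of the same wsse:Security header and the
    token content is checked to be valid base64.
    """
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/o:Security", NS)
    if security is None:
        return {"style": "none", "detail": "no wsse:Security header"}
    str_el = security.find("ds:Signature/ds:KeyInfo/o:SecurityTokenReference", NS)
    if str_el is None:
        return {"style": "none", "detail": "signature carries no SecurityTokenReference"}

    kid = str_el.find("o:KeyIdentifier", NS)
    if kid is not None:
        return {
            "style": "key-identifier",
            "value_type": kid.get("ValueType"),
            "key_identifier": (kid.text or "").strip(),
        }

    ref = str_el.find("o:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        token_id = uri[1:] if uri.startswith("#") else uri
        result = {"style": "direct-reference", "uri": uri, "value_type": ref.get("ValueType")}
        # wsu:Id is a namespaced attribute, so match on its Clark-notation name.
        id_attr = "{%s}Id" % NS["u"]
        token = next((b for b in security.findall("o:BinarySecurityToken", NS)
                      if b.get(id_attr) == token_id), None)
        if token is None:
            result.update(resolved=False, detail="URI does not resolve to a BinarySecurityToken")
            return result
        try:
            raw = base64.b64decode((token.text or "").strip(), validate=True)
        except binascii.Error:
            result.update(resolved=False, detail="BinarySecurityToken is not valid base64")
            return result
        result.update(resolved=True, token_bytes=len(raw))
        return result

    return {"style": "unknown", "detail": "SecurityTokenReference has neither KeyIdentifier nor Reference"}


# Constructed sample data: a placeholder stands in for the DER certificate.
DUMMY_CERT_B64 = base64.b64encode(b"not-a-real-certificate-placeholder").decode()
TOKEN_ID = "uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2"


def _envelope(token_id: str, str_body: str) -> str:
    """Build a minimal signed SOAP reply around the given SecurityTokenReference body."""
    return f"""<s:Envelope xmlns:s="{NS['s']}">
  <s:Header>
    <o:Security xmlns:o="{NS['o']}" xmlns:u="{NS['u']}">
      <o:BinarySecurityToken u:Id="{token_id}" ValueType="{X509V3}"
          EncodingType="{B64}">{DUMMY_CERT_B64}</o:BinarySecurityToken>
      <Signature xmlns="{NS['ds']}">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        </SignedInfo>
        <SignatureValue>dW5yZWxhdGVkLXNhbXBsZQ==</SignatureValue>
        <KeyInfo>
          <o:SecurityTokenReference>{str_body}</o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


REPLY_KEY_IDENTIFIER = _envelope(
    TOKEN_ID, f'<o:KeyIdentifier ValueType="{SKI}" EncodingType="{B64}">gBfL0123lM6cUV5YA4=</o:KeyIdentifier>')
REPLY_DIRECT_REFERENCE = _envelope(TOKEN_ID, f'<o:Reference ValueType="{X509V3}" URI="#{TOKEN_ID}"/>')
# The token in the header has a different Id, so the Reference URI cannot be resolved.
REPLY_DANGLING_REFERENCE = _envelope("some-other-id", f'<o:Reference ValueType="{X509V3}" URI="#{TOKEN_ID}"/>')

if __name__ == "__main__":
    for name, reply in [("option A", REPLY_KEY_IDENTIFIER),
                        ("option B", REPLY_DIRECT_REFERENCE),
                        ("dangling", REPLY_DANGLING_REFERENCE)]:
        print(name, classify_signing_token_reference(reply))
```

Feed it the reply captured with a message logging trace or a network proxy; the "style" field tells you at a glance which option the server chose, and an unresolved direct reference points at a malformed header rather than a binding mismatch.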

How to fix it?

On the client, set allowSerializedSigningTokenOnReply to true on the binding's security element:

<customBinding>
  <binding>
    ...
    <security allowSerializedSigningTokenOnReply="true" />
    ...
  </binding>
</customBinding>

An alternative is to build a custom message encoder that rewrites the response from option B to option A. This is possible because the reference tells us which certificate was used, so we can construct the binary token ourselves. This alternative is considerably harder, and in the general case the configuration change above should be preferred.


8 comments:

Vinay Bhalerao said...

Hi Yaron,

I am new to WCF and facing some errors while processing my client request. Could you please provide your suggestions?
I am passing a DerivedKeyToken from my client. But the WCF fails with error

Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.DerivedKeySecurityToken' token type. Tokens of that type cannot be accepted according to current security settings. at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteReadingPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.LaxModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader

Request that I am passing through client is

2011-09-15T09:37:46Z2011-09-15T10:07:46ZCN=xxx1111xxxx032XJQeL6nqmBLHN267PSayOtLcpmyEKyKdly9VwOxp1W0=160xxxxxxxx
4
5

I have configured a WCF client which is working correctly. The request the WCF client is passing is

2011-09-16T05:00:54.326Z2011-09-16T05:05:54.326ZxxxxCN=xxxx1111xxxxxxxxxxxx

Can you please let me know exactly where I am going wrong.
What I have to change, either my client or server configs settings?

Please let me know if you require more information on the same.
Really appreciate your help.

Thanks,
Vinay

Yaron Naveh (MVP) said...

Hi Vinay

Please send me an email with this since XML is not presented correctly in comments.

I would need to know if you are the server or client owner, and which ones can be changed. Also if there is a sample working client I need its config and the server config.

Vinay Bhalerao said...

Yes, I have sent you the mail. Please check it out and let me know.

Vinay Bhalerao said...

Hi Yaron,

Did you get a chance to look into this?

Yaron Naveh (MVP) said...

Hi Vinay

Just sent you an answer...

Unknown said...

Yaron Shalom!
Your post was very effective for us and helped us solve an ongoing problem.

Thank you

Jigar Dalal said...

Hi,

I am having the same problem... I am getting a type B response back, and I am not getting why it still fails. Can you please help? I can provide you with the response XML if you want.

Thanks,
Jigs

Yaron Naveh (MVP) said...

Try setting allowSerializedSigningTokenOnReply="true"