Friday, October 1, 2010

Wcf: Cannot find a token authenticator

@YaronNaveh

Below is a common error seen with Wcf clients in security interoperability scenarios:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

What does it mean?

When a signed response comes back from the server, it has two ways to reference the signing certificate.

Option A (key identifier):


<o:BinarySecurityToken wsu:Id="uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2">
MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78…
</o:BinarySecurityToken>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:KeyIdentifier ValueType="...#X509SubjectKeyIdentifier" EncodingType="...#Base64Binary">gBfL0123lM6cUV5YA4=</o:KeyIdentifier>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

Option B (direct reference):

<o:BinarySecurityToken wsu:Id="uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2">
MQ+PASL89QWEQW2367ASDDASjn7812ASDDAS781mFSDJK78…
</o:BinarySecurityToken>

<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
    <SignatureMethod Algorithm="...rsa-sha1"></SignatureMethod>
    …
  </SignedInfo>
  <SignatureValue>tWTQzQhKg3zJb75P4sUfMPa3...</SignatureValue>
  <KeyInfo>
    <o:SecurityTokenReference>
      <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-a687c39f-f848-481b-8552-35de5b5a4d51-2"></o:Reference>
    </o:SecurityTokenReference>
  </KeyInfo>
</Signature>

The above error means that the response has a key identifier but the client is configured to require a direct reference.
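To tell which of the two layouts a captured reply actually uses (for instance from WCF message logging or Fiddler), here is a small added diagnostic in Python; it is not part of the original post, and the wsse:Security headers it parses are constructed samples mirroring options A and B above. It classifies the Signature's SecurityTokenReference and, for a direct reference, checks that the URI resolves to a BinarySecurityToken in the same header.

```python
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
WSU_ID = "{%s}Id" % NS["wsu"]
BST = "{%s}BinarySecurityToken" % NS["wsse"]


def classify_signing_token_reference(security_header_xml):
    """Report how the reply's Signature/KeyInfo points at the signing certificate."""
    root = ET.fromstring(security_header_xml)
    str_el = root.find(".//ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return {"style": "none"}
    key_id = str_el.find("wsse:KeyIdentifier", NS)
    if key_id is not None:  # option A: certificate located by a (subject key) identifier
        return {"style": "key_identifier", "value_type": key_id.get("ValueType")}
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:  # option B: direct reference to a serialized token in the header
        uri = ref.get("URI", "")
        target = uri[1:] if uri.startswith("#") else uri
        # the reference is only resolvable if a BinarySecurityToken with that wsu:Id is present
        present = any(t.get(WSU_ID) == target for t in root.iter(BST))
        return {"style": "direct_reference", "uri": uri, "token_present": present,
                "value_type": ref.get("ValueType")}
    return {"style": "unknown"}


def _header(str_body, token_id="uuid-1234"):
    # Constructed wsse:Security header skeleton (not a real captured message)
    return f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:ds="{NS['ds']}">
  <wsse:BinarySecurityToken wsu:Id="{token_id}">MIIB...constructed...</wsse:BinarySecurityToken>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference>{str_body}</wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""


OPTION_A = _header('<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-x509-token-profile-1.0'
                   '#X509SubjectKeyIdentifier">gBfL0123lM6cUV5YA4=</wsse:KeyIdentifier>')
OPTION_B = _header('<wsse:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-'
                   'profile-1.0#X509v3" URI="#uuid-1234"/>')
DANGLING = _header('<wsse:Reference URI="#uuid-missing"/>')  # points at a token that is not in the header

if __name__ == "__main__":
    for name, hdr in (("A", OPTION_A), ("B", OPTION_B), ("dangling", DANGLING)):
        print(name, classify_signing_token_reference(hdr))
```

Run it over the Security header of the logged reply to see whether the server uses a key identifier or a direct reference, and whether a direct reference actually resolves.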

How to fix it?

On your client, configure allowSerializedSigningTokenOnReply to true:

<customBinding>
  <binding>
    ...
    <security allowSerializedSigningTokenOnReply="true" />
    ...
  </binding>
</customBinding>

An alternative can be to build a custom message encoder which changes the response from option B to A. This is possible since the reference tells us which certificate was used, so we can create the binary token ourselves. Of course, this alternative is much harder, and in the general case the former should be preferred.

@YaronNaveh


28 comments:

Vinay Bhalerao said...

Hi Yaron,

I am new to WCF and facing some errors while processing my client request. Could you please provide your suggestions.
I am passing a DerivedKeytoken from my client. But the WCF fails with error

Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.DerivedKeySecurityToken' token type. Tokens of that type cannot be accepted according to current security settings. at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteReadingPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.LaxModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader

Request that I am passing through client is
I have configured a WCF client which is working correctly. WCF client request which is passing

Can you please let me know exactly where I am going wrong.
What I have to change, either my client or server configs settings?

Please let me know if you more require more information on the same.
Really appreciate your help.

Thanks,
Vinay

Yaron Naveh (MVP) said...

Hi Vinay

Please send me an email with this since xml is not presented correctly in comments.

I would need to know if you are the server or client owner, and which ones can be changed. Also if there is a sample working client I need its config and the server config.

Vinay Bhalerao said...

Yes, I have sent you the mail. Please check it out and let me know.

Vinay Bhalerao said...

Hi Yaron,

Did you get a chance to look into this?

Yaron Naveh (MVP) said...

Hi Vinay

Just sent you an answer...

Unknown said...

Yaron Shalom!
Your post was very effective for us and helped us solve an ongoing problem

Thank you

Unknown said...

Hi,

I am having the same problem... I am getting a type B response back... and I am not getting why it still fails. Can you please help? I can provide you with the response XML if you want.

Thanks,
Jigs

Yaron Naveh (MVP) said...

Try setting allowSerializedSigningTokenOnReply="true"

Unknown said...

Hi Yaron,

Thanks for this post. It helped me resolve a similar issue on my service. However I wonder how do you come up with such pieces of resolution. :)
Is it mostly experience or does reading WCF related material/books help in becoming aware about such nuances?

Thanks for the help!

Yaron Naveh (MVP) said...

Hi Unknown

I have worked in an environment where I needed to integrate with many web services of other vendors using security. Each time something went wrong I read about it, experimented with it, hacked it... So it's mostly many hours I've put into the matter.

suvasmita said...

Hi,
Initially I was getting error as -
The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)

I added allowSerializedSigningTokenOnReply="true" in my config.

But now getting the error as -
The X.509 certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.


I have set certificateValidationMode="None"

but no use. Please help

Yaron Naveh (MVP) said...

please send me your full config

Gao Ling said...

Hi, What if the server side got this error? Any idea how to fix it?

Yaron Naveh (MVP) said...

Hi Gao

The same rules apply - make sure the binding and certificates match. Also, if your server is calling another web service, then it is actually in the client role here.

Gao Ling said...

Hi Yaron,
I already set allowSerializedSigningTokenOnReply to true, but still have the same error. For client's public key, just need to add it into Windows Certificate Store, no need to configure it in WCF, right?
Really don't know what to do now...

Yaron Naveh (MVP) said...

Do you control both service and client? In this case make sure they use the same binding, and also just temporarily use the same private certificate for both (and the same public). If this works this will prove that there is a certificate issue.

Unknown said...

Yaron, I want to ask you another question. If I do not use any certificate and use message security, the soap that is transferred between client and server is encrypted. If there is no certificate, how are these messages encrypted and decrypted? And the other question: I don't know, when I use message security and mutual authentication, if the wcf service encrypts the soap with certificates or encrypts the soap like in the first question. I mean, I am not sure if I am using certificates while encrypting the soap

Yaron Naveh (MVP) said...

Hi Omer - you can send me the SOAP and I will tell you where the encryption comes from.

cold said...

Hi, I'm having the same error with my service and have been stuck with it for 3 days. I did a lot of research that brought me here.

Server stack trace:
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)


Event Viewer says:

MessageSecurityException: Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.DerivedKeySecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.


I don't know who's the culprit. Is it the STS provider, the certificate or the service itself?

Thanks,
Jr

Yaron Naveh (MVP) said...

Hi JR

You use an STS, it can take some time to find the right configuration in such scenarios.
To work methodically you need to first have a sample working soap request/response from a working client. This includes client-sts and client-server messages. Then compare what a working client sends to what you send. You might even want to set up a temporary STS and server in WCF just to test your client and the end to end comparison of messages.

Right now it seems your binding to the STS does not match the incoming response, so try to get that response using WCF logging (or Fiddler) and send it to me as well as your config.

cold said...

Thanks for the reply Yaron. I'll try it and let you know.

cold said...

Hi Yaron,

I emailed you what I got based on Fiddler and my observation. I tried to post but I exceeded the limit of characters.

Thanks,
Jr

Anonymous said...

Hi Yaron,

My question is the opposite of this.

In my case the SAML request is generated with ADFS and sent to access WCF. It is showing the following error.

"Cannot read KeyIdentifierClause from element 'Reference' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'. Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples."

SecurityTokenReference tag :-

Are there any methods to resolve this on the WCF end?

I would appreciate your comment.

Regards,
Madura

Yaron Naveh (MVP) said...

Sorry Madura I have not encountered this issue. Try to read about CustomTokenSerializers.

Unknown said...

Hi Yaron.

I ran into a similar issue to the one you described and I posted the problem on stackoverflow (http://stackoverflow.com/questions/34533963/wcf-client-failes-to-authenticate-java-web-service-cannot-find-a-token-authenti). If you have any additional idea I will be more than grateful. Right now I started to build a Custom Message Encoder but this will be more a workaround than a solution.

Unknown said...

hello,

I have spent many hours trying to run my client to consume the webservices, but I get nothing.
I don't know what to do. I have examples of the request and response.

I'm using Dynamics AX 2012 as a client, which uses a c# library.
In my code I assign a private certificate to "ClientCertificate"

Now, after going through many other errors, the error I get is:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings

The client service is configured as follows:

app.config

This is my request example from the service's admin:

I would be very grateful for any help

Unknown said...

Hi, please help me, I am getting the error: The server cannot service the request because the media type is unsupported