Comments on Yaron Naveh's Web Services 2.0 Blog: Wcf: Cannot find a token authenticator
Yaron Naveh (MVP), feed updated 2024-03-12T11:12:59.606+02:00

Anonymous (2017-10-06T13:37:06.569+03:00):
Hi Plzzzz help me I am getting error The server cannot service the request because the media type is unsupported

Unknown (2016-09-21T12:54:15.379+03:00):
Hello,

I have spent many hours to run my client to consume webservices, but I get nothing.
I don't know what to do. I have examples of the request and response.

I'm using as a client Dynamics AX 2012, which uses a library c#.
In my code I assign a private certificate to "ClientCertificate"

Now, after going through many other errors, the error I get is:
Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings

The client service is configured as follows:

app.config

This is my request example from the service's admin:

2013-02-04T14:26:24.586Z
2013-02-04T14:31:24.586Z

any help would be very grateful

Anonymous (2015-12-31T15:08:06.145+02:00):
Hi Yaron.

I ran into a similar issue to the one you described and I did post the problem on stackoverflow (http://stackoverflow.com/questions/34533963/wcf-client-failes-to-authenticate-java-web-service-cannot-find-a-token-authenti). If you would have any additional idea I will be more than grateful. Right now I started to build a Custom Message Encoder but this will be more a workaround than a solution.

Yaron Naveh (MVP) (2015-09-18T18:01:13.898+03:00):
Sorry Madura I have not encountered this issue. Try to read about CustomTokenSerializers.

Anonymous (2015-09-17T09:48:54.797+03:00):
Hi Yaron,

My question is opposite this.

In my case the SAML request is generated with ADFS and sent to access WCF. It is showing the following error.

"Cannot read KeyIdentifierClause from element 'Reference' with namespace 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'. Custom KeyIdentifierClauses require custom SecurityTokenSerializers, please refer to the SDK for examples."

SecurityTokenReference tag :-

Are there any methods to resolve this on the WCF end?

I would appreciate your comment.

Regards,
Madura

cold (2014-09-29T13:37:40.362+03:00):
Hi Yaron,

I emailed you what I got based on Fiddler and my observation. I tried to post but I exceeded the limit of characters.

Thanks,
Jr

cold (2014-09-27T20:52:45.777+03:00):
Thanks for the reply Yaron. I'll try it and let you know.

Yaron Naveh (MVP) (2014-09-26T14:49:05.451+03:00):
Hi JR

You use an STS, it can take some time to find the right configuration in such scenarios.
To work methodically you need to first have a sample working soap request/response from a working client. This includes client-sts and client-server messages. Then compare what a working client sends to what you send. You might even want to set up a temporary STS and server in WCF just to test your client and the end to end comparison of messages.

Right now it seems your binding to the STS does not match the incoming response, so try to get that response using WCF logging (or Fiddler) and send it to me as well as your config.

cold (2014-09-26T14:43:21.717+03:00):
Hi, I'm having the same error with my service and got stuck with it also 3 days. I did a lot of research that brought me here.

Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Event Viewer says:

MessageSecurityException: Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.DerivedKeySecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

I don't know who's the culprit. Is it the STS provider, certificate or the service itself.

Thanks,
Jr

Yaron Naveh (MVP) (2014-09-04T15:33:30.365+03:00):
Hi Omer - you can send me the SOAP and I will tell you where the encryption comes from.

Anonymous (2014-09-04T00:24:09.208+03:00):
Yaron I want to ask you another question. If I do not use any certificate and use message security, the soap that is transferred between client and server is encrypted. If there is no certificate how are these messages encrypted and decrypted. And the other question, I don't know when I use message security and mutual authentication If wcf service encrypt soap with certificates or encrypt soap like below first question. I am in, I am not sure If I am using certificates while encrypt the soap

Yaron Naveh (MVP) (2014-06-24T20:37:50.051+03:00):
Do you control both service and client? In this case make sure they use the same binding, and also just temporarily use the same private certificate for both (and the same public). If this works this will prove that there is a certificates issue.

Gao Ling (2014-06-24T13:16:08.816+03:00):
Hi Yaron,
I already set allowSerializedSigningTokenOnReply to true, but still have the same error. For client's public key, just need to add it into Windows Certificate Store, no need to configure it in WCF, right?
Really don't know what to do now...

Yaron Naveh (MVP) (2014-06-24T12:01:36.624+03:00):
Hi Gao

The same rules apply - make sure the binding and certificates match. Also, if your server is calling another web service, then it is actually in the client role here.

Gao Ling (2014-06-24T10:34:52.344+03:00):
Hi, What if the server side got this error? Any idea how to fix it?

Yaron Naveh (MVP) (2013-09-13T14:13:28.920+03:00):
please send me your full config

suvasmita (2013-09-13T12:52:05.996+03:00):
Hi,
Initially I was getting error as -
The identity check failed for the outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)

I added allowSerializedSigningTokenOnReply="true" in my config.

But now getting the error as -
The X.509 certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.

I have set certificateValidationMode="None"

but no use. Plz help

Yaron Naveh (MVP) (2013-08-08T19:46:25.864+03:00):
Hi Unknown

I have worked in an environment where I need to integrate with many web services of other vendors using security. Each time something went wrong I read about it, experienced with it, hacked it... So it's mostly many hours I've put into the matter.

Unknown (2013-08-08T18:13:37.017+03:00):
Hi Yaron,

Thanks for this post. It helped me resolve a similar issue on my service. However I wonder how do you come up with such pieces of resolution. :)
Is it mostly experience or does reading WCF related material/books help in becoming aware about such nuances?

Thanks for the help!

Yaron Naveh (MVP) (2013-05-22T16:07:08.528+03:00):
Try setting allowSerializedSigningTokenOnReply="true"

Anonymous (2013-05-22T02:41:45.423+03:00):
Hi,

I am having the same problem... I am getting type B response back.. and I am not getting why it still fails. Can you please help? I can provide you with response XML if you want.

Thanks,
JIgs

Unknown (2012-10-24T08:55:25.627+02:00):
Yaron Shalom!
Your post was very effective for us and helped us solve an ongoing problem

Thank you

Yaron Naveh (MVP) (2011-09-21T17:47:48.894+03:00):
Hi Vinay

Just sent you an answer...

Vinay Bhalerao (2011-09-21T09:00:09.032+03:00):
Hi Yaron,

Did you get a chance to look into this?