
I have created a Security Token Service (STS), a service with a reference to the STS and an example desktop application.

This works as expected when using Windows authentication and Message security: a token is retrieved from the STS and the service method is called successfully. The service returns a string containing the current user's identity, which returns my AD username.

I have a requirement however to authenticate against a database rather than AD. I have tried creating a CustomUserNameValidator (in the STS, is this the correct place?) and referencing it in the web.config. I then provide the credentials as shown below.

    SampleServiceReference.SampleServiceClient client = new SampleServiceReference.SampleServiceClient();
    client.ClientCredentials.UserName.UserName = "alex";
    client.ClientCredentials.UserName.Password = "pass";

I believe the certificates are set up correctly (all using 'localhost'), however I receive the following exception when calling the service:

    System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.

Whatever I try seems to fail. Is what I am describing even possible? Does the service client also pass the client credentials through to the STS, or am I completely misunderstanding what is happening here?

This Stack Overflow question is similar (WIF STS ID3242); however, I have checked the audience URL and it seems ok.

Has anyone got any advice on how I can achieve custom authentication when using a STS?

Alex
  • Now that I've resolved my problem I thought I'd update this in case anyone else is having similar issues. A CustomUserNameValidator isn't what I needed, instead it was a CustomNamePasswordValidatorSecurityTokenHandler that implemented either UserNameSecurityTokenHandler or WindowsUserNameSecurityTokenHandler. Take a look at example 4 from the solution here http://claimsid.codeplex.com – Alex May 13 '11 at 10:23

2 Answers

Have a look at StarterSTS.

The full source code is provided and it authenticates against the standard aspnetdb roles based SQL DB. There are a number of videos to help you get it up and running.

This project was then turned into ASP MVC - IdentityServer. This isn't quite as mature wrt the help files etc.

rbrayb
  • Thanks for the links, I've come across StarterSTS already. It's a great example of how to use a STS with membership and profile providers, however I don't believe it contains a sample of securing a WCF service using STS and username/password credentials - which seems to be my problem. – Alex May 11 '11 at 21:47
  • Just had a look at IdentityServer, this looks promising and might solve my problem. http://identityserver.codeplex.com/SourceControl/changeset/view/57233#1154163 – Alex May 11 '11 at 21:51
  • Yeah - 90% of the documentation in this area is around the passive rather than the active profile. I presume you started off with the WCF STS templates in VS 2010? (the ones that come with the WIF SDK). – rbrayb May 11 '11 at 23:40

Update: the code samples referenced below are not available anymore (Codeplex doesn't exist). The book download does and it is here: https://www.microsoft.com/en-us/download/details.aspx?id=28362

There's a simple example of what you need here: http://claimsid.codeplex.com

Look at either sample 8 or 4.

Small clarification though. The username/password authentication is on the STS, not on your service. Your service will authenticate with a security token obtained from the STS.

Eugenio Pace
  • Thanks a lot! Example 4 is exactly what I spent all day yesterday implementing, so this confirms that what I have done is correct. Wish I'd found it earlier! – Alex May 13 '11 at 10:13
  • Thanks for answering this question. However, please give a summary of the link you posted. Links may vanish or (in my case) not be permitted access behind a company firewall. – mzuther Jun 24 '22 at 10:14
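As an added example (not code from the question, the answers or the claimsid samples) of what Alex's follow-up comment and this answer describe: a custom UserNameSecurityTokenHandler installed in the WIF 3.5 (Microsoft.IdentityModel) STS, so the username/password check happens at the STS while the WCF service only validates the issued token. The connection string, the dbo.Users table with PasswordSalt/PasswordHash columns and the PBKDF2 storage scheme are assumptions.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Tokens;

// Registered in the STS's <securityTokenHandlers> in place of the default
// WindowsUserNameSecurityTokenHandler, so the UsernameToken carried by the client's
// RequestSecurityToken is checked against a database rather than Active Directory.
public class DatabaseUserNameSecurityTokenHandler : UserNameSecurityTokenHandler
{
    // Connection string, table and column names are assumptions for this example.
    private const string ConnectionString = "Data Source=.;Initial Catalog=StsUsers;Integrated Security=True";
    public override bool CanValidateToken { get { return true; } }
    public override ClaimsIdentityCollection ValidateToken(SecurityToken token)
    {
        UserNameSecurityToken userNameToken = token as UserNameSecurityToken;
        if (userNameToken == null) throw new SecurityTokenException("Expected a UserNameSecurityToken.");
        // Any failure reaches the client as the generic ID3242 fault, so whether the
        // user name or the password was wrong is not disclosed over the wire.
        if (!CredentialsAreValid(userNameToken.UserName, userNameToken.Password))
            throw new SecurityTokenValidationException("Invalid user name or password.");
        // These claims go into the token that the WCF service (the relying party) later validates.
        IClaimsIdentity identity = new ClaimsIdentity(new List<Claim> { new Claim(ClaimTypes.Name, userNameToken.UserName) });
        return new ClaimsIdentityCollection(new List<IClaimsIdentity> { identity });
    }
    // Parameterised lookup of the stored PBKDF2 salt and hash; the clear-text password
    // is never stored, and the comparison does not short-circuit on the first mismatch.
    private static bool CredentialsAreValid(string userName, string password)
    {
        const string sql = "SELECT PasswordSalt, PasswordHash FROM dbo.Users WHERE UserName = @u";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@u", userName);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return false;
                byte[] salt = (byte[])reader[0], stored = (byte[])reader[1];
                byte[] computed = new Rfc2898DeriveBytes(password, salt, 10000).GetBytes(stored.Length);
                int diff = 0;
                for (int i = 0; i < stored.Length; i++) diff |= stored[i] ^ computed[i];
                return diff == 0;
            }
        }
    }
}
```

The handler replaces the default Windows one in the STS configuration; the relying-party service keeps validating the issued token and never sees the password.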