
I am receiving the following error from my WCF Client. "The address of the security token issuer is not specified. An explicit issuer address must be specified in the binding for target 'http://site.com/TLAPI.svc' or the local issuer address must be configured in the credentials."

I am trying to connect to a SharePoint Service Application. I have added the service reference which generated the client class below. Here is my code thus far:

```csharp
// Client proxy generated by "Add Service Reference" for ITipAndLeadAPIContract;
// the endpoint configuration name and the service address are passed explicitly.
TipAndLeadAPIContractClient client = new TipAndLeadAPIContractClient(
    @"CustomBinding_ITipAndLeadAPIContract", @"http://site.com/TLAPI.svc");

// Never pop up a credential UI; fail instead if credentials are missing.
client.ChannelFactory.Credentials.SupportInteractive = false;

// Username/password credential (presented to the STS if its binding asks for one).
client.ClientCredentials.UserName.UserName = "user";
client.ClientCredentials.UserName.Password = "password";

client.ConvertToTLForm(@"C:\Clients\ServiceApplication\CAP\capsample1.xml", "tl_library", "http://site/");
```

Here is my client side binding configuration:

```xml
<binding name="CustomBinding_ITipAndLeadAPIContract">
  <security defaultAlgorithmSuite="Default" authenticationMode="IssuedToken"
            requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
            keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
            messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
            requireSignatureConfirmation="false">
    <issuedTokenParameters keyType="SymmetricKey" tokenType="" />
    <localClientSettings cacheCookies="true" detectReplays="true"
                         replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
                         replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
                         sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
                         timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
    <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
                          maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
                          negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
                          sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
                          reconnectTransportOnFailure="true" maxPendingSessions="128"
                          maxCachedCookies="1000" timestampValidityDuration="00:05:00" />
    <secureConversationBootstrap />
  </security>
  <binaryMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16" maxSessionSize="2048">
    <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
                  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  </binaryMessageEncoding>
  <httpTransport manualAddressing="false" maxBufferPoolSize="524288"
                 maxReceivedMessageSize="65536" allowCookies="false" authenticationScheme="Anonymous"
                 bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
                 keepAliveEnabled="true" maxBufferSize="65536" proxyAuthenticationScheme="Anonymous"
                 realm="" transferMode="Buffered" unsafeConnectionNtlmAuthentication="false"
                 useDefaultWebProxy="true" />
</binding>
```

And here is my Service Application binding configuration:

```xml
<binding name="CalcServiceHttpBinding">
  <security authenticationMode="IssuedToken" allowInsecureTransport="true" />
  <binaryMessageEncoding>
    <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152" />
  </binaryMessageEncoding>
  <httpTransport maxReceivedMessageSize="2162688" authenticationScheme="Ntlm" useDefaultWebProxy="false" />
</binding>
```

Thanks in advance.

Meyer Denney

1 Answer


The binding is set up with an IssuedToken credential type:

```xml
<issuedTokenParameters keyType="SymmetricKey" tokenType="" />
```

First, I'm not sure why your tokenType attribute is blank. This should be set to the type of token that is going to be negotiated, such as a SAML token which would be tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" for example.

Next, that node has a child node called <issuer> which allows you to specify the address of a secure token server (STS) that the client should use to negotiate the token. The exception that you're getting is telling you that this specifically is not configured. An <issuer> element might look like this:

```xml
<issuer address="https://someserver/SomeSTS" binding="<some binding type>" bindingConfiguration="<some binding configuration for the STS>" />
```

In addition to the address you'll want to specify the binding type that should be used along with any custom configuration that you might need to be able to talk with the STS.

Drew Marsh
  • Do you have any good sites or literature on how to create a Secure Token Server? – Meyer Denney Oct 11 '11 at 23:35
    There's a pretty good article here[1] on MSDN detailing how to use the "Geneva" framework to build a custom STS. Sure is a lot easier than what it used to be without "Geneva", so I suggest going that route. [1] http://msdn.microsoft.com/en-us/magazine/dd347547.aspx – Drew Marsh Oct 11 '11 at 23:40
  • There isn't a more updated version of that? It is from 2008 and a lot of the assemblies are out of date. When I reference the newer assemblies, I have to modify the code a lot and get a lot of build errors. – Meyer Denney Oct 12 '11 at 16:26
    You can find tons of info via the Identity Management hub on MSDN: http://msdn.microsoft.com/en-us/security/aa570351.aspx – Drew Marsh Oct 12 '11 at 16:44
  • Is it completely necessary to have a STS for this WCF Client? Is there another, simpler route perhaps? I am running into a deadline time crunch =/ – Meyer Denney Oct 12 '11 at 17:09
    Whether or not you are using an STS is determined by the services you are talking to. If the service is defined as taking tokens then there has to be an STS out there already that the service is meant to work with. You should not, as the person writing the client, have to worry about implementing an STS of your own. If you own the service and you don't want to use issued tokens, then just change the security scheme for the service to UsernameOverTransport or something. – Drew Marsh Oct 12 '11 at 18:13