IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Error: Using WS Trust Message Username security endpoint to protect WCF Service #429

Closed VijayGaddam closed 11 years ago

VijayGaddam commented 11 years ago

allen/dominick, I have an ASP.NET website protected by IdentityServer STS using WS-Federation binding. This web application calls a WCF service which is also protected by the same STS, using the WS-Trust message security endpoint of the STS. Below is the WCF service config.

When calling the WCF service in the usual way, using the default proxy created by svcutil, I get the following error:

Client cannot determine the Service Principal Name based on the identity in the target address 'http://xyz/Idsrv/issue/wstrust/message/username' for the purpose of SspiNegotiation/Kerberos. The target address identity must be a UPN identity (like acmedomain\alice) or SPN identity (like host/bobs-machine)

Here is my WCF config and website config (image).

VijayGaddam commented 11 years ago

allen/dominick, what will be the endpoint identity for the WS-Trust message username security endpoint of the Idsrv STS, http://xyz/Idsrv/issue/wstrust/message/username? Isn't that the app pool identity of IIS under which Idsrv is running?

VijayGaddam commented 11 years ago

I decided not to use the default configuration created by svcutil and followed the code from the MVC and WCF samples. I modified the code to use message security instead of transportWithMessageCredential and was able to get the token back from the STS with the appliesTo value set to the WCF service URL xyz.svc. When I used this token to call the WCF service I got the following error: "Derived Key Token cannot derive key from the secret."

I added the WCF service server certificate's public key as the encryption key in the WCF service relying party configuration.

leastprivilege commented 11 years ago

Never had that error before. Start from scratch using the sample.

VijayGaddam commented 11 years ago

Thanks Dominick, I got it working when I set the keytype to symmetric.

However, since the backend service is protected by the same STS as the web front end and needs the same claims, what are my options for my web app front end to get the token to call the backend WCF service? Since the user gets authenticated at the STS before landing on the web app front end, my web app doesn't have the user's password to get the token for the backend WCF service from the STS.

Is there a way I can get a symmetric key token for the backend WCF service based on the bearer token I have in hand for my front end web app?

leastprivilege commented 11 years ago

Sounds like you want to use identity delegation. Check the WIF docs.
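The delegation flow Dominick points at, written out as an added example; this is not code from the thread, the IdentityServer project, or the WIF docs. Assumed here: an `IBackendService` contract, the backend address, the STS and backend certificates together with the DNS names on them, and a username/password the front end itself holds at the STS. The STS endpoint URL is the one quoted in the thread. The front end authenticates to the STS with its own credentials, puts the user's WS-Federation bootstrap token in the ActAs element, asks for a symmetric-key token scoped to the backend (the key type the thread settled on), and calls the backend with that token; the last helper is the validity check to apply before reusing a cached delegated token.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// Assumed backend contract; the thread never shows the real one.
[ServiceContract]
public interface IBackendService
{
    [OperationContract]
    string Echo(string text);
}

public static class DelegatedBackendCall
{
    // STS endpoint quoted in the thread; the backend address is an assumption.
    const string StsUsernameEndpoint = "http://xyz/Idsrv/issue/wstrust/message/username";
    const string BackendAddress = "http://xyz/backend/service.svc";

    // The token the user signed in with, kept by WIF only when
    // <identityConfiguration saveBootstrapContext="true"> is set in web.config.
    public static SecurityToken GetBootstrapToken()
    {
        var identity = (ClaimsIdentity)ClaimsPrincipal.Current.Identity;
        var context = identity.BootstrapContext as BootstrapContext;
        if (context == null || context.SecurityToken == null)
            throw new InvalidOperationException("No bootstrap token; enable saveBootstrapContext.");
        return context.SecurityToken;
    }

    // The web app authenticates with its own credentials; the user's token travels in ActAs,
    // so the issued token carries the user's claims plus an ActAs claim naming the web app.
    // No user password is ever needed by the front end.
    public static SecurityToken RequestActAsToken(
        SecurityToken bootstrapToken, string appUser, string appPassword, X509Certificate2 stsCertificate)
    {
        var binding = new WS2007HttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        // A DNS identity (from the STS certificate) avoids the SPN/UPN negotiation error from the thread.
        var address = new EndpointAddress(new Uri(StsUsernameEndpoint),
            EndpointIdentity.CreateDnsIdentity(stsCertificate.GetNameInfo(X509NameType.DnsName, false)));

        var factory = new WSTrustChannelFactory(binding, address) { TrustVersion = TrustVersion.WSTrust13 };
        factory.Credentials.UserName.UserName = appUser;
        factory.Credentials.UserName.Password = appPassword;
        factory.Credentials.ServiceCertificate.DefaultCertificate = stsCertificate;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(BackendAddress),
            KeyType = KeyTypes.Symmetric,               // symmetric proof key, as fixed earlier in the thread
            ActAs = new SecurityTokenElement(bootstrapToken)
        };

        return factory.CreateChannel().Issue(rst);
    }

    // WCF signs the request with the proof key inside the delegated token; the backend
    // verifies it against the STS-issued token without seeing any user credential.
    public static string CallBackend(SecurityToken delegatedToken, X509Certificate2 serviceCertificate, string text)
    {
        var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.Message);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.IssuedKeyType = SecurityKeyType.SymmetricKey;

        var address = new EndpointAddress(new Uri(BackendAddress),
            EndpointIdentity.CreateDnsIdentity(serviceCertificate.GetNameInfo(X509NameType.DnsName, false)));

        var factory = new ChannelFactory<IBackendService>(binding, address);
        factory.Credentials.SupportInteractive = false;
        factory.Credentials.UseIdentityConfiguration = true;   // let WIF handle the issued token
        factory.Credentials.ServiceCertificate.DefaultCertificate = serviceCertificate;

        var proxy = factory.CreateChannelWithIssuedToken(delegatedToken);
        return proxy.Echo(text);
    }

    // Reuse a cached delegated token only while it is still inside its validity window.
    public static bool IsStillUsable(SecurityToken token, TimeSpan clockSkew)
    {
        return token != null && DateTime.UtcNow + clockSkew < token.ValidTo;
    }
}
```

Keep any cached delegated token keyed by user and by the backend it was issued for (AppliesTo), and drop it once `IsStillUsable` returns false; the backend will reject an expired token anyway, so caching past `ValidTo` only turns a clean re-request into a failed call.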

VijayGaddam commented 11 years ago

Hi Dominick. All is well now after I found this link: http://leastprivilege.com/2011/05/24/requesting-delegation-actas-tokens-using-wstrustchannel-as-opposed-to-configuration-madness/ Looks like I can also cache the delegated token to use it for further calls to the same service. Do you think it is a bad idea?

On a separate note, since we are a US based company, our management prefers to contract with a US based company or individual professionals who can offer 24 hour consulting services on this product. I don't know all the legal issues they are concerned about, but that is what is stopping them from giving us a green light to proceed with the product. We developers feel comfortable and think it is an awesome product, but management's concerns need to be alleviated before we get a green light.

What options do we have? Also, my management has been trying to contact thinktecture via email for the same reason but hasn't got any response.

I apologize if this is not the right place or right question to ask you.

brockallen commented 11 years ago

@VijayGaddam -- Please email office@thintecture.com for questions related to consulting services. Thanks.

VijayGaddam commented 11 years ago

Hi Allen, we did email a couple of times but got no response.

brockallen commented 11 years ago

Yes, I replied to a few emails today so hopefully one of them was it :)