IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Wsfed endpoint = 401 errors when called from AS #800

Closed JohnPenn-PCG closed 9 years ago

JohnPenn-PCG commented 9 years ago

I'm trying to get AuthorizationServer to correctly show the IdSrv login page so that I can actually log in to AS and use it. I'm a little new to this area of .NET development so I'm still in the learning process, but I think I've misconfigured something basic here.

I cannot get past the following error:

HTTP Error 401.0 - Unauthorized You do not have permission to view this directory or page. Requested URL https://localhost:443/IdSrv/issue/wsfed?wa=wsignin1.0&wtrealm=urn%3aidentityserver

I have IdSrv setup as its own IdP, based on instructions I found for issue 484. Here are my IdSrv settings:

- Site ID: urn:identityserver
- All protocols enabled
- RP Realm: urn:identityserver
- RP redirect url: https://localhost/IdSrv/issue/hrd
- IP wsfed endpoint: https://localhost/IdSrv/issue/wsfed

AS config:

- wsFederation issuer: https://localhost/IdSrv/issue/wsfed
- wsFederation realm: urn:authorizationserver

Versions:

- IdSrv source version 2.5
- AS source version ? (latest as of 2014-9-17)

IdSrv is at https://localhost/IdSrv and runs in its own app pool. AS is at https://localhost/AuthSrv and runs in its own app pool.

Any assistance/hints would be appreciated. Let me know if I should provide more info as to my config.

brockallen commented 9 years ago

Your user needs to be in the "IdentityServerUsers" role to have the permission to have the token issued for them.

JohnPenn-PCG commented 9 years ago

I have a user named "authadmin" which is in the IdentityServerUsers role. That is the only user in the AuthorizationServerAdministrators table. I'm still getting the same error. Is there something else I can try?

brockallen commented 9 years ago

No, I meant in IdentityServer itself -- for users to be allowed to use IdentityServer and get tokens they have to be in the IdentityServerUser role.

The AuthorizationServerAdministrators table is for AuthorizationServer to know which users from the STS can configure AuthorizationServer.

JohnPenn-PCG commented 9 years ago

OK, that's how I configured the user in IdentityServer:

[screenshot]

This is the user that is in the AuthorizationServerAdministrators table.

brockallen commented 9 years ago

Hmmm, ok then... we're back to square one. Looking again at your question, these values look strange to me:

- RP redirect url: https://localhost/IdSrv/issue/hrd
- IP wsfed endpoint: https://localhost/IdSrv/issue/wsfed

Are you using HRD? Why is the RP's return URL the hrd endpoint?

JohnPenn-PCG commented 9 years ago

Yes I am using HRD.

I followed your screencaps from issue 484 - in the RP config for IdSrv, you have the hrd endpoint specified for the Redirect URL:

[screenshot]

JohnPenn-PCG commented 9 years ago

I have some new information based on additional evaluation & testing.

On a hunch, I downloaded the distributable version of IdSrv 2.5 and deployed it locally. The only change I made was to the connection strings to point to my existing IdSrv databases.

Now, when I try to run AS, I get the IdSrv login prompt! However when I enter the "authadmin" credentials I get the following error within AS:

"ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key."

So it looks like I have some more work to do with encryption cert configs somewhere...?

As to why the distributable version of IdSrv works and the source version does not, I can only think of 2 possibilities:

1) An update to one or more NuGet packages contained a breaking change
2) The IdSrv source & distributable codebases are out-of-sync

My money is on #1 :)

JohnPenn-PCG commented 9 years ago

More good news - if I remove the encryption cert from the AS & IdSrv RPs, then I can log in to AS successfully - no more ID4022 errors. :)

Also, possibility #1 above doesn't seem to be the case. I compared all of the packages.config files between the source version that is broken and the distributable version that works, and they are identical.

JohnPenn-PCG commented 9 years ago

I have found the reason why the IdSrv source was not working as expected so I will close this ticket.

In the web.config for IdSrv, the authentication mode was changed from "Forms" to "Windows" (I honestly do not remember making that change; there would have been no reason for me to do so, but there it is nonetheless). When I changed it back to "Forms" I was able to log in to AS while running the IdSrv source in VS2012.

Thanks Brock and Dominick.