Does anyone know how to create a custom WCF ClaimedAwareService using ADFS?

Question
I created a simple ClaimedAwareService from VS2010, added an STS reference, and created a relying party trust on ADFS. When I run the service, it produces this error. I can't resolve the issue after searching for solutions. Does any

Server Error in '/SecureWCFService' Application.
The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress

Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: context.ListenUriBaseAddress]
   System.ServiceModel.Channels.TransportChannelListener..ctor(TransportBindingElement bindingElement, BindingContext context, MessageEncoderFactory defaultMessageEncoderFactory, HostNameComparisonMode hostNameComparisonMode) +16404606
   System.ServiceModel.Channels.HttpChannelListener..ctor(HttpTransportBindingElement bindingElement, BindingContext context) +215
   System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener(BindingContext context) +131
   System.ServiceModel.Channels.DatagramChannelDemuxer`2..ctor(BindingContext context) +110
   System.ServiceModel.Channels.ChannelDemuxer.GetTypedDemuxer(Type channelType, BindingContext context) +313
   System.ServiceModel.Channels.ChannelDemuxer.BuildChannelListener(BindingContext context, ChannelDemuxerFilter filter) +61
   System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener() +73
   System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener(MessageFilter filter, Int32 priority) +177
   System.ServiceModel.Security.SecuritySessionServerSettings.CreateInnerChannelListener() +297
   System.ServiceModel.Channels.SecurityChannelListener`1.InitializeListener(ChannelBuilder channelBuilder) +103
   System.ServiceModel.Channels.SymmetricSecurityBindingElement.BuildChannelListenerCore(BindingContext context) +1901
   System.ServiceModel.Channels.SecurityBindingElement.BuildChannelListener(BindingContext context) +353
   System.ServiceModel.Channels.Binding.BuildChannelListener(Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters) +166
   System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession) +16574294
   System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result) +583
   System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost) +2020
   System.ServiceModel.ServiceHostBase.InitializeRuntime() +82
   System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +64
   System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +789
   System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +255
   System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +1172

[ServiceActivationException: The service '/SecureWCFService/Service.svc' cannot be activated due to an exception during compilation. The exception message is: The provided URI scheme 'https' is invalid; expected 'http'. Parameter name: context.ListenUriBaseAddress.]
   System.Runtime.AsyncResult.End(IAsyncResult result) +901424
   System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +178382
   System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +107
- Moved by Feridun Kadir MCTMVP, Moderator Tuesday, September 25, 2012 6:33 PM More appropriate for the development forum (From:CRM Deployment)
Tuesday, September 25, 2012 5:24 PM
All replies
-
Hi,
can you please provide your configuration file for your service?
Looks like a configuration error.
Greetings,
Pavlos
Tuesday, October 2, 2012 11:39 AM -
I followed the same steps and am getting the same error message. Any help would be appreciated.
Here's my service's web.config:
<?xml version="1.0"?>
<!--
  Note: As an alternative to hand editing this file you can use the
  web admin tool to configure settings for your application. Use the
  Website->Asp.Net Configuration option in Visual Studio.
  A full list of settings and comments can be found in
  machine.config.comments usually located in
  \Windows\Microsoft.Net\Framework\v2.x\Config
-->
<configuration>
  <configSections>
    <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>
  <appSettings>
    <add key="FederationMetadataLocation" value="https://sts.mco-p.atct.ionharris.com/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
  <connectionStrings />
  <location path="FederationMetadata">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
  <system.web>
    <!--
      Set compilation debug="true" to insert debugging symbols into the compiled page.
      Because this affects performance, set this value to true only during development.
    -->
    <compilation debug="true" targetFramework="4.0">
      <assemblies>
        <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </assemblies>
    </compilation>
    <!--
      The <authentication> section enables configuration of the security authentication mode
      used by ASP.NET to identify an incoming user.
    -->
    <authentication mode="Windows" />
    <!--
      The <customErrors> section enables configuration of what to do if/when an unhandled error
      occurs during the execution of a request. Specifically, it enables developers to configure
      html error pages to be displayed in place of a error stack trace.

      <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
        <error statusCode="403" redirect="NoAccess.htm" />
        <error statusCode="404" redirect="FileNotFound.htm" />
      </customErrors>
    -->
    <pages>
      <controls>
        <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
      </controls>
    </pages>
  </system.web>
  <system.web.extensions>
    <scripting>
      <webServices>
        <!-- Uncomment this section to enable the authentication service. Include requireSSL="true" if appropriate. -->
        <!-- <authenticationService enabled="true" requireSSL = "true|false"/> -->
        <!-- Uncomment these lines to enable the profile service, and to choose the profile properties that can be retrieved and modified in ASP.NET AJAX applications. -->
        <!-- <profileService enabled="true" readAccessProperties="propertyname1,propertyname2" writeAccessProperties="propertyname1,propertyname2" /> -->
        <!-- Uncomment this section to enable the role service. -->
        <!-- <roleService enabled="true"/> -->
      </webServices>
      <!-- <scriptResourceHandler enableCompression="true" enableCaching="true" /> -->
    </scripting>
  </system.web.extensions>
  <system.serviceModel>
    <services>
      <service name="ClaimsAwareWCFService1.Service" behaviorConfiguration="ClaimsAwareWCFService1.ServiceBehavior">
        <endpoint address="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/"
                  binding="ws2007FederationHttpBinding"
                  contract="ClaimsAwareWCFService1.IService"
                  bindingConfiguration="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding" />
        <!-- Service Endpoints -->
        <!--Commented out by FedUtil-->
        <!--<endpoint address="" binding="wsHttpBinding" contract="ClaimsAwareWCFService1.IService"><!- - Upon deployment, the following identity element should be removed or replaced to reflect the identity under which the deployed service runs. If removed, WCF will infer an appropriate identity automatically. - -><identity><dns value="localhost" /></identity></endpoint>-->
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ClaimsAwareWCFService1.ServiceBehavior">
          <!-- Behavior extension to make the service claims aware -->
          <federatedServiceHostConfiguration name="ClaimsAwareWCFService1.Service" />
          <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
          <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
          <!-- To receive exception details in faults for debugging purposes, set the value below to true. Set to false before deployment to avoid disclosing exception information -->
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceCredentials>
            <!--Certificate added by FedUtil. Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.-->
            <serviceCertificate findValue="C339FC540A09AE055CBC2AF18D0AFA83321B9D44" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <extensions>
      <behaviorExtensions>
        <!-- This behavior extension will enable the service host to be Claims aware -->
        <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
    </extensions>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding">
          <security mode="Message">
            <message>
              <issuerMetadata address="https://sts.mco-p.atct.ionharris.com/adfs/services/trust/mex" />
              <claimTypeRequirements>
                <!--Following are the claims offered by STS 'http://sts.mco-p.atct.ionharris.com/adfs/services/trust'.
                    Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
                <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/claims/CommonName" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/claims/EmailAddress" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/claims/Group" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/claims/UPN" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" isOptional="true" />-->
                <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" isOptional="true" />-->
                <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" isOptional="true" />-->
              </claimTypeRequirements>
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
  <!--
    Uncomment the lines below to enable WIF tracing to: WIFTrace.e2e. Open the trace file using the
    SvcTraceViewer.exe tool (shipped with the WCF SDK available from Microsoft) or a xml viewer.
    Refer to MSDN if you wish to add WCF tracing.
  -->
  <!--<system.diagnostics>
    <sources>
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
        <listeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="WIFTrace.e2e" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>-->
  <microsoft.identityModel>
    <service name="ClaimsAwareWCFService1.Service">
      <audienceUris>
        <add value="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/" />
      </audienceUris>
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="11A9A9535F818EE93DE8FACC78488BEF4921F462" name="http://sts.mco-p.atct.ionharris.com/adfs/services/trust" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
Wednesday, October 3, 2012 3:49 PM -
Hello,
I think I can identify some problems in your configuration. Firstly, it seems like you are hosting your service over SSL, in which case you cannot use <security mode="Message">. Try instead to use <security mode="Transport"> or <security mode="TransportWithMessageCredential">.
Secondly, you should change your mex endpoint to: binding=mexHttpsBinding instead of mexHttpBinding.
Please try these and tell me if it helped.
Greetings,
Pavlos
Please mark this reply as answer if it helps you find a resolution to your problem.
- Proposed as answer by NinjaNichols Wednesday, October 3, 2012 5:00 PM
Wednesday, October 3, 2012 4:32 PM -
@Pavlos That solved it. Thanks!
Wednesday, October 3, 2012 4:59 PM
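The fix Pavlos describes, written out as a worked example. This is added here and is not code from the original thread; host name, port, service names and thumbprints are taken from the posted web.config, and the unchanged `<configSections>` and `<extensions>` registrations from that file are omitted. The stack trace explains the failure: with `<security mode="Message">` the federation binding builds a plain HttpTransportBindingElement listener (HttpTransportBindingElement.BuildChannelListener under SymmetricSecurityBindingElement in the trace), and that listener rejects an https ListenUriBaseAddress. TransportWithMessageCredential puts TLS on the transport and carries the ADFS-issued token as a message credential, so the https address is valid. The `httpGetEnabled="false"` setting is my hardening choice, not part of the original fix; it stops metadata being served over plain HTTP and removes the need for an http base address.

```xml
<!-- Before (from the posted web.config): these two settings conflict with an https base address.
<security mode="Message">
<endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
-->

<system.serviceModel>
  <services>
    <service name="ClaimsAwareWCFService1.Service"
             behaviorConfiguration="ClaimsAwareWCFService1.ServiceBehavior">
      <!-- The endpoint scheme (https) must match the transport the binding builds -->
      <endpoint address="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/"
                binding="ws2007FederationHttpBinding"
                bindingConfiguration="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding"
                contract="ClaimsAwareWCFService1.IService" />
      <!-- Corrected: metadata exchange over HTTPS -->
      <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
    </service>
  </services>

  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding">
        <!-- Corrected: TLS on the wire, ADFS-issued SAML token as the message credential -->
        <security mode="TransportWithMessageCredential">
          <message>
            <issuerMetadata address="https://sts.mco-p.atct.ionharris.com/adfs/services/trust/mex" />
            <claimTypeRequirements>
              <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
              <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
            </claimTypeRequirements>
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
  </bindings>

  <behaviors>
    <serviceBehaviors>
      <behavior name="ClaimsAwareWCFService1.ServiceBehavior">
        <federatedServiceHostConfiguration name="ClaimsAwareWCFService1.Service" />
        <!-- Hardening choice (not in the original fix): no plain-HTTP metadata.
             Set httpsGetEnabled="false" too, and drop the mex endpoint, before deployment. -->
        <serviceMetadata httpGetEnabled="false" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <!-- Service certificate; used to decrypt tokens ADFS encrypts for this RP -->
          <serviceCertificate findValue="C339FC540A09AE055CBC2AF18D0AFA83321B9D44"
                              storeLocation="LocalMachine" storeName="My"
                              x509FindType="FindByThumbprint" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>

<!-- WIF side: must agree with the endpoint above and with the ADFS token-signing certificate -->
<microsoft.identityModel>
  <service name="ClaimsAwareWCFService1.Service">
    <audienceUris>
      <!-- Exact https endpoint address; a token issued for any other audience is rejected -->
      <add value="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/" />
    </audienceUris>
    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <!-- Thumbprint of the ADFS token-signing certificate, not its service communications certificate -->
        <add thumbprint="11A9A9535F818EE93DE8FACC78488BEF4921F462"
             name="http://sts.mco-p.atct.ionharris.com/adfs/services/trust" />
      </trustedIssuers>
    </issuerNameRegistry>
  </service>
</microsoft.identityModel>
```

To check the result: browse to https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/Service.svc?wsdl; activation now succeeds and the WSDL policy references the https address with TransportWithMessageCredential. Compare the trustedIssuers thumbprint with the Token-signing certificate shown under Service > Certificates in AD FS Management (the same certificate appears in the signing KeyDescriptor of the FederationMetadata.xml named in appSettings); a mismatch means every token is rejected as coming from an untrusted issuer. On the ADFS side, the relying party trust identifier is what ADFS puts in the token's audience, so it has to equal the audienceUris value.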
-
After creating the WCF ClaimedAwareService, I created a Silverlight 4.0 component to consume the WCF service. When I compiled the Silverlight component, I received the following errors:
1. Does that mean the 'WS2007FederationHttpBinding_IService' doesn't support Silverlight 4?
Warning 1 Custom tool warning: Endpoint 'WS2007FederationHttpBinding_IService' at address 'https://test.xyz.com/CRMWCFService/Service.svc' is not compatible with Silverlight 4. Skipping... E:\Projects\AgForecastEdit\Service References\WCFClaimedAwareServiceService\Reference.svcmap 1 1 BudgetModule
Warning 2 Custom tool warning: No endpoints compatible with Silverlight 4 were found. The generated client class will not be usable unless endpoint information is provided via the constructor. E:\Projects\AgForecastEdit\Service References\WCFClaimedAwareServiceService\Reference.svcmap 1 1 BudgetModule
2. Is there a sample showing how I can create a Silverlight component to consume the WCF ClaimedAwareService?
Wednesday, October 3, 2012 8:42 PM -
Hi,
no, this kind of binding is definitely not supported OOB in Silverlight (not even in version 5).
I think there are some quite good samples for Silverlight and Claims aware services here.
These samples use some kind of workarounds to parse/create SAML Tokens etc etc.
But I should warn you, this is not an easy task, prepare yourself for some heavy reading...
Greetings,
Please mark this reply as answer if it helps you find a resolution to your problem.
Wednesday, October 3, 2012 8:53 PM