Does anyone know how to create a custom WCF ClaimedAwareService using ADFS?

  • Question

    I created a simple ClaimedAwareService from VS2010, added an STS reference, and created a relying party trust on ADFS. When I run the service, it produces this error. I can't resolve the issue after searching for solutions. Does any

    Server Error in '/SecureWCFService' Application.


    The provided URI scheme 'https' is invalid; expected 'http'.
    Parameter name: context.ListenUriBaseAddress

    Description:

    An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'.
    Parameter name: context.ListenUriBaseAddress

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.


    Stack Trace:

    [ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'.
    Parameter name: context.ListenUriBaseAddress]
       System.ServiceModel.Channels.TransportChannelListener..ctor(TransportBindingElement bindingElement, BindingContext context, MessageEncoderFactory defaultMessageEncoderFactory, HostNameComparisonMode hostNameComparisonMode) +16404606
       System.ServiceModel.Channels.HttpChannelListener..ctor(HttpTransportBindingElement bindingElement, BindingContext context) +215
       System.ServiceModel.Channels.HttpTransportBindingElement.BuildChannelListener(BindingContext context) +131
       System.ServiceModel.Channels.DatagramChannelDemuxer`2..ctor(BindingContext context) +110
       System.ServiceModel.Channels.ChannelDemuxer.GetTypedDemuxer(Type channelType, BindingContext context) +313
       System.ServiceModel.Channels.ChannelDemuxer.BuildChannelListener(BindingContext context, ChannelDemuxerFilter filter) +61
       System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener() +73
       System.ServiceModel.Channels.ChannelBuilder.BuildChannelListener(MessageFilter filter, Int32 priority) +177
       System.ServiceModel.Security.SecuritySessionServerSettings.CreateInnerChannelListener() +297
       System.ServiceModel.Channels.SecurityChannelListener`1.InitializeListener(ChannelBuilder channelBuilder) +103
       System.ServiceModel.Channels.SymmetricSecurityBindingElement.BuildChannelListenerCore(BindingContext context) +1901
       System.ServiceModel.Channels.SecurityBindingElement.BuildChannelListener(BindingContext context) +353
       System.ServiceModel.Channels.Binding.BuildChannelListener(Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters) +166
       System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession) +16574294
       System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result) +583
       System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost) +2020
       System.ServiceModel.ServiceHostBase.InitializeRuntime() +82
       System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout) +64
       System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) +789
       System.ServiceModel.HostingManager.ActivateService(String normalizedVirtualPath) +255
       System.ServiceModel.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath) +1172
    
    [ServiceActivationException: The service '/SecureWCFService/Service.svc' cannot be activated due to an exception during compilation.  The exception message is: The provided URI scheme 'https' is invalid; expected 'http'.
    Parameter name: context.ListenUriBaseAddress.]
       System.Runtime.AsyncResult.End(IAsyncResult result) +901424
       System.ServiceModel.Activation.HostedHttpRequestAsyncResult.End(IAsyncResult result) +178382
       System.Web.AsyncEventExecutionStep.OnAsyncEventCompletion(IAsyncResult ar) +107
    Tuesday, September 25, 2012 5:24 PM

All replies

  • Hi,

    can you please provide your configuration file for your service?

    Looks like a configuration error.

    Greetings,

    Pavlos

    Tuesday, October 2, 2012 11:39 AM
  • I followed the same steps and am getting the same error message. Any help would be appreciated.

    Here's my service's web.config:

    <?xml version="1.0"?>
    <!--
        Note: As an alternative to hand editing this file you can use the 
        web admin tool to configure settings for your application. Use
        the Website->Asp.Net Configuration option in Visual Studio.
        A full list of settings and comments can be found in 
        machine.config.comments usually located in 
        \Windows\Microsoft.Net\Framework\v2.x\Config 
    -->
    <configuration>
      <configSections>
        <section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </configSections>
      <appSettings>
        <add key="FederationMetadataLocation" value="https://sts.mco-p.atct.ionharris.com/FederationMetadata/2007-06/FederationMetadata.xml" />
      </appSettings>
      <connectionStrings />
      <location path="FederationMetadata">
        <system.web>
          <authorization>
            <allow users="*" />
          </authorization>
        </system.web>
      </location>
      <system.web>
        <!--
              Set compilation debug="true" to insert debugging 
              symbols into the compiled page. Because this 
              affects performance, set this value to true only 
              during development.
          -->
        <compilation debug="true" targetFramework="4.0">
          <assemblies>
            <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          </assemblies>
        </compilation>
        <!--
              The <authentication> section enables configuration 
              of the security authentication mode used by 
              ASP.NET to identify an incoming user. 
          -->
        <authentication mode="Windows" />
        <!--
              The <customErrors> section enables configuration 
              of what to do if/when an unhandled error occurs 
              during the execution of a request. Specifically, 
              it enables developers to configure html error pages 
              to be displayed in place of a error stack trace.
    
          <customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
              <error statusCode="403" redirect="NoAccess.htm" />
              <error statusCode="404" redirect="FileNotFound.htm" />
          </customErrors>
          -->
        <pages>
          <controls>
            <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
          </controls>
        </pages>
      </system.web>
      <system.web.extensions>
        <scripting>
          <webServices>
            <!--
              Uncomment this section to enable the authentication service. Include 
              requireSSL="true" if appropriate.
            -->
            <!--
            <authenticationService enabled="true" requireSSL = "true|false"/>
            -->
            <!--
              Uncomment these lines to enable the profile service, and to choose the 
              profile properties that can be retrieved and modified in ASP.NET AJAX 
              applications.
            -->
            <!--
            <profileService enabled="true"
                            readAccessProperties="propertyname1,propertyname2"
                            writeAccessProperties="propertyname1,propertyname2" />
            -->
            <!--
              Uncomment this section to enable the role service.
            -->
            <!--
            <roleService enabled="true"/>
            -->
          </webServices>
          <!--
            <scriptResourceHandler enableCompression="true" enableCaching="true" />
            -->
        </scripting>
      </system.web.extensions>
      <system.serviceModel>
        <services>
          <service name="ClaimsAwareWCFService1.Service" behaviorConfiguration="ClaimsAwareWCFService1.ServiceBehavior">
            <endpoint address="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/" binding="ws2007FederationHttpBinding" contract="ClaimsAwareWCFService1.IService" bindingConfiguration="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding" />
            <!-- Service Endpoints -->
            <!--Commented out by FedUtil-->
            <!--<endpoint address="" binding="wsHttpBinding" contract="ClaimsAwareWCFService1.IService"><!- - 
                Upon deployment, the following identity element should be removed or replaced to reflect the 
                identity under which the deployed service runs.  If removed, WCF will infer an appropriate identity 
              automatically.
              - -><identity><dns value="localhost" /></identity></endpoint>-->
            <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
          </service>
        </services>
        <behaviors>
          <serviceBehaviors>
            <behavior name="ClaimsAwareWCFService1.ServiceBehavior">
              <!-- Behavior extension to make the service claims aware -->
              <federatedServiceHostConfiguration name="ClaimsAwareWCFService1.Service" />
              <!-- To avoid disclosing metadata information, set the value below to false and remove the metadata endpoint above before deployment -->
              <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
              <!-- To receive exception details in faults for debugging purposes, set the value below to true.  Set to false before deployment to avoid disclosing exception information -->
              <serviceDebug includeExceptionDetailInFaults="false" />
              <serviceCredentials>
                <!--Certificate added by FedUtil.  Subject='CN=DefaultApplicationCertificate', Issuer='CN=DefaultApplicationCertificate'.-->
                <serviceCertificate findValue="C339FC540A09AE055CBC2AF18D0AFA83321B9D44" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
              </serviceCredentials>
            </behavior>
          </serviceBehaviors>
        </behaviors>
        <extensions>
          <behaviorExtensions>
            <!-- This behavior extension will enable the service host to be Claims aware -->
            <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
          </behaviorExtensions>
        </extensions>
        <bindings>
          <ws2007FederationHttpBinding>
            <binding name="ClaimsAwareWCFService1.IService_ws2007FederationHttpBinding">
              <security mode="Message">
                <message>
                  <issuerMetadata address="https://sts.mco-p.atct.ionharris.com/adfs/services/trust/mex" />
                  <claimTypeRequirements>
                    <!--Following are the claims offered by STS 'http://sts.mco-p.atct.ionharris.com/adfs/services/trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
                    <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                    <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/claims/CommonName" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/claims/EmailAddress" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/claims/Group" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/claims/UPN" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" isOptional="true" />-->
                    <!--<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" isOptional="true" />-->
                    <!--<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" isOptional="true" />-->
                  </claimTypeRequirements>
                </message>
              </security>
            </binding>
          </ws2007FederationHttpBinding>
        </bindings>
      </system.serviceModel>
      <!-- 
      Uncomment the lines below to enable WIF tracing to: WIFTrace.e2e. 
      Open the trace file using the SvcTraceViewer.exe tool (shipped with the WCF SDK available from Microsoft) or a xml viewer.
      Refer to MSDN if you wish to add WCF tracing.
      -->
      <!--<system.diagnostics>
        <sources>
          <source name="Microsoft.IdentityModel" switchValue="Verbose">
            <listeners>
              <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="WIFTrace.e2e" />
            </listeners>
          </source>
        </sources>
        <trace autoflush="true" />
      </system.diagnostics>-->
      <microsoft.identityModel>
        <service name="ClaimsAwareWCFService1.Service">
          <audienceUris>
            <add value="https://win01.mco-p.atct.ionharris.com:55443/SecurityTestWCF/" />
          </audienceUris>
          <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
            <trustedIssuers>
              <add thumbprint="11A9A9535F818EE93DE8FACC78488BEF4921F462" name="http://sts.mco-p.atct.ionharris.com/adfs/services/trust" />
            </trustedIssuers>
          </issuerNameRegistry>
        </service>
      </microsoft.identityModel>
    </configuration>

    Wednesday, October 3, 2012 3:49 PM
  • Hello,

    I think I can identify some problems in your configuration. Firstly, it seems like you are hosting your service over SSL, in which case you cannot use <security mode="Message">. Try instead to use <security Mode="Transport"> or <security Mode="TransportWithMessageCredential">.

    Secondly, you should change your mex endpoint to: binding=mexHttpsBinding instead of mexHttpBinding.

    Please try these and tell me if it helped.

    Greetings,

    Pavlos


    Please mark this reply as answer if it helps you find a resolution to your problem.

    Wednesday, October 3, 2012 4:32 PM
  • @Pavlos That solved it. Thanks!
    Wednesday, October 3, 2012 4:59 PM
  • After creating the WCF ClaimedAwareService, I created a Silverlight 4.0 component to consume the WCF service. When I compiled the Silverlight component, I received the following errors:

    1. Does that mean the 'WS2007FederationHttpBinding_IService' doesn't support Silverlight 4?

    Warning 1 Custom tool warning: Endpoint 'WS2007FederationHttpBinding_IService' at address 'https://test.xyz.com/CRMWCFService/Service.svc' is not compatible with Silverlight 4. Skipping... E:\Projects\AgForecastEdit\Service References\WCFClaimedAwareServiceService\Reference.svcmap 1 1 BudgetModule

    Warning 2 Custom tool warning: No endpoints compatible with Silverlight 4 were found. The generated client class will not be usable unless endpoint information is provided via the constructor. E:\Projects\AgForecastEdit\Service References\WCFClaimedAwareServiceService\Reference.svcmap 1 1 BudgetModule

    2. Is there a sample showing how I can create a Silverlight component to consume the WCF ClaimedAwareService?

    Wednesday, October 3, 2012 8:42 PM
  • Hi,

    no, this kind of binding is definitely not supported OOB in Silverlight (not even in version 5).

    I think there are some quite good samples for Silverlight and Claims aware services here.

    These samples use some kind of workarounds to parse/create SAML Tokens etc etc.

    But I should warn you, this is not an easy task, prepare yourself for some heavy reading...

    Greetings,

    Pavlos


    Please mark this reply as answer if it helps you find a resolution to your problem.

    Wednesday, October 3, 2012 8:53 PM