I have a WCF service under .NET 4.0 that uses WIF 3.5 and the ws2007FederationHttpBinding binding. Currently it is running (successfully) as a self-hosted service, but I would prefer it to run under IIS 7.5. However, I can't get it to work.
I haven't got in-depth knowledge or experience with this, so I set about this by simply copying the configuration that works for the self-hosting to the web.config.
They're nearly identical except for the addition of behaviors\serviceBehaviors\behavior\serviceCredentials\serviceCertificate, which seems to be required in the case of IIS hosting but not for self-hosting (I don't know why).
The client configuration is identical as well for both service setups (apart from the endpoint address).
Testing the self-hosted and IIS hosted services happens on the same machine and I've tried the IIS hosted service with the VS development server, IIS Express and regular IIS.
The client is on this same machine.
The STS is on another machine.
There are three X.509 certificates involved: a certificate for the service and a signing certificate used by the STS, both under a self-signed root certificate. The DefaultAppPool (where the web service is hosted) has access to both certificates. As far as I can tell, there is no SSL involved.
I can get the IIS hosted service running and I can request the metadata. The error occurs when I make an actual request. The client-side error seems pretty generic:
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.
An error occurred when verifying security for the message.
The svc trace log for the client says pretty much the same.
The server side doesn't throw an error, but the svc log reveals this:
The X.509 certificate CN=sts.public.example.com chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation for the certificate.
System.IdentityModel.Selectors.X509CertificateChain.Build(X509Certificate2 certificate)
System.IdentityModel.Selectors.X509CertificateValidator.ChainTrustValidator.Validate(X509Certificate2 certificate)
System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ResolveClaimSet(SecurityToken token)
System.IdentityModel.Selectors.SamlSecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
System.ServiceModel.Security.ReceiveSecurityHeader.ProcessEncryptedData(EncryptedData encryptedData, TimeSpan timeout, Int32 position, Boolean eagerMode, Boolean& primarySignatureFound)
System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
System.ServiceModel.Security.MessageSecurityProtocol.ProcessSecurityHeader(ReceiveSecurityHeader securityHeader, Message& message, SecurityToken requiredSigningToken, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Security.SymmetricSecurityProtocol.VerifyIncomingMessageCore(Message& message, String actor, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
System.ServiceModel.Security.MessageSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
sts.public.example.com is the signing certificate of the STS. I don't know where to put this certificateValidationMode and why it should be any different for IIS.
There is a custom issuerNameRegistry and claimsAuthorizationManager for the Identity Model and a serviceAuthorizationManager for the service behavior, but none of them even gets hit before the error. So maybe the error occurs when the server receives the signed token from the client and IIS itself somehow fails to verify the certificate (wild random guesses).
I would give you the config files and code samples, but it's all quite a lot and I don't know what exactly is relevant and what is not; if any clarification is desired, I'll add it as soon as possible.
I've tried turning off certificateValidation and revocation checking wherever I could and fiddled with many settings I barely understand, fruitlessly. This post seemed hopeful for a moment, but I don't really see where the suggested solution would fit in and given the date it might very well no longer be relevant.
It would be enormously helpful if anyone could point me in the direction of the solution and/or explain the differences in setup/configuration requirements between self-hosted and IIS hosted services.
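As an added illustration, not part of the original question and not a diagnosis of this particular setup: the trace above ends in WCF's own System.IdentityModel authenticators (SamlSecurityTokenAuthenticator calling X509SecurityTokenAuthenticator.ValidateTokenCore), and the certificateValidationMode it mentions is exposed in two places in a WCF + WIF 3.5 web.config. The fragment below shows both, with the test-only setting that silences the error left in a comment beside the tighter setting a practitioner would actually use. The element and attribute names are the real WCF / WIF 3.5 configuration schema; the thumbprints, behavior name and issuer name are placeholders. Two caveats belong with it. First, chain building runs as the hosting process identity, so a private root imported into the developer's CurrentUser\Trusted Root Certification Authorities store is visible to a self-hosted process running as that developer but not to an IIS worker process running as ApplicationPoolIdentity; a private root that must be trusted by IIS belongs in LocalMachine\Trusted Root Certification Authorities. Second, a self-signed root normally publishes no CRL, which is exactly what "The revocation function was unable to check revocation" describes under revocationMode="Online"; the remedy in a lab is to pin the issuer certificate (PeerTrust) rather than to turn validation off, because certificateValidationMode="None" lets a token signed by any certificate at all be accepted as coming from the STS.

```xml
<!-- Added example, not the original poster's configuration.
     Element and attribute names follow the WCF / WIF 3.5 schema; the
     thumbprints (SERVICE_CERT_THUMBPRINT, STS_SIGNING_CERT_THUMBPRINT),
     behavior name and issuer name are placeholders. -->
<configuration>
  <configSections>
    <section name="microsoft.identityModel"
             type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
  </configSections>

  <system.serviceModel>
    <extensions>
      <behaviorExtensions>
        <add name="federatedServiceHostConfiguration"
             type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      </behaviorExtensions>
    </extensions>

    <behaviors>
      <serviceBehaviors>
        <behavior name="FederatedBehavior">
          <serviceMetadata httpGetEnabled="true" />

          <!-- Plugs the WIF 3.5 token handlers into the ServiceHost. Without it,
               WCF validates the incoming SAML token with its built-in
               System.IdentityModel authenticators, the pair seen in the trace. -->
          <federatedServiceHostConfiguration />

          <serviceCredentials>
            <serviceCertificate findValue="SERVICE_CERT_THUMBPRINT"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindByThumbprint" />

            <!-- WCF's own knob for the certificate that signed the issued token.
                 TEST ONLY, never in production (accepts any signer, skips revocation):
                   <issuedTokenAuthentication certificateValidationMode="None"
                                              revocationMode="NoCheck" />
                 Lab with a private root that publishes no CRL: pin the STS signing
                 certificate placed in LocalMachine\TrustedPeople. Under a real PKI
                 use certificateValidationMode="ChainTrust" revocationMode="Online". -->
            <issuedTokenAuthentication certificateValidationMode="PeerTrust"
                                       revocationMode="NoCheck"
                                       trustedStoreLocation="LocalMachine">
              <knownCertificates>
                <add findValue="STS_SIGNING_CERT_THUMBPRINT"
                     storeLocation="LocalMachine"
                     storeName="TrustedPeople"
                     x509FindType="FindByThumbprint" />
              </knownCertificates>
            </issuedTokenAuthentication>
          </serviceCredentials>
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>

  <microsoft.identityModel>
    <service>
      <!-- WIF 3.5's equivalent knob, consulted once federatedServiceHostConfiguration
           is active. Same trade-off as above: PeerTrust plus a pinned issuer for the
           lab, ChainTrust plus Online revocation checking in production. -->
      <certificateValidation certificateValidationMode="PeerTrust"
                             revocationMode="NoCheck"
                             trustedStoreLocation="LocalMachine" />

      <!-- Restricts which signing certificates are accepted as issuers, independent
           of how the chain is built. -->
      <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <trustedIssuers>
          <add thumbprint="STS_SIGNING_CERT_THUMBPRINT" name="sts.public.example.com" />
        </trustedIssuers>
      </issuerNameRegistry>
    </service>
  </microsoft.identityModel>
</configuration>
```

The point of keeping PeerTrust rather than None is that the service still refuses a token whose signing certificate is not the one pinned in TrustedPeople; NoCheck only waives the CRL lookup that a private root cannot satisfy. Whichever store the root or the pinned certificate lives in, it has to be the LocalMachine store, since the IIS worker process does not share the interactive user's CurrentUser stores.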