WIF STS and SSL Termination

Jun 4, 2012 at 5:12 PM

I am looking into deploying brokered authentication (with a custom STS using WIF) into an environment that utilizes SSL Termination on a load balancer. I have not been able to find a solution to this problem.

Can anyone tell me if WIF can be used in an environment that uses "SSL Termination" or "SSL Offloading" where a network device handles the SSL and translates external https traffic into internal http traffic. I can't find much information on this environment.

I will still be deploying certificates for the token signing and encryption but the server will be hosting on an http transport. I have tried using a custom binding with allowsInsecureTransport set and also tried ClearUsernameBinding based on this rather old thread http://social.msdn.microsoft.com/Forums/no/Geneva/thread/a2101075-be17-4c22-8ba6-215e371a2fc4.

I can't seem to fool IWsTrustFeb2005SecurityTokenService into thinking he is secure. Here is my latest error: "The request message must be protected. This is required by an operation of the contract ('IWsTrustFeb2005SecurityTokenService','http://tempuri.org/'). The protection must be provided by the binding ('ClearUsernameBinding','http://tempuri.org/')."

Thanks,

Jeff

Coordinator
Jun 4, 2012 at 5:14 PM

For WCF you need a custom binding where you use the xxxOverTransport authentication mode, but set 'AllowInsecureConnection' to true.

At least that's how I remember it...;)

Jun 4, 2012 at 10:16 PM

Dominick,

Thanks for the reply. I tried the following config for the STS:

<services>
  <service
    name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
    behaviorConfiguration="IssuerBehavior">
    <endpoint
      address=""
      binding="customBinding"
      bindingConfiguration="AllowInsecureTransportBinding"
      contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />

    <endpoint address="mex" binding="customBinding" bindingConfiguration="AllowInsecureTransportBinding"
      contract="IMetadataExchange" />
  </service>
</services>

<bindings>
  <customBinding>
    <binding name="AllowInsecureTransportBinding">
      <textMessageEncoding/>
      <security
        authenticationMode="UserNameOverTransport"
        allowInsecureTransport="true"
        enableUnsecuredResponse="true">
      </security>
      <httpTransport/>
    </binding>
  </customBinding>
</bindings>

<behaviors>
  <serviceBehaviors>
    <behavior name="IssuerBehavior">
      <serviceThrottling maxConcurrentCalls="10000" maxConcurrentSessions="10000" maxConcurrentInstances="10000"/>
      <serviceCredentials>
        <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" findValue="CN=cert"/>
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true"/>
      <serviceDebug includeExceptionDetailInFaults="false"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

I have verified that my custom authentication code in the STS is being called and returning correctly. On the client side I am getting the following error:

{"The message with Action 'http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue' cannot be processed at the receiver, due to a ContractFilter mismatch at the EndpointDispatcher. This may be because of either a contract mismatch (mismatched Actions between sender and receiver) or a binding/security mismatch between the sender and the receiver.  Check that sender and receiver have the same contract and the same binding (including security requirements, e.g. Message, Transport, None)."}

Here is the client config:

<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="WS2007FederationHttpBinding_MyService" closeTimeout="00:01:00"
          openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
          bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
          maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
          messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
        <security mode="Message">
          <message algorithmSuite="Default" establishSecurityContext="false"
              issuedKeyType="SymmetricKey" negotiateServiceCredential="true">
            <issuer address="https://server/TokenService.svc" binding="customBinding" bindingConfiguration="AllowInsecureTransportBinding" />
            <issuerMetadata address="https://server/TokenService.svc/mex" />
            <tokenRequestParameters>
              <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
              </trust:SecondaryParameters>
            </tokenRequestParameters>
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>

    <customBinding>
      <binding name="AllowInsecureTransportBinding">
        <textMessageEncoding/>
        <security
          authenticationMode="UserNameOverTransport"
          allowInsecureTransport="true"
          enableUnsecuredResponse="true">
        </security>
        <httpsTransport/>
      </binding>
    </customBinding>
  </bindings>
  <client>
    <endpoint address="https://server/service.svc"
        binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_MyService"
        contract="Services.IQAAutomation" name="WS2007FederationHttpBinding_MyService">
      <identity>
        <certificate encodedValue="ENCODED VALUE" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

I can't seem to figure out how to get around the ContractFilter mismatch. The WCF logs don't provide much info about the error.

Thanks for any help you can provide.

Jeff
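The following is an added example from the editor, not configuration posted by either participant or shipped by the project. It puts Dominick's suggestion (a customBinding with the xxxOverTransport authentication mode and allowInsecureTransport set) next to one detail worth verifying in the configs above: the client error quotes the WS-Trust February 2005 Issue action (`http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue`), while the STS endpoint exposes `IWSTrust13SyncContract`. The `messageSecurityVersion` attribute of a customBinding `<security>` element defaults to `Default`, which is the WS-Trust February 2005 profile, so a client-side issuer binding that does not pin the version will send Feb 2005 requests to a 1.3 endpoint. This is offered as one thing to check, not a confirmed diagnosis of Jeff's setup. The host name `lb.example.test` and the certificate subject `CN=sts-signing-cert` are placeholders.

```xml
<!-- Added example (editor's, not the poster's or the project's config).
     Both sides pin the same WS-Trust version explicitly instead of relying on
     the customBinding default, which is the February 2005 profile.
     Placeholders: https://lb.example.test/TokenService.svc, CN=sts-signing-cert -->

<!-- ===== STS side: hosted on plain HTTP behind the TLS-terminating load balancer ===== -->
<bindings>
  <customBinding>
    <binding name="AllowInsecureTransportBinding">
      <textMessageEncoding/>
      <security
        authenticationMode="UserNameOverTransport"
        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
        allowInsecureTransport="true"
        enableUnsecuredResponse="true"/>
      <!-- plain HTTP only: TLS was already terminated at the load balancer -->
      <httpTransport/>
    </binding>
  </customBinding>
</bindings>

<services>
  <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
           behaviorConfiguration="IssuerBehavior">
    <!-- the contract (WS-Trust 1.3) and the binding's messageSecurityVersion must agree -->
    <endpoint address=""
              binding="customBinding"
              bindingConfiguration="AllowInsecureTransportBinding"
              contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract"/>
  </service>
</services>

<behaviors>
  <serviceBehaviors>
    <behavior name="IssuerBehavior">
      <serviceCredentials>
        <!-- signing/encryption certificate is still used; only the transport leg is HTTP -->
        <serviceCertificate storeLocation="LocalMachine" storeName="My"
                            x509FindType="FindBySubjectDistinguishedName"
                            findValue="CN=sts-signing-cert"/>
      </serviceCredentials>
      <serviceMetadata httpGetEnabled="true"/>
    </behavior>
  </serviceBehaviors>
</behaviors>

<!-- ===== Client side: talks HTTPS to the load balancer, same WS-Trust version ===== -->
<bindings>
  <customBinding>
    <binding name="IssuerBindingWsTrust13">
      <textMessageEncoding/>
      <!-- no allowInsecureTransport here: from the client's view the transport is HTTPS -->
      <security
        authenticationMode="UserNameOverTransport"
        messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"/>
      <httpsTransport/>
    </binding>
  </customBinding>
  <ws2007FederationHttpBinding>
    <binding name="WS2007FederationHttpBinding_MyService">
      <security mode="Message">
        <message issuedKeyType="SymmetricKey" establishSecurityContext="false">
          <issuer address="https://lb.example.test/TokenService.svc"
                  binding="customBinding"
                  bindingConfiguration="IssuerBindingWsTrust13"/>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
```

The alternative that needs no version attribute at all is to expose `IWSTrustFeb2005SyncContract` on the STS endpoint (WIF's `WSTrustServiceContract` implements both), so that the contract matches the binding default on both sides; what matters is that the two agree. Note what `allowInsecureTransport="true"` actually means on the STS side: the UsernameToken arrives over plaintext HTTP, so that listener should be reachable only on the load balancer to server segment, and the load balancer should be the only path to it.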