Tridion Docs 14.2 STS setup

Hi All, we are moving our Tridion Docs 14 auth from ADFS to STS and are running into an issue with "Bad Key". We validated that the cert can encrypt and decrypt tokens, so we are not sure what we are missing. Here is the detailed error. TIA.

11:45:30.4026	Debug	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.InfoShare.API25.User.GetMyMetadata()		[MethodEnter(00082)]	
11:45:30.5475	Debug	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.InfoShare.API25.User.GetMyMetadata()		[MethodExit(00082)]	144.8805ms
11:45:30.5726	Error	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.Utilities.Logging.Web.Modules.ErrorModule.OnContextError	(httpStatusCode=[null],statusCode=[null],urlReferer=[null])	[]	
11:45:30.5726	Error	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.Utilities.Logging.Web.Modules.ErrorModule.OnContextError		[]	
System.Security.Cryptography.CryptographicException: Bad Key.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.EncryptKey(SafeKeyHandle pKeyContext, Byte[] pbKey, Int32 cbKey, Boolean fOAEP, ObjectHandleOnStack ohRetEncryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] rgb, Boolean fOAEP)
   at System.Security.Cryptography.CngLightup.OaepSha1Encrypt(RSA rsa, Byte[] data)
   at System.IdentityModel.RsaEncryptionCookieTransform.Encode(Byte[] value)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken)
   at System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
   at Thinktecture.IdentityServer.Protocols.AuthenticationHelper.SetSessionToken(String userName, String authenticationMethod, Boolean isPersistent, Int32 ttl, IEnumerable`1 additionalClaims)
   at Thinktecture.IdentityServer.Protocols.AccountControllerBase.SignIn(String userName, String authenticationMethod, String returnUrl, Boolean isPersistent, Int32 ttl, IEnumerable`1 additionalClaims)
   at Thinktecture.IdentityServer.Web.Controllers.AccountController.SignIn(SignInModel model)
   at lambda_method(Closure , ControllerBase , Object[] )
   at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
   at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c.<BeginInvokeSynchronousActionMethod>b__9_0(IAsyncResult asyncResult, ActionInvocation innerInvokeState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b__0()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass7_0.<BeginInvokeActionMethodWithFilters>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_6.<BeginInvokeAction>b__4()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c.<BeginExecute>b__151_2(IAsyncResult asyncResult, Controller controller)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
HttpApplication.RecordError => HttpApplication.RaiseOnError => ErrorModule.OnContextError

  • Hi Akheil

    Not sure if this is the issue but in your web.config file, did you update the thumbprint value under the “TrustedIssuers” section?

    • If you are using ADFS, this should be the thumbprint of the certificate used by the ADFS server to sign tokens.
    • If you are using a Security Token Service (STS) hosted on the Tridion Docs server, the thumbprint should correspond to the certificate bound to port 443 on that server.

     

    This thumbprint should match the one specified earlier in the “serviceCertificate” element of the same web.config file.
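
The thumbprint comparison described in the reply above, as an added example (not part of the thread and not Tridion Docs code): it reads a web.config, collects the thumbprints under the trustedIssuers and serviceCertificate elements, and reports mismatches as well as spaces or invisible characters that a copy-paste can leave in the value. The sample file, its element layout and both thumbprints are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the real Tridion Docs web.config; the element layout
# and both thumbprints are made up. The first value starts with an invisible
# U+200E, as happens when a thumbprint is pasted from the certificate dialog.
SAMPLE_WEB_CONFIG = """<configuration>
  <trustedIssuers>
    <add thumbprint="\u200e0123456789abcdef0123456789abcdef01234567" name="STS" />
  </trustedIssuers>
  <serviceCertificate>
    <certificateReference x509FindType="FindByThumbprint"
                          findValue="0123456789ABCDEF0123456789ABCDEF01234567" />
  </serviceCertificate>
</configuration>"""

SECTIONS = ("trustedissuers", "servicecertificate")

def normalize(thumbprint):
    """Keep only the hex digits, upper-cased."""
    return re.sub(r"[^0-9A-Fa-f]", "", thumbprint).upper()

def collect_thumbprints(config_xml):
    """Return the raw thumbprint attribute values found under each section."""
    found = {name: [] for name in SECTIONS}
    for section in ET.fromstring(config_xml).iter():
        if section.tag.lower() in found:
            for node in section.iter():
                raw = node.get("thumbprint") or node.get("findValue")
                if raw is not None:
                    found[section.tag.lower()].append(raw)
    return found

def check_thumbprints(config_xml):
    """List the problems that would stop the two sections from matching."""
    found, problems = collect_thumbprints(config_xml), []
    for name, values in found.items():
        if not values:
            problems.append(f"{name}: no thumbprint found")
        for raw in values:
            if normalize(raw) != raw.upper():
                problems.append(f"{name}: spaces or hidden characters in {raw!r}")
            if len(normalize(raw)) != 40:
                problems.append(f"{name}: {raw!r} is not a 40-digit SHA-1 thumbprint")
    issuers = {normalize(v) for v in found["trustedissuers"]}
    service = {normalize(v) for v in found["servicecertificate"]}
    if not service <= issuers:
        problems.append("serviceCertificate thumbprint is not listed under trustedIssuers")
    return problems

if __name__ == "__main__":
    for problem in check_thumbprints(SAMPLE_WEB_CONFIG):
        print(problem)
```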

  • Hi Frank,

    I forgot to mention, we spun up new servers and did a fresh Tridion Docs 14SP2 install with STS specified in the input parameters (updated parameters attached). I tried adding the thumbprint to the file you mentioned, but still get the same error in the logs.

    <param name="issuercertificatevalidationmode">
      <currentvalue>ChainTrust</currentvalue>
      <defaultvalue>PeerOrChainTrust</defaultvalue>
      <description>The validation mode specified here will decide how the application to application communication validates service certificates. The allowed options are: ChainTrust, PeerTrust, PeerOrChainTrust or None. By setting the mode to None, any certificate will be accepted.</description>
      <validate>certificatevalidationmode</validate>
    </param>
    <param name="issuerwstrustbindingtype">
      <currentvalue>UserNameMixed</currentvalue>
      <defaultvalue>WindowsMixed</defaultvalue>
      <description>Specify the binding type that is required by the end point of the WS-Trust issuer. Two valid binding types are UserNameMixed and WindowsMixed. When specifying UserNameMixed the matching input parameters issueractorusername and issueractorpassword must be set. When specifying WindowsMixed the matching input parameters issueractorusername and issueractorpassword must be empty as the principal of the service user (osuser) will be used as credentials.</description>
      <validate>wstrustbindingtype</validate>
    </param>
    <param name="issuerwstrustendpointurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wstrust/mixed/username</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wstrust/mixed/username</defaultvalue>
      <description>The WS-Trust endpoint for the Security Token Service that provides the functionality to issue tokens as specified by the issuerwstrustbindingtype. When using the built-in STS, use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/username when issuerwstrustbindingtype is UserNameMixed resulting in for example https://example.com/ISHSTS/issue/wstrust/mixed/username or when issuerwstrustbindingtype is WindowsMixed use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/windows.</description>
      <validate/>
    </param>
    <param name="issuerwstrustmexurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wstrust/mex</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wstrust/mex</defaultvalue>
      <description>The WS-Trust metadata address for the Security Token Service. Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mex resulting in for example https://example.com/ISHSTS/issue/wstrust/mex</description>
      <validate/>
    </param>
    <param name="issuerwsfederationendpointurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wsfed</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wsfed</defaultvalue>
      <description>The WS-Federation endpoint for the Security Token Service that provides the functionality to issue tokens for browsers (Passive Profile). Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wsfed resulting in for example https://example.com/ISHSTS/issue/wsfed</description>
      <validate/>
    </param>
    <param name="issuerwsfederationid">
      <currentvalue>http://sdl.com/trisoft/services/trust</currentvalue>
      <defaultvalue>http://sdl.com/trisoft/services/trust</defaultvalue>
      <description>The WS-Federation identifier for the Security Token Service that provides the functionality to issue tokens for browsers (Passive Profile).</description>
      <validate/>
    </param>
    <param name="authenticationtype">
      <currentvalue>UsernamePassword</currentvalue>
      <defaultvalue>Windows</defaultvalue>
      <description>Specify the authentication type</description>
      <validate/>
    </param>
    <param name="infosharestswindowsauthenticationenabled">
      <currentvalue>False</currentvalue>
      <defaultvalue>True</defaultvalue>
      <description>Specify if the infosharests web site will enable IIS windows authentication</description>
      <validate/>
    </param>
    <param name="issuerwstrustendpointurl_normalized">
      <currentvalue>https://psdla01d-hlw-23/ISHSTS/issue/wstrust/mixed/username</currentvalue>
      <defaultvalue>https://psdla01d-hlw-23/ISHSTS/issue/wstrust/mixed/username</defaultvalue>
      <description>Indicates the ws trust endpoint. When using InfoShareSTS(same hostname as installation) then it is replaced with localhost</description>
      <validate/>
    </param>
