Tridion Docs 14.2 STS setup

Hi All, we are moving our Tridion Docs 14 auth from ADFS to STS and are running into an issue with "Bad Key". We validated that the cert can encrypt and decrypt tokens, so we're not sure what we are missing. Here is the detailed error. TIA.

11:45:30.4026	Debug	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.InfoShare.API25.User.GetMyMetadata()		[MethodEnter(00082)]	
11:45:30.5475	Debug	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.InfoShare.API25.User.GetMyMetadata()		[MethodExit(00082)]	144.8805ms
11:45:30.5726	Error	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.Utilities.Logging.Web.Modules.ErrorModule.OnContextError	(httpStatusCode=[null],statusCode=[null],urlReferer=[null])	[]	
11:45:30.5726	Error	11	00015	a:UC:Admin	/ISHSTS/account/signin	Trisoft.Utilities.Logging.Web.Modules.ErrorModule.OnContextError		[]	
System.Security.Cryptography.CryptographicException: Bad Key.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.EncryptKey(SafeKeyHandle pKeyContext, Byte[] pbKey, Int32 cbKey, Boolean fOAEP, ObjectHandleOnStack ohRetEncryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Encrypt(Byte[] rgb, Boolean fOAEP)
   at System.Security.Cryptography.CngLightup.OaepSha1Encrypt(RSA rsa, Byte[] data)
   at System.IdentityModel.RsaEncryptionCookieTransform.Encode(Byte[] value)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token)
   at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken)
   at System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken)
   at Thinktecture.IdentityServer.Protocols.AuthenticationHelper.SetSessionToken(String userName, String authenticationMethod, Boolean isPersistent, Int32 ttl, IEnumerable`1 additionalClaims)
   at Thinktecture.IdentityServer.Protocols.AccountControllerBase.SignIn(String userName, String authenticationMethod, String returnUrl, Boolean isPersistent, Int32 ttl, IEnumerable`1 additionalClaims)
   at Thinktecture.IdentityServer.Web.Controllers.AccountController.SignIn(SignInModel model)
   at lambda_method(Closure , ControllerBase , Object[] )
   at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters)
   at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters)
   at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c.<BeginInvokeSynchronousActionMethod>b__9_0(IAsyncResult asyncResult, ActionInvocation innerInvokeState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_0.<InvokeActionMethodFilterAsynchronouslyRecursive>b__0()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.AsyncInvocationWithFilters.<>c__DisplayClass11_2.<InvokeActionMethodFilterAsynchronouslyRecursive>b__2()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass7_0.<BeginInvokeActionMethodWithFilters>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_6.<BeginInvokeAction>b__4()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.<BeginInvokeAction>b__1(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c.<BeginExecuteCore>b__152_1(IAsyncResult asyncResult, ExecuteCoreState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.<>c.<BeginExecute>b__151_2(IAsyncResult asyncResult, Controller controller)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.<>c.<BeginProcessRequest>b__20_1(IAsyncResult asyncResult, ProcessRequestState innerState)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult)
   at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase`1.End()
   at System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult)
   at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
HttpApplication.RecordError => HttpApplication.RaiseOnError => ErrorModule.OnContextError
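The trace shows the STS failing while it writes the WIF session cookie: SessionSecurityTokenHandler hands the cookie bytes to RsaEncryptionCookieTransform, which OAEP-encrypts them through RSACryptoServiceProvider using the STS service certificate. The PowerShell check below is an added example, not part of the original post and not RWS/SDL code. It exercises that same API against a certificate identified by thumbprint (placeholder value; the certificate is assumed to sit in LocalMachine\My and the host is assumed to run .NET Framework 4.6 or later), reports whether the private key lives in a legacy CryptoAPI CSP or a CNG key storage provider and which key spec it has, and performs an OAEP encrypt/decrypt round trip on constructed sample bytes. Run it under the ISHSTS application pool identity so it sees the same key store and key ACLs as the web app.

```powershell
# Added diagnostic (not from the original post, not RWS/SDL code): exercise the
# RSA OAEP path that the trace shows failing, against the STS service certificate.
# Assumptions: certificate in Cert:\LocalMachine\My, .NET Framework 4.6+.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder: '<STS-SERVICE-CERT-THUMBPRINT>'
)

$cert = Get-Item -Path "Cert:\LocalMachine\My\$($Thumbprint.ToUpperInvariant())" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

"Subject          : $($cert.Subject)"
"NotAfter         : $($cert.NotAfter)"
"HasPrivateKey    : $($cert.HasPrivateKey)"
"Public key alg   : $($cert.PublicKey.Oid.FriendlyName)"

# 1. Where does the private key live? RSACryptoServiceProvider (the class in the
#    trace) can only drive legacy CryptoAPI CSP keys; a key held by a CNG KSP
#    comes back from GetRSAPrivateKey() as RSACng instead.
$privRsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $privRsa) { throw "No accessible RSA private key (check the key ACL for the app pool identity)" }
"Private key impl : $($privRsa.GetType().FullName)"
if ($privRsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $info = $privRsa.CspKeyContainerInfo
    "CSP provider     : $($info.ProviderName) (type $($info.ProviderType))"
    # KeyNumber: Exchange keys can encrypt in CryptoAPI; Signature keys cannot.
    "Key spec         : $($info.KeyNumber)"
    "Machine key set  : $($info.MachineKeyStore)"
}

# 2. Reproduce the outbound transform: OAEP-encrypt with the certificate's public
#    key via RSACryptoServiceProvider (cert.PublicKey.Key), i.e. the same
#    Encrypt(byte[], fOAEP = true) call seen in the trace.
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample cookie bytes')   # constructed input
$pubRsa = $cert.PublicKey.Key
"Public key impl  : $($pubRsa.GetType().FullName)"
try {
    $cipher = $pubRsa.Encrypt($sample, $true)
    "OAEP encrypt     : OK ($($cipher.Length) bytes)"
} catch {
    "OAEP encrypt     : FAILED -> $($_.Exception.GetBaseException().Message)"
    return
}

# 3. Inbound direction: decrypt with the private key, whichever provider holds it.
$plain = $privRsa.Decrypt($cipher, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA1)
if ([System.Text.Encoding]::UTF8.GetString($plain) -ne 'constructed sample cookie bytes') {
    throw 'OAEP round trip produced different bytes'
}
"OAEP decrypt     : OK (round trip matches)"
```

If step 2 already reports FAILED with "Bad Key", the certificate's key is not usable through RSACryptoServiceProvider as the STS is calling it, and the provider type and key spec printed in step 1 are the properties to compare against a certificate that does work; if the script passes under your own account but the STS still fails, rerun it as the application pool identity.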

  • Hi Frank,

    I forgot to mention, we spun up new servers and did a fresh Tridion Docs 14SP2 install with STS specified in the input parameters (updated parameters attached). I tried adding the thumbprint to the file you mentioned, but still get the same error in the logs.

    <param name="issuercertificatevalidationmode">
      <currentvalue>ChainTrust</currentvalue>
      <defaultvalue>PeerOrChainTrust</defaultvalue>
      <description>The validation mode specified here will decide how the application to application communication validates service certificates. The allowed options are: ChainTrust, PeerTrust, PeerOrChainTrust or None. By setting the mode to None, any certificate will be accepted.</description>
      <validate>certificatevalidationmode</validate>
    </param>

    <param name="issuerwstrustbindingtype">
      <currentvalue>UserNameMixed</currentvalue>
      <defaultvalue>WindowsMixed</defaultvalue>
      <description>Specify the binding type that is required by the end point of the WS-Trust issuer. Two valid binding types are UserNameMixed and WindowsMixed. When specifying UserNameMixed the matching input parameters issueractorusername and issueractorpassword must be set. When specifying WindowsMixed the matching input parameters issueractorusername and issueractorpassword must be empty as the principal of the service user (osuser) will be used as credentials.</description>
      <validate>wstrustbindingtype</validate>
    </param>

    <param name="issuerwstrustendpointurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wstrust/mixed/username</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wstrust/mixed/username</defaultvalue>
      <description>The WS-Trust endpoint for the Security Token Service that provides the functionality to issue tokens as specified by the issuerwstrustbindingtype. When using the built-in STS, use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/username when issuerwstrustbindingtype is UserNameMixed resulting in for example https://example.com/ISHSTS/issue/wstrust/mixed/username or when issuerwstrustbindingtype is WindowsMixed use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mixed/windows.</description>
      <validate/>
    </param>

    <param name="issuerwstrustmexurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wstrust/mex</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wstrust/mex</defaultvalue>
      <description>The WS-Trust metadata address for the Security Token Service. Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wstrust/mex resulting in for example https://example.com/ISHSTS/issue/wstrust/mex</description>
      <validate/>
    </param>

    <param name="issuerwsfederationendpointurl">
      <currentvalue>https://psdla01d-hlw-23.portal.webmd.com/ISHSTS/issue/wsfed</currentvalue>
      <defaultvalue>https://MECDVTRI17BLD.global.sdl.corp/ISHSTS/issue/wsfed</defaultvalue>
      <description>The WS-Federation endpoint for the Security Token Service that provides the functionality to issue tokens for browsers (Passive Profile). Optionally when using the built-in STS you should use the value of BASEURL/INFOSHARESTSWEBAPPNAME/issue/wsfed resulting in for example https://example.com/ISHSTS/issue/wsfed</description>
      <validate/>
    </param>

    <param name="issuerwsfederationid">
      <currentvalue>http://sdl.com/trisoft/services/trust</currentvalue>
      <defaultvalue>http://sdl.com/trisoft/services/trust</defaultvalue>
      <description>The WS-Federation identifier for the Security Token Service that provides the functionality to issue tokens for browsers (Passive Profile).</description>
      <validate/>
    </param>

    <param name="authenticationtype">
      <currentvalue>UsernamePassword</currentvalue>
      <defaultvalue>Windows</defaultvalue>
      <description>Specify the authentication type</description>
      <validate/>
    </param>

    <param name="infosharestswindowsauthenticationenabled">
      <currentvalue>False</currentvalue>
      <defaultvalue>True</defaultvalue>
      <description>Specify if the infosharests web site will enable IIS windows authentication</description>
      <validate/>
    </param>

    <param name="issuerwstrustendpointurl_normalized">
      <currentvalue>https://psdla01d-hlw-23/ISHSTS/issue/wstrust/mixed/username</currentvalue>
      <defaultvalue>https://psdla01d-hlw-23/ISHSTS/issue/wstrust/mixed/username</defaultvalue>
      <description>Indicates the ws trust endpoint. When using InfoShareSTS(same hostname as installation) then it is replaced with localhost</description>
      <validate/>
    </param>
