ID4291: The security token ‘Microsoft.IdentityModel.Tokens.SessionSecurityToken’ is not scoped to the current endpoint

Issue:

ID4291: The security token ‘Microsoft.IdentityModel.Tokens.SessionSecurityToken’ is not scoped to the current endpoint

My Web.Config:
<cookieHandler requireSsl="false" path="/" />

Environment:

Windows, ASPNet, IdentityModel, STS

Resolution:

The issue is caused by a root-path mismatch. Check the web.config of every application on the host and make sure all of them use the same path value for the cookie handler in the identity model section.

Step-by-step instructions:

  1. Open the web.config of the application in edit mode
  2. Search for "cookieHandler"
  3. Remove path="/" from the cookieHandler element:
     <cookieHandler requireSsl="false" />
  4. Save web.config and try again.
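The resolution above depends on every application on the host agreeing on the cookieHandler path. The following script, an added example that is not part of the original page, parses a set of web.config files (constructed inline here, in the .NET 4.5 <system.identityModel.services> layout; the search is by element name, so it also finds the older <microsoft.identityModel> section) and reports path mismatches, plus the requireSsl="false" setting from the page's config, which leaves the session cookie without the Secure flag. The helper names (cookie_handler, paths_consistent, findings, without_path) are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for three apps on one host.
# AppB omits path= (what the page's fix does), so its effective path
# differs from the explicit path="/" in AppA and AppC.
SAMPLE_CONFIGS = {
    "AppA/web.config": """<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" path="/" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>""",
    "AppB/web.config": """<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="false" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>""",
    "AppC/web.config": """<configuration>
  <system.identityModel.services>
    <federationConfiguration>
      <cookieHandler requireSsl="true" path="/" />
    </federationConfiguration>
  </system.identityModel.services>
</configuration>""",
}

# Marker used when path= is omitted and the framework derives it per application.
DEFAULT_PATH = "<framework default>"


def cookie_handler(config_xml):
    """Return the first <cookieHandler> element's attributes, or None if absent."""
    root = ET.fromstring(config_xml)
    el = next(root.iter("cookieHandler"), None)
    return None if el is None else dict(el.attrib)


def path_by_app(configs):
    """Map each config file to its cookieHandler path (explicit or default)."""
    result = {}
    for name, xml in configs.items():
        attrs = cookie_handler(xml)
        # None means the app has no identity-model cookie handler at all.
        result[name] = None if attrs is None else attrs.get("path", DEFAULT_PATH)
    return result


def paths_consistent(configs):
    """True when every app that has a cookieHandler uses the same path value."""
    values = {p for p in path_by_app(configs).values() if p is not None}
    return len(values) <= 1


def findings(configs):
    """Human-readable problems: path mismatches and cookies not limited to SSL."""
    out = []
    if not paths_consistent(configs):
        detail = ", ".join(f"{n}={p}" for n, p in sorted(path_by_app(configs).items()))
        out.append("cookieHandler path differs across apps (ID4291 risk): " + detail)
    for name, xml in sorted(configs.items()):
        attrs = cookie_handler(xml)
        # requireSsl defaults to true when omitted (assumed framework default).
        if attrs is not None and attrs.get("requireSsl", "true").lower() != "true":
            out.append(f"{name}: requireSsl is not true; session cookie may be sent over plain HTTP")
    return out


def without_path(config_xml):
    """Apply the page's fix: drop the explicit path attribute from cookieHandler."""
    root = ET.fromstring(config_xml)
    for el in root.iter("cookieHandler"):
        el.attrib.pop("path", None)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for line in findings(SAMPLE_CONFIGS):
        print(line)
    fixed = {n: without_path(x) for n, x in SAMPLE_CONFIGS.items()}
    print("consistent after fix:", paths_consistent(fixed))
```

Run it against real files by reading each web.config into the dictionary instead of the constructed strings; the mismatch line names the apps whose path values disagree, which is the condition the page's fix removes.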


How to Configure Web Services in Load Balancer with WCF Test Client?

Issue:

I have web services hosted in a farm environment behind a load balancer (LB), with SSL terminated at the web service tier. That is, the web service runs on port 80 only, without a certificate, and SSL is handled by the LB. I can't get it to work with wsHttpBinding. How can I get wsHttpBinding to work with a load balancer on port 80?

Flow:

LB (SSL) -> Apps (Node A/B) -> LB (SSL) -> Web Services (Node A/B on Port 80)

Environment:

Windows 10, Microsoft WCF Test Client version 12.0.*, IIS on Windows Server 2012 R2, Load Balancer

Resolution:

Since the LB terminates SSL, the web service must be hosted over http (port 80), not https, while the client still talks https to the LB. The WCF server and client settings below do that.

Step-by-step instructions:

  1. WCF Server Settings
     <system.serviceModel>
       <services>
         <service behaviorConfiguration="ServiceBehavior" name="My.Ns.WcfService">
           <clear />
           <endpoint address=""
                     binding="wsHttpBinding"
                     bindingConfiguration="wsHttpBinding_IWcfService"
                     name="IWcfServiceEndpoint"
                     bindingNamespace="https://my.domain.com/App/WcfService.svc"
                     contract="My.Ns.IWcfService">
             <identity>
               <dns value="localhost" />
             </identity>
           </endpoint>
           <endpoint address="basic"
                     binding="basicHttpBinding"
                     bindingConfiguration="basicHttpBinding_IWcfService"
                     name="basicHttpBinding"
                     bindingNamespace="https://my.domain.com/App/WcfService.svc"
                     contract="My.Ns.IWcfService">
             <identity>
               <dns value="localhost" />
             </identity>
           </endpoint>
           <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
         </service>
       </services>
       <protocolMapping>
         <add scheme="http" binding="wsHttpBinding" bindingConfiguration="wsHttpBinding_IWcfService" />
       </protocolMapping>
       <bindings>
         <wsHttpBinding>
           <binding name="wsHttpBinding_IWcfService" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
             <readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="2147483646" maxBytesPerRead="4096" maxNameTableCharCount="5242880" />
             <security mode="None">
               <transport clientCredentialType="None" />
             </security>
           </binding>
         </wsHttpBinding>
         <basicHttpBinding>
           <binding name="basicHttpBinding_IWcfService" maxBufferPoolSize="2147483647" maxReceivedMessageSize="2147483647">
             <readerQuotas maxDepth="32" maxStringContentLength="5242880" maxArrayLength="2147483646" maxBytesPerRead="4096" maxNameTableCharCount="5242880" />
             <security mode="None" />
           </binding>
         </basicHttpBinding>
       </bindings>
     </system.serviceModel>
  2. WCF Client Settings
     <system.serviceModel>
       <bindings>
         <basicHttpBinding>
           <binding name="basicHttpBinding" />
         </basicHttpBinding>
         <wsHttpBinding>
           <binding name="wsHttpBinding">
             <security mode="Transport">
               <transport clientCredentialType="None" />
             </security>
           </binding>
         </wsHttpBinding>
       </bindings>
       <client>
         <endpoint address="https://my.domain.com/App/WcfService.svc"
                   binding="wsHttpBinding" bindingConfiguration="wsHttpBinding"
                   contract="MyServiceRef.IWcfService" name="wsHttpBinding">
           <identity>
             <dns value="localhost" />
           </identity>
         </endpoint>
         <endpoint address="http://my.domain.com/App/WcfService.svc/basic"
                   binding="basicHttpBinding" bindingConfiguration="basicHttpBinding"
                   contract="MyServiceRef.IWcfService" name="basicHttpBinding" />
       </client>
     </system.serviceModel>
  3. To test service in WCF Test Client (C:\Program Files (x86)\Microsoft Visual Studio\2017\Enterprise\Common7\IDE\WcfTestClient.exe)
    1. Add service by clicking on File, Add Service
    2. Enter service URL with https, ex., https://my.domain.com/app/wcfservice.svc
    3. Right click on Config File and select Edit with SvcConfigEditor
    4. Change https to http since service is running on port 80
    5. Change security to none
    6. Click on File, Save, File, Exit, and Reload.
    7. (Alternative) Edit the Client.dll.config file directly and change https to http and security to none, as in the sample Client.dll.config under Reference below.

    8. Test your method
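The settings in steps 1 and 2 only work if each binding's security mode matches the URL scheme the endpoint is actually reached on: the node behind the LB is reached over http, so its wsHttpBinding must use mode None (or Message), while the client addresses the public https name, so its binding must use Transport. The checker below is an added example, not code from the original page; it parses server and client system.serviceModel fragments (constructed here, modelled on the page's configs with the readerQuotas trimmed) and flags scheme/mode mismatches of the kind that produce "provided URI scheme ... is invalid" errors. The function names check_server and check_client, the binding names ws and basic, and the DEFAULT_MODE table of framework defaults are the example's own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Security mode WCF applies when <security> is omitted (assumed framework defaults).
DEFAULT_MODE = {"wsHttpBinding": "Message", "basicHttpBinding": "None"}
# Security modes that are valid for a given transport scheme.
MODES_FOR_SCHEME = {
    "http": {"None", "Message"},
    "https": {"Transport", "TransportWithMessageCredential"},
}

# Constructed server config: hosted on http behind an SSL-terminating LB.
SERVER = """<system.serviceModel>
  <services>
    <service name="My.Ns.WcfService">
      <endpoint address="" binding="wsHttpBinding" bindingConfiguration="ws" name="ws" contract="My.Ns.IWcfService" />
      <endpoint address="basic" binding="basicHttpBinding" bindingConfiguration="basic" name="basic" contract="My.Ns.IWcfService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <bindings>
    <wsHttpBinding><binding name="ws"><security mode="None" /></binding></wsHttpBinding>
    <basicHttpBinding><binding name="basic"><security mode="None" /></binding></basicHttpBinding>
  </bindings>
</system.serviceModel>"""

# Constructed client config matching the page: https to the LB with Transport security.
CLIENT_OK = """<system.serviceModel>
  <bindings>
    <wsHttpBinding><binding name="ws"><security mode="Transport"><transport clientCredentialType="None" /></security></binding></wsHttpBinding>
    <basicHttpBinding><binding name="basic" /></basicHttpBinding>
  </bindings>
  <client>
    <endpoint address="https://my.domain.com/App/WcfService.svc" binding="wsHttpBinding" bindingConfiguration="ws" contract="IWcfService" name="ws" />
    <endpoint address="http://my.domain.com/App/WcfService.svc/basic" binding="basicHttpBinding" bindingConfiguration="basic" contract="IWcfService" name="basic" />
  </client>
</system.serviceModel>"""

# Constructed broken client: server-style mode None copied onto an https address.
CLIENT_BAD = CLIENT_OK.replace(
    '<security mode="Transport"><transport clientCredentialType="None" /></security>',
    '<security mode="None" />')


def binding_modes(root):
    """Map (bindingType, configName) -> effective security mode."""
    modes = {}
    for group in root.find("bindings"):
        for b in group.findall("binding"):
            sec = b.find("security")
            mode = sec.get("mode") if sec is not None else None
            modes[(group.tag, b.get("name"))] = mode or DEFAULT_MODE.get(group.tag)
    return modes


def endpoint_problems(root, endpoints, scheme_of):
    """Return one message per endpoint whose security mode cannot run on its scheme."""
    modes = binding_modes(root)
    problems = []
    for ep in endpoints:
        key = (ep.get("binding"), ep.get("bindingConfiguration"))
        if key not in modes:  # e.g. mexHttpBinding: no configurable security
            continue
        scheme, mode = scheme_of(ep), modes[key]
        if mode not in MODES_FOR_SCHEME.get(scheme, set()):
            problems.append(f"{ep.get('name')}: scheme '{scheme}' but security mode '{mode}'")
    return problems


def check_server(xml, hosted_scheme):
    """Server endpoints use relative addresses; the scheme comes from the IIS site binding."""
    root = ET.fromstring(xml)
    return endpoint_problems(root, root.findall("services/service/endpoint"),
                             lambda ep: hosted_scheme)


def check_client(xml):
    """Client endpoints carry absolute addresses; take the scheme from each URL."""
    root = ET.fromstring(xml)
    return endpoint_problems(root, root.findall("client/endpoint"),
                             lambda ep: urlsplit(ep.get("address")).scheme)


if __name__ == "__main__":
    print("server on http:", check_server(SERVER, "http") or "ok")
    print("server on https:", check_server(SERVER, "https"))
    print("client ok:", check_client(CLIENT_OK) or "ok")
    print("client bad:", check_client(CLIENT_BAD))
```

A clean result for the server on http is the expected outcome of the page's setup, and it also documents the trade-off: with mode None the hop from the LB to the node carries the SOAP traffic unencrypted, so port 80 on the nodes should only be reachable from the load balancer.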

Troubleshoot:

  1. If you get an address-no-match error, make sure your service has the [ServiceBehavior(AddressFilterMode = AddressFilterMode.Any)] attribute applied

Reference:

Sample Client.dll.config file for WCF Test Client

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.serviceModel>
        <bindings>
            <basicHttpBinding>
                <binding name="basicHttpBinding" sendTimeout="00:05:00" />
            </basicHttpBinding>
            <wsHttpBinding>
                <binding name="IWcfServiceEndpoint" sendTimeout="00:05:00">
                    <security mode="None" />
                </binding>
            </wsHttpBinding>
        </bindings>
        <client>
            <endpoint address="http://my.domain.com/app/WcfService.svc"
                binding="wsHttpBinding" bindingConfiguration="IWcfServiceEndpoint"
                contract="IWcfService" name="IWcfServiceEndpoint">
                <identity>
                    <dns value="localhost" />
                </identity>
            </endpoint>
            <endpoint address="http://my.domain.com/app/WcfService.svc/basic"
                binding="basicHttpBinding" bindingConfiguration="basicHttpBinding"
                contract="IWcfService" name="basicHttpBinding" />
        </client>
    </system.serviceModel>
</configuration>