Problem while configuring FBA using LDAP in SharePoint 2010 "The security token username and password could not be validated"

    Question

  • Hi,

    I am trying to configure Form Based authentication in SharePoint 2010 with LDAP. I have used following blog for reference:

    http://blogs.msdn.com/b/sridhara/archive/2010/01/07/setting-up-fba-claims-in-sharepoint-2010-with-active-directory-membership-provider.aspx

    Central Administration web.config Settings

    First the connection string:

    <connectionStrings>
        <add name="adconn" connectionString="LDAP://domain.com" />
    </connectionStrings>

    And then the provider:

    <membership defaultProvider="LdapMember">
      <providers>
        <add name="LdapMember"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="adconn"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    Web Application web.config Settings

    First the connection string:

    <connectionStrings>
        <add name="adconn" connectionString="LDAP://domain.com" />
    </connectionStrings>

    And then the provider:

    <membership defaultProvider="i">
      <providers>
        <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
        <add name="LdapMember"
             type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
             connectionStringName="adconn"
             enableSearchMethods="true"
             attributeMapUsername="sAMAccountName" />
      </providers>
    </membership>

    STS Application web.config Settings

    <connectionStrings>
        <add name="adconn" connectionString="LDAP://domain.com" />
    </connectionStrings>

    <system.web>
      <membership defaultProvider="LdapMember">
        <providers>
          <add name="LdapMember"
               type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
               connectionStringName="adconn"
               enableSearchMethods="true"
               attributeMapUsername="sAMAccountName" />
        </providers>
      </membership>
    </system.web>

    I have tested "domain.com" with the ldp tool and it is correct. While adding users in "User Policy" of the web application in Central Administration, the user is not being retrieved from Forms auth but only from Active Directory.

    Also, I am getting this error when trying to login using my domain\username and NT Password to the FBA site collection.

    SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).      

    Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
        at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
        at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
    dcdb66f1-0812-4034-a58f-be0062cf9691

    An exception occurred when trying to issue security token: The security token username and password could not be validated..  dcdb66f1-0812-4034-a58f-be0062cf9691

    Wednesday, March 14, 2012 3:47 PM

All replies

  • Hi,

    In addition to above requirement, is it possible to authenticate using email address and NT Password instead of NT ID in SharePoint 2010 default log in page? What additional changes will be required?

    Thanks in advance!

    Regards

    Lost Translator


    Thursday, March 15, 2012 6:32 AM
  • Could you please try the LDAP connection string connectionString="LDAP://domain.com/DC=domain,DC=com"?

    Friday, March 16, 2012 6:52 AM
  • To use the email address as the login name, please try attributeMapUsername="theFieldWhereYourEmailAddress". Please refer to http://msdn.microsoft.com/en-us/library/ff650308.aspx#paght000026_configurationattributes.

    You can use tools such as ADSIEdit to find out the field name where email address is stored.

    Friday, March 16, 2012 7:58 AM
  • Thanks GuYuming. Tried connectionString="LDAP://domain.com/DC=domain,DC=com" as well. No luck.

    Once it starts working I will try the email attribute as well. Thanks again for your response.

    Regards

    LostTranslator

    Friday, March 16, 2012 8:46 AM
  • Hi,

    Another update. When I try to access the "http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc" security token web service, I get this error message:

    An ExceptionDetail, likely created by IncludeExceptionDetailInFaults=true, whose value is:
    System.InvalidOperationException: An exception was thrown in a call to a policy export extension.
    Extension: System.ServiceModel.Channels.TransportSecurityBindingElement
    Error: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface. ----> System.InvalidOperationException: Security policy export failed. The binding contains a TransportSecurityBindingElement but no transport binding element that implements ITransportTokenAssertionProvider. Policy export for such a binding is not supported. Make sure the transport binding element in the binding implements the ITransportTokenAssertionProvider interface.
       at System.ServiceModel.Channels.TransportSecurityBindingElement.System.ServiceModel.Description.IPolicyExportExtension.ExportPolicy(MetadataExporter exporter, PolicyConversionContext policyContext)
       at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
       --- End of inner ExceptionDetail stack trace ---
       at System.ServiceModel.Description.MetadataExporter.ExportPolicy(ServiceEndpoint endpoint)
       at System.ServiceModel.Description.WsdlExporter.ExportEndpoint(ServiceEndpoint endpoint, XmlQualifiedName wsdlServiceQName)
       at System.ServiceModel.Description.WsdlExporter.ExportEndpoints(IEnumerable`1 endpoints, XmlQualifiedName wsdlServiceQName)
       at System.ServiceModel.Description.ServiceMetadataBehavior.MetadataExtensionInitializer.GenerateMetadata()
       at System.ServiceModel.Description.ServiceMetadataExtension.EnsureInitialized()
       at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.InitializationData.InitializeFrom(ServiceMetadataExtension extension)
       at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.GetInitData()
       at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.TryHandleDocumentationRequest(Message httpGetRequest, String[] queries, Message& replyMessage)
       at System.ServiceModel.Description.ServiceMetadataExtension.HttpGetImpl.ProcessHttpRequest(Message httpGetRequest)
       at SyncInvokeGet(Object , Object[] , Object[] )
       at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]& outputs)
       at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc& rpc)
       at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)

    Would this help to figure out the problem?

    Thanks in advance!

    Friday, March 16, 2012 12:32 PM
  • Thanks for your response Lhan Han. STS web.config has default setting and has not been changed.

    Also SSL is not being used. Here is the STS web.config:

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.serviceModel>


        <!-- Behavior List: -->
        <behaviors>
          <serviceBehaviors>
            <behavior name="SecurityTokenServiceBehavior" >
              <!-- The serviceMetadata behavior allows one to enable metadata (endpoints, bindings, services) publishing.
                   This configuration enables publishing of such data over HTTP GET.
                   This does not include metadata about the STS itself such as Claim Types, Keys and other elements to establish a trust.
              -->
              <serviceMetadata httpGetEnabled="true" />
              <serviceDebug includeExceptionDetailInFaults="true" />
              <!-- Default WCF throttling limits are too low -->
              <serviceThrottling maxConcurrentCalls="65536" maxConcurrentSessions="65536" maxConcurrentInstances="65536" />


            </behavior>
          </serviceBehaviors>
        </behaviors>


        <!-- Service List: -->
        <services>
          <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
                   behaviorConfiguration="SecurityTokenServiceBehavior" >
            <!-- This is the HTTP endpoint that supports clients requesing tokens. This endpoint uses the default 
                 standard ws2007HttpBinding which requires that clients authenticate using their Windows credentials. -->
            <endpoint
              address=""
              binding="customBinding"
              bindingConfiguration="spStsBinding"
              contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />


            <!-- This is the HTTP endpoint that supports clients requesting service tokens. -->
            <endpoint
              name ="ActAs"
              address="actas"
              binding="customBinding"
              bindingConfiguration="spStsActAsBinding"
              contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />


            <!-- This is the HTTP endpoint that supports IMetadataExchange. -->
            <endpoint address="mex"
                      binding="mexHttpBinding"
                      contract="IMetadataExchange" />
          </service>
          <service name="Microsoft.SharePoint.Administration.Claims.SPWindowsTokenCacheService">
            <endpoint address=""
                      binding="customBinding"
                      bindingConfiguration="SPWindowsTokenCacheServiceHttpsBinding"
                      contract="Microsoft.SharePoint.Administration.Claims.ISPWindowsTokenCacheServiceContract" />
          </service>
        </services>


        <!-- Binding List: -->
        <bindings>
          <customBinding>
            <binding
              name="spStsBinding">
              <binaryMessageEncoding>
                <readerQuotas
                  maxStringContentLength="1048576"
                  maxArrayLength="2097152"/>
              </binaryMessageEncoding>
              <httpTransport
                maxReceivedMessageSize="2162688"
                authenticationScheme="Negotiate"
                useDefaultWebProxy="false" />
            </binding>
            <binding
              name="spStsActAsBinding">
              <security
                authenticationMode="SspiNegotiatedOverTransport"
                allowInsecureTransport="true"
                defaultAlgorithmSuite="Basic256Sha256"
                messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12" />
              <binaryMessageEncoding>
                <readerQuotas
                  maxStringContentLength="1048576"
                  maxArrayLength="2097152"/>
              </binaryMessageEncoding>
              <httpTransport
                maxReceivedMessageSize="2162688"
                authenticationScheme="Negotiate"
                useDefaultWebProxy="false"/>
            </binding>
            <binding name="SPWindowsTokenCacheServiceHttpsBinding">
              <security authenticationMode="IssuedTokenOverTransport" />
              <textMessageEncoding>
                <readerQuotas maxStringContentLength="1048576" maxArrayLength="2097152"/>
              </textMessageEncoding>
              <httpsTransport maxReceivedMessageSize="2162688" authenticationScheme="Anonymous" useDefaultWebProxy="false" />
            </binding>
          </customBinding>
        </bindings>
      </system.serviceModel>
      <system.webServer>
        <security>
          <authentication>
            <anonymousAuthentication enabled="true" />
            <windowsAuthentication enabled="true">
              <providers>
                <clear />
                <add value="Negotiate" />
                <add value="NTLM" />
              </providers>
            </windowsAuthentication>
          </authentication>
        </security>
        <modules>
          <add name="WindowsAuthenticationModule" />
        </modules>
      </system.webServer>
      <system.net>
        <connectionManagement>
          <add address="*" maxconnection="10000" />
        </connectionManagement>
      </system.net>








      <connectionStrings>
        <add name="adconn" connectionString="LDAP://domain.com/DC=domain,DC=com" />
      </connectionStrings>


      <system.web>
        <membership defaultProvider="LdapMember">
          <providers>
            <add name="LdapMember"
                 type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
                 connectionStringName="adconn"
                 enableSearchMethods="true"
                 attributeMapUsername="userPrincipalName"               
                />
          </providers>
        </membership>
      </system.web>
    </configuration>

    Regards

    Manisha

    Tuesday, March 20, 2012 7:02 AM
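    The three fragments posted in this thread are meant to describe the same LDAP provider, so a quick offline cross-check of Central Administration, the web application and the STS web.config is a useful step before digging into ULS or WCF traces. The script below is an added example (not code from the thread or from SharePoint) and works on constructed, trimmed copies of the posted fragments; it reports where the provider name, the connection string referenced by connectionStringName, the web application's defaultProvider, and attributeMapUsername disagree. The `fragment` builder, the file labels and the finding texts are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Assembly-qualified provider type exactly as it appears in the thread's configs.
AD_PROVIDER = ("System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, "
               "Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a")


def fragment(default_provider, ldap_url, attr_map, claims_provider=False):
    """Build a minimal web.config (constructed for this example) with one
    connection string and one ActiveDirectoryMembershipProvider entry;
    claims_provider=True also adds SharePoint's own 'i' provider, as in a
    claims web application."""
    claims = ('<add name="i" type="Microsoft.SharePoint.Administration.Claims.'
              'SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, '
              'Culture=neutral, PublicKeyToken=71e9bce111e9429c" />'
              if claims_provider else "")
    return f"""<configuration>
  <connectionStrings>
    <add name="adconn" connectionString="{ldap_url}" />
  </connectionStrings>
  <system.web>
    <membership defaultProvider="{default_provider}">
      <providers>
        {claims}
        <add name="LdapMember" type="{AD_PROVIDER}" connectionStringName="adconn"
             enableSearchMethods="true" attributeMapUsername="{attr_map}" />
      </providers>
    </membership>
  </system.web>
</configuration>"""


# The three fragments as posted in the thread: sAMAccountName in Central
# Administration and the web application, userPrincipalName and a longer
# LDAP path in the STS.
CONFIGS = {
    "CentralAdmin": fragment("LdapMember", "LDAP://domain.com", "sAMAccountName"),
    "WebApp": fragment("i", "LDAP://domain.com", "sAMAccountName", claims_provider=True),
    "STS": fragment("LdapMember", "LDAP://domain.com/DC=domain,DC=com", "userPrincipalName"),
}


def parse_membership(xml_text):
    """Return the connection strings, default provider and membership
    providers of one web.config."""
    root = ET.fromstring(xml_text)
    conns = {a.get("name"): a.get("connectionString")
             for a in root.findall("./connectionStrings/add")}
    membership = root.find(".//membership")
    if membership is None:
        return {"connections": conns, "default": None, "providers": {}}
    providers = {a.get("name"): dict(a.attrib) for a in membership.findall("providers/add")}
    return {"connections": conns, "default": membership.get("defaultProvider"),
            "providers": providers}


def check_fba_configs(configs, provider="LdapMember", web_app="WebApp"):
    """Cross-check the fragments; an empty list means they agree."""
    parsed = {name: parse_membership(text) for name, text in configs.items()}
    findings, ldap_urls, user_attrs = [], {}, {}
    for name, cfg in parsed.items():
        prov = cfg["providers"].get(provider)
        if prov is None:
            findings.append(f"{name}: membership provider '{provider}' is not defined")
            continue
        cs_name = prov.get("connectionStringName")
        if cs_name not in cfg["connections"]:
            findings.append(f"{name}: connectionStringName '{cs_name}' has no "
                            "<connectionStrings> entry")
        else:
            ldap_urls[name] = cfg["connections"][cs_name]
        # ActiveDirectoryMembershipProvider defaults to userPrincipalName when
        # attributeMapUsername is omitted, so treat a missing attribute as that.
        user_attrs[name] = prov.get("attributeMapUsername", "userPrincipalName")
    # A claims web application keeps SharePoint's own provider 'i' as default;
    # the LDAP provider is referenced by name from the authentication settings.
    if web_app in parsed and parsed[web_app]["default"] != "i":
        findings.append(f"{web_app}: defaultProvider is '{parsed[web_app]['default']}', "
                        "expected 'i'")
    # The STS is what validates the password, so its LDAP path and username
    # attribute must match what the web application and Central Admin use.
    for label, values in (("connectionString", ldap_urls), ("attributeMapUsername", user_attrs)):
        if len(set(values.values())) > 1:
            detail = ", ".join(f"{k}={v}" for k, v in sorted(values.items()))
            findings.append(f"{label} differs across files: {detail}")
    return findings


if __name__ == "__main__":
    for line in check_fba_configs(CONFIGS) or ["no inconsistencies found"]:
        print(line)
```

    Run against the thread's fragments, the check reports two disagreements (the STS connection string and its attributeMapUsername differ from the other two files); whether either is the cause of the "could not be validated" fault is for the thread to establish, but a user entered as domain\user, user@domain.com or a bare sAMAccountName only validates against the attribute the STS is actually configured with.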
  • We're having the same issue.  Appears to be an issue with securitytokenserviceapplication in SharePoint Web Services sites as it fails when accessing that service (as you had mentioned): http://<your localhost>/SecurityTokenServiceApplication/securitytoken.svc

    Any updates?

    Thank you

    Monday, April 09, 2012 12:54 AM
  • You may enable WCF tracing with svcconfigeditor and view the trace log with svctraceviewer (http://blogs.msdn.com/b/madhuponduru/archive/2006/05/18/601458.aspx).

    Or, did you get the same error detail as lost.translator86 described above? where did you get the error detail? In the ULS log?

    Monday, April 09, 2012 1:49 AM
  • If you mean the same error message as above, please refer to http://blogs.msdn.com/b/distributedservices/archive/2010/05/13/wcf-and-intermediate-devices.aspx:

    There is a hotfix(http://support.microsoft.com/kb/971831) available for .net framework 3.5 SP1 that adds an AllowInsecureTransport property in the SecurityBindingElement class that allows mixed-mode secured messages to be sent over an unsecured transport such as HTTP.

    There is however one aspect that doesn’t work using the approach above and that is the wsdl support. Browsing to the service with wsdl enabled throws the following exception.

    NOTE: This binding works fine at runtime, clients can invoke it and it works fine, the only problem is with generating the wsdl for the service.

    Monday, April 09, 2012 2:03 AM
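    The policy-export exception posted earlier in the thread and the explanation above describe one configuration pattern: a customBinding whose <security> element (here SspiNegotiatedOverTransport with allowInsecureTransport="true") sits on plain httpTransport while the service behavior has serviceMetadata httpGetEnabled="true". The script below is an added example (not code from the thread or from SharePoint) that reads a trimmed, constructed copy of the STS web.config posted above and flags exactly that pattern, so an administrator can tell a WSDL-only failure apart from a runtime one and see which endpoints exchange tokens without TLS. The function name, labels and finding texts are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed for this example: the <system.serviceModel> section of the STS
# web.config posted in the thread, trimmed to the elements the check reads.
STS_CONFIG = """<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="SecurityTokenServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="true" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    <services>
      <service name="Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract"
               behaviorConfiguration="SecurityTokenServiceBehavior">
        <endpoint address="" binding="customBinding" bindingConfiguration="spStsBinding"
                  contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <endpoint name="ActAs" address="actas" binding="customBinding"
                  bindingConfiguration="spStsActAsBinding"
                  contract="Microsoft.IdentityModel.Protocols.WSTrust.IWSTrust13SyncContract" />
        <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
      </service>
    </services>
    <bindings>
      <customBinding>
        <binding name="spStsBinding">
          <binaryMessageEncoding />
          <httpTransport authenticationScheme="Negotiate" />
        </binding>
        <binding name="spStsActAsBinding">
          <security authenticationMode="SspiNegotiatedOverTransport" allowInsecureTransport="true" />
          <binaryMessageEncoding />
          <httpTransport authenticationScheme="Negotiate" />
        </binding>
      </customBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""


def audit_sts_bindings(xml_text):
    """Return findings for customBinding endpoints that layer WCF message
    security (a <security> element) on top of plain httpTransport."""
    root = ET.fromstring(xml_text)
    sm = next(child for child in root if child.tag == "system.serviceModel")
    # Behaviors that publish WSDL over HTTP GET; that is where policy export runs.
    wsdl_behaviors = {
        b.get("name") for b in sm.findall("behaviors/serviceBehaviors/behavior")
        if any(m.get("httpGetEnabled", "false").lower() == "true"
               for m in b.findall("serviceMetadata"))}
    bindings = {b.get("name"): b for b in sm.findall("bindings/customBinding/binding")}
    findings = []
    for svc in sm.findall("services/service"):
        publishes_wsdl = svc.get("behaviorConfiguration") in wsdl_behaviors
        for ep in svc.findall("endpoint"):
            if ep.get("binding") != "customBinding":
                continue
            label = f"{svc.get('name')} [{ep.get('address') or '/'}]"
            binding = bindings.get(ep.get("bindingConfiguration"))
            if binding is None:
                findings.append(f"{label}: bindingConfiguration "
                                f"'{ep.get('bindingConfiguration')}' is not defined")
                continue
            security = binding.find("security")
            plain_http = (binding.find("httpTransport") is not None
                          and binding.find("httpsTransport") is None)
            if security is None or not plain_http:
                continue
            # allowInsecureTransport="true" is what lets the mixed-mode binding
            # start over HTTP at all; the token exchange then has no TLS.
            if security.get("allowInsecureTransport", "false").lower() == "true":
                findings.append(f"{label}: message security with allowInsecureTransport=\"true\" "
                                "over httpTransport; the token exchange is not protected by TLS")
            # httpTransport does not implement ITransportTokenAssertionProvider,
            # so metadata export for this endpoint throws; runtime calls still work.
            if publishes_wsdl:
                findings.append(f"{label}: serviceMetadata httpGetEnabled=\"true\" but WSDL "
                                "export fails for a TransportSecurityBindingElement over "
                                "httpTransport; use httpsTransport or disable metadata publishing")
    return findings


if __name__ == "__main__":
    for line in audit_sts_bindings(STS_CONFIG) or ["no findings"]:
        print(line)
```

    On the posted configuration only the actas endpoint is reported, which matches the thread: the root endpoint has no <security> element, and the failure seen when browsing securitytoken.svc is the metadata path, not token issuance itself.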