Symptoms

During a WS-Federation passive sign-in request to a WIF-protected web application, WIF throws an exception on the web server. When WIF tracing is enabled, the following exception is found in the service trace:

<Exception>
<ExceptionType>System.Security.Cryptography.CryptographicException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>ID6018: Digest verification failed for reference '#_1d261dc4-e81e-47d0-abd3-a0c737939e55'.</Message>
<StackTrace>
at Microsoft.IdentityModel.Protocols.XmlSignature.Reference.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource)
at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource)
at Microsoft.IdentityModel.Protocols.XmlSignature.SignedInfo.EnsureDigestValidity(String id, Object resolvedXmlSource)
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
at System.Web.HttpApplication.ApplicationStepManager.ResumeSteps(Exception error)
at System.Web.HttpApplication.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
at System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr)
at System.Web.HttpRuntime.ProcessRequestNoDemand(HttpWorkerRequest wr)
at System.Web.Hosting.ISAPIRuntime.ProcessRequest(IntPtr ecb, Int32 iWRType)
</StackTrace>
<ExceptionString>System.Security.Cryptography.CryptographicException: ID6018: Digest verification failed for reference '#_1d261dc4-e81e-47d0-abd3-a0c737939e55'.</ExceptionString>
</Exception>

Note: The reference ID in the message changes each time the exception is thrown, because it is the AssertionID of the SAML assertion issued by the STS, and every assertion carries a unique ID.

Cause

Something is happening to the SAML assertion in transit. When WIF receives a signed SAML assertion, it computes a digest over the assertion and compares it with the DigestValue carried in the assertion's signature. In this case the digests do not match because something about the assertion changed after the STS signed it and before WIF parsed it; any modification of the signed content, even a single character, produces a different digest.

In my specific case, the WIF-protected web application was published via ISA Server. The ISA publishing rule had "Apply Link Translation to this rule" enabled, an option located on the Link Translation tab of the publishing rule.
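To make the cause concrete, here is an added Python example (not part of the original article, and not WIF's code) that performs the digest-reference comparison the trace shows failing, on a constructed SAML 1.1 assertion, and then shows that a proxy rewriting a hostname in transit, as link translation does, makes that comparison fail. It simplifies in two ways: only the digest reference is checked (no SignatureValue or key), and Python's built-in C14N 2.0 stands in for the Exclusive C14N that WIF applies.

```python
"""Digest-reference check behind ID6018 and how an in-transit rewrite breaks it.
Constructed: digest only (no SignatureValue/key); C14N 2.0 stands in for WIF's Exclusive C14N."""
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Constructed SAML 1.1 assertion; the Audience URL is what link translation would rewrite.
ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML}" Issuer="https://sts.corp.example" '
    'AssertionID="_1d261dc4-e81e-47d0-abd3-a0c737939e55">'
    "<saml:Conditions><saml:AudienceRestrictionCondition>"
    "<saml:Audience>https://app.corp.example/</saml:Audience>"
    "</saml:AudienceRestrictionCondition></saml:Conditions></saml:Assertion>"
)

def assertion_digest(xml_text: str) -> str:
    """Enveloped-signature transform (drop ds:Signature), canonicalize, SHA-256."""
    root = ET.fromstring(xml_text)
    for sig in root.findall(f"{{{DS}}}Signature"):
        root.remove(sig)
    c14n = ET.canonicalize(ET.tostring(root, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()

def add_digest_reference(xml_text: str) -> str:
    """STS side: append a ds:Signature whose Reference carries the digest."""
    root = ET.fromstring(xml_text)
    sig_xml = (
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
        f'<ds:Reference URI="#{root.get("AssertionID")}">'
        f"<ds:DigestValue>{assertion_digest(xml_text)}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo></ds:Signature>"
    )
    root.append(ET.fromstring(sig_xml))
    return ET.tostring(root, encoding="unicode")

def verify_digest_reference(signed_xml: str) -> bool:
    """Relying-party side: the comparison that fails with ID6018 in WIF."""
    root = ET.fromstring(signed_xml)
    path = f"{{{DS}}}Signature/{{{DS}}}SignedInfo/{{{DS}}}Reference/{{{DS}}}DigestValue"
    carried = root.find(path)
    return carried is not None and carried.text == assertion_digest(signed_xml)

def link_translate(body: str, internal_host: str, external_host: str) -> str:
    """Stand-in for a publishing proxy rewriting internal hostnames in transit."""
    return body.replace(internal_host, external_host)
```

Run verify_digest_reference on the output of add_digest_reference directly and it passes; run it on the same assertion after link_translate has swapped the internal hostname for the published one and it fails, which is exactly the situation the trace records.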

Resolution

1. Eliminate the entity in the middle that is modifying the assertion

2. Reconfigure the entity in the middle so that it no longer modifies the assertion

Option 2 was the resolution in my case. Specifically, we disabled "Apply Link Translation to this rule" in ISA Server.

More Information

Link Translation Concepts in ISA Server 2006 - http://technet.microsoft.com/en-us/library/bb794742.aspx