Kerberos delegation + FIM 2010 workflow approval programmatically

  • Question

  • I am trying to do a FIM approval workflow programmatically. If I do not apply a Kerberos token, the approval goes through without a problem. Once I apply Kerberos credentials to the web service, I get the following error message:

    System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
       at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
       --- End of inner exception stack trace ---
    Server stack trace:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.ResourceManagement.Client.WsTransfer.IResourceFactory.Create(Message request)
       at Microsoft.ResourceManagement.Client.WsTransfer.WsTransferFactoryClient.<>c__DisplayClass1.<Create>b__0(IResourceFactory channel)
       at Microsoft.ResourceManagement.Client.ClientBaseExtension.CallChannelMethod[TChannel](ClientBase`1 client, Func`2 method)
       at Microsoft.ResourceManagement.Client.WsTransfer.WsTransferFactoryClient.Create(Message request)
       at Microsoft.ResourceManagement.Client.WsTransfer.WsTransferFactoryClient.Approve(RmApproval approval, Boolean isApproved)
       at Microsoft.ResourceManagement.Client.DefaultClient.Approve(RmApproval approval, Boolean isApproved, String approvalConfiguration)
       at Microsoft.ResourceManagement.Client.DefaultClient.Approve(RmApproval approval, Boolean isApproved)
       at Extranet.UserManagement.umUser.setDualAuth(String messageGuid, Boolean dualAuth, String reason)

    Please Help?

    Wednesday, July 25, 2012 9:07 PM

All replies

  • I think you should start with general infrastructure troubleshooting for Kerberos in your infrastructure to check if it works correctly or not.
    Thursday, July 26, 2012 8:00 AM
  • It looks like you're trying to use the FIM Client on CodePlex (http://fim2010client.codeplex.com/) to approve a request.

    You might have more luck posting your issue to that CodePlex project.


    CraigMartin – Edgile, Inc. – http://identitytrench.com

    Thursday, July 26, 2012 4:20 PM