Posted to users@cxf.apache.org by "niranjana.murthy" <ni...@gmail.com> on 2015/06/11 13:27:09 UTC

Calling kerberosmixed endpoint on ADFS

Hi,
     I am trying to get a delegation token (SAML) from Microsoft ADFS by
invoking the kerberosmixed endpoint. Although the request is successfully
generated, ADFS rejects it with the following message: "An error occurred when
verifying security for the message."

Here is the policy for that endpoint
policy.txt <http://cxf.547215.n5.nabble.com/file/n5758202/policy.txt>  

Endpoint
"https://server/adfs/services/trust/13/kerberosmixed"

Most likely the signature in the SOAP request is invalid or not accepted by
ADFS. Is there any documentation on how to sign the SOAP request using a
GSS-API Kerberos ticket?



--
View this message in context: http://cxf.547215.n5.nabble.com/Calling-kerberosmixed-endpoint-on-ADFS-tp5758202.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Calling kerberosmixed endpoint on ADFS

Posted by Colm O hEigeartaigh <co...@apache.org>.
This policy does not look right, try removing it:

<KeyValueToken IncludeToken="" Optional="">
    <Policy />
</KeyValueToken>

Colm.



On Fri, Jun 12, 2015 at 1:09 PM, niranjana.murthy <
niranjana.billappa@gmail.com> wrote:

> I tried with cxf 3.0.1 and ran into some other errors. I have attached my
> policy file as well. Please suggest.
>
>
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
> WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication registered.
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
> WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken registered.
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
> WARNING: No assertion builder for type KeyValueToken registered.
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async_policy':Invalid Policy
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async1_policy':Invalid Policy
> Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async1_policy':Invalid Policy
>
> server-wsdl.wsdl <http://cxf.547215.n5.nabble.com/file/n5758256/server-wsdl.wsdl>
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
> 	at org.apache.cxf.ws.policy.EndpointPolicyImpl.chooseAlternative(EndpointPolicyImpl.java:166)
> 	at org.apache.cxf.ws.policy.EndpointPolicyImpl.finalizeConfig(EndpointPolicyImpl.java:145)
> 	at org.apache.cxf.ws.policy.EndpointPolicyImpl.initialize(EndpointPolicyImpl.java:141)
> 	at org.apache.cxf.ws.policy.PolicyEngineImpl.createEndpointPolicyInfo(PolicyEngineImpl.java:584)
> 	at org.apache.cxf.ws.policy.PolicyEngineImpl.getEndpointPolicy(PolicyEngineImpl.java:313)
> 	at org.apache.cxf.ws.policy.PolicyEngineImpl.getClientEndpointPolicy(PolicyEngineImpl.java:294)
> 	at org.apache.cxf.ws.policy.PolicyDataEngineImpl.getClientEndpointPolicy(PolicyDataEngineImpl.java:61)
> 	at org.apache.cxf.transport.http.HTTPConduit.updateClientPolicy(HTTPConduit.java:316)
> 	at org.apache.cxf.transport.http.HTTPConduit.getClient(HTTPConduit.java:850)
> 	at org.apache.cxf.transport.http.HTTPConduit.configureConduitFromEndpointInfo(HTTPConduit.java:347)
> 	at org.apache.cxf.transport.http.HTTPConduit.finalizeConfig(HTTPConduit.java:427)
> 	at org.apache.cxf.transport.http.HTTPTransportFactory.getConduit(HTTPTransportFactory.java:242)
> 	at org.apache.cxf.binding.soap.SoapTransportFactory.getConduit(SoapTransportFactory.java:222)
> 	at org.apache.cxf.binding.soap.SoapTransportFactory.getConduit(SoapTransportFactory.java:229)
> 	at org.apache.cxf.endpoint.AbstractConduitSelector.createConduit(AbstractConduitSelector.java:145)
> 	at org.apache.cxf.endpoint.AbstractConduitSelector.getSelectedConduit(AbstractConduitSelector.java:107)
> 	at org.apache.cxf.endpoint.UpfrontConduitSelector.selectConduit(UpfrontConduitSelector.java:77)
> 	at org.apache.cxf.endpoint.ClientImpl.getConduit(ClientImpl.java:845)
> 	at org.apache.cxf.ws.security.trust.AbstractSTSClient.findOperation(AbstractSTSClient.java:681)
> 	at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:716)
> 	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> 	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> 	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> 	at com.mmodal.mmnet.impl.TokenFactoryImpl.getUsernameBasedToken(TokenFactoryImpl.java:269)



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
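
An added example, not code from the thread or from CXF: it reads the "No assertion builder" warnings, picks out the assertion that carries no namespace, and removes it from a local policy copy as the reply above suggests. The surrounding policy fragment and its two namespaces are constructed for illustration; only the KeyValueToken element is taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: three warnings from the thread's log, one per line.
SAMPLE_LOG = """\
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication registered.
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken registered.
WARNING: No assertion builder for type KeyValueToken registered.
"""

# Constructed policy fragment; only the KeyValueToken element comes from the thread.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
SAMPLE_POLICY = f"""\
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:EndorsingSupportingTokens>
    <wsp:Policy>
      <KeyValueToken IncludeToken="" Optional=""><Policy /></KeyValueToken>
    </wsp:Policy>
  </sp:EndorsingSupportingTokens>
</wsp:Policy>
"""

# \s+ also matches newlines, so a hard-wrapped log message still parses.
NO_BUILDER = re.compile(r"No assertion builder for type\s+(\S+)\s+registered")


def unregistered_types(log_text):
    """Return the assertion QNames CXF had no builder for, in {namespace}local form."""
    return NO_BUILDER.findall(log_text)


def strip_assertions(policy_xml, tags):
    """Remove elements whose {namespace}local tag is in `tags`; return (xml, count)."""
    ET.register_namespace("wsp", WSP)
    ET.register_namespace("sp", SP)
    root = ET.fromstring(policy_xml)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in tags:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Per the reply, prune only the assertion that carries no namespace at all.
    bare = {t for t in unregistered_types(SAMPLE_LOG) if not t.startswith("{")}
    cleaned, count = strip_assertions(SAMPLE_POLICY, bare)
    print(f"removed {count} element(s): {sorted(bare)}")
    print(cleaned)
```

Pruning an assertion from a local copy of the WSDL only changes what the CXF client tries to build; ADFS still applies its own policy to the incoming message.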

Re: Calling kerberosmixed endpoint on ADFS

Posted by "niranjana.murthy" <ni...@gmail.com>.
I tried with cxf 3.0.1 and ran into some other errors. I have attached my
policy file as well. Please suggest.


Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication registered.
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken registered.
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type KeyValueToken registered.
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async_policy':Invalid Policy
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async1_policy':Invalid Policy
Jun 12, 2015 5:33:54 PM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async1_policy':Invalid Policy

server-wsdl.wsdl <http://cxf.547215.n5.nabble.com/file/n5758256/server-wsdl.wsdl>

Caused by: org.apache.cxf.ws.policy.PolicyException: None of the policy alternatives can be satisfied.
	at org.apache.cxf.ws.policy.EndpointPolicyImpl.chooseAlternative(EndpointPolicyImpl.java:166)
	at org.apache.cxf.ws.policy.EndpointPolicyImpl.finalizeConfig(EndpointPolicyImpl.java:145)
	at org.apache.cxf.ws.policy.EndpointPolicyImpl.initialize(EndpointPolicyImpl.java:141)
	at org.apache.cxf.ws.policy.PolicyEngineImpl.createEndpointPolicyInfo(PolicyEngineImpl.java:584)
	at org.apache.cxf.ws.policy.PolicyEngineImpl.getEndpointPolicy(PolicyEngineImpl.java:313)
	at org.apache.cxf.ws.policy.PolicyEngineImpl.getClientEndpointPolicy(PolicyEngineImpl.java:294)
	at org.apache.cxf.ws.policy.PolicyDataEngineImpl.getClientEndpointPolicy(PolicyDataEngineImpl.java:61)
	at org.apache.cxf.transport.http.HTTPConduit.updateClientPolicy(HTTPConduit.java:316)
	at org.apache.cxf.transport.http.HTTPConduit.getClient(HTTPConduit.java:850)
	at org.apache.cxf.transport.http.HTTPConduit.configureConduitFromEndpointInfo(HTTPConduit.java:347)
	at org.apache.cxf.transport.http.HTTPConduit.finalizeConfig(HTTPConduit.java:427)
	at org.apache.cxf.transport.http.HTTPTransportFactory.getConduit(HTTPTransportFactory.java:242)
	at org.apache.cxf.binding.soap.SoapTransportFactory.getConduit(SoapTransportFactory.java:222)
	at org.apache.cxf.binding.soap.SoapTransportFactory.getConduit(SoapTransportFactory.java:229)
	at org.apache.cxf.endpoint.AbstractConduitSelector.createConduit(AbstractConduitSelector.java:145)
	at org.apache.cxf.endpoint.AbstractConduitSelector.getSelectedConduit(AbstractConduitSelector.java:107)
	at org.apache.cxf.endpoint.UpfrontConduitSelector.selectConduit(UpfrontConduitSelector.java:77)
	at org.apache.cxf.endpoint.ClientImpl.getConduit(ClientImpl.java:845)
	at org.apache.cxf.ws.security.trust.AbstractSTSClient.findOperation(AbstractSTSClient.java:681)
	at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:716)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
	at com.mmodal.mmnet.impl.TokenFactoryImpl.getUsernameBasedToken(TokenFactoryImpl.java:269)



--
View this message in context: http://cxf.547215.n5.nabble.com/Calling-kerberosmixed-endpoint-on-ADFS-tp5758202p5758256.html

Re: Calling kerberosmixed endpoint on ADFS

Posted by Colm O hEigeartaigh <co...@apache.org>.
Try using a more recent version of CXF, 2.7.3 is quite old.

Colm.

On Thu, Jun 11, 2015 at 12:28 PM, niranjana.murthy <
niranjana.billappa@gmail.com> wrote:

> I use cxf version 2.7.3 and jdk1.7.45



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Calling kerberosmixed endpoint on ADFS

Posted by "niranjana.murthy" <ni...@gmail.com>.
I use cxf version 2.7.3 and jdk1.7.45



--
View this message in context: http://cxf.547215.n5.nabble.com/Calling-kerberosmixed-endpoint-on-ADFS-tp5758202p5758203.html