RequestSecurityToken from STS and post it to my website

Question

My web site implements AD FS based authentication. Now I need to programmatically access my web site through a client. My client should request the security token from the ADFS server using the currently logged on user's context. I have been successfully able to request the security token from the adfs/services/trust/13/usernamemixed endpoint using username and password from the client and post it to my website.

What is not working for me is requesting the same token from the adfs/services/trust/13/windowsmixed endpoint using the DefaultNetworkCredentials. I get the error The HTTP request was forbidden with client authentication scheme 'Anonymous'.. I am using Microsoft.IdentityModel SDK (instead of System.IdentityModel in .NET 4.5).

Here's a snippet of my code.

  factory = new MSWSTrustChannelFactory(
  new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
                    stsUrl);

  factory.TrustVersion = TrustVersion.WSTrust13;

  factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

  var rst = new RequestSecurityToken
  {
      RequestType = RequestTypes.Issue,
      AppliesTo = new EndpointAddress(realm),
      KeyType = KeyTypes.Bearer,
      RequestDisplayToken = true
  };

  MSIWSTrustChannelContract channel = factory.CreateChannel();
  RequestSecurityTokenResponse rstr;
  SecurityToken token = channel.Issue(rst, out rstr);

I don't have any control on the ADFS server and can't debug what is going wrong from there. Whatever I can do is only from the client end. Any idea what is going wrong with my code above? Any help or pointers are greatly appreciated.

Answer 1

I think you need to set establishSecurityContext of message security as FALSE
binding.Security.Message.EstablishSecurityContext = false;

Following code works for me .

            WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
            binding.Security.Message.EstablishSecurityContext = false;               
            binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
            if (isWindowsUser)
            {
                binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
                ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/windowsmixed");                    
            }
            else
            {
                binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
                ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/usernamemixed");                    
            }
            factory = new WSTrustChannelFactory(binding, ep);
            factory.TrustVersion = TrustVersion.WSTrust13;

                factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;                     


            var rst = new RequestSecurityToken
            {
                RequestType = RequestTypes.Issue,
                AppliesTo = new EndpointReference("urn:adfsmonitor"),
                KeyType = KeyTypes.Bearer,
            };
            IWSTrustChannelContract channel = factory.CreateChannel();
            GenericXmlSecurityToken genericToken = channel.Issue(rst)
             as GenericXmlSecurityToken;
            return genericToken.TokenXml.InnerXml.ToString();