Monday, May 7, 2012

WIF claims authentication System.ArgumentException

When creating a custom STS authentication provider using the Windows Identity Foundation SDK, the default website the Visual Studio template creates works fine by itself.  However, when integrating with SharePoint, this would error out with this exception when hitting the SharePoint http:///_trust:

Exception of type 'System.ArgumentException' was thrown. Parameter name: encodedValue. 

The trace stack would have SPClaimProviderManager.DecodeClaimFromFormsSuffix(...) as the last method in the call.  It is very sketchy as to what the problem is. 

The problem, as it turns out, is in the form authentication cookie name.  By default ASP.NET web has .ASPXAUTH as the cookie name defined.  For example:

   
     
   

When a SharePoint web application is configured to use FBA or custom authentication provider, it actually expects a forms auth cookie name of "FedAuth".  This can be easily seen using Fiddler. 

When the custom STS web application does a post to http:///_trust, the mismatch in the FBA cookie name resulted in that SharePoint can't find the authentication ticket.  So how to fix this?  the STS web (created by the Visual Sudio WIF SDK template) needs its authentication ticket for the default.aspx to process properly and then post to  to work.  So we can't just remove it, nor can we change its name to "FedAuth", as this would confuse SharePoint.   Changing .ASPXAUTH to some other name has no effect.  

The solution I found, is to expire the STS Web's authentication ticket in default.aspx.  This way, default.aspx processing is not affected, but it won't post the cookie to /_trust.  Add the line in the box into default.aspx.cs:

 



Once this is added, the post request in Fiddle changed from:

 


to:
 


This allows SharePoint's /_trust/ to create its own FBA ticket cookie and redirect to /_layouts/Authenticate.aspx:

And everything from there works fine and user can be logged in normally.


Posted by at

4 comments:

Unknown said...

Hi, i hava same problem. The code you metion is insert to custom login page?? Can you explain more detail. Thank so much.

May 26, 2012 at 3:29 AM
Bob Huang said...

Sorry I didn't see this earlier. The code above is for the default.aspx.cs in the STS project that Visual Studio creates when you use the STS template. There's a separate Login.aspx with the UI for users to login. Default.aspx is where it checks for tokens/cookies, if not present, it redirects to Login.aspx for user to login. After a successful login, user is redirected back to Default.aspx, which posts tokens to the relying party application (SharePoint in this case).

August 15, 2012 at 10:00 AM
Dai Pham said...

Hello Bob Huang,

The same issue faced here and I have tried to add the new line in the Custom STS Default.aspx.cs file. Unfortunately, after that, request sent to SharePoint /trust endpoint seems doesn't have cookie, and user looks like he has not logged in to SharePoint.

Any advise would be much appreciated.

Thank you.

Best Regards,
Dai

December 19, 2017 at 10:13 AM
Anonymous said...

ATTENTION!!!!!

Join the great Illuminati today and become rich and famous . Are you seeking for wisdom and knowledge ? Are you a business Man / woman , Pastor,politician , musician, doctor , footballer , Swimer? Do you
want to be a famous artist or an actor, and you want to be rich, powerful and famous in the world ? Join the Illuminati New World Order and let your dreams come through. Contact our supreme grand master via his WhatsApp number +1-414-219-9452

February 15, 2019 at 2:50 AM

Post a Comment

Subscribe to: Post Comments (Atom)