Handling username/password validation errors

Hi,

I am trying to implement a custom token provider as shown in the "Token Provider" sample from the WCF samples collection. There, when a user's credential validation fails in my custom UserNamePasswordValidator, a new SecurityTokenException is thrown.

On the client side I receive a MessageSecurityException from which I'm not able to get the error message from the server, only the general exception description: "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail". But the FaultException also doesn't contain my error message.

Also, I tried replacing the thrown SecurityTokenException with a FaultException, but had the same results.

Can someone provide some guidance on how to handle this exception in the client layer? Or maybe there is another workaround to be able to receive, on the client side, error messages about unsuccessful validations in UserNamePasswordValidator? I just want to show the user a more descriptive error message than a simple "Authentication failed".

PS: I have seen other topics with the same question as mine, but I didn't find any answer, so I will put the same question again - I'm sorry for this.

Regards




  • Morn

    Any idea how?

    <serviceDebug includeExceptionDetailInFaults="true" />

    Doesn't seem to work in this scenario. I just want to be able to distinguish between "Your login failed" and "The administrator screwed up the configuration file".

  • ajpharrington

    Hi Clemens,

    I don't want to tell much, but enough for users of enterprise-level applications. For example, in one case to tell the user that he just mistyped the password and, in another case, that his account was disabled by an administrator.

    The other point is that, if MessageSecurityException is the way to handle username/password validation errors, I want to know exactly that the exception was thrown in the Validate method of the password validator and not in one of tens or hundreds of places in System.ServiceModel. How can the MessageSecurityException received on the client, with the message "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail." and an inner FaultException with the message "An error occurred when processing the security tokens in the message.", help there?

    Or maybe I am doing something the wrong way?

    Thanks for your response, and I hope you'll help or point me in the right direction.

    Best regards


  • shivavrata

    I truly wonder what sort of detail information, except "I don't know you and you can't come in here" (aka "Authentication Failed"), you want to give to someone who is trying to break into your system with an invalid username or password or other means of authentication. Do you want to make their lives easier by telling them more?

    Thanks in advance for clarifying.
    Clemens




  • PSHK

    There does not seem to be any way [that I can find] to specify an error that the client can consume. I'm trying to do a similar process for my STS implementation, providing reasonable error messages back to the client application to indicate various error conditions, such as invalid login, account inactive, must change password, etc. However, when the Username/Password validator throws an exception [of any type] from the STS, the error propagated back to the client is absolutely useless, and contains none of the information that was included in the exception thrown by the STS doing the authentication.

    To me, this is unacceptable. Be as flippant as you want about "how much information you want to give someone breaking into your system", there are a number of scenarios where perfectly valid users would like to know why exactly they can't log in, so that they can go about fixing the situation. In addition, the client application would like to be able to handle very specific cases to allow the user to re-login, re-try, etc. Has anyone figured out how we might provide this type of functionality?

    Thanks!


  • Tryst

    Nobody can help here?

    Is there a way to get a custom fault back to the client instead of catching a general MessageSecurityException? The same question was asked here, but also without a response.

    To reproduce this situation it is enough to open the "UserNamePassword Validator" solution from the samples collection in the WCF documentation and change the username or password in client.cs so that they don't match those expected by the server.

    Or can someone point me to another place where I can ask this question and get a response?

    Regards


  • cougar91

    The solution is here: http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=840163&SiteID=1 . Add username and password properties to your AuthorisationPolicy and set them in the constructor. In your ServiceAuthorisationManager's CheckAccessCore method, retrieve your AuthorisationPolicy, perform your custom authentication and raise an exception if the authentication fails.


  • Raj Deep

    Agreed -- in an enterprise application, returning these types of error indications is highly useful.

    Even Windows Live Messenger returns a different indication if the account is locked out.

    Why isn't it possible to return a simple fault contract that contains some information about why the authentication failed?



  • hazz

    Is this still an issue in .NET 3.5? It's really frustrating that you cannot override this "security feature" even if you want to. I have to explain nearly on a daily basis what "An unsecured or incorrectly secured fault was received from the other party" means.

  • RickNa

    I'm wondering if anyone has found a solution for this?

  • waheyluggage

    I'm wondering if this change in RC1 helps the situation any:

    System.ServiceModel.Security
    Change: Add New Exception type for AccessDenied semantics
    Description: A new exception type was added to signal authorization failures.
    Type of Origin: System.ServiceModel.Security.SecurityAccessDeniedException
    This change affects: OM

    Will have to try it out...



  • RWF

    You can set the behavior to send fault information back to the client.


  • user11

    It is not an unreasonable request to be able to customise the exception information returned, especially since the response returned here is not SOAP 1.1 compliant (particularly the faultCode):

    <s:Body>
    <s:Fault>
    <faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
    <faultstring xml:lang="en-AU">An error occurred when verifying security for the message.</faultstring>
    </s:Fault>
    </s:Body>

    My external SOAP client (not using a Microsoft platform) expects something like this for an authentication failure:

    <soap:Body>
    <soap:Fault>
    <faultcode>soap:Client</faultcode>
    <faultstring>ACCESS DENIED: Invalid username token supplied.</faultstring>

    <faultactor>http://localhost/QCS.IJIS.AC/IJISInboundWS/IJISInboundWS.asmx</faultactor>
    </soap:Fault>
    </soap:Body>

    So far I have been unable to generate a faultCode my client will understand. Can you please advise how to do this? Following the recommended method below for generating SOAP 1.1 via a MessageFault is useless because it is apparently overridden in the stack:

    // Thrown from inside UserNamePasswordValidator.Validate
    SecurityTokenException secEx = new SecurityTokenException("ACCESS DENIED: Invalid username token supplied");
    // Build a SOAP 1.1 fault with faultcode "Client" and the exception message as the reason
    MessageFault msgFault = MessageFault.CreateFault(new FaultCode("Client"), new FaultReason(secEx.Message), secEx);
    // Wrap the MessageFault so the channel stack serialises it as a fault
    FaultException faultEx = FaultException.CreateFault(msgFault, typeof(SecurityTokenException));
    throw faultEx;

    Please do not consider this question answered until you can shed some light on this.
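Both cougar91's workaround above and the FaultException that gets overridden in the code just posted come down to the same point: anything thrown inside the security layer (the validator or token authenticator) is replaced by the generic InvalidSecurity fault, whereas ServiceAuthorizationManager.CheckAccessCore runs after that layer, so a fault thrown there reaches the client as-is. The following is an added example, not code from the thread or from the WCF samples; it deviates from cougar91's description by carrying only the authentication outcome in the policy (never the password). It assumes the abstract Check method is implemented against your own credential store, that the authenticator is installed through a custom ServiceCredentials/SecurityTokenManager, and that DeferredAuthManager is registered via the serviceAuthorization behavior.

```csharp
using System.Collections.ObjectModel;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.IdentityModel.Selectors;
using System.Linq;
using System.Runtime.Serialization;
using System.ServiceModel;

// Typed fault detail; the service chooses which codes it is willing to reveal (constructed).
[DataContract] public class AuthFault
{
    [DataMember] public string Code { get; set; }    // e.g. "BadCredentials", "AccountDisabled"
    [DataMember] public string Message { get; set; }
}
// Policy carrying the authentication outcome (never the password) to CheckAccessCore.
public class DeferredAuthPolicy : IAuthorizationPolicy
{
    public DeferredAuthPolicy(string user, AuthFault failure) { UserName = user; Failure = failure; }
    public string UserName { get; private set; }
    public AuthFault Failure { get; private set; }   // null when the login succeeded
    public string Id { get { return "DeferredAuthPolicy"; } }
    public ClaimSet Issuer { get { return ClaimSet.System; } }
    public bool Evaluate(EvaluationContext ctx, ref object state)
    {   // a successful login contributes a name claim; a failed one contributes nothing
        if (Failure == null) ctx.AddClaimSet(this, new DefaultClaimSet(Claim.CreateNameClaim(UserName)));
        return true;
    }
}
// Authenticator that never throws, so the security layer cannot replace the real reason with the opaque fault.
public abstract class DeferredUserNameAuthenticator : UserNameSecurityTokenAuthenticator
{
    protected abstract AuthFault Check(string user, string password);   // hypothetical lookup; null = ok
    protected override ReadOnlyCollection<IAuthorizationPolicy> ValidateUserNamePasswordCore(string u, string p)
    {
        IAuthorizationPolicy policy = new DeferredAuthPolicy(u, Check(u, p));
        return new ReadOnlyCollection<IAuthorizationPolicy>(new[] { policy });
    }
}
// Runs after message security is complete, so a fault thrown here reaches the client intact.
public class DeferredAuthManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext ctx)
    {
        var failed = ctx.ServiceSecurityContext.AuthorizationPolicies
            .OfType<DeferredAuthPolicy>().FirstOrDefault(x => x.Failure != null);
        if (failed != null) throw new FaultException<AuthFault>(failed.Failure, failed.Failure.Message);
        return base.CheckAccessCore(ctx);
    }
}
```

On the client the failure then surfaces as FaultException<AuthFault> with the Code and Message the service chose to expose, instead of the MessageSecurityException described at the top of the thread.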


