Issue when trying to add FIM with ADFS custom attribute store.

Nov 7, 2012 at 12:14 PM

Greetings,

We are trying to add a custom attribute store that would allow us to fetch attribute values from Forefront Identity Manager and issue them as claims. We have followed the steps mentioned at: http://fimattributestore.codeplex.com/

As instructed, we first downloaded the zip file:

1) Have added these three DLL files to the C:\Program Files\Active Directory Federation Services 2.0 location on the ADFS server ADFSSrv (the server running the ADFS management tool):

  • Cortego.ADFS.FIMAttributeStore.dll - The attribute store
  • Microsoft.ResourceManagement.Client.dll - The FIM WS client
  • Microsoft.ResourceManagement.ObjectModel.dll - The FIM WS object model (required by FIM client)

2) Have configured a custom attribute store with the name “FIM” and class name:

Cortego.ADFS.FIMAttributeStore.FIMAttributeStore, Cortego.ADFS.FIMAttributeStore, Version=1.0.0.0

using the ADFS management snap-in.

Have also configured the relevant optional parameters as instructed:

Endpoint: http://fimsrv01:5725

FIMServiceSPN: FIMServer/FIMService

UserName: Administrator

Password: P@$$w0rd

UserDomain: FIMServer

3) Have restarted the ADFS service as instructed.

But when I test this setup I get the errors listed below in my ADFS Event Viewer:

Error 1:

During processing of the Federation Service configuration, the attribute store 'FIM' could not be loaded.

Attribute store type: Cortego.ADFS.FIMAttributeStore.FIMAttributeStore, Cortego.ADFS.FIMAttributeStore, Version=1.0.0.0

User Action

If you are using a custom attribute store, verify that the custom attribute store is configured using AD FS 2.0 Management snap-in.

Additional Data

The maximum message size quota for incoming messages (524288) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.

Error 2:

The Federation Service encountered an error while processing the WS-Trust request.

Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data

Exception details:

Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'FIM' is not configured.

   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)

   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)

   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace

Error 3:

Encountered error during federation passive request.

Additional Data

Exception details:

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3127: The specified request failed.

   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)

   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

System.ServiceModel.FaultException: MSIS3127: The specified request failed.

   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)

   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

Kindly let me know if any further information is required.

Appreciate your help on this issue.

Warm Regards,

Coordinator
Nov 8, 2012 at 6:34 AM

Hi There!
The reason this error occurred is because you're requesting a lot of data and this exceeds the maximum size specified:

The maximum message size quota for incoming messages (524288) has been exceeded. To increase the quota, use the MaxReceivedMessageSize property on the appropriate binding element.

To solve this you need to increase the value for the different MaxReceivedMessageSize properties in the source code and rebuild the project. As you can see in the code (http://fimattributestore.codeplex.com/SourceControl/changeset/view/19058#112103) the max size for schema is 1048576 bytes (mexBinding.MaxReceivedMessageSize = 1048576) and the same for data retrieved with your query (enumerationBinding.MaxReceivedMessageSize = 1048576) and the reason these values are larger than in the error is because I didn't make a release after the last change to the source code. I know it wasn't very smart of me hardcoding these values into the project but I wanted the project to be as simple as possible to deploy.

I have a plan on making some updates to this project but unfortunately it depends on when I'll get some spare time, and if you need this right now I recommend you make a change in the source code yourself and rebuild it.

//Henrik
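The fix Henrik describes is a change to the WCF binding the store uses to talk to the FIM service. The following is an added illustration, not code from the fimattributestore project: it shows the hardcoded quota (the 524288 bytes reported in the event log) next to a variant that reads the quota from the store's configuration parameters, so a larger FIM schema can be accommodated without a rebuild. The parameter name `MaxReceivedMessageSize`, the use of `WSHttpBinding`, and the 64 MiB upper bound are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;

// Added example; not the project's own code. Demonstrates sizing the WCF
// message quota from configuration instead of a compile-time constant.
public static class FimBindingFactory
{
    // 524288 is the quota reported in the event log; 1048576 is the value
    // quoted from the current source. Both serve only as defaults here.
    public const long ReleasedQuota = 524288;
    public const long SourceQuota = 1048576;

    // Assumed ceiling for this example. Rejecting anything larger keeps the
    // quota a real limit on what the store will buffer from the FIM endpoint.
    public const long UpperBound = 64L * 1024 * 1024;

    // Assumed name of the extra attribute-store parameter (entered alongside
    // Endpoint, UserName, etc. in the AD FS management snap-in).
    public const string QuotaParameter = "MaxReceivedMessageSize";

    // Hardcoded variant: behaves like the released build that raised
    // "maximum message size quota ... (524288) has been exceeded".
    public static WSHttpBinding CreateHardcodedBinding()
    {
        // Binding type and security mode are assumptions for the example.
        var binding = new WSHttpBinding();
        binding.MaxReceivedMessageSize = ReleasedQuota;
        return binding;
    }

    // Configurable variant: the quota comes from the store's parameters,
    // falls back to the source default, and is validated before use.
    public static WSHttpBinding CreateConfiguredBinding(IDictionary<string, string> config)
    {
        long quota = SourceQuota;
        string raw;
        if (config != null && config.TryGetValue(QuotaParameter, out raw))
        {
            long parsed;
            if (!long.TryParse(raw, out parsed) || parsed <= 0 || parsed > UpperBound)
            {
                throw new ArgumentOutOfRangeException(QuotaParameter,
                    "must be a positive number of bytes no greater than " + UpperBound);
            }
            quota = parsed;
        }

        var binding = new WSHttpBinding();
        binding.MaxReceivedMessageSize = quota;

        // Reader quotas cap individual strings and arrays inside a message.
        // Raising only MaxReceivedMessageSize can still leave a large schema
        // response failing at deserialisation, so align them with the quota.
        int elementLimit = (int)Math.Min(quota, int.MaxValue);
        binding.ReaderQuotas.MaxStringContentLength = elementLimit;
        binding.ReaderQuotas.MaxArrayLength = elementLimit;
        return binding;
    }
}
```

The binding returned by `CreateConfiguredBinding` would be handed to whichever channel the store opens against the FIM endpoint (the MEX and enumeration bindings Henrik mentions). Validating the parameter, rather than applying whatever string the administrator typed, is the point of the upper bound: the quota exists to limit how much the federation server will buffer from a single response, and an unbounded value silently removes that limit.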

Nov 8, 2012 at 8:28 AM

Hi Henrik,

Thanks a lot for your quick response.

It's a bit urgent for me so I'll make the necessary changes in the source code and rebuild it.

Thanks again.