Identify*STS Improved Error Handling
IdentifySTS is now able to handle most of the errors happening while processing a security token issuing request. With this improvement, the client no longer receives a FaultException with message “The server was unable to process the request due to an internal error.” When an exception is thrown, IdentifySTS makes sure the following is true:
- All errors are logged with detailed messages, error codes, and full stacktrace.
- A fault exception response to the client has a specific message with its fault code.
- All uncaught exceptions are handled.
Below is an overview of the Event IDs that are being logged at the Event Viewer
|Erorr Message||Error Event Id||Type||Possible cases|
|STSConfigurationLoadingError||5001||Warning/Error||Warning: The value at the setting “Received Security Token Encryption certificate” at the wstrust connection is invalid or empty.
Error: The value at the “Bootstrap token trusted issuers” is invalid or empty when using ActAs requests at the wstrust connection. The Audience restriction configured on the wstrust connection is invalid.
The Authentication Connection that is chosen for the wstrust connection is disabled
|STSInvalidProtocolConnectionFoundError||5003||Error||The wstrust connection doesn’t exist or it’s disabled.
There’s more than one wstrust connection matching to the AppliesTo
|STSClientCertificateSecurityTokenValidationFailedError||5004||Error||The requested certificate doesn’t map to any user belonging to the Identify store/ADFS store.|
|STSUserNamePasswordValidationFailedError||5005||Error||The requested user credential doesn’t exist at the Identify store/ADFS store.|
|STSAuthenticationFailedError||5010||Error||The requested user credential doesn’t exist at the Identify store/ADFS store. (Note: The Authentication Connection of the wstrust connection is None.)|
|STSAuthorizationFailedError||5011||Error||The ActAs user is not authorized for the wstrust connection|
|STSActAsTokenValidationFailedError||5012||Error||The ActAs element on RST is invalid (not SAML 2, not a certificate, invalid issuer...).|
|STSLogEvent||5020||Info||It logs all STS debug log events.|
|StsUnknownError||5050||Error||IIt’s an unknown error, e.g., RP expects the SAML 1.1 token, but the IDP contains the claim type doesn't suite with the format rule.|