Identify*STS Improved Error Handling

Identify*STS now handles most errors that occur while processing a security token issue request. With this improvement the client no longer receives the generic WCF FaultException "The server was unable to process the request due to an internal error." Whenever an exception is thrown, Identify*STS ensures that:

  • Every error is logged with a detailed message, an error code and the full stack trace.
  • The fault response returned to the client carries a specific message together with its fault code, so the caller can tell a configuration problem from a failed authentication without access to the server log.
  • No exception goes uncaught.

Below is an overview of the Event IDs that Identify*STS writes to the Windows Event Viewer:

| Error message | Event ID | Type | Possible cases |
|---|---|---|---|
| STSConfigurationLoadingError | 5001 | Warning/Error | Warning: the value of the "Received Security Token Encryption certificate" setting on the WS-Trust connection is invalid or empty. Error: the "Bootstrap token trusted issuers" value is invalid or empty while ActAs requests are used on the WS-Trust connection; the Audience restriction configured on the WS-Trust connection is invalid; the Authentication Connection chosen for the WS-Trust connection is disabled. |
| STSInvalidProtocolConnectionFoundError | 5003 | Error | The WS-Trust connection does not exist or is disabled, or more than one WS-Trust connection matches the AppliesTo. |
| STSClientCertificateSecurityTokenValidationFailedError | 5004 | Error | The presented client certificate does not map to any user in the Identify store/ADFS store. |
| STSUserNamePasswordValidationFailedError | 5005 | Error | The presented user credential does not exist in the Identify store/ADFS store. |
| STSAuthenticationFailedError | 5010 | Error | The presented user credential does not exist in the Identify store/ADFS store. (Raised when the Authentication Connection of the WS-Trust connection is set to None.) |
| STSAuthorizationFailedError | 5011 | Error | The ActAs user is not authorized for the WS-Trust connection. |
| STSActAsTokenValidationFailedError | 5012 | Error | The ActAs element in the RST is invalid (not SAML 2.0, not a certificate, untrusted issuer, ...). |
| STSLogEvent | 5020 | Info | Logs all STS debug log events. |
| StsUnknownError | 5050 | Error | An unclassified error, e.g. the relying party expects a SAML 1.1 token but the IdP issues a claim type that does not satisfy the SAML 1.1 claim-type format rule. |
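As an added example (not part of the original page and not Safewhere's own tooling), the PowerShell script below pulls the Event IDs from the table above out of the Windows event log and prints one summary line per ID, then lists every StsUnknownError (5050) in full, since that ID means the STS could not classify the failure and the stack trace in the message is the only lead. The log name (`Application`) and provider name (`IdentifySTS`) are assumptions; substitute the log and event source your Identify*STS installation actually writes to.

```powershell
# Added example, not Safewhere's code. LogName and ProviderName are assumptions;
# point them at the log and event source your Identify*STS instance uses.
param(
    [string]$LogName      = 'Application',   # assumption
    [string]$ProviderName = 'IdentifySTS',   # assumption
    [int]   $Hours        = 24
)

# Event IDs and names from the table in this article.
$stsEvents = @{
    5001 = 'STSConfigurationLoadingError'
    5003 = 'STSInvalidProtocolConnectionFoundError'
    5004 = 'STSClientCertificateSecurityTokenValidationFailedError'
    5005 = 'STSUserNamePasswordValidationFailedError'
    5010 = 'STSAuthenticationFailedError'
    5011 = 'STSAuthorizationFailedError'
    5012 = 'STSActAsTokenValidationFailedError'
    5020 = 'STSLogEvent'
    5050 = 'StsUnknownError'
}

# Get-WinEvent filters server-side on log, provider, ID set and time window.
$filter = @{
    LogName      = $LogName
    ProviderName = $ProviderName
    Id           = [int[]]$stsEvents.Keys
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Identify*STS events (IDs $(($stsEvents.Keys | Sort-Object) -join ', ')) in '$LogName' during the last $Hours h."
    return
}

# One summary row per Event ID: count, level and the first line of the most recent message.
# The full message carries the stack trace, so only the first line is shown here.
$events |
    Group-Object Id |
    ForEach-Object {
        $id     = [int]$_.Name
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Id      = $id
            Name    = $stsEvents[$id]
            Level   = $latest.LevelDisplayName
            Count   = $_.Count
            Latest  = $latest.TimeCreated
            Message = ($latest.Message -split "`r?`n")[0]
        }
    } |
    Sort-Object Id |
    Format-Table -AutoSize

# 5050 is the catch-all: the STS could not map the failure to a specific code,
# so print those in full (message plus stack trace) for manual inspection.
$unknown = @($events | Where-Object Id -eq 5050)
if ($unknown.Count -gt 0) {
    Write-Warning "$($unknown.Count) StsUnknownError (5050) event(s) found; inspect the full message and stack trace:"
    $unknown | Select-Object TimeCreated, Message | Format-List
}
```

Run it on the STS host (or with `-ComputerName` added to `Get-WinEvent` if you collect remotely). A steady stream of 5005/5010 for the same WS-Trust connection is worth correlating with the calling client, while 5001 and 5003 usually point at a configuration change rather than at a client.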