Identify Security Token Service Improved Error Handling
Identify Security Token Service now handles most of the errors that occur while processing a security token issuing request. With this improvement, the client no longer receives a generic FaultException with the message "The server was unable to process the request due to an internal error." When an exception is thrown, Identify Security Token Service ensures that:
- All errors are logged with detailed messages, error codes, and the full stack trace.
- The fault exception response sent to the client carries a specific message with its fault code.
- All uncaught exceptions are handled.
Below is an overview of the Event IDs that are logged to the Event Viewer, the text file log, or the database log:
Error Message | Error Event Id | Type | Possible cases |
---|---|---|---|
STSConfigurationLoadingError | 5001 | Warning/Error | Warning: the value of the 'Received Security Token Encryption certificate' setting on the WS Trust connection is invalid or empty. Error: the 'Bootstrap token trusted issuers' value is invalid or empty while ActAs requests are used on the WS Trust connection; the Audience restriction configured on the WS Trust connection is invalid; the Authentication Connection chosen for the WS Trust connection is disabled. |
STSInvalidProtocolConnectionFoundError | 5003 | Error | The WS Trust connection doesn't exist or is disabled, or more than one WS Trust connection matches the AppliesTo. |
STSClientCertificateSecurityTokenValidationFailedError | 5004 | Error | The presented certificate doesn't map to any user in the Identify store/ADFS store. |
STSUserNamePasswordValidationFailedError | 5005 | Error | The presented user credential doesn't exist in the Identify store/ADFS store. |
STSAuthenticationFailedError | 5010 | Error | The presented user credential doesn't exist in the Identify store/ADFS store. (Note: raised when the Authentication Connection of the WS Trust connection is None.) |
STSAuthorizationFailedError | 5011 | Error | The ActAs user is not authorized for the WS Trust connection. |
STSActAsTokenValidationFailedError | 5012 | Error | The ActAs element on the RST is invalid (not SAML 2, not a certificate, invalid issuer, ...). |
STSLogEvent | 5020 | Info | Logs all STS debug log events. |
StsUnknownError | 5050 | Error | An unknown error, e.g. the RP expects a SAML 1.1 token but the IdP issues a claim type that doesn't suit the SAML 1.1 format rule. |
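As an added example (not part of the Identify product or of this page), the following Python triage routine runs over constructed text-file log lines keyed on the Event IDs above: it groups events by category, reports the configuration errors (5001, 5003) as misconfiguration, and raises an alert when one user accumulates repeated authentication failures (5004, 5005, 5010) inside a short window, so that credential-guessing noise is separated from setup problems. The line layout, the category grouping and the sample lines are assumptions made for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Event IDs and names from the table above; the category grouping is this example's own.
STS_EVENTS = {
    5001: ("STSConfigurationLoadingError", "config"),
    5003: ("STSInvalidProtocolConnectionFoundError", "config"),
    5004: ("STSClientCertificateSecurityTokenValidationFailedError", "auth"),
    5005: ("STSUserNamePasswordValidationFailedError", "auth"),
    5010: ("STSAuthenticationFailedError", "auth"),
    5011: ("STSAuthorizationFailedError", "authz"),
    5012: ("STSActAsTokenValidationFailedError", "authz"),
    5020: ("STSLogEvent", "info"),
    5050: ("StsUnknownError", "unknown"),
}
# Assumed text-file layout: "<ISO timestamp> <level> EventId=<id> User=<name> <message>".
LINE_RE = re.compile(r"^(\S+) (\w+) EventId=(\d+) User=(\S+) (.*)$")
# Constructed sample lines, not real Identify output.
SAMPLE_LOG = """\
2024-05-01T10:00:01 Error EventId=5005 User=alice The presented user credential doesn't exist in the Identify store.
2024-05-01T10:00:04 Error EventId=5005 User=alice The presented user credential doesn't exist in the Identify store.
2024-05-01T10:00:09 Error EventId=5010 User=alice The presented user credential doesn't exist in the Identify store.
2024-05-01T10:00:15 Info EventId=5020 User=bob STS debug log event.
2024-05-01T10:01:00 Error EventId=5003 User=- The WS Trust connection doesn't exist or is disabled.
2024-05-01T10:30:00 Error EventId=5005 User=alice The presented user credential doesn't exist in the Identify store.
"""

def parse_line(line):
    # Returns (timestamp, event_id, user, name, category); None for lines that don't match or carry unknown IDs.
    m = LINE_RE.match(line)
    if not m or int(m.group(3)) not in STS_EVENTS:
        return None
    name, category = STS_EVENTS[int(m.group(3))]
    return datetime.fromisoformat(m.group(1)), int(m.group(3)), m.group(4), name, category

def triage(log_text, window=timedelta(minutes=5), threshold=3):
    # Counts events per category; flags config errors and users reaching `threshold` auth failures inside `window`.
    counts, auth_times, alerts = Counter(), defaultdict(list), []
    for parsed in filter(None, map(parse_line, log_text.splitlines())):
        ts, event_id, user, name, category = parsed
        counts[category] += 1
        if category == "config":
            alerts.append(f"misconfiguration: {name} ({event_id})")
        elif category == "auth":
            recent = [t for t in auth_times[user] if ts - t <= window] + [ts]
            auth_times[user] = recent
            if len(recent) == threshold:  # fire once, when the threshold is first reached
                alerts.append(f"{threshold} authentication failures for {user} within {window}")
    return counts, alerts
```

The last sample line for alice falls outside the 5-minute window, so it is counted but does not re-trigger the alert.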