3.2.4.1 IssueToken

The IssueToken interface provides an operation that returns a Web ticket for a client.

 <wsdl:portType name="IWebTicketService">
     <wsdl:operation name="IssueToken">
         <wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:IWebTicketService_IssueToken_InputMessage"/>
         <wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:IWebTicketService_IssueToken_OutputMessage"/>
     </wsdl:operation>
 </wsdl:portType>

If there is an error while processing the credentials of the user, then depending on the authentication type used, the response message contains the error details in a custom HTTP header or in a SOAP fault.

HTTP X-Ms-diagnostics Header

The X-Ms-diagnostics header is an HTTP header that is returned if Integrated Windows authentication or certificate (2) authentication signed by the UAS fails at the Web Ticket Service for the reasons in this section.

The header has the following format.

 X-Ms-diagnostics = errorId ";" source ";" reason ";" fault
 errorId = 1*DIGIT
 source = DQUOTE 1*(ALPHA / DIGIT / "-" / "." / "_" / "~") DQUOTE
                  ; Fully qualified domain name of server
 reason = DQUOTE 1*(ALPHA / DIGIT / "-" / "." / "_" / "~") DQUOTE
 fault = DQUOTE 1*(ALPHA) ":" 1*(ALPHA) DQUOTE

The HTTP response code and the details of the X-Ms-diagnostics header are described later for each authentication type.

The following table lists Integrated Windows authentication errors.

| Type of error | Response code | ErrorId | reason | faultcode |
|---|---|---|---|---|
| The user was authenticated but could not be found in the UAS database. | 403 | 28000 | User is not SIP enabled. | wsse:FailedAuthentication |
| Some unexpected error occurred in the system. | 500 | 28001 | Internal error while processing Integrated Windows authentication or authorization. | wsse:FailedAuthentication |
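The following parser is an added example, not code from the specification or from any Microsoft implementation. It parses an X-Ms-diagnostics header value according to the format above and cross-checks the errorId against the Integrated Windows authentication table, so a monitoring job can flag a response whose status code or faultcode does not match what the specification documents. Hostnames in the comments and tests are constructed.

```python
import re
from dataclasses import dataclass

# Integrated Windows authentication errors documented for IssueToken:
# errorId -> (HTTP response code, faultcode), taken from the table above.
IWA_ERRORS = {
    28000: (403, "wsse:FailedAuthentication"),  # user is not SIP enabled
    28001: (500, "wsse:FailedAuthentication"),  # internal error
}

# errorId ";" source ";" reason ";" fault, with the last three DQUOTE-delimited.
# The documented reason strings contain spaces and periods, so the reason group
# accepts any run of non-quote characters rather than the stricter ABNF charset.
_HEADER_RE = re.compile(
    r'^(\d+);'                      # errorId = 1*DIGIT
    r'"([A-Za-z0-9.\-_~]+)";'       # source = fully qualified domain name of server
    r'"([^"]*)";'                   # reason
    r'"([A-Za-z]+:[A-Za-z]+)"$'     # fault = 1*ALPHA ":" 1*ALPHA
)


@dataclass(frozen=True)
class Diagnostics:
    error_id: int
    source: str
    reason: str
    fault: str


def parse_x_ms_diagnostics(value: str) -> Diagnostics:
    """Parse an X-Ms-diagnostics header value; raise ValueError if malformed."""
    m = _HEADER_RE.match(value.strip())
    if m is None:
        raise ValueError("X-Ms-diagnostics value does not match the documented format")
    return Diagnostics(int(m.group(1)), m.group(2), m.group(3), m.group(4))


def classify_failure(status: int, header: str) -> dict:
    """Cross-check an IssueToken failure against the documented error table.

    Returns the parsed fields plus 'known' (the errorId is documented) and
    'consistent' (status code and faultcode agree with the table). A known
    errorId with a mismatching status or faultcode is worth alerting on,
    since it is a response the specification does not describe.
    """
    diag = parse_x_ms_diagnostics(header)
    expected = IWA_ERRORS.get(diag.error_id)
    known = expected is not None
    consistent = known and expected == (status, diag.fault)
    return {"error_id": diag.error_id, "source": diag.source, "reason": diag.reason,
            "fault": diag.fault, "known": known, "consistent": consistent}
```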

SOAP Faults

The following OCSDiagnosticsFaultType faults, as defined in section 2.2.4.1, are returned for Live ID authentication failures, for OCS-signed certificate (2) failures, or for internal errors while processing the RST after Integrated Windows authentication or certificate (2) credentials signed by the UAS have been successfully verified. The following table lists the SOAP faults.

| faultcode | ErrorId | Reason |
|---|---|---|
| wsse:SecurityTokenUnavailable | 28028 | The Live ID token encryption key cannot be resolved. Check that the token is obtained for this site in the appropriate Live ID environment. |
| wsse:SecurityTokenUnavailable | 28017 | The Live ID token signing key cannot be resolved. Check that the token is obtained from the appropriate Live ID environment. |
| wsse:UnsupportedSecurityToken | 28018 | The Live ID token was produced with the incorrect site policy. |
| wsse:FailedAuthentication | 28019 | The Live ID token identity is not associated with a user account. |
| wsse:InvalidSecurity | 28020 | There is no valid security token. |
| wsse:UnsupportedSecurityTokenType | 28021 | The security token type is unsupported. |
| wsse:InvalidSecurityToken | 28022 | There is no valid subject statement. |
| wsse:InvalidSecurity | 28023 | There is no valid message security. |
| wsse:FailedAuthentication | 28024 | Authentication failed. |

The "key cannot be resolved" errors above indicate that the protocol server could not locate the key referenced in the token in any of the local or remote stores that it knows about. The "incorrect site policy" error above indicates that the Live ID token presented to the protocol server was constructed using a policy that the server does not understand.

The following table lists certificate (2) authentication errors while processing the contents of a certificate (2) signed by the UAS.

| faultcode | ErrorId | Reason |
|---|---|---|
| wsse:FailedAuthentication | 28011 | The certificate (2) is expired. |
| wsse:FailedAuthentication | 28012 | The certificate (2) is invalid. |
| wsse:FailedAuthentication | 28013 | The certificate (2) is not found. |
| wsse:FailedAuthentication | 28014 | The user was not found when queried in the database. |
| wsse:FailedAuthentication | 28015 | There was an internal error while processing a certificate (2) authentication or authorization provided by the UAS. |

The following table lists internal failures that occur after Integrated Windows authentication and UAS certificate (2) credentials are successfully verified.

| SubCode | ErrorId | Reason |
|---|---|---|
| wsse:InvalidSecurity | 28025 | There is no valid security principal. |
| wsse:InvalidSecurity | 28026 | There is no valid security identity. |
| wsse:InvalidSecurity | 28027 | There is no valid message security. |

The following table lists failures that occur while processing the RST.

| SubCode | ErrorId | Reason |
|---|---|---|
| wst:RequestFailed | 28035 | The SIP URI in the claim type requirements of the Web ticket request does not match the SIP URI associated with the presented credentials. |