3.2.4.1 IssueToken
The IssueToken interface provides an operation that returns a Web ticket for a client.
```xml
<wsdl:portType name="IWebTicketService">
  <wsdl:operation name="IssueToken">
    <wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
                message="tns:IWebTicketService_IssueToken_InputMessage"/>
    <wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
                 message="tns:IWebTicketService_IssueToken_OutputMessage"/>
  </wsdl:operation>
</wsdl:portType>
```
If there is an error while processing the credentials of the user, then depending on the authentication type used, the response message contains the error details in a custom HTTP header or in a SOAP fault.
HTTP X-Ms-diagnostics Header
The X-Ms-diagnostics header is an HTTP header that is returned if Integrated Windows authentication or certificate (2) authentication signed by the UAS fails at the Web Ticket Service for the reasons in this section.
The header has the following format.
```
X-Ms-diagnostics = errorId ";" source ";" reason ";" fault
errorId = 1*DIGIT
source = DQUOTE 1*(ALPHA / DIGIT / "-" / "." / "_" / "~") DQUOTE ; Fully qualified domain name of server
token = DQUOTE 1*( ALPHA / DIGIT / "-" / "." / "_" / "~") DQUOTE
fault = DQUOTE 1*(ALPHA) ":" 1*(ALPHA) DQUOTE
```
The HTTP response code and the details of the X-Ms-diagnostics header are described later for each authentication type.
The following table lists Integrated Windows authentication errors.
Type of error | Response code | ErrorId | token | faultcode |
---|---|---|---|---|
The user was authenticated but could not be found in the UAS database. | 403 | 28000 | User is not SIP enabled. | wsse:FailedAuthentication |
Some unexpected error occurred in the system. | 500 | 28001 | Internal error while processing Integrated Windows authentication or authorization. | wsse:FailedAuthentication |
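A client or log-analysis tool can parse the header with the grammar above and cross-check it against the Integrated Windows authentication table. The following is an added example, not code from the specification; the function names and the sample host name are hypothetical, and it assumes the quoted reason field may contain any character except a double quote, because the table's token text contains spaces.

```python
import re

# Integrated Windows authentication rows from the table above:
# errorId -> (HTTP response code, faultcode)
IWA_ERRORS = {
    28000: (403, "wsse:FailedAuthentication"),
    28001: (500, "wsse:FailedAuthentication"),
}

# errorId ";" source ";" reason ";" fault, following the ABNF above.
# Assumption: the reason field is relaxed to "anything but DQUOTE";
# source and fault keep the character sets the grammar gives them.
HEADER_RE = re.compile(
    r'(?P<error_id>[0-9]+);'
    r'"(?P<source>[A-Za-z0-9._~-]+)";'
    r'"(?P<reason>[^"]+)";'
    r'"(?P<fault>[A-Za-z]+:[A-Za-z]+)"'
)

def parse_diagnostics(value):
    """Return the four header fields as a dict, or None if malformed."""
    m = HEADER_RE.fullmatch(value.strip())
    if m is None:
        return None
    fields = m.groupdict()
    fields["error_id"] = int(fields["error_id"])
    return fields

def check_response(status, header_value):
    """Compare an HTTP status and header value with the table; list problems."""
    fields = parse_diagnostics(header_value)
    if fields is None:
        return ["header does not match the X-Ms-diagnostics grammar"]
    expected = IWA_ERRORS.get(fields["error_id"])
    if expected is None:
        return ["errorId %d is not in the Integrated Windows table" % fields["error_id"]]
    problems = []
    if status != expected[0]:
        problems.append("status %d, table says %d" % (status, expected[0]))
    if fields["fault"] != expected[1]:
        problems.append("fault %s, table says %s" % (fields["fault"], expected[1]))
    return problems

# Constructed sample value; the host name is a placeholder, not from the specification.
SAMPLE = '28000;"pool01.example.test";"User is not SIP enabled.";"wsse:FailedAuthentication"'
```
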
SOAP Faults
The following OCSDiagnosticsFaultType faults, as defined in section 2.2.4.1, are returned for Live ID authentication failures, OCS-signed certificate (2) failures, or if there are internal errors processing the RST after Integrated Windows authentication or certificate (2) credentials signed by the UAS are successfully verified. The following table lists SOAP errors.
faultcode | ErrorId | Reason |
---|---|---|
wsse:SecurityTokenUnavailable | 28028 | The Live ID token encryption key cannot be resolved. Check that the token is obtained for this site in the appropriate Live ID environment. |
wsse:SecurityTokenUnavailable | 28017 | The Live ID token signing key cannot be resolved. Check that the token is obtained from the appropriate Live ID environment. |
wsse:UnsupportedSecurityToken | 28018 | The Live ID token was produced with the incorrect site policy. |
wsse:FailedAuthentication | 28019 | The Live ID token identity is not associated with a user account. |
wsse:InvalidSecurity | 28020 | There is no valid security token. |
wsse:UnsupportedSecurityTokenType | 28021 | The security token type is unsupported. |
wsse:InvalidSecurityToken | 28022 | There is no valid subject statement. |
wsse:InvalidSecurity | 28023 | There is no valid message security. |
wsse:FailedAuthentication | 28024 | Authentication failed. |
The "key cannot be resolved" errors above indicate that the protocol server could not locate the key referenced in the token in the local or remote stores that it knows about. The "incorrect site policy" error above indicates that the Live ID token presented to the protocol server was constructed using a policy that the server does not understand.
The following table lists certificate (2) authentication errors while processing the contents of a certificate (2) signed by the UAS.
faultcode | ErrorId | Reason |
---|---|---|
wsse:FailedAuthentication | 28011 | The certificate (2) is expired. |
wsse:FailedAuthentication | 28012 | The certificate (2) is invalid. |
wsse:FailedAuthentication | 28013 | The certificate (2) is not found. |
wsse:FailedAuthentication | 28014 | The user was not found when queried in the database. |
wsse:FailedAuthentication | 28015 | There was an internal error while processing a certificate (2) authentication or authorization provided by the UAS. |
The following table lists internal failures that occur after Integrated Windows authentication and UAS certificate (2) credentials are successfully verified.
SubCode | ErrorId | Reason |
---|---|---|
wsse:InvalidSecurity | 28025 | There is no valid security principal. |
wsse:InvalidSecurity | 28026 | There is no valid security identity. |
wsse:InvalidSecurity | 28027 | There is no valid message security. |
The following table lists failures that occur while processing the RST.
SubCode | ErrorId | Reason |
---|---|---|
wst:RequestFailed | 28035 | The SIP URI in the claim type requirements of the Web ticket request does not match the SIP URI associated with the presented credentials. |