Identify*STS now handles most of the errors that occur while processing a security token issuing request. With this improvement, the client no longer receives a FaultException with the generic message “The server was unable to process the request due to an internal error”. When an exception is thrown, Identify*STS ensures the following:
- All errors are logged with a detailed message, an error code and the full stack trace
- The fault exception returned to the client carries a specific message and fault code
- All uncaught exceptions are handled
Below is an overview of the Event IDs that are logged to the Windows Event Viewer.
| Error Message | Error Event Id | Type | Possible cases |
|---|---|---|---|
| STSConfigurationLoadingError | 5001 | Warning/Error | Warning: the “Received Security Token Encryption certificate” setting on the wstrust connection is invalid or empty. Error: the “Bootstrap token trusted issuers” setting on the wstrust connection is invalid or empty while an ActAs request is being processed; the Audience restriction configured on the wstrust connection is invalid; the authentication connection chosen for the wstrust connection is disabled |
| STSInvalidProtocolConnectionFoundError | 5003 | Error | The wstrust connection does not exist or is disabled; more than one wstrust connection matches the AppliesTo |
| STSClientCertificateSecurityTokenValidationFailedError | 5004 | Error | The presented certificate does not map to any user in the Identify store/ADFS store |
| STSUserNamePasswordValidationFailedError | 5005 | Error | The presented user credential does not exist in the Identify store/ADFS store |
| STSAuthenticationFailedError | 5010 | Error | The presented user credential does not exist in the Identify store/ADFS store (note: the authentication connection of the wstrust connection is None) |
| STSAuthorizationFailedError | 5011 | Error | The ActAs user is not authorized for the wstrust connection |
| STSActAsTokenValidationFailedError | 5012 | Error | The ActAs element of the RST is invalid (not SAML2, not a certificate, invalid issuer, ...) |
| STSLogEvent | 5020 | Info | All STS debug log events |
| StsUnknownError | 5050 | Error | Any other error, e.g. the RP expects a SAML 1.1 token but the IdP is configured with a claim type that does not fit the SAML 1.1 format rule |
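The value of having distinct Event IDs is that they can be triaged automatically instead of grepping for the old generic fault text. The script below is an added example (not part of Identify*STS or its documentation) that runs over a few constructed event lines in the shape the table describes: it pages an administrator on the Error variants of the configuration IDs (5001 in its Error form and 5003), treats repeated credential/token validation failures (5004, 5005, 5010) from one subject as a possible guessing attempt, and refuses to classify IDs the table does not list. The line format, the subject field, the timestamps and the “5 failures in 10 minutes” threshold are assumptions; the page does not say which event log or provider name Identify*STS writes to, so the example parses text lines rather than reading the live log.

```python
"""Triage of Identify*STS Event Log entries by Event ID.

Added example, not product code. The input format
'timestamp|event id|level|subject|message', the subject values and the
burst threshold are assumptions; the Event IDs and their meaning come
from the page's table.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs and names from the page's table.
STS_EVENTS = {
    5001: "STSConfigurationLoadingError",
    5003: "STSInvalidProtocolConnectionFoundError",
    5004: "STSClientCertificateSecurityTokenValidationFailedError",
    5005: "STSUserNamePasswordValidationFailedError",
    5010: "STSAuthenticationFailedError",
    5011: "STSAuthorizationFailedError",
    5012: "STSActAsTokenValidationFailedError",
    5020: "STSLogEvent",
    5050: "StsUnknownError",
}

# Credential or client-certificate validation failures: many of them from
# one subject look like credential guessing rather than a typo.
CREDENTIAL_FAILURE_IDS = {5004, 5005, 5010}
# Misconfiguration of the wstrust connection itself: one occurrence at
# Error level is enough to page an administrator.
CONFIG_ERROR_IDS = {5001, 5003}

FAILURE_THRESHOLD = 5                    # assumption
FAILURE_WINDOW = timedelta(minutes=10)   # assumption


def parse_event(line):
    """Parse one constructed 'timestamp|id|level|subject|message' line."""
    ts, event_id, level, subject, message = line.split("|", 4)
    return {
        "time": datetime.fromisoformat(ts),
        "id": int(event_id),
        "level": level,
        "subject": subject,
        "message": message,
    }


def triage(lines):
    """Return config errors, credential-failure bursts and unknown IDs."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    alerts = {"config_errors": [], "credential_bursts": [], "unknown_ids": []}
    recent = defaultdict(list)  # subject -> times of recent credential failures
    for ev in events:
        name = STS_EVENTS.get(ev["id"])
        if name is None:
            alerts["unknown_ids"].append(ev["id"])
            continue
        # 5001 is a Warning for the empty/invalid encryption certificate case
        # and an Error for the other cases; only the Error variant is paged.
        if ev["id"] in CONFIG_ERROR_IDS and ev["level"] == "Error":
            alerts["config_errors"].append((name, ev["message"]))
        if ev["id"] in CREDENTIAL_FAILURE_IDS:
            subject = ev["subject"]
            recent[subject].append(ev["time"])
            # Keep only failures inside the sliding window.
            recent[subject] = [t for t in recent[subject]
                               if ev["time"] - t <= FAILURE_WINDOW]
            # Report the subject once, at the moment the threshold is crossed.
            if len(recent[subject]) == FAILURE_THRESHOLD:
                alerts["credential_bursts"].append(subject)
    return alerts


# Constructed sample input; not real Identify*STS log output.
SAMPLE_LINES = [
    "2024-01-10T09:00:00|5020|Info|-|Processing RST for https://rp.example/",
    "2024-01-10T09:00:05|5001|Warning|-|Received Security Token Encryption certificate is empty",
    "2024-01-10T09:00:10|5001|Error|-|Bootstrap token trusted issuers is empty for ActAs request",
    "2024-01-10T09:00:20|5003|Error|-|No enabled wstrust connection matches AppliesTo",
    "2024-01-10T09:01:00|5005|Error|alice|Credential not found in Identify store",
    "2024-01-10T09:01:30|5005|Error|alice|Credential not found in Identify store",
    "2024-01-10T09:02:00|5005|Error|bob|Credential not found in Identify store",
    "2024-01-10T09:02:30|5005|Error|alice|Credential not found in Identify store",
    "2024-01-10T09:03:00|5004|Error|alice|Client certificate does not map to any user",
    "2024-01-10T09:03:30|5010|Error|alice|Authentication failed",
    "2024-01-10T09:04:00|5011|Error|carol|ActAs user not authorized for wstrust connection",
    "2024-01-10T09:05:00|5099|Error|-|Not an ID from the table",
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LINES).items():
        print(kind, items)
```

On the sample, only alice crosses the threshold (five failures across 5005, 5004 and 5010 within four minutes), bob and the 5011 authorization failure for carol do not, the 5001 Warning is left alone while the 5001 Error and the 5003 are paged, and 5099 is reported as unknown rather than silently mapped. Feeding it real entries would only require replacing `parse_event` with whatever field extraction the actual log source needs.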