WIF STS ID3242: The security token could not be authenticated or authorized

Question

I\'m getting the following error in my client application when it tries to authenticate to my service:

ID3242: The security token could not be authenticat

Answer 1

In a similar situation, this forum post by Dominick Baier suggests that the web service rejects the token, so tracing at the STS would not show any problem.

He suggests to check this web service's <microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris> section in its web.config, and to switch on the Microsoft.IdentityModel trace source in that same file.

Answer 2

In my case, turning tracing on revealed one more exception that was thrown before

ID3242: The security token could not be authenticated or authorized

Use this to turn on tracing on the WCF side:

<system.diagnostics>
<sources>
  <source name="Microsoft.IdentityModel" switchValue="Verbose">
    <listeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="D:\Logs\rie\RIE_Trace.log" />
    </listeners>
  </source>
</sources>
<trace autoflush="true" />

Again, in my case, the trace files revealed the following exception:

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris. Audience: http://some.th.ing/

Turns out the audienceUri was not correct in the WCF Web.config.

Hope this helps