I posted this problem over on the forum.
I have an ASP.NET application that uses FBA and calls a web service that performs CRUD operations on a back-end system i.e. the ASP.NET application is the client.
I want to claims-enable this application. I don’t want to do anything re. federation with the web service. It should just run in the background as it currently does.
When I run FedUtil, I get the message:
“ID1032: A wcf application federated to a security token service requires an application certificate. Please select a certificate for your application.”
It seems that FedUtil is trying to secure the web service and not the browser application? If I supply a certificate and then look at the resulting web.config, FedUtil hasn't done any of the usual passive profile stuff e.g. commenting out the entire current authentication:
!--Commented out by FedUtil--
!--authentication mode="Forms" forms loginUrl="~/Account/Login.aspx" timeout="2880" / /authentication
If I comment out the system.serviceModel section, FedUtil runs as expected.
I then un-comment the section and have a federated browser application with a non-federated web service.
This seems a very round-about way to achieve the objective.
Why does FedUtil only federate the web service?
How do you tell it to federate the browser functionality only? I would have thought that this was a common implementation?
Is there a better way to achieve this?
So what FedUtil seems to do is scan the web.config. If it finds a system.serviceModel section, it assumes this is a WCF session (i.e. active) that you want to secure and off it goes. But in fact, it's the browser session (i.e. passive) that you want to secure.
Anyway, the above provides a work-around but it's a PIA!