IMS Login – Error 58274 Security token used for login is not valid


Error message and log information

The user can log in to the CONNECTION Client, and can log in to ProjectWise with a logical (ProjectWise) user account. When the same user attempts to log in with IMS authentication while the CONNECTION Client is already connected, error 58274 is thrown.

The server log reads something like the following:

2018-03-22 11:39:38,691 WARN  [0x000049b4] pwise.security.sts - GeneralClaimsIdentityProvider::ValidateSecurityToken: SecurityTokenException occurred: System.IdentityModel.Tokens.SecurityTokenException: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
   at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Bentley.GeneralClaimsIdentityProvider.ValidateSecurityTokenInternal(GeneralClaimsIdentityProvider* , Char* token, IClaimsIdentity* nativeClaimsIdentity, List`1& updatableTrustedIssuers, String& configFilePath)
   at Bentley.GeneralClaimsIdentityProvider.ValidateSecurityToken(GeneralClaimsIdentityProvider* , Char* securityToken, IClaimsIdentity* claimsIdentity)

2018-03-22 11:39:39,723 ERROR [0x000049b4] pwise.security.sts - FederationMetadataRetriever::GetSigningCertificates: exception occurred: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 104.209.211.13:443
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at Bentley.FederationMetadataRetriever.GetSigningCertificates()

 

Cause

In this particular case the token-signing certificate was changed at IMS. The ProjectWise server validates the security token it receives from IMS against the certificate thumbprint configured in its IssuerNameRegistry. A certificate thumbprint is the SHA-1 hash of the certificate, written as a hexadecimal string, and uniquely identifies that certificate. The token is now signed with a certificate whose thumbprint is not in the configured list, so the issuer is not recognized, validation fails with ID4175 (first log entry), and the login is treated as untrusted and refused.

Normally the client (the PWDI server in this case) recovers from this on its own: it re-requests the federation metadata from IMS and picks up the new signing certificate and its thumbprint. Here the second log entry shows that step failing. The connection to IMS on port 443 was actively refused, so the server is left with the stale thumbprint and cannot update its trusted issuers.

 

Resolution

The thumbprint used for the IMS connection is stored on the ProjectWise Design Integration Server machine in C:\Program Files\Bentley\ProjectWise\bin (for the default installation location). Find and open the file Bentley.projectWise.IdentityproviderRP.Core.dll.cfg (Bentley.projectWise.IdentityproviderRP.dll.cfg in older versions). Contact the ProjectWise Technical Support group and obtain the new thumbprint (they will get it from the development team). Do not take the value from any other source: this thumbprint decides whose security tokens the server will trust. Back up the configuration file, manually replace the old thumbprint value with the new one, and attempt the connection again.

Because the server normally refreshes this value itself from the IMS federation metadata, also check why it could not reach the metadata endpoint on port 443 (the "actively refused" connection in the log above), for instance a firewall or proxy rule. Until that is resolved, the next certificate change at IMS will require the same manual edit.
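The following Python example is added here to illustrate the mechanism described in the Cause and Resolution sections; it is not Bentley's code and does not read the real .cfg file. It assumes the .cfg follows the standard .NET System.IdentityModel layout (an issuerNameRegistry whose trustedIssuers entries carry a thumbprint and a name) and that IMS publishes its signing certificate in WS-Federation style metadata under a KeyDescriptor. The certificate bytes, issuer name and metadata document are constructed placeholders. It shows that a token signed by a rotated certificate no longer resolves to a trusted issuer (the ID4175 condition), and how refreshing the trusted issuers from metadata, which the server does automatically when the endpoint is reachable and which the resolution above does by hand, makes the new certificate validate.

```python
"""Added example: why a rotated IMS signing certificate fails issuer lookup
(ID4175) and how refreshing the pinned thumbprint from federation metadata
fixes it. Not Bentley's code; the config layout, metadata document, issuer
name and certificate bytes below are assumptions or constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-ins for DER-encoded X.509 certificates; only their hash
# matters for this illustration.
OLD_CERT_DER = b"constructed DER bytes: IMS signing certificate before rotation"
NEW_CERT_DER = b"constructed DER bytes: IMS signing certificate after rotation"
ISSUER_NAME = "https://ims.example.invalid/"  # placeholder issuer, not Bentley's


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes as upper-case hex: the value .NET exposes as
    X509Certificate2.Thumbprint and matches in ConfigurationBasedIssuerNameRegistry."""
    return hashlib.sha1(der).hexdigest().upper()


# Assumed layout of the .cfg (standard System.IdentityModel configuration).
CONFIG_XML = f"""<configuration>
  <system.identityModel>
    <identityConfiguration>
      <issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel">
        <trustedIssuers>
          <add thumbprint="{thumbprint(OLD_CERT_DER)}" name="{ISSUER_NAME}" />
        </trustedIssuers>
      </issuerNameRegistry>
    </identityConfiguration>
  </system.identityModel>
</configuration>"""

# Constructed, simplified federation metadata as the issuer would publish it
# after rotating to NEW_CERT_DER.
METADATA_XML = f"""<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="{ISSUER_NAME}">
  <RoleDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(NEW_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </RoleDescriptor>
</EntityDescriptor>"""


def configured_thumbprints(config_xml: str) -> list[str]:
    """Thumbprints currently pinned under <trustedIssuers>."""
    root = ET.fromstring(config_xml)
    return [e.get("thumbprint").upper() for e in root.iter("add") if e.get("thumbprint")]


def resolve_issuer_name(signing_cert_der: bytes, config_xml: str):
    """Mimics IssuerNameRegistry.GetIssuerName: the configured name for the
    certificate that signed the token, or None. None is what the token handler
    reports as ID4175 ('issuer ... was not recognized')."""
    tp = thumbprint(signing_cert_der)
    root = ET.fromstring(config_xml)
    for entry in root.iter("add"):
        if entry.get("thumbprint", "").upper() == tp:
            return entry.get("name")
    return None


def metadata_signing_thumbprints(metadata_xml: str) -> list[str]:
    """Thumbprints of the signing certificates published in the metadata.
    KeyDescriptors marked for another use (e.g. encryption) are ignored."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            der = base64.b64decode("".join(cert.text.split()))
            found.append(thumbprint(der))
    return found


def refresh_trusted_issuers(config_xml: str, metadata_xml: str) -> str:
    """Replace the pinned thumbprints with the ones the issuer currently
    publishes: what the server's metadata retrieval does when IMS is
    reachable, and what the manual edit in the resolution does by hand.
    Refuses to act if the metadata lists no signing certificate, so a bad
    fetch never empties the trust list."""
    metadata = ET.fromstring(metadata_xml)
    new_tps = metadata_signing_thumbprints(metadata_xml)
    if not new_tps:
        raise ValueError("metadata carries no signing certificate; keeping old pins")
    issuer = metadata.get("entityID")
    root = ET.fromstring(config_xml)
    trusted = root.find(".//trustedIssuers")
    for old in list(trusted):
        trusted.remove(old)
    for tp in new_tps:
        ET.SubElement(trusted, "add", thumbprint=tp, name=issuer)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("old cert resolves to:", resolve_issuer_name(OLD_CERT_DER, CONFIG_XML))
    print("new cert resolves to:", resolve_issuer_name(NEW_CERT_DER, CONFIG_XML), "(ID4175)")
    updated = refresh_trusted_issuers(CONFIG_XML, METADATA_XML)
    print("after refresh, new cert resolves to:", resolve_issuer_name(NEW_CERT_DER, updated))
```

The refresh only replaces pins with certificates obtained from the issuer's own metadata (or, per the resolution, from Bentley Technical Support); whoever controls that thumbprint controls which tokens the server accepts, which is why the value must not be taken from an untrusted source.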