The problem is easily reproduced using the following steps:

• Create an empty ASP.NET website and set up federation with ADFS
  ◦ Ensure that a UPN claim is emitted by ADFS
• Modify C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe.config to allow access to authenticated users
• Start the C2WTS service via Start > Run > services.msc
• Modify the ASP.NET web.config file to enable identity impersonation
• Log in via ADFS
• Perform an IIS reset
• Refresh the page

The following error will occur:

Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)

This error is fairly catastrophic, as the entire app pool is affected until it is recycled. That is, it is not only the currently logged-in user who no longer has access, it is all users!

The solution is to remove the default SessionSecurityTokenHandler implementation from the microsoft.identityModel config section and add in a new one where the useWindowsTokenService flag is set to true. However, this is by no means intuitive, and we should strongly consider making the useWindowsTokenService flag true by default IF the C2WTS service is used for the initial token parsing.
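As an added illustration of the fix described above (not the reporter's own configuration), this is the securityTokenHandlers fragment of web.config with the default session handler removed and a replacement registered that delegates to C2WTS. The assembly version and public key token are assumed to match a WIF 3.5 install and should be checked against the installed Microsoft.IdentityModel assembly.

```xml
<!-- web.config fragment (added example; assumes WIF 3.5 assembly identity) -->
<microsoft.identityModel>
  <service>
    <securityTokenHandlers>
      <!-- Remove the default SessionSecurityTokenHandler: when it rebuilds the
           identity from the session cookie (e.g. after an IIS reset) it does not
           go through C2WTS, which is the failure this report describes. -->
      <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />

      <!-- Re-add the same handler type, but tell it to obtain the Windows
           identity from the Claims to Windows Token Service. -->
      <add type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <sessionTokenRequirement useWindowsTokenService="true" />
      </add>
    </securityTokenHandlers>
  </service>
</microsoft.identityModel>
```

Because the failure only shows up after an app pool recycle and then affects every user, include an IIS reset followed by a page refresh in any test of this setting rather than checking only the first login.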