Bad_IdentityTokenRejected Connecting with Username & Password


Adrian Tomren

Jun 10, 2025, 8:17:09 AM
to open62541
Hi all,
This is my first post here so sorry if the format is bad.

I am using v1.4.11 and using the client API to connect to the Prosys Simulated Server, for testing. When I am using SecurityMode None, there is no problem in connecting to the server, but when I use Sign or SignAndEncrypt I get the error Bad_IdentityTokenRejected.

I am working on MacOS btw.

My code sequence is as follows:
  • Create a client with UA_Client_new()
  • Get Config with UA_Client_getConfig()
  • Set default config with UA_ClientConfig_setDefault()
  • Edit config
  • Set Encryption with UA_ClientConfig_setDefaultEncryption()
  • "Try" to connect with UA_Client_connectUsername()
Setting the encryption works fine but as I mentioned, when I try to connect I only get the Bad_IdentityTokenRejected error.

I have figured out with Wireshark that after getting GetEndpointsResponse, the client sends a "CloseSecureChannelRequest" straight away and the connection terminates (see image below).
[image]
This would make sense if the endpoint(s) did not match my setup, that is where I am lost. In the server I have the following three endpoints, where the first matches the one I want. 
[image]
Which also seems correct from Wireshark (or am I wrong here?)
[image]

Does anyone see what I am doing wrong? I am new to both OPC UA and this SDK, so most likely I have missed something, but I cannot for the life of me figure out what!
Also, if any more information, exact code, or anything else is needed, please let me know!

Thank you,
- Adrian, OPC UA beginner

vas...@linutronix.de

Jun 11, 2025, 3:42:18 AM
to open62541
Hi Adrian,

I don't see where the problem is at first glance, from the information you provided.

Here are some general tips for further troubleshooting:
- Take a look at the `client_encryption.c` example, especially lines 27 to 68. The encryption configuration should be the same on both sides of the connection.
- Try UA_Client_getEndpoints() first and compare securityPolicyUri, securityMode and policyId with the config that you are using.
- Try establishing the connection with the same configuration but using a different client, such as UaExpert or opcua-asyncio. Using a GUI or Python is often easier for testing and learning.
- Enable or add log outputs in client and server to get more information when the problem occurs.

I hope this helps you move forward.
If you have more details, feel free to share them here, maybe we can help more then.

Cheers,
Vasilij
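
An added example (not part of the thread and not open62541 code) of the comparison suggested in the second tip above: it checks constructed endpoint data against the securityMode and securityPolicyUri the client is configured for and looks for a UserName token policy. The type and function names are assumptions, plain C stand-ins for the fields of UA_EndpointDescription so the block compiles without the SDK.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types (assumptions). Numeric values follow the OPC UA enums
 * MessageSecurityMode and UserTokenType. */
typedef enum { MODE_NONE = 1, MODE_SIGN = 2, MODE_SIGNANDENCRYPT = 3 } SecMode;
typedef enum { TOKEN_ANONYMOUS = 0, TOKEN_USERNAME = 1 } TokenType;
/* policyId is the value the client has to echo in its identity token. */
typedef struct { const char *policyId; TokenType tokenType; } TokenPolicy;
typedef struct {
    const char *securityPolicyUri;
    SecMode securityMode;
    const TokenPolicy *tokens;
    size_t tokensSize;
} Endpoint;
typedef enum { MATCH_OK, WRONG_MODE, WRONG_POLICY, NO_USERNAME_TOKEN } Verdict;

#define POLICY_NONE "http://opcfoundation.org/UA/SecurityPolicy#None"
#define POLICY_B256 "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"

/* Constructed sample data, not taken from the Prosys server in the thread. */
static const TokenPolicy anonOnly[] = {{"anonymous", TOKEN_ANONYMOUS}};
static const TokenPolicy anonUser[] = {{"anonymous", TOKEN_ANONYMOUS},
                                       {"username", TOKEN_USERNAME}};
static const Endpoint SAMPLE[] = {
    {POLICY_NONE, MODE_NONE, anonUser, 2},
    {POLICY_B256, MODE_SIGN, anonUser, 2},
    {POLICY_B256, MODE_SIGNANDENCRYPT, anonOnly, 1},
};
#define SAMPLE_SIZE (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Compare one advertised endpoint with what the client is configured for. */
Verdict check_endpoint(const Endpoint *ep, SecMode mode, const char *policyUri) {
    if (ep->securityMode != mode) return WRONG_MODE;
    if (strcmp(ep->securityPolicyUri, policyUri) != 0) return WRONG_POLICY;
    for (size_t i = 0; i < ep->tokensSize; i++)
        if (ep->tokens[i].tokenType == TOKEN_USERNAME) return MATCH_OK;
    return NO_USERNAME_TOKEN;
}

/* Index of the first usable endpoint in SAMPLE, or -1 if none fits. */
int pick_endpoint(SecMode mode, const char *policyUri) {
    for (size_t i = 0; i < SAMPLE_SIZE; i++)
        if (check_endpoint(&SAMPLE[i], mode, policyUri) == MATCH_OK) return (int)i;
    return -1;
}

int main(void) {
    static const char *why[] = {"match", "securityMode differs",
                                "securityPolicyUri differs", "no UserName token policy"};
    for (size_t i = 0; i < SAMPLE_SIZE; i++)
        printf("endpoint %zu: %s\n", i,
               why[check_endpoint(&SAMPLE[i], MODE_SIGNANDENCRYPT, POLICY_B256)]);
    return 0;
}
```
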

Jacky Bek

Jun 11, 2025, 4:35:35 AM
to vas...@linutronix.de, open62541
Hi,

To authenticate against an open62541 server with an SSL certificate, the process is more complex.
In essence, you need to:
1. Create an SSL server cert based on the settings of your OPC server.
2. Create an SSL client cert based on the settings of your OPC client.
3. Copy the SSL client cert to the server trustlist directory.
4. In the server code, you need to load the trustlist (containing the client cert). If you want to test using UaExpert, you need to create another cert in DER format.
5. For the client object, you need to ensure that the applicationURI matches that of the server ApplicationURI.

If you need help feel free to pm me at jack...@gmail.com

Jacky


Adrian Tomren

Jun 11, 2025, 11:25:57 AM
to open62541
Hi Vasilij,

Thank you for the help!
Your suggestion to look at client_encryption.c was great, I had not found it yet!
I am now successfully connecting and the fault was as simple and stupid as me using cc.applicationURI instead of the correct cc.UA_UserNameIdentityToken.applicationURI!

Again, thank you, it's great to finally figure it out!

- Adrian

vas...@linutronix.de

Jun 12, 2025, 3:07:45 AM
to open62541
No problem, I'm glad it helped.
Good luck with the project!