Identity and Access Tool

Microsoft Free

Identity and Access Tool for Visual Studio 2012. Use this package to secure your application with claims based identity and accept users from multiple identity providers.

Reviews (30)

by Aaron [MVP] | January 10 2014

by Amsterdams | November 22 2013

I get this error
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

I was trying to implement this

I have both 2012 and 2012 VS installed. Not sure if that is the problem

by Simerjot Kaur | October 11 2013

Unfortunately I have not been able to use the tool get which is very sorry since I really need such a tool. Even in a very simple scenario with a WCF service application and a Windows console application when using the ADFS it won’t work for me.

When executing the whole I always run into the following exception:
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

by Vinny Jo | August 29 2013

Using ADFS 2.0. With Claims.... and Framework 4.5 (MVC 4 project template)
Few issues:
The web.config produced contains issuerNameRegistry\authority and should be issuerNameRegistry\trustedIssuers (Framework 4.5)

The FederationMetadata.xml does not have any details about ds:Signature, KeyDescriptor, fed:ClaimTypesRequested. (cannot specify certificate)

Tried Visual Studio 2010 (Claim web project template): the Add STS Reference option produced the right FederationMetadata.xml.

by Mithun_daa | August 13 2013

I ran into the same issue as some of you here where the package was failing to load. Please make sure you close all instances of VS and restart it.

by ytr32323 | July 22 2013

by Srilatha Inavolu - MSFT | June 19 2013

Hi All,

Please run "devenv.exe /ResetSettings" if you have issues with VS loading the package.

If that doesn't work, please try the remaining steps in this post :

Hope this helps,

by shriji1111 | June 05 2013

I found an error with this tool... it seems that it's a bug.
For more detail you may refer to my Microsoft forum page

by Quynh H. Nguyen | May 20 2013

by Vittorio Bertocci - MSFT | May 17 2013

Sorry to read that you are having issues with the tool and Update 2.
I have Update 2 on multiple machines and the tool works as expected. If you want us to help troubleshoot, I suggest you use the Q & A tab.

by rjygraham | May 16 2013

+1 for broken in Update 2. Still broken in Update 3 CTP even after an uninstall/reinstall.

by ggobbe | May 14 2013

Not working on Visual Studio 2012 Update 2... The Identity and Access menu (to add an STS Reference) is missing.

by David Donabedian | May 12 2013

Not working with VS2012 Update 2

by Frank Robijn | May 11 2013

This type of extension is very welcome, but the current version is difficult to work with - it might not work at all. Tried to use it on a very simple WCF project, but it complains about a missing certificate. It tells you where to expect it (at C:\Users\...\AppData\Local\Microsoft\VisualStudio\11.0\Extensions\uv2jfeqz.qr2\LocalHost.pfx) and behold - that file exists! Unfortunately there is no information at all on how to solve this type of problem. It's a mess.

by Sergio Parra | April 27 2013

Thanks! nice job!

by Per Ekstedt | April 26 2013

Unfortunately I have not been able to use the tool get which is very sorry since I really need such a tool. Even in a very simple scenario with a WCF service application and a Windows console application when using the local development STS it won’t work for me.

I can successfully configure the service application just clicking next and with SAML 2.0 chosen and it seems right even when I make a service reference in the console application too.

When executing the whole I always run into the following exception:
{"No version of the CardSpace service was found to be installed on the machine. Please install CardSpace and retry the operation."}

Sometimes the LocalSTS doesn’t start but I get the error started or not.

Am I alone on this?

by _arash | April 07 2013

Thanks, it's great to see things are improving with identity tool

by Richard D | February 12 2013

The idea of the I&A tool is really great.

Unfortunately the software is very far from ready. Continuously there are errors, with no (or very fuzzy) error details to debug on.

This is not software you can rely your application on (not yet).

Microsoft is absent in the support.

by neoscoob | February 09 2013

The fact that this is not supported on Express editions is completely stupid.

by Brent Schmaltz - MSFT | February 04 2013

I haven't been able to repro the <system.ServiceModel> issue.

Andrey M_ have you seen it lately? Anyone else?

Q and A (47)

  • VS2013
    8 Posts | Last post March 13, 2014
    • Is this built into VS2013, or is there an update coming?
    • Interested in this as well.
    • I also really need an update to this extension for VS2013, or some documentation on how it's built in.
      Anyone in the same situation might like to try this as a temporary work around:
    • +1 everyone else here. Can we get some feedback on when an updated tool will be available, or if there is a new procedure for handling this?
    • Can someone out there please let us know the situation with 2013???
    • Hi all,
      the Identity & Access tool was shipped out of band as a VSIX in VS2012 given that the timelines did not allow to integrate it in VS2012 itself.
      In VS2013 we added support for claims-based identity directly into the ASP.NET project creation experience (see, hence there are no plans of porting the Identity and Access tool to VS2013.
      We are aware of the fact that as of today the feature set of the two approaches are not 100% equivalent. VS2012 and VS2013 work well side by side, if you depend on functionality only available on the Identity & Access tool we recommend you keep both available until functional parity is reached (see below).
      Here there are some comments on the main differences:
      - Re-entrancy. Right now VS2013 can configure authentication only at project creation time. Re-entrancy is being considered as a feature for a future update
      - ACS support. As detailed in, ACS will not receive further investments hence VS2013 will not support it directly. As equivalent ACS functionality appears in Windows Azure AD, VS2013 will expose it accordingly
      - Local STS. Support for Local STS didn't make it in VS2013. There are community driven alternatives (see - let us know if those cover your needs or if you really want the Local STS functionality back in the VS2013 tools
      Thank you!
    • So I came to need this app due to downloading the WIF Samples, which requires it. I'm using the WIF samples because .Net 4.5 has rendered 99% of the online documentation for STS useless. But to use 4.5, I'm running 2013. Which doesn't support this tool. Maybe it doesn't matter, since the sample throws errors out of the box due to AspNet compatibility being enabled. The whole situation is just a complete mess.
    • "As equivalent ACS functionality appears in Windows Azure AD". This is simply not true, there is merely a promise to support all of the scenarios that ACS currently enables. So basically your whole justification is absurd. I should not need to move backwards in Visual Studio versions to get this working, period.
  • Windows Azure Active Directory option not working
    1 Posts | Last post February 26, 2014
    • I am following the steps on the webpage ‘How To: Enable WIF for a WCF Web Service Application’
      I have got this working using the ‘Use the Local Development STS to test your application’ option and am now trying again this time selecting ‘Use a business provider (e.g. Windows Azure Active Directory..’ but unfortunately have not been able to get it to work.
      My first problem arises when I try to add my Service Reference Step 2.4.
      At this point I receive the following warning:
      Custom tool warning: Obtaining metadata from issuer '' failed with error 'System.InvalidOperationException: Metadata contains a reference that cannot be resolved: ''. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at that could accept the message.
      If I continue and complete the project when I attempt to run it a Windows CardSpace form appears containing the following message:
      The following error occurred: Incoming policy failed validation
      I initially experienced the same problem when selecting the ‘Use the Local Development STS to test your application’ option and eventually found a solution on this forum.
      I resolved my problem by editing the web.config immediately after completing Step 1, point 6 as follows:
              <binding name="">
                <security mode="Message">
                    <!--issuerMetadata address="https://localhost/adfs/services/trust/mex" /-->
                    <issuerMetadata address="http://localhost:12330/wsTrustSTS/mex" />
      However, despite repeated attempts I cannot find the correct value to put in this element when using Azure. 
      Kind regards,
      Liz Guess
  • Documentation for VS 2013 "organizational accounts"
    1 Posts | Last post February 26, 2014
    • Same as everyone, would like to see this better documented. Vittorio's response is helpful, but roadmap for ASP.NET Identity does not mention the WAAD area.
      At least for now, the configuration done by the "Change Authentication" button seems to be consistent with past documentation. I point to this article for a solid page describing the web.config sections we need to be aware of:
      Been trying to use the WAAD integration since the VS 2013 preview. Admit to being pretty confounded.
  • SvcUtil Unable to obtain Metadata from LocalSTS
    4 Posts | Last post October 31, 2013
    • I've been trying to use both "Add Service Reference" in Visual Studio and SvcUtil to generate the config for a client program from a service which was setup to use the LocalSTS as the IP using the Identity and Access Tool. The issuer address for the client config is "" which I suspect is incorrect.
      When I run SvcUtil against the service I get an error that it is unable to download the metadata from the LocalSTS.  The error is the following:
      Error: Obtaining metadata from issuer 'https://localhost/adfs/services/trust/mex' failed with error
      'System.InvalidOperationException: Metadata contains a reference that cannot be resolved: 'https://localhost/adfs/services/trust/mex'. --->
      System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'. --->
      System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. --->
      System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
      I looked in the certificate store and the localhost cert is in the Local Computer Personal store, but not in the Trusted Root Certificates store.  I tried adding it to the Trusted Root Certificates with no change in the results.
      I was just wondering how I could get Add Service Reference and SvcUtil to work so that I could generate my client side configuration?
    • While continuing to investigate this I noticed that the Identity and Access Tool puts an issuer metadata address into the config file of "https://localhost/adfs/services/trust/mex" instead of the correct value of "http://localhost:15196/wsTrustSTS/mex" where 15196 is the port number assigned in the tool.  When I substituted this into the service config and ran Add Service Reference, it generated an issuer address of http://localhost:15196/wsTrustSTS/.
      So there seems to be a bug in the Identity and Access tool that it does not insert the correct issuerMetadata address when the LocalSTS is selected.
    • THANK YOU!  I had this same issue.  I kept getting the "windows cardspace" "Incoming policy failed Validation" error.  This post saved me.   
      The issue I had before this one had to do with the first time I tried to use the Identity and Access extension:
      1. the reference to the Security.IdentityModel.Tokens.ValidatingIssuerNameRegistry wasn't created and I had to find it and add it.
      2. the Config file for the client didn't generate the ws2007 Binding at all.  Even after fixing #1.  I had to manually add it.
      Then, I ran into this issue here... Thank you for posting the fix. :)
    • I passed the same point (finally got rid of that "windows cardspace" thing), but now when I check the value of "OperationContext.Current.ClaimsPrincipal" in my web service, I got null.  What can be the problem?  My gut feeling, once again, tells me that it's probably something in the config files (either web.config for the web services, or app.config for the desktop WPF app which act as a web service client).  
      I realize that for web services I should use WSTrust instead of the older WSFederation.  But in the web.config for the web service, I still have this:
      <add key="ida:FederationMetadataLocation" value="http://localhost:12053/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />
      Can it be a problem?
      BTW, I was following the MSDN tutorial, "How To: Enable WIF for a WCF Web Service Application" (
  • Does not work
    2 Posts | Last post October 24, 2013
    • It's not appearing in the menu
    • I set my target framework to 4.5 and it shows up.
  • creates invalid element in web.config
    1 Posts | Last post October 15, 2013
    • When the tool manipulates web.config, it creates an invalid node under <issuerNameRegistry>:
      <authority name="LocalSTS">
        <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" />
        <add name="LocalSTS" />
      it should be:
        <add thumbprint="9B74CB2F320F7AAFC156E1252270B1DC01EF40D0" name="LocalSTS" />
      Or am I missing something?
  • "Identity and Access" menu item
    4 Posts | Last post September 26, 2013
    • I have installed Identity and Access Tool, but the "Identity and Access" menu never appears in the context menu when right clicking a web application project file. Already installed WIF separately.
    • What type of application are you using?  MVC4 or ???
    • I am experiencing the same behavior for a MVC4 Web App - Intranet.  
      Visual Studio 2012 Update 3
      Identity And Access V 1.1.0
    • Please disregard, I had inadvertently switched the framework version to 4.0.  Once switched back to 4.5, the option reappeared.  Sorry.
  • Error: Invalid access to memory location
    1 Posts | Last post September 24, 2013
    • Hi,
      I am getting "Invalid access to memory location" error sometimes (not always) when I right click on my project and select "Identity and Access...".
  • Missing "Choose how to handle unauthenticated requests" option
    6 Posts | Last post August 13, 2013
    • I've an MVC 4 application (Orchard CMS) targeting .NET 4.5. I want to add authentication through ACS in my project.
      I right-click the project -> "Identity and Access"
      I fill in the Providers tabs and click OK
      I right-click the project -> "Identity and Access"
      I click the Configuration tab
      Now in the blog of Vittorio ( ), there should now be an option "Choose how to handle unauthenticated requests", but unfortunately, this option is not there. It is just missing.
      Can anyone tell me what's wrong, or where to look?
    • That feature is enabled / disabled depending on the project type, a GUID in the csproj file. A check is made for MVC4, by looking at 
      <ProjectTypeGuids> for "E3E379DF-F4C6-4180-9B81-6769533ABE47" which is inserted when the mvc4 template runs on project creation.
      What does your <ProjectTypeGuids> look like?
    • Thank you for your answer Brent. My <ProjectTypeGuids> looks like this:
    • Hi Brent,
      It seems there is an issue with the tools and the type of project as you mention. If we create a new MVC 4 App, the Wizard works as expected, but when we create a new Web Forms, the "Choose how to handle unauthenticated requests" is missing. We checked the Identity Training Kit and it seems (by looking at the screenshots) that this was enabled for Web Forms.
      We have VS 2012 with Update 2 installed. We need this for a Web Form project. Thoughts?
    • Hi Richard and Hernán,
      This feature is currently only supported for MVC4 projects as mentioned in Vittorio's blog (towards the end of the post).
      Richard, from the ProjectTypeGuids, looks like you have a Web Forms project, an MVC4 project should also have a E3E379DF-F4C6-4180-9B81-6769533ABE47 guid. Can you please double check?
    • I've started all over with an empty project, could not wait so many months to get an answer :-(
      I'm very sure it was an MVC 4 project.
  • Configuring an ACS namespace
    1 Posts | Last post July 19, 2013
    • When you choose to use the Windows Azure Access Control Service, you are prompted for your ACS namespace and its management key.
      I initially thought that the management key was the Symmetric Key from the Management service in the ACS portal, however it looks as if it's really the Password. Is this correct??
      I stumbled on this when I regenerated the symmetric key and then couldn't connect with the new key. When you first create an ACS namespace both the symmetric key and password are the same, but when you regenerate the key, the old password is left as it was.
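
The issuerMetadata mismatch reported in the "SvcUtil Unable to obtain Metadata from LocalSTS" and "Windows Azure Active Directory option not working" threads can be checked for before running Add Service Reference. The script below is an added example, not part of any post or of the tool: the sample web.config is constructed from the fragments quoted in those threads, the function name is hypothetical, and it assumes the LocalSTS serves its wsFederationSTS and wsTrustSTS endpoints on the same port.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: a service web.config assembled from the fragments quoted
# in the threads (LocalSTS metadata key plus the ADFS-style issuerMetadata).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ida:FederationMetadataLocation"
         value="http://localhost:12053/wsFederationSTS/FederationMetadata/2007-06/FederationMetadata.xml" />
  </appSettings>
  <system.serviceModel>
    <bindings>
      <ws2007FederationHttpBinding>
        <binding name="">
          <security mode="Message">
            <message>
              <issuerMetadata address="https://localhost/adfs/services/trust/mex" />
            </message>
          </security>
        </binding>
      </ws2007FederationHttpBinding>
    </bindings>
  </system.serviceModel>
</configuration>"""


def find_issuer_mismatches(config_xml):
    """Return (configured, suggested) pairs for every issuerMetadata address
    whose host:port differs from the STS named in ida:FederationMetadataLocation."""
    root = ET.fromstring(config_xml)
    sts = None
    for add in root.findall("./appSettings/add"):
        if add.get("key") == "ida:FederationMetadataLocation":
            sts = urlsplit(add.get("value", ""))
    if sts is None or not sts.netloc:
        return []  # nothing to compare against
    # Assumption: the WS-Trust MEX endpoint lives on the same host:port,
    # under the /wsTrustSTS/mex path shown in the threads.
    suggested = f"{sts.scheme}://{sts.netloc}/wsTrustSTS/mex"
    findings = []
    # ElementTree skips XML comments, so commented-out elements are ignored.
    for element in root.iter("issuerMetadata"):
        address = element.get("address", "")
        if urlsplit(address).netloc.lower() != sts.netloc.lower():
            findings.append((address, suggested))
    return findings


if __name__ == "__main__":
    for configured, suggested in find_issuer_mismatches(SAMPLE_WEB_CONFIG):
        print(f"issuerMetadata points at {configured}; LocalSTS suggests {suggested}")
```
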