First, here is my environment:
So I have an STS for SSO in SharePoint.
The STS was created with the following PowerShell cmdlets:
# Certificate the STS signs its tokens with (public key only, .cer)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\IdentityServer.cer")
# Map the incoming e-mail address claim unchanged
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
# $map2 ... $mapN
$realm = "urn:mycompany:software"
$signinurl = "https://somesignin.com/FederationProvider/"
# Register the trust with the external STS; $map1 is also used as the identifier claim
$ap = New-SPTrustedIdentityTokenIssuer -Name "MyFederationProvider" -Description "My Fed Provider" -Realm $realm -UseWReply -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType
For the Internet zone of my SharePoint site, I set the trusted identity provider created above as the claims authentication type.
When I log in, everything goes fine until I hit this line in the code: FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(signInResponseMessage, Response);
The error I get is:
Exception information:
Exception type: SecurityTokenException
Exception message: The issuer of the token is not a trusted issuer.
Request information:
Request URL: https://mySharePointSite.com:443/_trust/default.aspx
Request path: /_trust/default.aspx
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: MyDomain\ThreadAccount
Thread information:
Thread ID: 10
Thread account name: MyDomain\ThreadAccount
Is impersonating: False
Stack trace: at Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry`1.GetIssuerName(SecurityToken securityToken)
at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
However, the root certificate is in "Trusted Root Certification Authorities" of the MMC Certificates snap-in for the Computer account on the local machine. Likewise, the root certificate is treated as trusted in SharePoint; I added it via Central Administration -> Security -> Manage trust.
Why do I still get this error?
Answer 0 (score: 0)
Are you running an STS at https://somesignin.com/FederationProvider/?
The documentation for New-SPTrustedIdentityTokenIssuer says it "creates an identity provider in the farm". That seems poorly worded to me. It does not actually create a new STS. What New-SPTrustedIdentityTokenIssuer really does is configure a trust relationship between SharePoint and an existing third-party identity provider. For example,
LiveID:
http://technet.microsoft.com/en-us/library/ff607628.aspx
or ADFS:
Answer 1 (score: 0)
The problem was that the certificate originally used was not from the domain I was developing on. For local development, a self-signed certificate was created and then the publisher was trusted. This certificate was added to the trust store of my local SharePoint farm under Manage trust: http://onpointwithsharepoint.blogspot.ca/2012/11/managing-trust-certificates-by-using.html