My website implements AD FS based authentication. I now need to access the website programmatically from a client. The client should request a security token from the ADFS server using the context of the currently logged-on user. I have successfully requested a security token from the adfs/services/trust/13/usernamemixed endpoint using a user name and password supplied by the client, and posted it to my website.

What does not work for me is requesting the same token from the adfs/services/trust/13/windowsmixed endpoint using DefaultNetworkCredentials. I get the error The HTTP request was forbidden with client authentication scheme 'Anonymous'. I am using the Microsoft.IdentityModel SDK with .NET 4.5 (rather than System.IdentityModel).

Here is my code snippet.
// Assumed from the surrounding code of the question: stsUrl is the ADFS windowsmixed
// endpoint (https://<adfs-host>/adfs/services/trust/13/windowsmixed) and realm is the
// relying-party identifier registered in ADFS for the website.
// MSWSTrustChannelFactory / MSIWSTrustChannelContract are presumably aliases for the
// Microsoft.IdentityModel.Protocols.WSTrust types, kept distinct from System.IdentityModel.
factory = new MSWSTrustChannelFactory(
    new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
    stsUrl);
factory.TrustVersion = TrustVersion.WSTrust13;
// Use the logged-on Windows identity as the message credential.
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress(realm),
    KeyType = KeyTypes.Bearer,
    RequestDisplayToken = true
};

MSIWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityTokenResponse rstr;
// Fails here with: The HTTP request was forbidden with client authentication scheme 'Anonymous'.
SecurityToken token = channel.Issue(rst, out rstr);
I have no control over the ADFS server and cannot debug what goes wrong there. Whatever I can do has to come from the client side. Any idea what is wrong with my code above? Any help or pointers are much appreciated.

Answer 0 (score: 1)

I think you need to set establishSecurityContext for message security to FALSE:

binding.Security.Message.EstablishSecurityContext = false;

The following code works for me.
// Declarations assumed from the answerer's surrounding code: ep, factory and isWindowsUser.
EndpointAddress ep;
WSTrustChannelFactory factory;

WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
// No WS-SecureConversation session: send the credential with the RST itself.
binding.Security.Message.EstablishSecurityContext = false;
// TLS carries the message; the HTTP layer itself sends no credential.
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
if (isWindowsUser)
{
    binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
    ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/windowsmixed");
}
else
{
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/usernamemixed");
}

factory = new WSTrustChannelFactory(binding, ep);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
// For the UserName branch, factory.Credentials.UserName.UserName / .Password must also be set.

var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointReference("urn:adfsmonitor"),
    KeyType = KeyTypes.Bearer,
};

IWSTrustChannelContract channel = factory.CreateChannel();
GenericXmlSecurityToken genericToken = channel.Issue(rst)
    as GenericXmlSecurityToken;
return genericToken.TokenXml.InnerXml.ToString();
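Putting the answer's binding together with credential handling for both endpoints, as an added example that is not part of the question or the answer. It targets the .NET 4.5 System.IdentityModel.Protocols.WSTrust API (the in-box successor of the Microsoft.IdentityModel SDK named in the question); the STS host, the relying-party identifier and the AdfsBearerTokenClient / IssueBearerToken names are placeholders chosen for this example, and the expiry check and exception handling go beyond what the answer shows.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example: requests a bearer token from ADFS over either the windowsmixed
// or the usernamemixed WS-Trust 1.3 endpoint. Host, realm and names are placeholders.
public static class AdfsBearerTokenClient
{
    // Placeholder values; replace with the real STS host and the relying-party
    // identifier configured in ADFS for the website.
    const string StsHost = "https://adfs.example.com";
    const string Realm = "urn:example:website";

    // The binding from the answer: TLS on the transport, the caller's credential inside
    // the SOAP message, and no WS-SecureConversation bootstrap. Leaving
    // EstablishSecurityContext at its default (true) makes WCF negotiate a session
    // token before sending the RST, which is what the answer turns off.
    static WS2007HttpBinding BuildBinding(MessageCredentialType credentialType)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = credentialType;
        return binding;
    }

    // Issues a bearer token for Realm. Pass null for userName to use the logged-on
    // Windows identity (windowsmixed); otherwise userName/password go to usernamemixed.
    public static GenericXmlSecurityToken IssueBearerToken(string userName, string password)
    {
        bool useWindows = userName == null;
        var binding = BuildBinding(useWindows ? MessageCredentialType.Windows
                                              : MessageCredentialType.UserName);
        var endpoint = new EndpointAddress(StsHost + (useWindows
            ? "/adfs/services/trust/13/windowsmixed"
            : "/adfs/services/trust/13/usernamemixed"));

        var factory = new WSTrustChannelFactory(binding, endpoint);
        factory.TrustVersion = TrustVersion.WSTrust13;
        if (useWindows)
        {
            // Current process identity; the client code never handles a password.
            factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        }
        else
        {
            // The answer's snippet omits this; without it the usernamemixed
            // endpoint receives no credential at all.
            factory.Credentials.UserName.UserName = userName;
            factory.Credentials.UserName.Password = password;
        }

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(Realm),
            KeyType = KeyTypes.Bearer
        };

        try
        {
            IWSTrustChannelContract channel = factory.CreateChannel();
            var token = channel.Issue(rst) as GenericXmlSecurityToken;
            if (token == null)
                throw new InvalidOperationException("STS did not return an XML security token.");
            // A bearer token is only as good as its lifetime: refuse to forward one
            // the STS has already marked as expired.
            if (token.ValidTo < DateTime.UtcNow)
                throw new SecurityTokenExpiredException("Issued token is already expired.");
            return token;
        }
        catch (MessageSecurityException ex)
        {
            // The "forbidden with client authentication scheme 'Anonymous'" text from
            // the question arrives as this exception type; surface it with context.
            throw new InvalidOperationException("ADFS rejected the token request: " + ex.Message, ex);
        }
        finally
        {
            factory.Close();
        }
    }

    // The token element that the question posts to the website.
    public static string TokenAsXml(GenericXmlSecurityToken token)
    {
        return token.TokenXml.OuterXml;
    }
}
```

IssueBearerToken(null, null) exercises the windowsmixed path from the question; passing a user name and password exercises the usernamemixed path that already worked for the asker. OuterXml is used here so the posted value includes the token's root element; the answer's InnerXml returns only its child content, so pick whichever the relying party expects.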