ADFS - Invalid URI: The format of the URI could not be determined

Time: 2013-10-01 12:04:03

Tags: .net adfs

I created a test website that I want to log in to using an ADFS server connected to AD. When I use the generated STS-provider project, login works fine, but when I try to use the real ADFS server installed on a Win 2008 server, I get the following error message:

[UriFormatException: Invalid URI: The format of the URI could not be determined.]
   System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +7225919
   System.Web.Security.SingleSignOn.SignInResponse.get_Target() +164

[InvalidOperationException: The protocol message in the current request is malformed. The event log on the server contains detailed information.]
   System.Web.Security.SingleSignOn.SignInResponse.get_Target() +488
   System.Web.Security.SingleSignOn.LSAuthenticationObject.RejectBadMessagesPhase1() +643
   System.Web.Security.SingleSignOn.LSAuthenticationObject.EnsureCurrent(HttpContext context) +445
   System.Web.Security.SingleSignOn.LSAuthenticationModule.OnEnter(Object o, EventArgs args) +147
           System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

When I visit my site, I am redirected to the ADFS server and prompted for credentials. So far so good. But after I supply the correct credentials, it seems to fail while trying to create the response ticket?

Does anyone know what I am doing wrong, or which URI the error message might be referring to?

---- Update with more logs and error messages ----

There are two event log entries, and neither of them is much help:

A sign-in message was received that contains incorrectly formatted data. 
Format error: Invalid URI: The format of the URI could not be determined. 

This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering. 

User Action 
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.

and

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 2013-10-01 14:48:09 
Event time (UTC): 2013-10-01 12:48:09 
Event ID: aa19d901b4af49009aaa65310b7ccf22 
Event sequence: 33 
Event occurrence: 6 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT/adfs-2-130250981254471250 
    Trust level: Full 
    Application Virtual Path: /adfs 
    Application Path: C:\Windows\SystemData\ADFS\sts\ 
    Machine name: WIN-U9HD61HVTHM 

Process information: 
    Process ID: 1344 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Exception information: 
    Exception type: UriFormatException 
    Exception message: Invalid URI: The format of the URI could not be determined. 

Request information: 
    Request URL: https://10.100.13.67:443/adfs/ls/clientlogon.aspx 
    Request path: /adfs/ls/clientlogon.aspx 
    User host address: 10.100.13.91 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Thread information: 
    Thread ID: 3 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Web.Security.SingleSignOn.SignInResponse.get_Target()


Custom event details: 

I also enabled all the logging I could find, and in the log the sign-in response appears to be:

[VERBOSE] Sign In Response Dump
--------------------
wcontext = rm=0&id=passive&ru=%2fdefault.aspx%3f
wresult to follow
XML Data Follows
----------------
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <wst:RequestedSecurityToken>
    <saml:Assertion AssertionID="_c7434b4c-88d6-4648-974d-cf0dc1582958" IssueInstant="2013-10-01T12:49:05Z" Issuer="https://WIN-U9HD61HVTHM.adtest.local/adfs/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-10-01T12:49:05Z" NotOnOrAfter="2013-10-01T13:49:05Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://10.100.13.67/adfs/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationInstant="2013-10-01T12:49:05Z" AuthenticationMethod="urn:federation:authentication:windows">
        <saml:Subject>
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">per@adtest.local</saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_c7434b4c-88d6-4648-974d-cf0dc1582958">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>3VkZjrL3Lyej2UhVJtiSvL1K7u4=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>PEYPQ4FSOvf2LCH1UEPUD9TTd9M7jZT8isw578G7TVgk01HecoaH1p7KCTpcnGpG+aQlmtR6D1oyXYKwwsij9aLVeWT/zxqf1PjxfAfQL19t6KZMwZJOhV2XCfdqfsgEbFHIUU/4KGstwghCHLGMTVUXVx2p2FAs0VO1AV42Ua3M+ZMpx2rWWeEdh9OGMSysFug+D2gFMytcwlbVLBaPMbs8mNfXGm84CWMJ9ctM4XbwkBhfPnhvKyYcNeu1dic13ky4Rb6ODRejZhfwKXr8g2fSkV2QrnZLo8VNBBUD2+tVB/fCIThIiyrHfD7Rou8yChePHKYoYnhY6jmlBUJSrQ==</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>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</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsa:Address>https://10.100.13.67/adfs/</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>

1 answer:

Answer 0: (score: 0)

Most likely the wtrealm or wreply (depending on which you supply) is malformed. The problem is probably that these parameters are not URI-escaped.

The correct way to issue the request is

https://your.adfs/adfs/ls?wa=wsignin1.0&wtrealm=https%3a%2f%2fyour.app%2fresource
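As an added example (not part of the original question or answer), the following Python builds a WS-Federation passive sign-in request with percent-encoded wtrealm/wreply and then checks it the way the server side would: each parameter must parse back out intact and the realm and reply address must be absolute URIs. The ADFS host "your.adfs" and relying-party URL "https://your.app/resource" are the placeholders from the answer; the sample "bad" requests are constructed here to show how an unescaped or relative value breaks.

```python
"""Build and sanity-check a WS-Federation wsignin1.0 request.

Constructed example for this thread. "your.adfs" and "https://your.app/..."
are the placeholder names used in the answer, not real hosts.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

ADFS_LS = "https://your.adfs/adfs/ls"  # placeholder passive endpoint from the answer

# Parameters defined by the WS-Federation passive requestor profile.
KNOWN_PARAMS = {"wa", "wtrealm", "wreply", "wctx", "wct", "wfresh", "wauth",
                "whr", "wp", "wreq", "wres"}


def build_signin_url(wtrealm, wreply=None, wctx=None, adfs_ls=ADFS_LS):
    """Return a wsignin1.0 request with every parameter percent-encoded.

    quote_via=quote with safe="" encodes all reserved characters (':', '/',
    '?', '&', '='), so a realm that carries its own query string cannot be
    split into extra parameters by the ADFS-side parser.
    """
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wreply is not None:
        params["wreply"] = wreply
    if wctx is not None:
        params["wctx"] = wctx
    return adfs_ls + "?" + urlencode(params, quote_via=quote, safe="")


def is_absolute_uri(value, schemes=("https",)):
    """The minimum an absolute URI needs: a scheme we accept and a host.

    A relative value such as "/default.aspx" has neither and is what a
    'the format of the URI could not be determined' error is complaining about.
    """
    parts = urlsplit(value)
    return parts.scheme in schemes and bool(parts.netloc)


def check_signin_request(url):
    """Parse a sign-in request URL and return a list of problems (empty = OK)."""
    problems = []
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    if query.get("wa") != ["wsignin1.0"]:
        problems.append("wa must be wsignin1.0")

    realm = query.get("wtrealm", [None])[0]
    if realm is None:
        problems.append("wtrealm is missing")
    elif not is_absolute_uri(realm):
        problems.append(f"wtrealm is not an absolute https URI: {realm!r}")

    reply = query.get("wreply", [None])[0]
    if reply is not None and not is_absolute_uri(reply):
        problems.append(f"wreply is not an absolute https URI: {reply!r}")

    # Parameters ADFS does not know about are the usual sign of an unescaped
    # '&' inside wtrealm or wreply.
    unknown = set(query) - KNOWN_PARAMS
    if unknown:
        problems.append(f"unexpected parameters (unescaped '&' in a value?): {sorted(unknown)}")
    return problems


def realm_survives_round_trip(wtrealm, escape=True):
    """True if the realm comes back byte-for-byte after query parsing."""
    if escape:
        url = build_signin_url(wtrealm)
    else:
        url = f"{ADFS_LS}?wa=wsignin1.0&wtrealm={wtrealm}"  # what a naive RP sends
    parsed = parse_qs(urlsplit(url).query).get("wtrealm", [None])[0]
    return parsed == wtrealm


def demo():
    """Run the checker over one good and two constructed bad requests."""
    good = build_signin_url("https://your.app/resource",
                            wreply="https://your.app/default.aspx")
    # Unescaped realm with its own query string: '&debug=true' becomes a new parameter.
    bad_split = ADFS_LS + "?wa=wsignin1.0&wtrealm=https://your.app/resource?tenant=1&debug=true"
    # Relative realm: nothing for the STS to resolve the relying party by.
    bad_relative = ADFS_LS + "?wa=wsignin1.0&wtrealm=/default.aspx"
    return {
        "good": check_signin_request(good),
        "bad_split": check_signin_request(bad_split),
        "bad_relative": check_signin_request(bad_relative),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "OK")
```

Run it as a script to see the three verdicts; `realm_survives_round_trip(realm, escape=False)` is the quickest way to show a colleague why a realm containing `?` or `&` must be encoded before it is put on the query string.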