I created a test website and I want to log in using an ADFS server connected to AD. When I use the generated STS-provider project, login works fine, but when I try to use the real ADFS server installed on a Windows 2008 server I get the following error message:
[UriFormatException: Invalid URI: The format of the URI could not be determined.]
System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +7225919
System.Web.Security.SingleSignOn.SignInResponse.get_Target() +164
[InvalidOperationException: The protocol message in the current request is malformed. The event log on the server contains detailed information.]
System.Web.Security.SingleSignOn.SignInResponse.get_Target() +488
System.Web.Security.SingleSignOn.LSAuthenticationObject.RejectBadMessagesPhase1() +643
System.Web.Security.SingleSignOn.LSAuthenticationObject.EnsureCurrent(HttpContext context) +445
System.Web.Security.SingleSignOn.LSAuthenticationModule.OnEnter(Object o, EventArgs args) +147
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
When I visit my website I am redirected to the ADFS server and prompted for credentials. So far so good. But after I provide the correct credentials it seems to fail when trying to create the response ticket?
Does anyone know what I am doing wrong, or which URI the error message might be referring to?
---- Update with more logs and error messages ----
There are two event log entries, neither of which is much help:
A sign-in message was received that contains incorrectly formatted data.
Format error: Invalid URI: The format of the URI could not be determined.
This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering.
User Action
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.
and
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 2013-10-01 14:48:09
Event time (UTC): 2013-10-01 12:48:09
Event ID: aa19d901b4af49009aaa65310b7ccf22
Event sequence: 33
Event occurrence: 6
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/adfs-2-130250981254471250
Trust level: Full
Application Virtual Path: /adfs
Application Path: C:\Windows\SystemData\ADFS\sts\
Machine name: WIN-U9HD61HVTHM
Process information:
Process ID: 1344
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: UriFormatException
Exception message: Invalid URI: The format of the URI could not be determined.
Request information:
Request URL: https://10.100.13.67:443/adfs/ls/clientlogon.aspx
Request path: /adfs/ls/clientlogon.aspx
User host address: 10.100.13.91
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 3
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at System.Web.Security.SingleSignOn.SignInResponse.get_Target()
Custom event details:
I also enabled all the logging I could find, and in the log the sign-in response appears to be:
[VERBOSE] Sign In Response Dump
--------------------
wcontext = rm=0&id=passive&ru=%2fdefault.aspx%3f
wresult to follow
XML Data Follows
----------------
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken>
<saml:Assertion AssertionID="_c7434b4c-88d6-4648-974d-cf0dc1582958" IssueInstant="2013-10-01T12:49:05Z" Issuer="https://WIN-U9HD61HVTHM.adtest.local/adfs/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2013-10-01T12:49:05Z" NotOnOrAfter="2013-10-01T13:49:05Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://10.100.13.67/adfs/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2013-10-01T12:49:05Z" AuthenticationMethod="urn:federation:authentication:windows">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">per@adtest.local</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_c7434b4c-88d6-4648-974d-cf0dc1582958">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>3VkZjrL3Lyej2UhVJtiSvL1K7u4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PEYPQ4FSOvf2LCH1UEPUD9TTd9M7jZT8isw578G7TVgk01HecoaH1p7KCTpcnGpG+aQlmtR6D1oyXYKwwsij9aLVeWT/zxqf1PjxfAfQL19t6KZMwZJOhV2XCfdqfsgEbFHIUU/4KGstwghCHLGMTVUXVx2p2FAs0VO1AV42Ua3M+ZMpx2rWWeEdh9OGMSysFug+D2gFMytcwlbVLBaPMbs8mNfXGm84CWMJ9ctM4XbwkBhfPnhvKyYcNeu1dic13ky4Rb6ODRejZhfwKXr8g2fSkV2QrnZLo8VNBBUD2+tVB/fCIThIiyrHfD7Rou8yChePHKYoYnhY6jmlBUJSrQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIC4DCCAcigAwIBAgIQZLlKZlHvZrxCk97r+uMNcDANBgkqhkiG9w0BAQUFADAsMSowKAYDVQQDEyFGZWRlcmF0aW9uIFNlcnZlciBXSU4tVTlIRDYxSFZUSE0wHhcNMTMwOTE4MTIzODE2WhcNMTQwOTE4MTgzODE2WjAsMSowKAYDVQQDEyFGZWRlcmF0aW9uIFNlcnZlciBXSU4tVTlIRDYxSFZUSE0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOjCAdqbOyVJjpOeN/z9R2YmcBian7LGDLfmlFzqdETPN8nD7keCETYFAon9BsEObxz685I5pL5Ay7fVOFKmdT9yQ6jLB6T3kEqIVSRPml5EzYoV4/nOxPgALnyTueUc7P+kZJQYBXgKdeCXnCUBX6FiFv/CmtKYuT2RSozSYP0UrM9dK2iXDnR1+Xf2cD7XsC4sitg0YbZyVxfeuoqUCrCKsQO2naKvfdhFWuUBws/1bcES+lvmbympYpZtgHZ98byqiheFUmtvhK666VzcBsWQBSrXAQt5oDHtFl8o9NiRKblZnCt3NfJrogA5RScXrh0e0bTJ6X2H3cxeTZpVCZAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAL9Pxpp3wFZzaH2M2r1jUJt6N12cHtwaDzQc680wqcgFycOww21m/SUlnFAlFU+pyXAR2soLljQkI7Fi+xv85msnvRKoIyHueQKSe4gvtTMfjnQY5BYKfROK+gRyL9sAp+zDgDWLYVML/cDRci2s9+3sYH6qrfV6Rg0kRYgnQvqe5uLlAN0WDZRnoX5+TIRKJW1502HW6eY6FopZZ83GYduvqXDZS/LaX2yhFau7u1z3jDIXQ7umyuidr8QSj/H24v/vBK6znyl94ziHS/syHvbdZiaERtmOhfoWGFjuDt89y3XI3/hris/uvqmh1pGJiPV2P62fRm5+HwMxMctQdS4=</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>https://10.100.13.67/adfs/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>
Answer 0 (score: 0)
Most likely wtrealm or wreply (depending on which one you supply) is malformed. The problem may be that these parameters are not URI-escaped.
The correct way to provide the request is
https://your.adfs/adfs/ls?wa=wsignin1.0&wtrealm=https%3a%2f%2fyour.app%2fresource
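As an added example that is not part of the original question or answer, the following Python builds the wsignin1.0 request the answer describes with every parameter percent-encoded, and then applies the same kind of check a federation server makes on the target before it trusts it: wtrealm and wreply must come back out of the query string as absolute https URIs. It also shows what happens to a wreply that is sent unescaped. The hostnames `your.adfs` and `your.app` are assumptions taken from the answer's placeholder URL; the relative `/default.aspx` value is constructed for illustration.

```python
"""Build and sanity-check a WS-Federation passive sign-in request.

Added example (not code from the original post). Hostnames are hypothetical.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed passive federation endpoint, as in the answer's placeholder URL.
ADFS_LS = "https://your.adfs/adfs/ls"


def build_signin_url(adfs_ls: str, wtrealm: str, wreply: Optional[str] = None,
                     wctx: Optional[str] = None) -> str:
    """Return a wsignin1.0 request URL with every parameter percent-encoded.

    safe="" makes quote() escape ':' and '/' as well, so a value that itself
    contains '?', '&' or '=' survives any query-string parser intact.
    """
    params = {"wa": "wsignin1.0", "wtrealm": wtrealm}
    if wreply:
        params["wreply"] = wreply
    if wctx:
        params["wctx"] = wctx
    return adfs_ls + "?" + urlencode(params, quote_via=quote, safe="")


def is_absolute_https_uri(value: str) -> bool:
    """Mimic the target check: the value must be an absolute URI with an
    https scheme and a host. A relative path such as '/default.aspx' fails."""
    parts = urlsplit(value)
    return parts.scheme == "https" and bool(parts.netloc)


def check_signin_request(url: str) -> Dict[str, Optional[Tuple[str, bool]]]:
    """Parse a sign-in request URL and report, for wtrealm and wreply, the
    decoded value the server would see and whether it passes the URI check.
    None means the parameter was not present at all."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    report: Dict[str, Optional[Tuple[str, bool]]] = {}
    for name in ("wtrealm", "wreply"):
        values = query.get(name)
        if not values:
            report[name] = None
            continue
        decoded = values[0]
        report[name] = (decoded, is_absolute_https_uri(decoded))
    return report


if __name__ == "__main__":
    good = build_signin_url(ADFS_LS, "https://your.app/resource",
                            wreply="https://your.app/default.aspx?rm=0&id=passive")
    print(good)
    print(check_signin_request(good))

    # Same request with wreply left unescaped: the '&' inside the value splits
    # the query string, so the server sees a truncated wreply and a stray 'id'.
    raw = (ADFS_LS + "?wa=wsignin1.0&wtrealm=https://your.app/resource"
           "&wreply=https://your.app/default.aspx?rm=0&id=passive")
    print(check_signin_request(raw))

    # A relative wreply is well escaped but still not an absolute URI.
    rel = ADFS_LS + "?wa=wsignin1.0&wtrealm=https%3A%2F%2Fyour.app%2Fresource&wreply=%2Fdefault.aspx"
    print(check_signin_request(rel))
```

Run it as a script to see the three cases side by side; in a real deployment the values to check are the ones your application's sign-in redirect actually emits, and the same absolute-URI rule applies to the realm you register as the relying-party identifier on the ADFS side.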