ADFS 3.0 + NGINX: EventID 342 and HTTP 500

Time: 2016-08-22 15:07:13

Tags: nginx office365 adfs trust adfs3.0

I am trying to run ADFS 3.0 behind my NGINX proxy in order to federate my on-premises AD with my Office 365 account. Everything seems to work well, but some questions remain unanswered:

1 - There is an article (https://technet.microsoft.com/it-it/library/hh852618(v=ws.10).aspx) explaining what the behaviour of a third-party ADFS proxy should be for ADFS 2.0, but I cannot find the equivalent for ADFS 3.0. In particular, that article says: "The MEX information is different for the extranet. To accommodate this, all external requests for the URL /adfs/services/trust/mex must be rerouted to /adfs/services/trust/proxymex on the back-end STS." Is this still true on ADFS 3.0?

My nginx configuration is the following; is it sufficient?

upstream adfsup {
    # internal AD FS servers; nginx re-encrypts to them on 443
    server mydc03.mydomain.local:443;
    server mydc01.mydomain.local:443;
    keepalive 100;
}

server {
    listen 443;
    server_name adfs.mypubdomain.it;

    ssl on;
    # note: Let's Encrypt's cert.pem is the leaf only; fullchain.pem also carries the intermediate
    ssl_certificate /etc/letsencrypt/live/adfs.mypubdomain.it/cert.pem;
    #ssl_certificate /ssl/adfs_mypubdomain_it.pem;
    ssl_certificate_key /etc/letsencrypt/live/adfs.mypubdomain.it/privkey.pem;
    #ssl_certificate_key /ssl/adfs_mypubdomain_it.key;

    location / {
        proxy_pass https://adfsup;
        # pass the public host name through so AD FS builds its URLs with it
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-MS-Proxy mypubrp0v;
        # HTTP/1.1 with an empty Connection header is what lets the upstream keepalive pool be reused
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # http_500 is left out: the 500s seen here come from AD FS itself (token validation), not from a dead upstream
        #proxy_next_upstream error timeout invalid_header http_500 http_503;
        proxy_next_upstream error timeout invalid_header http_503;
        proxy_connect_timeout 2;
    }
}
In the nginx log I can see a lot of 500 errors:

"POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-" "-"

and, on the corresponding ADFS machine, Event ID 342 in the event log:
Token validation failed.  

Additional Data 

Token Type: 
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 
Error message: 
myuser@mydomain.it-The user name or password is incorrect 

Exception details: 
System.IdentityModel.Tokens.SecurityTokenValidationException: myuser@mydomain.it ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

I can reproduce this error with the RCA test (https://www.testconnectivity.microsoft.com/?testid=SingleSignOn) by supplying a wrong password, but I think it is not normal that a wrong password is turned into an exception. By the way, all my users seem to be fine and logging in through ADFS is working. Does anyone know how to correct this situation? Thanks, Lorenzo
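The pair of signals described above (a 500 on POST /adfs/services/trust/2005/usernamemixed at the proxy, and Event ID 342 with "The user name or password is incorrect" on the AD FS server) is what a wrong password looks like from the outside. On an internet-facing proxy the same pair is also what credential guessing against the usernamemixed endpoint looks like, so it is worth counting per source address. The script below is an added example, not code from the question or the answer: it parses constructed nginx combined-format log lines and a constructed Event 342 body. The log format, the IP addresses, the timestamps and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample nginx access log (combined format); not taken from the page.
# The first field is the client address as seen by the reverse proxy.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [22/Aug/2016:15:01:02 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-"
203.0.113.7 - - [22/Aug/2016:15:01:03 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-"
203.0.113.7 - - [22/Aug/2016:15:01:05 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-"
203.0.113.7 - - [22/Aug/2016:15:01:07 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-"
198.51.100.20 - - [22/Aug/2016:15:02:11 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 200 4120 "-" "-"
198.51.100.20 - - [22/Aug/2016:15:02:40 +0200] "GET /adfs/ls/?wa=wsignin1.0 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Aug/2016:15:03:00 +0200] "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-"
"""

# Constructed Event ID 342 body in the shape shown in the question (not copied verbatim).
SAMPLE_EVENT_342 = """Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Error message:
myuser@mydomain.it-The user name or password is incorrect
"""

USERNAMEMIXED = "/adfs/services/trust/2005/usernamemixed"

# ip, ident, authuser, [timestamp], "METHOD path PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format access log line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def failed_password_auths(log_text):
    """Map source IP -> timestamps of POSTs to usernamemixed that came back 500."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and path == USERNAMEMIXED and rec["status"] == 500:
            failures[rec["ip"]].append(rec["time"])
    return dict(failures)


def sources_over_threshold(failures, max_failures=3, window_seconds=600):
    """IPs with more than max_failures failures inside any sliding window of window_seconds.

    Returns {ip: peak count in a window}. Thresholds are assumptions; tune to your traffic.
    """
    flagged = {}
    for ip, times in failures.items():
        times = sorted(times)
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_failures:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def parse_event_342(text):
    """Extract (user, reason) from an AD FS Event ID 342 body; None if not one."""
    if not text.startswith("Token validation failed"):
        return None
    # The error line is "<user>-<Reason>"; the user part is taken up to the first
    # '-' that is followed by a capital letter so hyphenated user names survive.
    m = re.search(r"Error message:\s*\n(?P<user>\S+?)-(?P<reason>[A-Z][^\n]*)", text)
    if not m:
        return None
    return m.group("user"), m.group("reason").strip()


if __name__ == "__main__":
    flagged = sources_over_threshold(failed_password_auths(SAMPLE_ACCESS_LOG))
    for ip, count in flagged.items():
        print(f"{ip}: {count} failed usernamemixed logons in window")
    print(parse_event_342(SAMPLE_EVENT_342))
```

The proxy log gives the source address and the AD FS event gives the user name; neither alone tells you whether one client is walking through many accounts, so in practice both are joined by time before deciding to block a source or lock an account.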

1 Answer:

Answer 0 (score: 0)

For any third-party system to act as a proxy for ADFS 2012 R2 (a.k.a. ADFS 3.0) for extranet access, it must support the MS-ADFSPIP protocol. It only needs to implement the authentication part, not the web application publishing part.

ADFS 2012 R2 requirements: https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_extranet

MS-ADFSPIP protocol: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-ADFSPIP].pdf