我们遇到从AD FS 2.0过渡到AD FS 3.0的问题。
我们有一个ASP.NET MVC应用程序,它通过AD FS使用联合身份验证。在我们的测试环境中,我们将Thinktecture Identityserver 2配置为AD FS中的声明提供程序。应用程序请求authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"。作为参考,这是我们的web.config文件的整个标识部分:
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="ProjectName.Authorization.AuthenticationManager, ProjectName" />
<claimsAuthorizationManager type="ProjectName.Authorization.AuthorizationManager,ProjectName" />
<audienceUris>
<add value="https://applicationdomain/" />
</audienceUris>
<securityTokenHandlers>
<securityTokenHandlerConfiguration saveBootstrapContext="true">
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="(thumbprint of ADFS certificate)" name="ADFS Test" />
</trustedIssuers>
</issuerNameRegistry>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<wsFederation freshness="120" passiveRedirectEnabled="true" issuer="https://adfsdomain/adfs/ls" realm="https://applicationdomain/" requireHttps="true" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" />
<serviceCertificate>
<certificateReference findValue="(thumbprint of application's certificate)" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCertificate>
<cookieHandler requireSsl="true" />
</federationConfiguration>
</system.identityModel.services>
我们目前在运行Windows Server 2008 R2和AD FS 2.0的过时服务器上运行,但它可以正常运行。我们最近建立了一个运行Windows Server 2012 R2和AD FS 3.0的服务器的新环境。我们已经在一台新服务器上安装了我们的MVC应用程序,并在另一台服务器上设置AD FS 3.0,配置类似旧的AD FS 2.0(据我们所知),MVC应用程序作为依赖方,Thinktecture Identityserver 2作为索赔供应商。一个区别是我们现在在单独的服务器上使用AD FS代理,因为AD FS 3.0需要这个(而AD FS 2.0没有)。事实上,我们有两个AD FS服务器,然后是负载均衡器后面的两个代理。 Thinktecture Identityserver 2仍在旧服务器上运行(在Windows Server 2008 R2上)。
问题是:我浏览应用程序的地址。我按预期重定向到AD FS,这会立即将我重定向到Thinktecture Identityserver 2.到目前为止一切顺利。我使用用户名(“Anders”)和密码登录,然后重定向回AD FS。在这里,我得到一个错误页面,上面写着“发生错误”。在AD FS服务器上的事件日志中(负载均衡器显然总是将我引导到同一节点,这恰好是主节点)我发现两个错误和一个警告。第一个错误:
Event 197, AD FS
The Federation Service could not satisfy a token request because the
accompanying credentials do not meet the authentication type requirement of
'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI' for the relying party
'https://applicationdomain.no'.
Authentication type:
Desired authentication type(s): urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
Relying party: https://applicationdomain.no
This request failed.
然后警告:
Event 1000, AD FS
An error occurred during processing of a token request. The data in this event
may have the identity of the caller (application) that made this request. The
data includes an Activity ID that you can cross-reference to error or warning
events to help diagnose the problem that caused this error.
Additional Data
Caller: Anders
OnBehalfOf user:
ActAs user:
Target Relying Party: https://applicationdomain.no
然后是第二个错误:
Event 364, AD FS
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: Exception of type 'Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException' was thrown.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponseForSecurityToken(GenericProtocolRequest originalRequest, SecurityTokenElement requestedTokenElement, ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
我在此页面上已阅读AD FS中支持的SAML身份验证类型:https://msdn.microsoft.com/en-us/library/hh599318.aspx。此处未列出 SmartcardPKI 。 (但请注意,该文档适用于AD FS 2.0。)
在AD FS服务器(旧版和新版)上,我尝试使用以下PowerShell命令列出支持的AuthenticationTypes:
get-adfsproperties | select-object -expandProperty AuthenticationContextOrder | select-object -Property AbsoluteUri
旧服务器和新服务器都输出:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
此处没有 SmartcardPKI 。从来没有在旧环境中起作用。
我还尝试使用 PasswordProtectedTransport 代替 SmartcardPKI (通过编辑MVC应用程序的web.config)。结果完全相同,只是第一条错误消息现在说:
The Federation Service could not satisfy a token request because the
accompanying credentials do not meet the authentication type requirement of
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' for the
relying party 'https://applicationdomain.no'...
关于我接下来应该尝试什么的任何指示都将非常受欢迎。也许AD FS 2.0和3.0之间存在差异,需要我对Thinktecture IdentityServer 2进行配置更改?