The issuer of the token claims a user identity that does not match the nameid claim of the delegated identity (actor identity)

Time: 2018-06-25 14:06:56

Tags: certificate jwt sharepoint-2013 csom sharepoint-addin

The problem is that we cannot connect using a certificate. Why, we really don't know. Hopefully we can get some help with this issue. I can provide more raw data if needed; if you want to receive the unsanitized data I can do that, but only privately. Anyway, we receive two error messages:

The issuer of the token claims a user identity that does not match the nameid (name identifier) claim of the delegated identity (actor identity). These two claims are expected to match, so this token is rejected.

When a user tries to connect, it works:

User 'i:0#.w|XXX-dev\XXX_dev_admin' logged in to SP site 'Team Site'
(Url: 'https://portal.XXX-dev.local/ins/134700')

It also works with impersonation:

UserForClientContextSPHost = svc_xxxxxxxxx@XXX-dev.local 

User 'i:0#.w|XXX-dev\svc_xxxxxxxxx' logged in to SP site 'Team Site'(Url: 'https://portal.XXX-dev.local/ins/134700')

When we try to use the certificate, it fails:

Here is the deep debug of the token helper:

 /// <summary>
 /// Retrieves an S2S access token signed by the application's private certificate on behalf of the specified 
 /// WindowsIdentity and intended for the SharePoint at the targetApplicationUri. If no Realm is specified in 
 /// web.config, an auth challenge will be issued to the targetApplicationUri to discover it.
 /// </summary>
 /// <param name="targetApplicationUri">Url of the target SharePoint site</param>
 /// <param name="identity">Windows identity of the user on whose behalf to create the access token</param>
 /// <returns>An access token with an audience of the target principal</returns>

The realm is requested for the URL https://portal.XXX-dev.local/ins/134700/, and the corresponding realm is "2803fc7f-fa5d-407a-b921-3ecae88058d3".

We are working in a high-trust environment, so there is no Windows user and hence no claims either:

JsonWebTokenClaim[] claims = identity != null ? GetClaimsWithWindowsIdentity(identity) : null;

So claims == null.

Finally, this method is called:

return GetS2SAccessTokenWithClaims(targetApplicationUri.Authority, realm, claims);

The authority is "portal.XXX-dev.local".

When we dig into the GetS2SAccessTokenWithClaims method, we see an actor token being created:

{"typ":"JWT","alg":"RS256","x5t":"mQN7mCJyUpGtannrI5sr6oTdJwU"}.{"aud":"00000003-0000-0ff1-ce00-000000000000/portal.XXX-dev.local@2803fc7f-fa5d-407a-b921-3ecae88058d3","iss":"82c987be-b75b-4ddf-83d7-a3d7cf9b0a66@2803fc7f-fa5d-407a-b921-3ecae88058d3","nbf":"1529923577","exp":"1529966777","nameid":"496fc703-ad06-4672-be2a-cfdcaed9c774@2803fc7f-fa5d-407a-b921-3ecae88058d3"}

That token is used, but we saw the following in a comment in TokenHelper.cs:

// App-only token is the same as actor token for delegated case

The access token used is the following: AppOnlyAccessTokenForSPHost

We see that when we are not using app-only, the outer token issuer should match the actor token nameid. (See the end of the story.)

If it is not app-only, the following is used:

JsonWebSecurityToken jsonToken = new JsonWebSecurityToken(
    nameid, // outer token issuer should match actor token nameid
    audience,
    DateTime.UtcNow,
    DateTime.UtcNow.Add(HighTrustAccessTokenLifetime),
    outerClaims);

So when apponly = false it works, but when apponly = true it does not.


So the above is a deep dive into how the token is created. Below is information about the network communication between the hosted application in IIS and the SharePoint server with the deployed app. My own text is set in bold so you can better see the difference between the logging and what I added myself:


So here is a summary of the network traffic. I can provide the log file, but I need to clean it before I can publish it:

When we look at the authentication handshake, everything seems fine (does it?):

System.Net Information: 0 : [1112] Current OS installation type is 'Server'.
System.Net Verbose: 0 : [4872] WebRequest::Create(https://portal.XXX-dev.local/ins/134700/_vti_bin/client.svc)
System.Net Verbose: 0 : [4872] HttpWebRequest#65296005::HttpWebRequest(https://portal.XXX-dev.local/ins/134700/_vti_bin/client.svc#-89446220)
System.Net Information: 0 : [4872] RAS supported: True
System.Net Verbose: 0 : [4872] ServicePoint#33094::ServicePoint(portal.XXX-dev.local:443)
System.Net.Sockets Verbose: 0 : [4872] DNS::TryInternalResolve(portal.XXX-dev.local)
System.Net.Sockets Verbose: 0 : [4872] Socket#45306114::Connect(10.0.2.5:443#84017585)
System.Net.Sockets Information: 0 : [4872] Socket#45306114 - Created connection from 10.0.2.6:1351 to 10.0.2.5:443.
System.Net Information: 0 : [4872] Connection#1224489 - Created connection from 10.0.2.6:1351 to 10.0.2.5:443.
System.Net Information: 0 : [4872] TlsStream#15480286::.ctor(host=portal.XXX-dev.local, #certs=0)
System.Net Information: 0 : [4872] Associating HttpWebRequest#65296005 with ConnectStream#35899697
System.Net Information: 0 : [4872] HttpWebRequest#65296005 - Request: GET /ins/134700/_vti_bin/client.svc HTTP/1.1

System.Net Information: 0 : [4872] ConnectStream#35899697 - Sending headers
{
Authorization: Bearer
Host: portal.XXX-dev.local
Connection: Keep-Alive
}.
System.Net Information: 0 : [4872] SecureChannel#53220401::.ctor(hostname=portal.XXX-dev.local, #clientCertificates=0, encryptionPolicy=RequireEncryption)
System.Net Information: 0 : [4872] Enumerating security packages:
System.Net Information: 0 : [4872]     Negotiate
System.Net Information: 0 : [4872]     NegoExtender
System.Net Information: 0 : [4872]     Kerberos
System.Net Information: 0 : [4872]     NTLM
System.Net Information: 0 : [4872]     TSSSP
System.Net Information: 0 : [4872]     pku2u
System.Net Information: 0 : [4872]     WDigest
System.Net Information: 0 : [4872]     Schannel
System.Net Information: 0 : [4872]     Microsoft Unified Security Protocol Provider
System.Net Information: 0 : [4872]     CREDSSP
System.Net Information: 0 : [4872] SecureChannel#53220401 - Left with 0 client certificates to choose from.
System.Net Information: 0 : [4872] AcquireCredentialsHandle(package = Microsoft Unified Security Protocol Provider, intent  = Outbound, scc     = System.Net.SecureCredential)
System.Net Information: 0 : [4872] InitializeSecurityContext(credential = System.Net.SafeFreeCredential_SECURITY, context = (null), targetName = portal.XXX-dev.local, inFlags = ReplayDetect, SequenceDetect, Confidentiality, AllocateMemory, InitManualCredValidation)

I noticed the following data being sent to the server:

.........ldap:///CN=XXX-dev-SPFARMXXX-Root,CN=SPFarmXXX-ad,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXX-dev,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint0..


System.Net Information: 0 : [4872] InitializeSecurityContext(In-Buffers count=2, Out-Buffer length=0, returned code=OK).

System.Net Information: 0 : [4872] Remote certificate: [Version]
  V3

[Subject]
  CN=*.XXX-dev.local
  Simple Name: *.XXX-dev.local
  DNS Name: *.XXX-dev.local

[Issuer]
  CN=XXX-dev-SPFARMXXX-Root, DC=XXX-dev, DC=local
  Simple Name: XXX-dev-SPFARMXXX-Root
  DNS Name: XXX-dev-SPFARMXXX-Root

[Serial Number]
  5800000002DA96F25EA0DBC0AA000000000002

[Not Before]
  3/17/2017 8:48:16 AM

[Not After]
  3/17/2019 8:48:16 AM

[Thumbprint]
  564BC61B424A6F21CCC6629ACADEE9F2C1FD3812

[Signature Algorithm]
  sha1RSA(1.2.840.113549.1.1.5)

[Public Key]
  Algorithm: RSA
  Length: 2048
  Key Blob: 30 82 01 0a 02 82 01 01 00 b2 5a e2 8f 4d 7b 84 26 84 7b 51 88 63 83 4a b7 5f b5 59 07 3a dd b8 41 dc ea f2 4f bd a0 d3 5e 5b de 40 5e 16 6c b1 38 d2 9b a9 4e 17 f6 4b 3c a6 a0 e1 6e a1 d7 86 76 20 ed 73 03 f2 7e d5 af 4b b2 e9 52 ae fe 55 f8 7a 3b 34 8f c3 9d 6d 23 35 c9 4d 30 45 cb d9 5b 14 98 10 0d 18 e8 a2 0f ea bb ea 9f c2 11 23 79 ef e5 ff 83 6a be 3a 36 d1 48 87 4d 17 ce a0 fe 8e a1 c0 ce 27 11 5f 4c 61 4f 9a 22 ce 7d 7b d1 1c 75 c1 e9 ae ....
System.Net Information: 0 : [4872] SecureChannel#53220401 - Remote certificate was verified as valid by the user.
System.Net Information: 0 : [4872] ProcessAuthentication(Protocol=Tls, Cipher=Aes256 256 bit strength, Hash=Sha1 160 bit strength, Key Exchange=44550 256 bit strength).

Then the following request is made:

System.Net Verbose: 0 : [4872] WebRequest::Create(https://portal.XXX-dev.local/ins/134700//_vti_bin/client.svc) (no ->/)
System.Net Information: 0 : [4872] HttpWebRequest#6739836 - Request: GET /ins/134700//_vti_bin/client.svc HTTP/1.1
System.Net Information: 0 : [4872] ConnectStream#48047364 - Sending headers
{
Authorization: Bearer
Host: portal.XXX-dev.local
}.

System.Net Information: 0 : [4872] Connection#1224489 - Received status line: Version=1.1, StatusCode=401, StatusDescription=Unauthorized.
System.Net Information: 0 : [4872] Connection#1224489 - Received headers
{
Transfer-Encoding: chunked
X-SharePointHealthScore: 0
SPRequestGuid: d688749e-b5e1-308d-d529-2df0391f7a98
request-id: d688749e-b5e1-308d-d529-2df0391f7a98
X-FRAME-OPTIONS: SAMEORIGIN
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: https://portal.XXX-dev.local/_vti_bin/client.svc/
Server: Microsoft-IIS/8.5
WWW-Authenticate: Bearer realm="2803fc7f-fa5d-407a-b921-3ecae88058d3",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="82c987be-b75b-4ddf-83d7-a3d7cf9b0a66@2803fc7f-fa5d-407a-b921-3ecae88058d3,00000003-0000-0ff1-ce00-000000000000@2803fc7f-fa5d-407a-b921-3ecae88058d3",NTLM
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
MicrosoftSharePointTeamServices: 15.0.0.4893
X-Content-Type-Options: nosniff
X-MS-InvokeApp: 1; RequireReadOnly
Date: Mon, 25 Jun 2018 09:57:36 GMT
}.

System.Net Verbose: 0 : [4872] Data from ConnectStream#32922036::Read

The headers above come with the following body:

There is no operation listening at https://portal.XXX-dev.local/_vti_bin/client.svc, but there is one listening at https://portal.XXX-dev.local/_vti_bin/client.svc/, so you were redirected there.


The conclusion from System.Net is:

System.Net Error: 0 : [4872] Exception in HttpWebRequest#6739836::GetResponse - The remote server returned an error: (401) Unauthorized..

Nevertheless, CSOM keeps querying further (I don't know why, but this is actually the query we want to execute: load the Web and get the login name).

System.Net Verbose: 0 : [4872] WebRequest::Create(https://portal.XXX-dev.local/ins/134700/_vti_bin/client.svc/ProcessQuery)

...

<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="http://schemas.microsoft.com/sharepoint/clientquery/2009" AddExpandoFieldTypeSuffix="true" SchemaVersion="15.0.0.0" LibraryVersion="15.0.0.0" ApplicationName=".NET Library">
  <Actions>
    <ObjectPath Id="2" ObjectPathId="1" />
    <ObjectPath Id="4" ObjectPathId="3" />
    <ObjectPath Id="6" ObjectPathId="5" />
    <Query Id="7" ObjectPathId="3">
      <Query SelectAllProperties="false">
        <Properties>
          <Property Name="Title" ScalarProperty="true" />
          <Property Name="Url" ScalarProperty="true" />
        </Properties>
      </Query>
    </Query>
    <Query Id="8" ObjectPathId="5">
      <Query SelectAllProperties="false">
        <Properties>
          <Property Name="LoginName" ScalarProperty="true" />
        </Properties>
      </Query>
    </Query>
  </Actions>
  <ObjectPaths>
    <StaticProperty Id="1" TypeId="{3747adcd-a3c3-41b9-bfab-4a64dd2f1e0a}" Name="Current" />
    <Property Id="3" ParentId="1" Name="Web" />
    <Property Id="5" ParentId="3" Name="CurrentUser" />
  </ObjectPaths>
</Request>

System.Net Information: 0 : [4872] HttpWebRequest#39549169 - Request: POST /ins/134700/_vti_bin/client.svc/ProcessQuery HTTP/1.1

System.Net Information: 0 : [4872] ConnectStream#54033113 - Sending headers
{
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im1RTjdtQ0p5VXBHdGFubnJJNXNyNm9UZEp3VSJ9.eyJhdW....
Content-Type: text/xml
Host: portal.XXX-dev.local
Content-Length: 898
Expect: 100-continue
Accept-Encoding: gzip, deflate
}.

However, the following is retrieved from System.Net.Sockets:

The issuer of the token claims a user identity that does not match the nameid (name identifier) claim of the delegated identity (actor identity). These two claims are expected to match, so this token is rejected.

Reading this message, which comes from the SharePoint server at socket level, and combining it with the information retrieved from the debugger, I should know something, right? But I can't see what I can do. So we continue:

The following exception is thrown in .NET C#:

Exception: {
   "Status":7,
   "Response":{
      "m_HttpResponseHeaders":[
         "SPRequestGuid",
         "request-id",
         "X-FRAME-OPTIONS",
         "SPRequestDuration",
         "SPIisLatency",
         "Server",
         "WWW-Authenticate",
         "X-Powered-By",
         "MicrosoftSharePointTeamServices",
         "X-Content-Type-Options",
         "X-MS-InvokeApp",
         "Date",
         "Content-Length"
      ],
      "m_Uri":"https://portal.XXX-dev.local/ins/134700/_vti_bin/client.svc/ProcessQuery",
      "m_Certificate":null,
      "m_Version":{
         "Major":1,
         "Minor":1,
         "Build":-1,
         "Revision":-1,
         "MajorRevision":-1,
         "MinorRevision":-1
      },
      "m_StatusCode":401,
      "m_ContentLength":211,
      "m_Verb":"POST",
      "m_StatusDescription":"Unauthorized",
      "m_MediaType":null
   },
   "Message":"The remote server returned an error: (401) Unauthorized.",
   "Data":{

   },
   "InnerException":null,
   "StackTrace":" at System.Net.HttpWebRequest.GetResponse()\r\n at Microsoft.SharePoint.Client.SPWebRequestExecutor.Execute()\r\n at Microsoft.SharePoint.Client.ClientRequest.ExecuteQueryToServer(ChunkStringBuilder sb)\r\n at …",
   "HelpLink":null,
   "Source":"System"
}
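An added example, not code from the question or from TokenHelper.cs: it rebuilds the two token layers from the claims and the WWW-Authenticate header quoted above and checks the consistency rules the TokenHelper comments describe (actor token audience for this site and realm, actor issuer listed in trusted_issuers, and for a delegated token the outer iss equal to the actor nameid). The user SID is a placeholder, the signature is a dummy and is not verified, and the nii value and claim layout of the outer token are assumed from the TokenHelper comments rather than copied from the question.

```python
import base64
import json

# Constructed sample values copied from the claims and the WWW-Authenticate header in the question.
REALM = "2803fc7f-fa5d-407a-b921-3ecae88058d3"
SP_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"
ISSUER_ID = "82c987be-b75b-4ddf-83d7-a3d7cf9b0a66"
CLIENT_ID = "496fc703-ad06-4672-be2a-cfdcaed9c774"
AUTHORITY = "portal.XXX-dev.local"
TRUSTED_ISSUERS = {f"{ISSUER_ID}@{REALM}", f"{SP_PRINCIPAL}@{REALM}"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict) -> str:
    # Dummy signature: a real actor token is RS256-signed with the add-in certificate (x5t from the question).
    header = {"typ": "JWT", "alg": "RS256", "x5t": "mQN7mCJyUpGtannrI5sr6oTdJwU"}
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(claims).encode()), "sig"])

def claims_of(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[1]))

def check_high_trust_token(bearer: str, realm: str, trusted_issuers: set) -> list:
    """List the claim mismatches SharePoint would reject; the signature is deliberately not verified here."""
    problems = []
    outer = claims_of(bearer)
    actor_jwt = outer.get("actortoken")
    # App-only: the bearer token is the actor token itself. Delegated: the actor token is nested.
    actor = claims_of(actor_jwt) if actor_jwt else outer
    if actor.get("aud") != f"{SP_PRINCIPAL}/{AUTHORITY}@{realm}":
        problems.append(f"actor aud {actor.get('aud')!r} is not for this site and realm")
    if actor.get("iss") not in trusted_issuers:
        problems.append(f"actor iss {actor.get('iss')!r} is not in trusted_issuers")
    if actor_jwt and outer.get("iss") != actor.get("nameid"):
        problems.append(f"outer iss {outer.get('iss')!r} != actor nameid {actor.get('nameid')!r}")
    return problems

# Actor (app-only) token with exactly the claims shown in the question.
ACTOR_CLAIMS = {"aud": f"{SP_PRINCIPAL}/{AUTHORITY}@{REALM}", "iss": f"{ISSUER_ID}@{REALM}",
                "nbf": "1529923577", "exp": "1529966777", "nameid": f"{CLIENT_ID}@{REALM}"}
APP_ONLY_TOKEN = make_jwt(ACTOR_CLAIMS)
# Delegated token: outer iss must equal the actor nameid. The user SID is a constructed placeholder.
OUTER_CLAIMS = {"aud": ACTOR_CLAIMS["aud"], "iss": ACTOR_CLAIMS["nameid"], "nameid": "S-1-5-21-PLACEHOLDER",
                "nii": "urn:office:idp:activedirectory", "actortoken": APP_ONLY_TOKEN}
DELEGATED_TOKEN = make_jwt(OUTER_CLAIMS)
# The mismatch the error message names: outer issuer set to the certificate issuer instead of the client id.
BAD_DELEGATED_TOKEN = make_jwt({**OUTER_CLAIMS, "iss": f"{ISSUER_ID}@{REALM}"})
```

Running `check_high_trust_token` over the bearer value captured in the Authorization header of the ProcessQuery request (with the realm and trusted_issuers taken from the 401 response) shows which of the three relationships the server objects to before any signature check comes into play.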

0 answers