我一直在为开发目的而设置新服务器(Windows Server 2012)。目的是测试通过AD FS登录Web应用程序。该计算机是域控制器,具有自己的证书服务和AD FS。
该网络应用使用Owin,并且我一直在遵循本指南:https://developers.de/blogs/armin_kalajdzija/archive/2016/10/06/how-to-implement-web-sign-on-with-adfs-in-asp-net-mvc-using-owin.aspx
当我浏览到我设置的站点时,我被重定向到AD FS,但是登录后却出现错误。在事件查看器中,我得到:
第一个事件323
The Federation Service could not authorize token issuance for the caller '*domain\user*
' on behalf of the subject '*domain\user*
' to the relying party 'https://*domain*:44330/'. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.
Additional Data
Instance id: 28b6e92b-453e-4488-93d1-3671268ff24c
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity System.Security.Claims.ClaimsIdentity and delegate System.Security.Claims.ClaimsIdentity for relying party trust https://*domain*:44330/.
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use the Windows PowerShell Get-ADFSClaimsProviderTrust or Get-ADFSRelyingPartyTrust cmdlet to ensure the caller is authorized on behalf of the subject to the relying party.
然后输入一些带有用户/声明信息的501和502。然后是364
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
>System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
现在我已经尝试了一些方法:
依赖方具有“允许所有用户访问权限”作为唯一的发行授权规则。我在“发行转换规则”下尝试了不同的规则。我在501和502事件下看到的大多数属性都是“将LDAP属性作为声明发送”。 (还搞乱了一些转换和传递规则)
我曾尝试在SHA-1和SHA-256之间的依赖方之间来回更改安全哈希算法。
我尝试将WS-Federation端点更改为https:// domain / adfs / ls /。 (并尝试使用不同的端点和标识符,最后是否带有/)
我曾尝试更改Claims Provider Trust(AD)中的规则,然后将其还原,因为它不起作用。
我尝试通过PowerShell将SigningCertificateRevocationCheck设置为“ none”。
我已经删除并重新建立了依赖方信任。
我得到的错误总是一样的。任何人都有其他尝试的想法吗?