WIF STS ID3242:无法对安全令牌进行身份验证或授权

时间:2011-03-07 17:33:20

标签: wcf wif sts-securitytokenservice

当我尝试对我的服务进行身份验证时,我的客户端应用程序中出现以下错误:

  

ID3242:无法对安全令牌进行身份验证或授权

以下是客户端的配置:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
<system.serviceModel>
<bindings>
  <ws2007HttpBinding>
    <binding name="stsBinding">
      <security mode="Message">
        <message clientCredentialType="UserName"
          establishSecurityContext="false"
          negotiateServiceCredential="true"/>
      </security>
    </binding>
  </ws2007HttpBinding>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message>
          <claimTypeRequirements>
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false"/>
          </claimTypeRequirements>
          <issuer address="http://localhost:17240/STS.svc"
                  bindingConfiguration="stsBinding"
                  binding="ws2007HttpBinding">
            <identity>
              <dns value="WCFSTS"/>
            </identity>
          </issuer>
          <issuerMetadata address="http://localhost:17240/STS.svc/Mex"></issuerMetadata>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<behaviors>
  <endpointBehaviors>
    <behavior name="echoClaimsBehavior">
      <clientCredentials>
        <serviceCertificate>
          <defaultCertificate
            findValue="CN=WCFSTS"
            storeLocation="LocalMachine"
            storeName="My"
            x509FindType="FindBySubjectDistinguishedName"/>
          <authentication
            revocationMode="NoCheck"
            certificateValidationMode="None"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>
<client>
  <endpoint address="http://localhost:1438/EchoClaims.svc/EchoClaims"
            binding="ws2007FederationHttpBinding"
            bindingConfiguration="echoClaimsBinding"
            contract="TestService.IEchoClaims"
            name="WS2007FederationHttpBinding_IEchoClaims"
            behaviorConfiguration="echoClaimsBehavior">
    <identity>
      <dns value="WCFServer"/>
    </identity>
  </endpoint>
</client>
</system.serviceModel>
</configuration>

以下是服务的配置

<?xml version="1.0"?>
<configuration>
<configSections>
<section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
</configSections>

<system.web>
<compilation debug="true" targetFramework="4.0">
  <assemblies>
    <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
  </assemblies>
</compilation>
</system.web>

<system.serviceModel>
<services>
  <service name="WcfService1.EchoClaims"
           behaviorConfiguration="echoClaimsBehavior">

    <endpoint address=""
              contract="WcfService1.IEchoClaims"
              binding="ws2007FederationHttpBinding"
              bindingConfiguration="echoClaimsBinding"></endpoint>
    <endpoint address="mex"
           binding="mexHttpBinding"
           contract="IMetadataExchange" />
  </service>
</services>
<behaviors>
  <serviceBehaviors>
    <behavior name="echoClaimsBehavior">

      <serviceMetadata httpGetEnabled="true" />
      <serviceCredentials>           
        <serviceCertificate 
          findValue="CN=WCFServer" 
          storeLocation="LocalMachine" 
          storeName="My" 
          x509FindType="FindBySubjectDistinguishedName" />
      </serviceCredentials>
    </behavior>
  </serviceBehaviors>
</behaviors>
<serviceHostingEnvironment multipleSiteBindingsEnabled="true" />

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="echoClaimsBinding">
      <security mode="Message">
        <message negotiateServiceCredential="true">
          <!--<issuerMetadata address="http://localhost:17240/STS.svc/mex" />-->
          <claimTypeRequirements>
            <!--Following are the claims offered by STS 'http://localhost:17240/STS.svc'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.-->
            <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="false" />               
          </claimTypeRequirements>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>
<diagnostics>
  <messageLogging logEntireMessage="true"
                  logMessagesAtServiceLevel="true"
                  logMessagesAtTransportLevel="true"></messageLogging>
</diagnostics>
</system.serviceModel>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>
<microsoft.identityModel>
<service>
  <audienceUris mode="Never"/>        
  <issuerNameRegistry type="WcfService1.CustomIssuerNameRegistry, WcfService1"/>        
</service>
</microsoft.identityModel>
<system.diagnostics>
<sources>
  <source name="System.ServiceModel" switchValue="Warning, Error, ActivityTracing"
       propagateActivity="true">
    <listeners>
      <add name="ServiceModelTraceListener"/>
    </listeners>
  </source>
</sources>
<sharedListeners>
  <add initializeData="ecb_tracelog.svclog"
                type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
    <filter type="" />
  </add>
</sharedListeners>
<trace autoflush="true" />
</system.diagnostics>
</configuration>

如果有人知道如何确定身份验证失败的原因,请告诉我。我有详细的日内瓦STS跟踪,但它没有给我任何关于证书未经过身份验证的消息。

2 个答案:

答案 0 :(得分:1)

在类似的情况下,this forum post Dominick Baier表示Web服务拒绝令牌,因此在STS上进行跟踪不会显示任何问题。

他建议在<microsoft.identityModel><service><securityTokenHandlers><securityTokenHandlerConfiguration><audienceUris>中查看此Web服务的web.config部分,并在同一文件中启用Microsoft.IdentityModel跟踪源。

答案 1 :(得分:1)

在我的情况下,转向跟踪揭示了之前抛出的另一个异常

ID3242:无法对安全令牌进行身份验证或授权

使用此选项打开WCF端的跟踪:

<system.diagnostics>
<sources>
  <source name="Microsoft.IdentityModel" switchValue="Verbose">
    <listeners>
      <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="D:\Logs\rie\RIE_Trace.log" />
    </listeners>
  </source>
</sources>
<trace autoflush="true" />

同样,在我的情况下,跟踪文件显示以下异常:

ID1038:AudienceRestrictionCondition无效,因为AudienceUris中不存在指定的受众群体。 观众:http://some.th.ing/

在WCF Web.config中, audienceUri 不正确。

希望这有帮助