The private key does not support the exchange KeySpec during an ADFS 2.0 response

Time: 2011-03-23 14:34:47

Tags: adfs notsupportedexception

I have the following problem.

We have a claims-aware ASP.NET site and an ADFS server configured for this site.

So the flow is: we start our web application, get redirected to the ADFS server for authentication and then back to the site, and at that point we get a Server Error page whose URL is our site's URL:

```
System.NotSupportedException: The private key does not support the exchange KeySpec.
Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  
Stack Trace: 
[NotSupportedException: The private key does not support the exchange KeySpec.]
   System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData) +237615
   System.IdentityModel.Selectors.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key) +378
   Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader) +253
   Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +105
   Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas) +282
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +312
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099462
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
```

The Windows log shows that during this period we received the following warning, which I suggest is directly related to the Server Error page:

```
Log Name:      Application
Source:        ASP.NET 2.0.50727.0
Date:          3/23/2011 2:05:50 PM
Event ID:      1309
Task Category: Web Event
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      machine-name
Description:
Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 3/23/2011 2:05:50 PM 
Event time (UTC): 3/23/2011 2:05:50 PM 
Event ID: 356af0be20744d15bba97111f6bbd475 
Event sequence: 7 
Event occurrence: 6 
Event detail code: 0 

Application information: 
    Application domain: /appl-domain/ClaimsAwareWebAppWithManagedSTS-1-129453622903756000 
    Trust level: Full 
    Application Virtual Path: /ClaimsAwareWebAppWithManagedSTS 
    Application Path: C:\tools\AdvantageSso\Using Managed STS\ClaimsAwareWebAppWithManagedSTS\ 
    Machine name: machine-name 

Process information: 
    Process ID: 3840 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Exception information: 
    Exception type: NotSupportedException 
    Exception message: The private key does not support the exchange KeySpec. 

Request information: 
    Request URL: https://app-url/ClaimsAwareWebAppWithManagedSTS/default.aspx 
    Request path: /ClaimsAwareWebAppWithManagedSTS/default.aspx 
    User host address: host-name
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Thread information: 
    Thread ID: 10 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData)
   at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
   at Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
```

The empty User field and "Is authenticated: False" are very confusing... so does this mean we are not being authenticated by ADFS, or is this just showing the current state of the request to the site?

Unfortunately, I am not a big expert in this area, and I have been struggling with it all week.

Could someone help me figure out the problem?

Many thanks

2 answers:

Answer 0 (score: 1)

What seems to be happening here is that your relying party trust in AD FS is configured to encrypt its tokens using (the public part of) some certificate. It does so, and your web application then tries to decrypt them using the private key of the same certificate.

However, the certificate needs to support "key exchange", and from your error message it looks like yours does not. I don't know where you got the certificate from, but if you create it programmatically through Windows COM using IX509Enrollment, you need to set the KeySpec of IX509PrivateKey to XCN_AT_KEYEXCHANGE.

Another thing you need to do is make sure the certificate supports "Document Signing". For that, make sure the IX509ExtensionEnhancedKeyUsage contains XCN_OID_KP_DOCUMENT_SIGNING, i.e. 1.3.6.1.4.1.311.10.3.12.

Also, the COM class names behind the COM interfaces above are documented on the linked page.

Answer 1 (score: 0)

You should also check whether the (service) user accessing the certificate has sufficient permissions on the local machine to access the certificate. That was my problem.
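One way to check, on the web server itself, both points raised in the two answers above (answer 0: a private key generated with a Signature rather than Exchange KeySpec, and a missing Document Signing EKU; answer 1: a service account that cannot read the private key). This is an added PowerShell example, not code from the question or either answer. It assumes the relying party's decryption certificate is in the LocalMachine\My store with a CAPI/CSP private key (the path the X509AsymmetricSecurityKey.DecryptKey error goes through), that the web app runs as the account in $ServiceAccount, and $Thumbprint is a placeholder you replace.

```powershell
# Added diagnostic script; not part of the original question or either answer.
# Assumptions: the token-decryption certificate is in LocalMachine\My, its
# private key is a CAPI/CSP RSA key, and the web app (w3wp.exe) runs as
# $ServiceAccount. $Thumbprint is a placeholder.
param(
    [string]$Thumbprint     = 'REPLACE-WITH-CERT-THUMBPRINT',
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
)

$result = [ordered]@{ Thumbprint = $Thumbprint }

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "No private key is present for $Thumbprint on this machine" }

# 1. KeySpec: WIF decrypts the token with the private key, so the key must
#    have been generated as AT_KEYEXCHANGE (answer 0). For a CSP key, .NET
#    reports this as CspKeyContainerInfo.KeyNumber = Exchange.
$keyFile = $null
try {
    $rsa  = $cert.PrivateKey          # RSACryptoServiceProvider for CSP keys
    $info = $rsa.CspKeyContainerInfo
    $result.KeySpec   = [string]$info.KeyNumber   # 'Exchange' or 'Signature'
    $result.KeySpecOk = ($info.KeyNumber -eq [System.Security.Cryptography.KeyNumber]::Exchange)
    $keyFile = $info.UniqueKeyContainerName
} catch {
    # CNG keys are not exposed through .PrivateKey this way; certutil's
    # verbose store dump prints the KeySpec line instead.
    $result.KeySpec   = "unknown (inspect with: certutil -v -store My $Thumbprint)"
    $result.KeySpecOk = $false
}

# 2. Enhanced Key Usage: answer 0 also expects Document Signing
#    (1.3.6.1.4.1.311.10.3.12) in the EKU extension (OID 2.5.29.37).
$docSigningOid = '1.3.6.1.4.1.311.10.3.12'
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$result.EkuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
$result.HasDocumentSigningEku = [bool]($result.EkuOids -contains $docSigningOid)

# 3. Private key ACL: the w3wp.exe account must be able to read the key
#    container file (answer 1). Machine-store CSP RSA keys live under
#    %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<UniqueKeyContainerName>.
#    Only a direct ACE for $ServiceAccount is checked; group membership
#    (e.g. IIS_IUSRS) is not expanded here.
if ($keyFile) {
    $keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyFile"
    $result.KeyFile = $keyPath
    if (Test-Path $keyPath) {
        $acl   = Get-Acl -Path $keyPath
        $grant = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $ServiceAccount -and
            ($_.FileSystemRights -match 'Read|FullControl')
        }
        $result.ServiceAccountCanRead = [bool]$grant
    }
}

# Every $false line below is a candidate cause: KeySpecOk=False matches the
# "does not support the exchange KeySpec" exception, ServiceAccountCanRead=False
# matches answer 1's permission problem.
[pscustomobject]$result | Format-List
```

Run it in an elevated PowerShell on the web server (reading the MachineKeys ACL needs admin rights). If KeySpecOk is False the key itself was generated for signing only and the certificate has to be re-issued with an exchange key; changing the ACL cannot fix that case.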