我想使用ADFS 2.0对使用自编WCF服务的用户进行身份验证。该服务已准备就绪并且功能齐全。此外,ADFS 2.0已正确设置。
当我在代码中设置客户端绑定并在那里执行操作时,一切都按预期工作。但是,当我想使用“更新服务引用”生成的配置时,绑定是错误的,并且不能按预期工作。
我在哪里错过了什么?任何提示欢迎。
给出错误
未处理的异常:System.ServiceModel.FaultException:消息 与行动 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue'不能 由于ContractFilter不匹配而在接收器处理 EndpointDispatcher。这可能是因为合同不匹配 (发送方和接收方之间不匹配的操作)或绑定/安全性 发送者和接收者之间不匹配。检查发件人和 接收者具有相同的合同和相同的约束力(包括 安全要求,例如消息,传输,无)。
服务器配置:
<bindings>
<ws2007FederationHttpBinding>
<binding>
<security mode="TransportWithMessageCredential">
<message establishSecurityContext="false">
<issuerMetadata address="https://sts.local.domain/adfs/services/trust/mex" />
<issuer address="https://sts.local.domain/adfs/services/trust/2005/windowstransport" binding="ws2007HttpBinding" />
<claimTypeRequirements>
<add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
<add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
</claimTypeRequirements>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding>
<security mode="Transport">
<transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
<message clientCredentialType="None" establishSecurityContext="false" negotiateServiceCredential="true" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
客户端配置(不工作):
<bindings>
<ws2007FederationHttpBinding>
<binding name="WS2007FederationHttpBinding_IMyService" closeTimeout="00:01:00"
openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text"
textEncoding="utf-8" useDefaultWebProxy="true">
<readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
maxBytesPerRead="4096" maxNameTableCharCount="16384" />
<reliableSession ordered="true" inactivityTimeout="00:10:00"
enabled="false" />
<security mode="TransportWithMessageCredential">
<message algorithmSuite="Default" establishSecurityContext="false"
issuedKeyType="SymmetricKey" negotiateServiceCredential="true">
<issuer address="https://sts.local.domain/adfs/services/trust/2005/windowstransport" binding="ws2007HttpBinding" />
<issuerMetadata address="https://sts.local.domain/adfs/services/trust/mex" />
<tokenRequestParameters>
<AppliesTo xmlns="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
<Address>https://service.machine.local/STSWcfService/MyService.svc</Address>
</EndpointReference>
</AppliesTo>
<trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
<wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
</trust:Claims>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</trust:SecondaryParameters>
</tokenRequestParameters>
</message>
</security>
</binding>
</ws2007FederationHttpBinding>
<ws2007HttpBinding>
<binding>
<security mode="Transport">
<transport clientCredentialType="Windows" />
<message clientCredentialType="Windows" establishSecurityContext="false" />
</security>
</binding>
</ws2007HttpBinding>
</bindings>
<client>
<endpoint address="https://service.machine.local/STSWcfService/MyService.svc"
binding="ws2007FederationHttpBinding" bindingConfiguration="WS2007FederationHttpBinding_IMyService"
contract="ServiceReference.IMyService" name="WS2007FederationHttpBinding_IMyService" />
</client>
代码中的客户端绑定(正常工作):
private static SecurityToken GetToken()
{
var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.Transport), adfsEndPoint)
{
TrustVersion = TrustVersion.WSTrustFeb2005
};
var requestSecurityToken = new RequestSecurityToken
{
RequestType = WSTrustFeb2005Constants.RequestTypes.Issue,
AppliesTo = new EndpointAddress(serviceEndPoint),
KeyType = WSTrustFeb2005Constants.KeyTypes.Symmetric
};
var channel = factory.CreateChannel();
return channel.Issue(requestSecurityToken);
}
private static void CallService(SecurityToken token)
{
// create binding and turn off sessions
var binding = new WS2007FederationHttpBinding(WSFederationHttpSecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
// create factory and enable WIF plumbing
var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(serviceEndPoint));
factory.ConfigureChannelFactory();
// turn off CardSpace - we already have the token
factory.Credentials.SupportInteractive = false;
var channel = factory.CreateChannelWithIssuedToken(token);
foreach (var claim in channel.GetClaims())
{
Console.WriteLine("{0}\n {1}\n {2} ({3})\n", claim.ClaimType, claim.Value, claim.Issuer, claim.OriginalIssuer);
}
}
答案 0 :(得分:1)
我认为您的安全模式和客户端凭据可能不匹配。
将它放在app.config(客户端和服务器)中,并确保进程具有对目录的写访问权。
<system.diagnostics>
<sources>
<source name="Microsoft.IdentityModel" switchValue="Verbose">
<listeners>
<add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\temp\WIF.svclog" />
</listeners>
</source>
<source name="System.ServiceModel.MessageLogging" switchValue="Verbose">
<listeners>
<add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
initializeData="c:\temp\WCF.svclog" />
</listeners>
</source>
</sources>
<trace autoflush="true" />
</system.diagnostics>
在试图弄清楚什么是错的时候,这对我帮助很大。我还建议(仅用于测试)在您的错误中包含服务异常。
<behaviors>
<serviceBehaviors>
<behavior>
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>
请执行此操作并使用日志中的错误更新您的问题。
答案 1 :(得分:0)
您可以创建另一个绑定部分,并为其指定另一个名称,而不是Visual Studio生成的名称。在下次更新时,绑定将被合并。
答案 2 :(得分:-1)
由于某些原因我无法添加注释 - 但是我已经看到WCF'忽略'我的wshttpbinding并且当我改变了我的SVC文件内容时取代了basichttpbinding - 它最终依赖于该方案来确定绑定和因此,忽略除httpHest的basicHttpBinding之外的任何内容。
看看那里,看看是否有帮助。