我一直在努力为开发目的设置一个新的服务器(Windows Server 2012) . 目的是测试通过AD FS登录Web应用程序 . 该机器是域控制器,具有自己的证书服务和AD FS .
网络应用程序使用Owin,我一直在关注本指南:https://developers.de/blogs/armin_kalajdzija/archive/2016/10/06/how-to-implement-web-sign-on-with-adfs-in-asp-net-mvc-using-owin.aspx
当我冲浪到我设置的网站时,我被重定向到AD FS但是在登录后我得到了一个错误 . 在事件查看器中,我得到:
首先是一个事件323
The Federation Service could not authorize token issuance for the caller '*domain\user*
' on behalf of the subject '*domain\user*
' to the relying party 'https://*domain*:44330/'. Please see event 501 with the same instance id for caller identity. Please see event 502 with the same instance id for OnBehalfOf identity, if any.
Additional Data
Instance id: 28b6e92b-453e-4488-93d1-3671268ff24c
Exception details:
Microsoft.IdentityServer.Service.IssuancePipeline.OnBehalfOfAuthorizationException: MSIS5009: The impersonation authorization failed for caller identity System.Security.Claims.ClaimsIdentity and delegate System.Security.Claims.ClaimsIdentity for relying party trust https://*domain*:44330/.
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
User Action
Use the Windows PowerShell Get-ADFSClaimsProviderTrust or Get-ADFSRelyingPartyTrust cmdlet to ensure the caller is authorized on behalf of the subject to the relying party.
然后一些501和502具有用户/声明信息 . 然后一个364
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
>System.ServiceModel.FaultException: MSIS3126: Access denied.
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
现在我尝试了一些事情:
依赖方已将“允许访问所有用户”作为唯一的颁发授权规则 . 我在“发行转换规则”下尝试了不同的规则 . 我在501和502事件中看到的不同属性主要是“将LDAP属性作为声明发送” . (也搞乱了一些转换 - 并通过规则)
我已经尝试在SHA-1和SHA-256之间的依赖方上来回更改安全散列算法 .
我已经尝试将WS-Federation endpoints 更改为https:// domain / adfs / ls / . (并尝试使用或不使用/结尾的不同 endpoints 和标识符)
我已经尝试更改声明提供程序信任(AD)中的规则,然后将其还原,因为它不起作用 .
我已经尝试通过PowerShell将SigningCertificateRevocationCheck设置为'none' .
我删除并重新创建了依赖方信任 .
我得到的错误总是相同的 . 任何人都有其他想法的想法吗?