2

所以对于初学者来说,这是我的环境:

  • 共享点 2010
  • Windows Server 2008 标准版
  • 这是我本地机器上的 VHD
  • 我已连接到我的工作域 我也已连接到
  • VPN 也是因为我需要的一些资源需要它

所以我在 SharePoint 中有一个用于 SSO 的 STS

STS 是通过 PowerShell cmdlet 创建的:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\IdentityServer.cer")
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" –SameAsIncoming

# $map2 ... $mapN

$realm = "urn:mycompany:software"
$signinurl = "https://somesignin.com/FederationProvider/"

$ap = New-SPTrustedIdentityTokenIssuer -Name "MyFederationProvider" -Description "My Fed Provider" -Realm $realm -UseWReply -ImportTrustCertificate $cert -ClaimsMappings $map1 -SignInUrl $signinurl -IdentifierClaim $map1.InputClaimType

对于我的 SharePoint 网站的 Internet 区域,我将上面创建的受信任身份提供程序作为声明身份验证类型。

当我登录时一切顺利,直到我在代码中点击这一行,FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(signInResponseMessage, Response);

The error I get is:
Exception information: 
    Exception type: SecurityTokenException 
    Exception message: The issuer of the token is not a trusted issuer. 

Request information: 
    Request URL: https://mySharePointSite.com:443/_trust/default.aspx 
    Request path: /_trust/default.aspx 
    User host address: 127.0.0.1 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: MyDomain\ThreadAccount

Thread information: 
    Thread ID: 10 
    Thread account name: MyDomain\ThreadAccount
    Is impersonating: False 
    Stack trace:    at Microsoft.SharePoint.IdentityModel.SPTrustedIssuerNameRegistry`1.GetIssuerName(SecurityToken securityToken)
   at Microsoft.SharePoint.IdentityModel.SPPassiveIssuerNameRegistry.GetIssuerName(SecurityToken securityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

但是,根证书位于本地计算机上计算机帐户的 MMC 证书管理单元的受信任根证书颁发机构中。同样,根证书在 SharePoint 中被认为是受信任的。我通过管理中心->安全->管理信任添加了它。

任何想法为什么我仍然会收到此错误?

4

2 回答 2

0

您是否在https://somesignin.com/FederationProvider/上运行了 STS ?

New-SPTrustedIdentityTokenIssuer 的文档说它“在场中创建身份提供者”。这对我来说似乎措辞不佳。它实际上并没有创建一个新的 STS。New-SPTrustedIdentityTokenIssuer 真正做的是在共享点和现有的第 3 方身份提供者之间配置信任关系。例如,

LiveID:

http://technet.microsoft.com/en-us/library/ff607628.aspx

或 ADFS:

http://msdn.microsoft.com/en-us/library/hh446525.aspx

于 2012-06-13T15:09:12.497 回答
0

问题是最初使用的证书不是来自我开发的域。对于本地开发,创建了自签名证书,然后颁发者受到信任。此证书已添加到我本地 Sharepoint 场的管理信任库中, http: //onpointwithsharepoint.blogspot.ca/2012/11/managing-trust-certificates-by-using.html

于 2013-08-09T03:45:40.613 回答