
I've been having a terrible time with this configuration. I have everything working without SSL, but switching it over to SSL has given me some problems and I'm pulling my hair out. Where is my mismatch? These config files are really complex, with a lot going on in them, and I'm not sure where to start.

The errors I see:

  1. The client gets the exception: System.ServiceModel.Security.SecurityNegotiationException: Secure channel cannot be opened because security negotiation with the remote endpoint has failed. This may be due to absent or incorrectly specified EndpointIdentity in the EndpointAddress used to create the channel. Please verify the EndpointIdentity specified or implied by the EndpointAddress correctly identifies the remote endpoint. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
  2. So I turned on server logging. The server log then shows: System.ServiceModel.Security.MessageSecurityException: Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

WIF/WCF client .config:

<?xml version="1.0" encoding="utf-8"?>

<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
                binding="customBinding"
                bindingConfiguration="WS2007FederationHttpBinding_ISayHelloService"
                contract="ActiveFederationHelpers.Tests.ISayHelloService"
                name="WS2007FederationHttpBinding_ISayHelloService">
        <identity>
          <certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
                                storeLocation="LocalMachine"
                                storeName="My"
                                x509FindType="FindByThumbprint" />
        </identity>
      </endpoint>
    </client>
    <bindings>
      <customBinding>
        <binding name="WS2007FederationHttpBinding_ISayHelloService">
          <security defaultAlgorithmSuite="Default"
                    authenticationMode="SecureConversation"
                    requireDerivedKeys="true"
                    securityHeaderLayout="Strict"
                    includeTimestamp="true"
                    keyEntropyMode="CombinedEntropy"
                    messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                    messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                    requireSecurityContextCancellation="true"
                    requireSignatureConfirmation="false">
            <localClientSettings cacheCookies="true"
                                 detectReplays="true"
                                 replayCacheSize="900000"
                                 maxClockSkew="00:05:00"
                                 maxCookieCachingTime="Infinite"
                                 replayWindow="00:05:00"
                                 sessionKeyRenewalInterval="10:00:00"
                                 sessionKeyRolloverInterval="00:05:00"
                                 reconnectTransportOnFailure="true"
                                 timestampValidityDuration="00:05:00"
                                 cookieRenewalThresholdPercentage="60" />
            <localServiceSettings detectReplays="true"
                                  issuedCookieLifetime="10:00:00"
                                  maxStatefulNegotiations="128"
                                  replayCacheSize="900000"
                                  maxClockSkew="00:05:00"
                                  negotiationTimeout="00:01:00"
                                  replayWindow="00:05:00"
                                  inactivityTimeout="00:02:00"
                                  sessionKeyRenewalInterval="15:00:00"
                                  sessionKeyRolloverInterval="00:05:00"
                                  reconnectTransportOnFailure="true"
                                  maxPendingSessions="128"
                                  maxCachedCookies="1000"
                                  timestampValidityDuration="00:05:00" />
            <secureConversationBootstrap defaultAlgorithmSuite="Default"
                                         authenticationMode="IssuedTokenForSslNegotiated"
                                         requireDerivedKeys="true"
                                         securityHeaderLayout="Strict"
                                         includeTimestamp="true"
                                         keyEntropyMode="CombinedEntropy"
                                         messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
                                         messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                                         requireSecurityContextCancellation="true"
                                         requireSignatureConfirmation="true">
              <issuedTokenParameters keySize="256"
                                     keyType="SymmetricKey"
                                     tokenType="">
                <additionalRequestParameters>
                  <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                    <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                    <trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
                    <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
                                  xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                      <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                                      Optional="true"
                                      xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                      <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                                      Optional="true"
                                      xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                      <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                                      Optional="true"
                                      xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                      <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
                                      Optional="true"
                                      xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" />
                    </trust:Claims>
                    <trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
                    <trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
                    <trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
                    <trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
                    <trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
                  </trust:SecondaryParameters>
                </additionalRequestParameters>
                <issuer address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                        bindingConfiguration="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                        binding="ws2007HttpBinding" />
                <issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
              </issuedTokenParameters>
              <localClientSettings cacheCookies="true"
                                   detectReplays="true"
                                   replayCacheSize="900000"
                                   maxClockSkew="00:05:00"
                                   maxCookieCachingTime="Infinite"
                                   replayWindow="00:05:00"
                                   sessionKeyRenewalInterval="10:00:00"
                                   sessionKeyRolloverInterval="00:05:00"
                                   reconnectTransportOnFailure="true"
                                   timestampValidityDuration="00:05:00"
                                   cookieRenewalThresholdPercentage="60" />
              <localServiceSettings detectReplays="true"
                                    issuedCookieLifetime="10:00:00"
                                    maxStatefulNegotiations="128"
                                    replayCacheSize="900000"
                                    maxClockSkew="00:05:00"
                                    negotiationTimeout="00:01:00"
                                    replayWindow="00:05:00"
                                    inactivityTimeout="00:02:00"
                                    sessionKeyRenewalInterval="15:00:00"
                                    sessionKeyRolloverInterval="00:05:00"
                                    reconnectTransportOnFailure="true"
                                    maxPendingSessions="128"
                                    maxCachedCookies="1000"
                                    timestampValidityDuration="00:05:00" />
            </secureConversationBootstrap>
          </security>
          <textMessageEncoding maxReadPoolSize="64"
                               maxWritePoolSize="16"
                               messageVersion="Default"
                               writeEncoding="utf-8">
            <readerQuotas maxDepth="32"
                          maxStringContentLength="8192"
                          maxArrayLength="16384"
                          maxBytesPerRead="4096"
                          maxNameTableCharCount="16384" />
          </textMessageEncoding>
          <httpsTransport manualAddressing="false"
                          maxBufferPoolSize="524288"
                          maxReceivedMessageSize="65536"
                          allowCookies="false"
                          authenticationScheme="Negotiate"
                          bypassProxyOnLocal="false"
                          decompressionEnabled="true"
                          hostNameComparisonMode="StrongWildcard"
                          keepAliveEnabled="true"
                          maxBufferSize="65536"
                          proxyAuthenticationScheme="Anonymous"
                          realm=""
                          transferMode="Buffered"
                          unsafeConnectionNtlmAuthentication="false"
                          useDefaultWebProxy="true" />
        </binding>
      </customBinding>
      <ws2007HttpBinding>
        <binding name="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/13/usernamemixed"
                 closeTimeout="00:01:00"
                 openTimeout="00:01:00"
                 receiveTimeout="00:10:00"
                 sendTimeout="00:01:00"
                 bypassProxyOnLocal="false"
                 transactionFlow="false"
                 hostNameComparisonMode="StrongWildcard"
                 maxBufferPoolSize="524288"
                 maxReceivedMessageSize="65536"
                 messageEncoding="Text"
                 textEncoding="utf-8"
                 useDefaultWebProxy="true"
                 allowCookies="false">
          <readerQuotas maxDepth="32"
                        maxStringContentLength="8192"
                        maxArrayLength="16384"
                        maxBytesPerRead="4096"
                        maxNameTableCharCount="16384" />
          <reliableSession ordered="true"
                           inactivityTimeout="00:10:00"
                           enabled="false" />
          <security mode="TransportWithMessageCredential">
            <transport clientCredentialType="None"
                       proxyCredentialType="None"
                       realm="" />
            <message clientCredentialType="UserName"
                     negotiateServiceCredential="true"
                     algorithmSuite="Default"
                     establishSecurityContext="false" />
          </security>
        </binding>
      </ws2007HttpBinding>
    </bindings>
  </system.serviceModel>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
      <source name="myUserTraceSource"
              switchValue="Information, ActivityTracing">
        <listeners>
          <add name="xml" />
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="xml"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="ClientErrors.svclog" />
    </sharedListeners>
  </system.diagnostics>

</configuration>

WCF service .config:

<?xml version="1.0"?>

<configuration>
    <configSections>
        <section name="microsoft.identityModel"
                 type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </configSections>
    <location path="FederationMetadata">
        <system.web>
            <authorization>
                <allow users="*" />
            </authorization>
        </system.web>
    </location>
    <system.web>
        <compilation debug="true"
                     targetFramework="4.0">
            <assemblies>
                <add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" />
            </assemblies>
        </compilation>
    </system.web>
    <system.serviceModel>
        <services>
            <service name="AdfsWcfHelloWorldServices.SayHelloService">
                <endpoint address="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
                          binding="ws2007FederationHttpBinding"
                          contract="AdfsWcfHelloWorldServices.ISayHelloService" />
            </service>
        </services>
        <behaviors>
            <serviceBehaviors>
                <behavior>
                    <serviceMetadata httpsGetEnabled="true" />
                    <federatedServiceHostConfiguration />
                    <serviceDebug includeExceptionDetailInFaults="true" />
                </behavior>
            </serviceBehaviors>
        </behaviors>
        <serviceHostingEnvironment multipleSiteBindingsEnabled="false" />
        <extensions>
            <behaviorExtensions>
                <add name="federatedServiceHostConfiguration"
                     type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
            </behaviorExtensions>
        </extensions>
        <protocolMapping>
            <add scheme="http"
                 binding="ws2007FederationHttpBinding" />
        </protocolMapping>
        <bindings>
            <ws2007FederationHttpBinding>
                <binding>
                    <security mode="TransportWithMessageCredential">
                        <message establishSecurityContext="false">
                            <issuerMetadata address="https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex" />
                            <claimTypeRequirements>
                                <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
                                     isOptional="true" />
                                <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
                                     isOptional="true" />
                                <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
                                     isOptional="true" />
                                <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
                                     isOptional="true" />
                            </claimTypeRequirements>
                        </message>
                    </security>
                </binding>
            </ws2007FederationHttpBinding>
        </bindings>
    </system.serviceModel>
    <system.webServer>
        <modules runAllManagedModulesForAllRequests="true" />
    </system.webServer>
    <microsoft.identityModel>
        <service>
            <audienceUris>
                <add value="https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld" />
            </audienceUris>
            <serviceCertificate>
                <certificateReference findValue="22909537C6356E15C20C93A5F652FB0C6AA8A282"
                                      storeLocation="LocalMachine"
                                      storeName="My"
                                      x509FindType="FindByThumbprint" />
            </serviceCertificate>
            <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
                <trustedIssuers>
                    <add thumbprint="E9C32071573CB4D52005EA2E7825A310D6C26B73"
                         name="http://DEV1DC2.Dev1.mydomain.com/adfs/services/trust" />
                </trustedIssuers>
            </issuerNameRegistry>
        </service>
    </microsoft.identityModel>
    <appSettings>
        <add key="FederationMetadataLocation"
             value="https://dev1dc2.dev1.mydomain.com/FederationMetadata/2007-06/FederationMetadata.xml" />
    </appSettings>
  <system.diagnostics>
    <sources>
      <source name="System.ServiceModel"
              switchValue="Information, ActivityTracing"
              propagateActivity="true" >
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
      <source name="System.ServiceModel.MessageLogging">
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
      <source name="myUserTraceSource"
              switchValue="Information, ActivityTracing">
        <listeners>
          <add name="xml"/>
        </listeners>
      </source>
    </sources>
    <sharedListeners>
      <add name="xml"
           type="System.Diagnostics.XmlWriterTraceListener"
           initializeData="ServerErrors.svclog" />
    </sharedListeners>
  </system.diagnostics>
</configuration>

More details:

  • The service and the client are currently both running on the same box
  • All certificates were created by the CA in our domain and are fully trusted by all (1) machines
  • I successfully get my security token from ADFS
  • I connect to the service using ChannelFactory<T>(binding).CreateChannelWithIssuedToken(myToken) (pseudo-code)
  • The error occurs when the first method on the service is called
  • As I said, this all works without HTTPS, and the service is able to pull the validated claims out of the token just fine, (Thread.CurrentPrincipal.Identity as IClaimsIdentity).Claims, but for some stupid reason I cannot get a proper connection with SSL configured on both sides

I'd really appreciate some help. :-)


2 Answers


A mod on the MSDN forums, LeoTang, helped me solve this. The problem was on the client side. Quoting him:

In the "secureConversationBootstrap" section of the custom binding, the value of authenticationMode is set to "IssuedTokenForSslNegotiated".

The other problem I had was messageSecurityVersion: I needed to change it to WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10. Finally, I had to turn off replay detection in my server config because of a missing-nonce error. That isn't an important feature for me, so I disabled it rather than investigating further.

Answered 2012-08-16T17:21:36.347
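A consistency check for the two configs in the question, added here as an example for this page (it is not the poster's code, nor from either answer). It parses constructed, trimmed copies of the client and service configs, using the addresses and security attributes shown above, and reports where the client's customBinding cannot line up with a ws2007FederationHttpBinding in TransportWithMessageCredential mode: the outer SecureConversation mode against the service's establishSecurityContext="false", and the bootstrap's IssuedTokenForSslNegotiated where an HTTPS transport carrying a message credential corresponds to IssuedTokenOverTransport. The mode pairings and the default messageSecurityVersion per binding family are the standard WCF ones; the binding name "Fed", the shortened contract name and the CLIENT_CONFIG_FIXED variant are this example's own constructions.

```python
import xml.etree.ElementTree as ET

# Constructed samples: trimmed copies of the two configs in the question, keeping their addresses
# and the security settings the checks below read. V05 is the WS-Trust February 2005 version set.
V13 = "WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
V05 = "WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
SVC = "https://mydevbox.dev1.mydomain.com/AdfsWcfHelloWorld/SayHelloService.svc"
MEX = "https://dev1dc2.dev1.mydomain.com/adfs/services/trust/mex"
ISSUED = '<issuedTokenParameters keyType="SymmetricKey"><issuerMetadata address="%s" /></issuedTokenParameters>' % MEX


def client_config(security_xml):
    """Wrap a <security> element in the question's customBinding client skeleton (HTTPS transport)."""
    return """<configuration><system.serviceModel>
  <client><endpoint address="%s" binding="customBinding" bindingConfiguration="Fed"
      contract="ISayHelloService" name="Fed" /></client>
  <bindings><customBinding><binding name="Fed">%s
    <textMessageEncoding /><httpsTransport /></binding></customBinding></bindings>
</system.serviceModel></configuration>""" % (SVC, security_xml)


# As posted: SecureConversation wrapping an IssuedTokenForSslNegotiated bootstrap.
CLIENT_CONFIG = client_config("""
    <security authenticationMode="SecureConversation" messageSecurityVersion="%s">
      <secureConversationBootstrap authenticationMode="IssuedTokenForSslNegotiated" messageSecurityVersion="%s">
        %s
      </secureConversationBootstrap>
    </security>""" % (V13, V13, ISSUED))

# Client-side equivalent of the service binding below: no secure conversation, token in the SOAP header over TLS.
CLIENT_CONFIG_FIXED = client_config("""
    <security authenticationMode="IssuedTokenOverTransport" messageSecurityVersion="%s">%s</security>""" % (V13, ISSUED))

SERVER_CONFIG = """<configuration><system.serviceModel>
  <services><service name="SayHelloService"><endpoint address="%s"
      binding="ws2007FederationHttpBinding" contract="ISayHelloService" /></service></services>
  <bindings><ws2007FederationHttpBinding><binding><security mode="TransportWithMessageCredential">
    <message establishSecurityContext="false"><issuerMetadata address="%s" /></message>
  </security></binding></ws2007FederationHttpBinding></bindings>
</system.serviceModel></configuration>""" % (SVC, MEX)

# Default MessageSecurityVersion of each standard federation binding family.
DEFAULT_VERSION = {"ws2007FederationHttpBinding": V13, "wsFederationHttpBinding": V05}


def parse_client(xml_text):
    """Pull the settings that matter out of a customBinding client config."""
    root = ET.fromstring(xml_text)
    ep = root.find(".//client/endpoint")
    binding = root.find(".//customBinding/binding[@name='%s']" % ep.get("bindingConfiguration"))
    sec = binding.find("security")
    uses_sc = sec.get("authenticationMode") == "SecureConversation"
    boot = sec.find("secureConversationBootstrap")
    inner = boot if uses_sc and boot is not None else sec  # under SC, the bootstrap is the real client auth
    mex = inner.find(".//issuerMetadata")
    return {"address": ep.get("address"), "secure_conversation": uses_sc,
            "auth_mode": inner.get("authenticationMode"), "version": inner.get("messageSecurityVersion"),
            "https": binding.find("httpsTransport") is not None,
            "issuer_mex": mex.get("address") if mex is not None else None}


def parse_server(xml_text):
    """Pull the settings that matter out of a ws(2007)FederationHttpBinding service config."""
    root = ET.fromstring(xml_text)
    ep = root.find(".//services/service/endpoint")
    family = ep.get("binding")
    sec = root.find(".//bindings/%s/binding/security" % family)
    msg = sec.find("message")
    mex = msg.find("issuerMetadata")
    return {"address": ep.get("address"), "family": family, "mode": sec.get("mode", "Message"),
            "secure_conversation": msg.get("establishSecurityContext", "true").lower() == "true",
            "negotiate": msg.get("negotiateServiceCredential", "true").lower() == "true",
            "issuer_mex": mex.get("address") if mex is not None else None}


def find_mismatches(client_xml, server_xml):
    """Return human-readable binding mismatches between the two configs (empty when they agree)."""
    c, s = parse_client(client_xml), parse_server(server_xml)
    issues = []
    if c["address"] != s["address"]:
        issues.append("endpoint address: client %s, service %s" % (c["address"], s["address"]))
    if c["issuer_mex"] != s["issuer_mex"]:
        issues.append("issuer metadata (STS) address: client %s, service %s" % (c["issuer_mex"], s["issuer_mex"]))
    if c["secure_conversation"] != s["secure_conversation"]:
        issues.append("secure conversation: client SecureConversation=%s, service establishSecurityContext=%s"
                      % (c["secure_conversation"], s["secure_conversation"]))
    # Which client authenticationMode each service security mode corresponds to.
    if s["mode"] == "TransportWithMessageCredential":
        expected = "IssuedTokenOverTransport"
        if not c["https"]:
            issues.append("service is TransportWithMessageCredential but the client transport is not httpsTransport")
    else:  # Message mode: service credential negotiated in-band, or taken from its certificate
        expected = "IssuedTokenForSslNegotiated" if s["negotiate"] else "IssuedTokenForCertificate"
    if c["auth_mode"] != expected:
        issues.append("authenticationMode: client %s, but service mode %s corresponds to %s"
                      % (c["auth_mode"], s["mode"], expected))
    want = DEFAULT_VERSION.get(s["family"])
    if want and c["version"] != want:
        issues.append("messageSecurityVersion: client %s, %s defaults to %s" % (c["version"], s["family"], want))
    return issues


if __name__ == "__main__":
    for line in find_mismatches(CLIENT_CONFIG, SERVER_CONFIG) or ["no binding mismatches found"]:
        print(line)
```

Against the as-posted samples it reports two mismatches (secure conversation on/off, and IssuedTokenForSslNegotiated where IssuedTokenOverTransport is expected); against CLIENT_CONFIG_FIXED it reports none. To use it on real files, read the client .config and the service web.config into strings and pass them to find_mismatches(); the address comparison is an exact string match, so a trailing slash or a host-name case difference shows up as a mismatch, which is usually what you want when an EndpointIdentity error is in play.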

I just authenticated a WCF service with ADFS and really don't have the appetite to read through the whole config again, but in my experience the negotiation failure always happens when the credentials are wrong or the client didn't supply them at all.

Spend some time setting up diagnostics for WCF, http://msdn.microsoft.com/en-us/library/ee517292.aspx, and see this little caveat I stumbled on, http://intrepiddeveloper.wordpress.com/2008/08/07/ (the "Security Event Log Auditing" post).

Hope it helps

Answered 2012-10-30T14:15:39.350