
I'm trying to obtain a token from ADFS so that I can use it with an on-premises Windows Service Bus installation. I may not have ADFS properly configured because I get the following message:

MSIS3127: The specified request failed.

The code to access the token is as follows:

    using System.IdentityModel.Protocols.WSTrust;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;

    string adrecaSTS = "trust/13/usernamemixed";

    WS2007HttpBinding binding = new WS2007HttpBinding();

    // HTTPS protects the channel; the username/password travel as a
    // message-level UsernameToken, so no transport-level client credential is used.
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
    binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
    binding.Security.Mode = SecurityMode.TransportWithMessageCredential; //https

    string baseSSLUri = @"https://<myadfs>/adfs/services/";

    WSTrustChannelFactory trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(baseSSLUri + adrecaSTS));
    trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
    trustChannelFactory.Credentials.UserName.UserName = "username";
    trustChannelFactory.Credentials.UserName.Password = "password";

    WSTrustChannel tokenClient = (WSTrustChannel)trustChannelFactory.CreateChannel();

    //create a token issuance request (no AppliesTo or KeyType is set here)
    RequestSecurityToken rst = new RequestSecurityToken(RequestTypes.Issue);

    //call ADFS STS
    SecurityToken token = tokenClient.Issue(rst);

The endpoint is enabled on ADFS and my client (laptop on separate domain) trusts the certificate from ADFS.

Do I need to set up some kind of trust or something further? This error message is not particularly helpful.

3 Answers

Look here:

https://github.com/thinktecture/Thinktecture.IdentityServer.v2/blob/master/src/Libraries/Thinktecture.IdentityServer.Protocols/WSFederation/HrdController.cs

The ValidateToken method contains most of the code - but you first need to extract the InnerXml from the generic token and convert it into a SAML security token (again using the token handler).

Answered 2013-09-27T09:44:41.200

Found the problem. I was trying to log in with an administrator account. When I used a normal user, it worked.

I also had to modify the RequestSecurityToken to have a KeyType of KeyType.Symmetric.

Answered 2013-09-25T20:17:54.700
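Added example, written for this page and not code from the original poster or either answer above. It puts the two answers together: it requests the token with the symmetric proof key the accepted answer mentions (the constant is `KeyTypes.Symmetric` in `System.IdentityModel.Protocols.WSTrust`), sets `AppliesTo` so AD FS knows which relying-party trust and claim rules to apply, checks that the issued key type matches what was requested, and then feeds the returned `GenericXmlSecurityToken` XML through the default SAML token handlers the way the first answer describes. The AD FS host and the relying-party identifier are placeholders, as is the assumption that the relying-party trust for Service Bus is already registered in AD FS; it targets .NET 4.5 (`System.ServiceModel`, `System.IdentityModel`, `System.Xml`).

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.IO;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Xml;

static class AdfsTokenClient
{
    // Assumed values (not on the page): the AD FS usernamemixed endpoint and the
    // relying-party identifier registered in AD FS for the Service Bus namespace.
    const string StsEndpoint = "https://adfs.example.com/adfs/services/trust/13/usernamemixed";
    const string RelyingParty = "https://servicebus.example.com/";

    static WSTrustChannelFactory CreateFactory(string stsEndpoint, string user, string password)
    {
        // TransportWithMessageCredential: TLS protects the channel, the UsernameToken
        // travels inside the SOAP message. Do not work around certificate errors by
        // disabling validation; the client machine must trust the AD FS certificate.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;
        return factory;
    }

    static RequestSecurityToken BuildRequest(string appliesTo)
    {
        return new RequestSecurityToken(RequestTypes.Issue)
        {
            // Tells AD FS which relying-party trust (and therefore which claim rules) applies.
            AppliesTo = new EndpointReference(appliesTo),
            // The change from the accepted answer: request a symmetric proof key.
            KeyType = KeyTypes.Symmetric
        };
    }

    public static SecurityToken RequestToken(string stsEndpoint, string appliesTo, string user, string password)
    {
        var factory = CreateFactory(stsEndpoint, user, password);
        try
        {
            var channel = (WSTrustChannel)factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            SecurityToken token = channel.Issue(BuildRequest(appliesTo), out rstr);

            // Verify the STS honoured the requested key type rather than issuing something else.
            if (rstr.KeyType != KeyTypes.Symmetric)
                throw new InvalidOperationException("AD FS issued key type " + rstr.KeyType);

            factory.Close();
            return token;
        }
        catch
        {
            factory.Abort();
            throw;
        }
    }

    // As in the first answer: the channel returns a GenericXmlSecurityToken; its XML
    // goes through the SAML token handlers to obtain a typed SAML 1.1 / SAML 2.0 token.
    public static SecurityToken ToSamlToken(SecurityToken issued)
    {
        var generic = issued as GenericXmlSecurityToken;
        if (generic == null)
            throw new ArgumentException("expected a GenericXmlSecurityToken from the STS");

        var handlers = SecurityTokenHandlerCollection.CreateDefaultSecurityTokenHandlerCollection();
        using (var reader = XmlReader.Create(new StringReader(generic.TokenXml.OuterXml)))
        {
            // ReadToken only parses. ValidateToken additionally needs the handler
            // configuration (issuer name registry, audience restriction) to be set up,
            // otherwise the signature and audience of the token are never checked.
            return handlers.ReadToken(reader);
        }
    }

    static void Main()
    {
        // Credentials belong in a secure store, not in source code.
        SecurityToken issued = RequestToken(StsEndpoint, RelyingParty, "user", "password");
        SecurityToken saml = ToSamlToken(issued);
        Console.WriteLine("{0} valid {1:u} to {2:u}", saml.GetType().Name, saml.ValidFrom, saml.ValidTo);
    }
}
```

The key-type check matters because an STS may fall back to a different key type than the one requested; catching that on the client is cheaper than debugging a Service Bus rejection later. `ReadToken` gives you a `SamlSecurityToken` or `Saml2SecurityToken` depending on what AD FS is configured to issue for the relying party.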

I see you solved your problem, but here is some additional information that might help others who may have the same error message with a different cause.

The AD FS error "MSIS3127..." can have multiple causes. For us, it was caused by a non-existent AD FS attribute store that was specified in one of our relying-party claim rules.

To debug the error, we checked the Event Viewer on all servers running AD FS, and that is where we found the detailed message pointing to the attribute store problem. So if someone else gets the same error message, I'd recommend checking the Event Viewer on AD FS to see whether there are other logs.

Note that AD FS logs to the Event Viewer under the folder/node Applications and Services Logs => AD FS => Admin.

Answered 2021-03-16T20:21:51.427
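Added example, written for this page rather than taken from the answer above: it reads the recent Error and Warning events from the AD FS Admin channel programmatically, which is where the server-side detail behind the generic client-facing MSIS3127 message ends up. It assumes the channel name `AD FS/Admin` for the Applications and Services Logs => AD FS => Admin node, that it runs on the AD FS server with rights to read that log (use an `EventLogSession` for a remote server), and that a one-hour window is wide enough; the XPath filter is mine.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics.Eventing.Reader;

static class AdfsAdminLog
{
    // Assumed channel name for Applications and Services Logs => AD FS => Admin.
    const string Channel = "AD FS/Admin";

    // XPath over the event XML: Error (Level=2) or Warning (Level=3) events
    // created in the last hour (timediff is in milliseconds). Constructed here.
    const string LastHourProblems =
        "*[System[(Level=2 or Level=3) and TimeCreated[timediff(@SystemTime) <= 3600000]]]";

    // Yields at most 'max' matching records, newest first.
    public static IEnumerable<EventRecord> Recent(int max)
    {
        var query = new EventLogQuery(Channel, PathType.LogName, LastHourProblems)
        {
            ReverseDirection = true
        };
        using (var reader = new EventLogReader(query))
        {
            EventRecord rec;
            int returned = 0;
            while (returned < max && (rec = reader.ReadEvent()) != null)
            {
                returned++;
                yield return rec;
            }
        }
    }

    static void Main()
    {
        foreach (EventRecord rec in Recent(20))
        {
            using (rec)
            {
                Console.WriteLine("{0:u} {1} EventID={2}", rec.TimeCreated, rec.LevelDisplayName, rec.Id);
                // FormatDescription renders the full message text, which is where
                // details such as the name of a missing attribute store appear.
                Console.WriteLine(rec.FormatDescription());
                Console.WriteLine();
            }
        }
    }
}
```

Run it on each AD FS server in the farm, since the request may have been handled by any of them; the client only ever sees the MSIS3127 text, so correlating the client-side timestamp with these records is the quickest way to the real cause.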