我们在从 AD FS 2.0 转换到 AD FS 3.0 时遇到问题。
我们有一个 ASP.NET MVC 应用程序,它通过 AD FS 使用联合身份验证。在我们的测试环境中,我们将 Thinktecture Identityserver 2 配置为 AD FS 中的声明提供程序。应用程序请求authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI". 作为参考,这里是我们 web.config 文件的整个标识部分:
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type="ProjectName.Authorization.AuthenticationManager, ProjectName" />
<claimsAuthorizationManager type="ProjectName.Authorization.AuthorizationManager,ProjectName" />
<audienceUris>
<add value="https://applicationdomain/" />
</audienceUris>
<securityTokenHandlers>
<securityTokenHandlerConfiguration saveBootstrapContext="true">
<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089">
<trustedIssuers>
<add thumbprint="(thumbprint of ADFS certificate)" name="ADFS Test" />
</trustedIssuers>
</issuerNameRegistry>
</securityTokenHandlerConfiguration>
</securityTokenHandlers>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<wsFederation freshness="120" passiveRedirectEnabled="true" issuer="https://adfsdomain/adfs/ls" realm="https://applicationdomain/" requireHttps="true" authenticationType="urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" />
<serviceCertificate>
<certificateReference findValue="(thumbprint of application's certificate)" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
</serviceCertificate>
<cookieHandler requireSsl="true" />
</federationConfiguration>
</system.identityModel.services>
我们目前正在使用 Windows Server 2008 R2 和 AD FS 2.0 的有些过时的服务器上运行,但它可以工作。我们最近设置了运行 Windows Server 2012 R2 和 AD FS 3.0 的服务器的新环境。我们已经在一个新服务器上安装了我们的 MVC 应用程序,并在另一个服务器上设置了 AD FS 3.0,配置类似于旧的 AD FS 2.0(据我们所知),MVC 应用程序作为依赖方,Thinktecture Identityserver 2 作为声明提供者。一个区别是我们现在在单独的服务器上使用 AD FS 代理,因为 AD FS 3.0 需要这个(而 AD FS 2.0 不需要)。事实上,我们有两个 AD FS 服务器,然后是负载均衡器后面的两个代理。Thinktecture Identityserver 2 仍在旧服务器上运行(在 Windows Server 2008 R2 上)。
这是问题所在:我浏览到应用程序的地址。我按预期被重定向到 AD FS,它立即将我重定向到 Thinktecture Identityserver 2。到目前为止一切都很好。我使用用户名(“Anders”)和密码登录,然后被重定向回 AD FS。在这里,我得到一个一般错误页面,上面写着“发生错误”。在 AD FS 服务器上的事件日志中(负载均衡器显然总是将我引导到同一个节点,这恰好是主节点)我发现两个错误和一个警告。第一个错误:
Event 197, AD FS
The Federation Service could not satisfy a token request because the
accompanying credentials do not meet the authentication type requirement of
'urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI' for the relying party
'https://applicationdomain.no'.
Authentication type:
Desired authentication type(s): urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI
Relying party: https://applicationdomain.no
This request failed.
然后是警告:
Event 1000, AD FS
An error occurred during processing of a token request. The data in this event
may have the identity of the caller (application) that made this request. The
data includes an Activity ID that you can cross-reference to error or warning
events to help diagnose the problem that caused this error.
Additional Data
Caller: Anders
OnBehalfOf user:
ActAs user:
Target Relying Party: https://applicationdomain.no
然后是第二个错误:
Event 364, AD FS
Encountered error during federation passive request.
Additional Data
Protocol Name:
wsfed
Relying Party:
Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: Exception of type 'Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException' was thrown.
at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.EndIssue(IAsyncResult result)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponseForSecurityToken(GenericProtocolRequest originalRequest, SecurityTokenElement requestedTokenElement, ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
我已在此页面上阅读了有关 AD FS 中支持的 SAML 身份验证类型的信息:https ://msdn.microsoft.com/en-us/library/hh599318.aspx 。SmartcardPKI未在此处列出。(但请注意,该文档适用于 AD FS 2.0。)
在 AD FS 服务器(旧的和新的)上,我尝试使用以下 PowerShell 命令列出支持的 AuthenticationType:
get-adfsproperties | select-object -expandProperty AuthenticationContextOrder | select-object -Property AbsoluteUri
在旧服务器和新服务器上都输出:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient
urn:oasis:names:tc:SAML:2.0:ac:classes:X509
urn:federation:authentication:windows
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
这里也没有SmartcardPKI。无论如何,它在旧环境中的工作量更少。
我还尝试使用PasswordProtectedTransport代替SmartcardPKI(通过编辑 MVC 应用程序的 web.config)。结果完全一样,只是现在第一条错误消息说:
The Federation Service could not satisfy a token request because the
accompanying credentials do not meet the authentication type requirement of
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport' for the
relying party 'https://applicationdomain.no'...
任何关于我下一步应该尝试什么的指示都将非常受欢迎。也许 AD FS 2.0 和 3.0 之间存在差异,需要我对 Thinktecture IdentityServer 2 进行配置更改?