ADFS 3.0 (Win 2012 R2) - Error ID4022: The key needed to decrypt the encrypted security token could not be resolved.


Problem description


We are in the process of upgrading ADFS 3.0 (Windows 2012 R2) to replace ADFS 2.0 (Windows 2008 R2).

The ADFS 3.0 relying party server functions properly as long as encryption is disabled.

If decryption is enabled it errors with the following error:

Microsoft.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.

ADFS 2.0 (Claims Provider) <-- Trusts -- ADFS 2.0 (Relying Party) (Works fine with encryption or without).

ADFS 3.0 (Claims Provider) <-- Trusts -- ADFS 2.0 (Relying Party) (Works fine with encryption or without).

ADFS 2.0 (Claims Provider) <-- Trusts -- ADFS 3.0 (Relying Party) (Works fine with encryption disabled).

ADFS 3.0 (Claims Provider) <-- Trusts -- ADFS 3.0 (Relying Party) (Works fine with encryption disabled).

The encrypted SAML Response contains a serial number for the encryption certificate on the relying party server and the key corresponding to the certificate with this serial number is accessible to the Relying Party ADFS Service.

The ADFS 3.0 relying party server seems to be configured exactly the same (including the signing and encryption certificates used) as the ADFS 2.0 relying party server.

What could be causing this decryption error and the inability to resolve the security token certificate?

Solution

Hi, I have the exact same problem after upgrading from ADFS 2.0 to ADFS 3.0.

Have you found any solution to the problem?

I temporarily disabled the encryption with this command from the Claims Provider side:
Set-ADFSRelyingPartyTrust -targetname XXX -EncryptClaims $false
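The thread ends without a root cause, so the following is an added diagnostic (not code from the question or the answer above) that checks the three things ID4022 depends on: the certificate the claims provider encrypts for this relying party with, whether that same certificate is configured as a Token-Decrypting certificate on the ADFS 3.0 relying party, and whether the ADFS service account can actually read its private key. The trust name "RP-ADFS" and the service name `adfssrv` are assumptions; the KeyInfo of the EncryptedKey that ADFS emits is the issuer/serial of the encryption certificate, which is why the serial number the question mentions must line up with a Token-Decrypting certificate on the relying party.

```powershell
# Added example, not from the original thread. Placeholders: "RP-ADFS" (display name of the
# relying-party trust as seen on the CLAIMS PROVIDER) and the adfssrv service name.
Import-Module ADFS

# --- Run on the CLAIMS PROVIDER ADFS server ---------------------------------------------
# Prints (and returns) the thumbprint of the certificate this ADFS encrypts tokens with
# for the given relying party. This is what the relying party must be able to decrypt.
function Show-CpEncryptionTarget {
    param([Parameter(Mandatory)][string]$RpTrustName)
    $rp = Get-AdfsRelyingPartyTrust -Name $RpTrustName
    if (-not $rp) { throw "No relying party trust named '$RpTrustName'" }
    "EncryptClaims        : $($rp.EncryptClaims)"
    $cert = $rp.EncryptionCertificate
    if (-not $cert) {
        "EncryptionCertificate: <none>  (tokens for this RP cannot be encrypted)"
        return $null
    }
    "EncryptionCertificate: Thumbprint=$($cert.Thumbprint) Serial=$($cert.SerialNumber)"
    "                       Issuer=$($cert.Issuer) NotAfter=$($cert.NotAfter)"
    return $cert.Thumbprint
}

# --- Run on the RELYING PARTY ADFS 3.0 server ---------------------------------------------
# ID4022 is raised when the KeyInfo (issuer/serial) in the EncryptedKey matches no
# Token-Decrypting certificate whose private key the ADFS service can use. Returns $true
# only when the expected certificate is configured, present with a key, and readable.
function Test-RpDecryptionKey {
    param([Parameter(Mandatory)][string]$ExpectedThumbprint)
    $expected   = ($ExpectedThumbprint -replace '\s', '').ToUpper()   # tolerate pasted spaces
    $svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
    "ADFS service runs as : $svcAccount"

    # 1. Is the certificate configured for token decryption at all?
    $decrypting = Get-AdfsCertificate -CertificateType Token-Decrypting
    $match = $decrypting | Where-Object { $_.Certificate.Thumbprint -eq $expected }
    if (-not $match) {
        "FAIL: $expected is not a Token-Decrypting certificate here. Configured:"
        $decrypting | ForEach-Object { "  $($_.Certificate.Thumbprint) Primary=$($_.IsPrimary)" }
        return $false
    }
    "OK  : Token-Decrypting certificate found (Primary=$($match.IsPrimary))"

    # 2. Is it in the machine store with a private key?
    $store = Get-Item "Cert:\LocalMachine\My\$expected" -ErrorAction SilentlyContinue
    if (-not $store)               { "FAIL: not present in LocalMachine\My";      return $false }
    if (-not $store.HasPrivateKey) { "FAIL: present but has no private key";      return $false }
    "OK  : private key present in LocalMachine\My"

    # 3. Can the service account read the key? Legacy CSP keys are files under MachineKeys,
    #    so the file ACL is what matters. CNG/KSP keys expose no CspKeyContainerInfo through
    #    $store.PrivateKey; in that case inspect them with certutil instead.
    $csp = $store.PrivateKey
    if ($null -eq $csp) {
        "WARN: key is CNG/KSP or not readable from this session; check with: certutil -store My $expected"
        return $true
    }
    $container = $csp.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $acl       = Get-Acl $keyFile
    # Heuristic: look for a direct ACE for the service account. Access granted through a group
    # would not show up here, so treat a miss as something to verify, not as proof of failure.
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $svcAccount -and $_.FileSystemRights -match 'Read|FullControl'
    }
    if (-not $ace) {
        "WARN: no direct Read ACE for $svcAccount on $keyFile. Current ACEs:"
        $acl.Access | ForEach-Object { "  $($_.IdentityReference)  $($_.FileSystemRights)" }
        "      Grant Read via certlm.msc -> All Tasks -> Manage Private Keys if it is really missing."
        return $false
    }
    "OK  : $svcAccount has $($ace.FileSystemRights) on the key container"
    return $true
}

# Usage (two servers): on the claims provider, then paste the thumbprint on the relying party.
# $thumb = Show-CpEncryptionTarget -RpTrustName "RP-ADFS"
# Test-RpDecryptionKey -ExpectedThumbprint $thumb
```

If step 1 fails, the claims provider is encrypting to a certificate the relying party does not list as Token-Decrypting; updating the relying-party trust's encryption certificate on the claims provider (or re-importing the relying party's federation metadata) realigns them without turning encryption off. If step 3 fails, ADFS holds the right certificate but cannot open the key, which produces the same ID4022 resolver error.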

