The audience restriction was not valid because the specified audience identifier is not present in the acceptable identifiers list of this Federation Service


Problem description


I have a setup where I have configured AD FS 2.0 as a Claims provider. Everything works, but after the login I get the following error:

 


The audience restriction was not valid because the specified audience identifier is not present in the acceptable identifiers list of this Federation Service. 

 


User Action 


See the exception details for the audience identifer that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell for AD FS.  Note that the audience identifier is used to verify whether the token was sent to this Federation Service. If you think that the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list may open a security vulnerability in your system. 

 


Additional Data 

 


Exception details: 


ID1035: The SAML assertion did not contain any AudienceRestrictionConditions. To accept assertions without AudienceRestrictionConditions, set SecurityTokenHandlerConfiguration.AudienceRestriction.AudienceMode to AudienceUriMode.Never.

 

Any help?

Recommended answer


See http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/a32b7cb0-7d3f-4439-a4b7-55ad9ca35af3.

 


However, I am still puzzled whether it is really necessary to do this via PowerShell. Isn't there an easier alternative?
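
The audience check that the event text describes, as an added example (not from the original post and not AD FS code). It assumes a SAML 2.0 assertion; the identifiers, host names and sample assertions are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-ins for this service's acceptable identifiers list.
ACCEPTABLE_IDENTIFIERS = {
    "http://sts.example.test/adfs/services/trust",
    "urn:federation:example-sts",
}

def check_audience(assertion_xml, acceptable=ACCEPTABLE_IDENTIFIERS):
    """Return (ok, reason) for the audience check on one SAML 2.0 assertion."""
    # Demo input only: a real service verifies the signature first and uses
    # a hardened XML parser for untrusted tokens.
    root = ET.fromstring(assertion_xml)
    restrictions = root.findall("./saml:Conditions/saml:AudienceRestriction", NS)
    if not restrictions:
        # The ID1035 case: an assertion with no restriction is rejected.
        return False, "no AudienceRestriction condition present"
    for restriction in restrictions:
        audiences = {(a.text or "").strip()
                     for a in restriction.findall("saml:Audience", NS)}
        # Audiences inside one restriction are alternatives (OR); every
        # restriction must be satisfied (AND). Matching is exact string equality.
        if not audiences & set(acceptable):
            return False, "audience not acceptable: " + ", ".join(sorted(audiences))
    return True, "audience accepted"

def make_assertion(*restrictions):
    """Build a constructed, unsigned assertion skeleton for the demo."""
    body = "".join(
        "<saml:AudienceRestriction>"
        + "".join(f"<saml:Audience>{a}</saml:Audience>" for a in r)
        + "</saml:AudienceRestriction>"
        for r in restrictions)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Conditions>{body}</saml:Conditions></saml:Assertion>")

STS = "http://sts.example.test/adfs/services/trust"
SAMPLES = {
    "match": make_assertion([STS]),
    "missing": make_assertion(),
    "other-party": make_assertion(["https://app.example.test/"]),
    "trailing-slash": make_assertion([STS + "/"]),
    "two-restrictions": make_assertion([STS], ["https://app.example.test/"]),
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:18}", check_audience(xml))
```

The `other-party` and `trailing-slash` results show why the event text cautions against widening the list: each identifier added there is one more audience value the service will treat as addressed to itself.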

