从WPF客户端中的ADAL到Windows Server 2012 R2上的ADFS 3.0的SSO [英] SSO from ADAL in WPF Client to ADFS 3.0 on Windows Server 2012 R2

问题描述

我正在尝试编写一个WPF客户端，该客户端使用ADAL对Windows Server 2012 R2上的ADFS进行身份验证。我已经使用表单身份验证成功实现了此操作，在该表单中，系统会提示用户输入域用户名和密码。但是，我想利用SSO并使用当前登录的域用户来针对ADFS进行身份验证。

不幸的是，我只收到一条错误消息：

'<不支持此方法重载。 ADFS服务器名>'

我做了很多搜索，但是发现一些矛盾的信息：

• 有关Windows Store应用程序（与WPF有什么区别？）的SO帖子，其中Vittorio Bertocci链接到有关如何实现该功能的博客：
  

  
  
  

  此外，我的全局身份验证策略设置如下：

  
  
  

  < a href = https://i.stack.imgur.com/7z148.png rel = nofollow noreferrer>

  解决方案

  仅密码授予需要Windows Server 2016，在这种情况下，提供原始的用户名和密码。您的问题似乎表明您想使用当前登录的用户登录，这将改用Kerberos。
  基于Kerberos的身份验证应该与ADFS 3和ADFS 2016无关地使用-只要您的客户端连接到域网络，本地计算机就不会具有阻止您的应用当前找到域用户的隐私设置。登录并在ADFS实例上启用了正确的端点。

  
  

  I am trying to write an WPF client which uses ADAL to authenticate against ADFS on a Windows Server 2012 R2. I have successfully implemented this using "Forms Authentication" where the user is prompted for the domain username and password. However, I want to take advantage of SSO and use the currently logged on domain user to authenticate against the ADFS.

  Unfortunately, I'm only getting an error message saying:

  This method overload is not supported by '< ADFS servername>'

  I have done a lot of searching, but find some of the information contradictive:

  • This SO post about a Windows Store App (any differences to WPF?) where Vittorio Bertocci links to a blog on how to achieve it: ADAL for Windows Store SSO

  • This SO post where Vittorio Bertocci claims that silent authentication is only possible with Windows Server 2016: Authenticate with ADFS inside Console App silently

  Is it a fact that Windows Server 2016 is required to perform SSO in conjunction with ADAL? Is there any other way to do it?

  EDIT:

  After upgrading to the latest alpha of ADAL (3.9.302111717-alpha) I'm getting the more detailed error message

  MSIS9611: The authorization server does not support the requested 'grant_type'. The authorization server only supports 'authorization_code' or 'refresh_token' as the grant type.

  The code I'm executing is this:

  string authority = "https://myServer.com/adfs";
  string resourceURI = "http://myApp/";
  string clientId = "XXXX-XXX-XXXX-XXXX-XXXXX";
  string clientReturnUri = "http://anarbitraryreturnuri/";
  
  var ac = new AuthenticationContext(authority, false);
  var token = await ac.AcquireTokenAsync(resourceURI, clientId,new UserCredential());
  

  I was able to implement a working solution using WS-Trust, so I am confident that the machine I'm running on has the privacy settings to enable the app to find the currently logged on user.

  The Oauth2 endpoint looks as follows:

  Also, my global authentication policy is set up like this:

  解决方案

  Windows Server 2016 is only required for the password grant - in which you provide raw username and password. Your question seems to suggest you want to sign on with the currently signed in user, which would leverage Kerberos instead. Kerberos based authentication should work with ADFS "3" and ADFS 2016 indifferently - as long as your client is connected to the domain network, the local machine does not have privacy settings that prevent your app from finding out the domain user currently logged in and the correct endpoints are enabled on the ADFS instance.

  这篇关于从WPF客户端中的ADAL到Windows Server 2012 R2上的ADFS 3.0的SSO的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！