在独立应用程序上使用ADFS进行Windows身份验证 [英] windows authentication with ADFS on standalone application

问题描述

我有这个Windows控制台应用程序，它正在尝试对ADFS执行Windows身份验证。我已经可以使用用户名/密码进行身份验证，但是由于用户已经在Windows中进行身份验证，因此我不想这样做。

I have this Windows console application which is trying to perform windows authentication against ADFS. I'm already able to authenticate by using username/password but I don't want to do it this way since the user has already been authenticated in Windows.

我有这段代码：

        //Setup the connection to ADFS

        const string adfsEndpoint = "https://iis.dev.lab/adfs/services/trust/13/windowsmixed";

        var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(adfsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        //Setup the request object 
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(relyingPartyId)
        };

        //Open a connection to ADFS and get a token for the logged in user
        var channel = factory.CreateChannel();

        var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;

，当它试图获取令牌时，我有一个例外：

and when it tries to get the token I have this exception:

安全支持提供程序接口（SSPI）身份验证失败。 ser
ver可能未在标识为 host / iis.dev.lab的帐户中运行。如果se
rver在服务帐户（例如，网络服务）中运行，请在EndpointAddress中将
帐户的ServicePrincipalName指定为se
rver的身份。如果服务器以用户帐户运行，请在服务器的EndpointAddress中将帐户的UserPrin
cipalName指定为标识。

Security Support Provider Interface (SSPI) authentication failed. The ser ver may not be running in an account with identity 'host/iis.dev.lab'. If the se rver is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the se rver. If the server is running in a user account, specify the account's UserPrin cipalName as the identity in the EndpointAddress for the server.

问题是：

• 用户已经在 dev.lab 域中进行了身份验证


• ADSF服务在 dev.lab 域中的管理员用户帐户下运行


• 在错误消息中，我有 iis.dev .lab 域是出于某种原因，可能是原因。.

• The user is already authenticated in dev.lab domain
• ADSF service is running under an admin user account in dev.lab domain
• In the error message I have iis.dev.lab domain for some reason and it may be the reason..

问题：

1. 我应该使用此URL（ ../ adfs / services / trust / 13 / windowsmixed ）来执行这种身份验证吗？还是应该使用 kerberosmixed ？有人可以指出一些有关ADFS中每个服务目标的文档吗？


2. 是否可以在发出请求之前设置用户的域？我已经试过了这个 factory.Credentials.Windows.ClientCredential.Domain = dev.lab; ，但没有成功。


3. 即使执行win auth，我是否仍需要定义凭据？例如，像这样： factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials; ？

1. Should I use this url ("../adfs/services/trust/13/windowsmixed")to perform this kind of authentication ? Or should I use kerberosmixed ? Can someone point out some documentation concerning the goal of each service available in ADFS?
2. Is there a way to set the domain of the user before making the request? I've tried this factory.Credentials.Windows.ClientCredential.Domain = "dev.lab"; but it didn't work out.
3. Do I still need to define the credentials even if doing win auth? Like this for instance: factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials; ?

我们将不胜感激。

推荐答案

因此，此错误消息的可能原因是您可能拥有ADFS配置错误。

So the "probable" reason for this error message is that you probably have ADFS configured incorrectly.

在此处查找SPN的定义： https://msdn.microsoft.com/zh-CN/library/ms677949（v = vs.85）.aspx

Look here for the definition of a SPN: https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

要解决此问题，您将需要在ADFS服务帐户或服务器本身上设置SPN。

To resolve this you will either need to set an SPN on the ADFS service account or the Server itself.

SETSPN -a HTTP / {ADFS服务器的URL}域名/服务名

SETSPN -a HTTP/{THE URL OF THE ADFS SERVER} DOMAIN/SERVICENAME

SETSPN -a HTTP / {ADFS服务器的URL}计算机名

SETSPN -a HTTP/{THE URL OF THE ADFS SERVER} COMPUTERNAME

，然后重新启动ADFS服务。关于服务帐户的一条注释，如果您使用网络或系统帐户运行，则仍将使用计算机名称，因为这些名称是本地服务器帐户。例如，如果您具有iis.dev.lab的ADFS网址，则可以执行以下操作：

and then restart the ADFS services. One note on the service accounts, if you're running using the network or system account then you will still need to use the computer name as those are local server accounts. An example, if you have an ADFS url of iis.dev.lab then you do this:

SETSPN -a HTTP / IIS.DEV.LAB ADFSServer

SETSPN -a HTTP/IIS.DEV.LAB ADFSServer

也-要测试您的adfs设置： https： //iis.dev.lab/adfs/ls/IdpInitiatedSignon.aspx

Also - to test your adfs setup: https://iis.dev.lab/adfs/ls/IdpInitiatedSignon.aspx

这篇关于在独立应用程序上使用ADFS进行Windows身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！