摘要验证失败 [英] Digest verification failed

问题描述

我正在开发一个使用ADFS来管理用户和登录名的.NET Web应用程序。在我的个人开发机器上和测试环境中，一切正常。但是，将应用程序发布到目标生产服务器后，出现以下异常：

  [CryptographicException：摘要验证失败参考'＃_ed85954d-e2b3-44a1-a455-f13b8eca5756'。] 
 System.IdentityModel.Reference.EnsureDigestValidityIfIdMatches（String id，Object resolveXmlSource）+1124029 
 System.IdentityModel.StandardSignedInfo.EnsureDigestValidityIfIdMatch Object resolveXmlSource）+92 
 System.IdentityModel.SignedXml.EnsureDigestValidity（String id，Object resolveXmlSource）+33 
 System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement（）+240 
 System.IdentityModel.EnvelopedSignatureReader。 Read（）+107 
 System.Xml.XmlReader.ReadEndElement（）+52 
 System.IdentityModel.Tokens.SamlSecurityTokenHandler.ReadAssertion（XmlReader reader）+1106 
 System.IdentityModel.Tokens.SamlSecurityTokenHandler .ReadToken（XmlReader阅读器）+57 
 System.IdentityMod el.Tokens.SecurityTokenHandlerCollection.ReadToken（XmlReader阅读器）+114 
 System.IdentityModel.Services.TokenReceiver.ReadToken（字符串tokenXml，XmlDictionaryReaderQuotas readerQuotas，FederationConfiguration federationConfiguration）+351 
 System.IdentityModel.Services.WSFederationAuthenticationModule。 SignInWithResponseMessage（HttpRequestBase请求）+387 
 System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest（对象发送者，EventArgs args）+103571 
 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute（） +80 
 System.Web.HttpApplication.ExecuteStep（IExecutionStep步骤，布尔值& +165 
  

我尝试在ADFS上启用WIF和WCF日志记录，但未发现任何结果

我意识到已经创建了一个非常类似的问题博客文章。事实证明，解决方案是取消选中TMG中ADFS计算机的应用链接翻译选项。

IFD配置的CRM服务器（也依赖于此ADFS）工作正常，这有点奇怪...

I'm developing a .NET web application which uses ADFS to manage users and logins. On my personal development machine and on our testing environment everything works fine. However, after publishing the application to the target production server I'm getting the following exception:

[CryptographicException: Digest verification failed for Reference '#_ed85954d-e2b3-44a1-a455-f13b8eca5756'.]
   System.IdentityModel.Reference.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) +1124029
   System.IdentityModel.StandardSignedInfo.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) +92
   System.IdentityModel.SignedXml.EnsureDigestValidity(String id, Object resolvedXmlSource) +33
   System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement() +240
   System.IdentityModel.EnvelopedSignatureReader.Read() +107
   System.Xml.XmlReader.ReadEndElement() +52
   System.IdentityModel.Tokens.SamlSecurityTokenHandler.ReadAssertion(XmlReader reader) +1106
   System.IdentityModel.Tokens.SamlSecurityTokenHandler.ReadToken(XmlReader reader) +57
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +114
   System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +351
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +387
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +103571
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

I've tried turning on WIF and WCF logging on the ADFS, but found nothing of interest in the logs.

I realize a very similar question has been created here, however my issue seems to be caused by something different as I'm not passing claims from a DB, only from the AD itself.

Another possibility is the one described in this article... but I'm not using ISA server. If something else is changing the reply, I don't know how to find it.

I'm a bit out of ideas. Can someone help me out?

解决方案

I guess the following recent XKCD comic is at least partially true:

On the second page of Google results I came upon this blog post. The solution, as it turned out, was to uncheck the Apply link translation option in TMG for the ADFS machine.

It's a bit strange that IFD configured CRM servers (which also relied on this ADFS) worked without a hitch...

这篇关于摘要验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！