我是否需要使用Windows Identity Federation Utility创建可感知声明的asp.net Web应用程序? [英] Do I need to use the Windows Identity Federation Utility to create a claims-aware asp.net web application?
问题描述
我按照本页概述的步骤构建了一个可感知索赔的asp.net mvc应用程序:
I built a claims-aware asp.net mvc application following the steps outlined in this page: https://docs.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-mvc-web-app-using-wif. The example in the page uses an STS on the local host, but in my application I am pointing to a fully-functioning AD FS on a different server.
我正在使用Framework 4.7和Windows Server 2016托管AD FS并托管Web应用程序.
I'm using Framework 4.7 and Windows Server 2016 to host the AD FS and to host the web application.
在部署应用程序之后,我对其运行了Windows Identity Federation Utility(因为我认为我需要它来将应用程序添加为AD FS上的依赖方信任).该实用程序在web.config中插入了许多引用Microsoft.IdentityModel命名空间的标签.
After I deployed the application I ran the Windows Identity Federation Utility against it (because I thought I needed it to add the application as a Relying Party Trust on the AD FS). This utility inserts a lot of tags into the web.config that refer to the Microsoft.IdentityModel namespace.
然后,我将该应用程序作为依赖方信任关系添加到AD FS,并导航到声明感知应用程序.该页面失败,因为示例代码将STS返回的声明转换为System.Security.Claims.Claim.当我将其更改为Microsoft.IdentityModel.Claims.Claim时,它运行良好.
I then added the application as a Relying Party Trust to the AD FS, and navigated to the claims-aware app. The page failed because the sample code cast the claim returned by the STS as System.Security.Claims.Claim. When I changed it to cast as Microsoft.IdentityModel.Claims.Claim it worked fine.
我所遵循的示例未提及Windows Identity Federation Utility.我需要使用吗?还是没有它就可以工作?
The example I was following makes no mention of the Windows Identity Federation Utility. Do I need to use that? Or would this have worked without it?
当我尝试撤消web.config的更改时,该实用程序插入站点失败,并显示401错误(由于无效凭据导致访问被拒绝),因此显然需要该实用程序插入的内容才能从AD FS进行身份验证.这是因为我在将实用程序作为依赖方信任添加到ADFS之前在网站上运行了该实用程序吗?
When I try reversing the web.config changes that the utility inserted the site fails with a 401 error (access denied due to invalid credentials) so obviously the stuff inserted by the Utility is needed to get authentication from AD FS. Is this because I ran the Utility on the web site before adding it as a relying party trust to the ADFS?
推荐答案
此处的答案是:如果您使用的是ADFS Server 2016,请不要运行Windows Identity Federation Utility,因为它会强制使用Microsoft.Identity库,已弃用.我错误地认为需要此实用程序来创建FederationMetadata.xml文件.
The answer here is: don't run the Windows Identity Federation Utility if you are using ADFS Server 2016, as it forces use of the Microsoft.Identity libraries, which are deprecated. I mistakenly thought this utility was needed to create the FederationMetadata.xml file.
我手动创建了FederationMetadata.xml文件,并将我的web.config恢复为运行该实用程序之前的状态.这使我回到使用System.Identity库(已添加到4.5框架)中,而不是使用现在不建议使用的Microsoft.Identity库.
I created the FederationMetadata.xml file manually and reverted my web.config back to what it was before I ran the utility. This reverted me back to using the System.Identity libraries, which were added to the 4.5 framework, instead of the now-deprecated Microsoft.Identity libraries.
这篇关于我是否需要使用Windows Identity Federation Utility创建可感知声明的asp.net Web应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
