Unable to decrypt claims cookie from .NET 4.5 to .NET 3.5


Problem description


I have been trying to get the following scenario to work for around a week now with no luck. I have 2 applications, a .NET 4.5 application that is claims enabled, which is working perfectly well (works with other .NET 4 and up applications); and a legacy Intranet system built using WebForms .NET 3.5. The legacy application CANNOT be upgraded to a later version of .NET (would be so much easier).


What I want to happen is that when I login on the .NET 4.5 application, I need to be authenticated when I visit the .NET 3.5 application. I have ensured that the Cookie Names between the applications are the same, and that the machineKey values in the web.config are the same (I am using MachineKeySessionSecurityTokenHandler to ensure that the encrypted cookie values are the same even in a Web Farm scenario); however what happens is that when I move to the .NET 3.5 application I get the following error from the SymmetricEncryptionFormatter class:


ID0006: The input string parameter is either null or empty. Parameter name: value


I have tried changing the MachineKey keys (decryptionKey/validationKey/validation/decryption) to a variety of different combinations (ensuring that they are consistent between the 2 sites). I can see that the same cookie, with the same cookie value, is visible when I go to the 2 sites. I think that the issue may be related to the cryptographic changes between .NET 3.5 & .NET 4.5 (see here [http://blogs.msdn.com/b/webdev/archive/2012/10/23/cryptographic-improvements-in-asp-net-4-5-pt-2.aspx])


Does anyone have any ideas as to what may be causing this?

Key entries from the .NET 4.5 application's Web.config:

<system.identityModel>
  <identityConfiguration>
    <securityTokenHandlers>
      <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
      <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </securityTokenHandlers>
  </identityConfiguration>
</system.identityModel>

<authentication mode="None" />

<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" name="TestName" />
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:51318/" realm="http://localhost:57083/" persistentCookiesOnPassiveRedirects="true" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Key entries from the .NET 3.5 application's Web.config:

<authentication mode="None"/>

<machineKey decryptionKey="CC510DF4..." validationKey="BEAC835EEC..." />

<microsoft.identityModel>
<service>
  <securityTokenHandlers>
    <!-- Replace the SessionSecurityTokenHandler with our own. -->
    <remove type="Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    <add type="MachineKeySessionSecurityTokenHandler, App_Code"/>
  </securityTokenHandlers>
</service>
</microsoft.identityModel>

<microsoft.identityModel.services>
  <federationConfiguration>
    <wsFederation passiveRedirectEnabled="true" issuer="http://localhost:51318/" realm="http://localhost:57083/" requireHttps="false"/>
    <cookieHandler requireSsl="false" name="TestName"/>
  </federationConfiguration>
</microsoft.identityModel.services>

Recommended answer


The internal format of the cookie has changed between WIF and .NET 4.5. You can't share them between the versions.


Rather point both apps to the same STS and let each app use their own session cookie.
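The configuration shape the answer recommends, written out as an added illustration rather than taken from the question or the answer: both applications name the same STS as issuer, but each declares its own realm and its own session cookie name, so neither app ever tries to decrypt the other's cookie. The cookie names "FedAuth45" and "FedAuth35" and the placeholder port for the legacy app are constructed values; the issuer URL and the .NET 4.5 realm are the ones from the question.

```xml
<!-- .NET 4.5 application: System.IdentityModel.Services -->
<system.identityModel.services>
  <federationConfiguration>
    <!-- Cookie name unique to this app; the STS, not the cookie, is what is shared -->
    <cookieHandler requireSsl="false" name="FedAuth45" />
    <!-- Same issuer as the legacy app; realm identifies THIS relying party -->
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost:51318/"
                  realm="http://localhost:57083/"
                  persistentCookiesOnPassiveRedirects="true"
                  requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

<!-- .NET 3.5 application: WIF 1.0 (Microsoft.IdentityModel) -->
<microsoft.identityModel.services>
  <federationConfiguration>
    <!-- Same issuer, but a different realm (placeholder port: the legacy app's own URL,
         which the STS must be configured to trust as a separate relying party) -->
    <wsFederation passiveRedirectEnabled="true"
                  issuer="http://localhost:51318/"
                  realm="http://localhost:LEGACY-APP-PORT/"
                  requireHttps="false" />
    <!-- A different cookie name, so the WIF 1.0 handler never sees the 4.5 cookie -->
    <cookieHandler requireSsl="false" name="FedAuth35" />
  </federationConfiguration>
</microsoft.identityModel.services>
```

With this layout the user signs in once at the STS; each app performs its own passive redirect, receives its own token, and writes its own session cookie in its own format, which is why the SessionSecurityTokenHandler replacement that the question adds on both sides is no longer needed for cross-app sign-on (it remains useful on the 4.5 side for web-farm key consistency). The requireSsl="false" / requireHttps="false" values are kept from the question's localhost setup; outside development both should be true so the session cookie and the WS-Federation exchange are not exposed over plain HTTP.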
