Azure - running an app in Azure using ADFS returns the following error: Exception message: ID4014: A SecurityTokenHandler is not


Problem description


I have my app built and deployed in Azure, utilizing ADFS for authentication. When I access my app, it redirects me to the ADFS log-in page. I log in, and then it redirects me back to my app, where I encounter the following exception:

Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd').
    at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
    at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
    at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
    at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
    at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

This is my first time dealing with ADFS and Azure - a few questions:

  1. What part of my code would I need to modify to accommodate the Security Token requirement (assuming I need to)? For example, when the user logs in through ADFS, and ADFS redirects the user back to my app, should my app "just work" at that point, and the Login link at the top of the page change to Logout? I'm using MVC4.
  2. My company's ADFS server has its own log-in page. Does this mean I can do away with the log-in functionality that comes out of the box with my Azure MVC app?

EDIT: Here's the FederationMetadata.xml file with all sensitive data removed: http://mikemarks.net/FederationMetadata.xml

EDIT: Here are the system.identityModel and system.identityModel.services sections of my web.config:

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://conocopocazuremike.cloudapp.net/" />
    </audienceUris>
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="http://blah/adfs/services/trust"><keys><add thumbprint="blah" /></keys><validIssuers><add name="http://blah/adfs/services/trust" /></validIssuers></authority></issuerNameRegistry>-->
    <!--certificationValidationMode set to "None" by the the Identity and Access Tool for Visual Studio. For development purposes.-->
    <certificateValidation certificateValidationMode="None" />
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry"><authority name="http://blah/adfs/services/trust"><keys><add thumbprint="blah" /></keys><validIssuers><add name="http://blah/adfs/services/trust" /></validIssuers></authority></issuerNameRegistry>-->
    <!--Commented by Identity and Access VS Package-->
    <!--<issuerNameRegistry type="System.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><trustedIssuers><add thumbprint="blah" name="http://blah/adfs/services/trust" /></trustedIssuers></issuerNameRegistry>-->
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://blah/adfs/services/trust">
        <keys>
          <add thumbprint="blah" />
        </keys>
        <validIssuers>
          <add name="http://blah/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
  </identityConfiguration>
</system.identityModel>
<system.identityModel.services>
  <federationConfiguration>
    <cookieHandler requireSsl="false" />
    <wsFederation passiveRedirectEnabled="true" issuer="https://blah/adfs/ls/" realm="https://blah.cloudapp.net/" requireHttps="false" />
  </federationConfiguration>
</system.identityModel.services>

Solution

This error

ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd')

usually pops up when your application receives a JWT token but is only configured to read SAML or SWT tokens. Another reason might be that a SAML token has been encrypted or binary encoded before being sent back to the relying party.

The first thing to check is whether both ends (ADFS and the Relying Party application) are configured for the same token type, and that the RP (Relying Party) can read the configured token (SAML/SWT/JWT).

In order to fully understand the configuration at the Relying Party end, we need to know the following sections of the web.config file: system.identityModel, system.identityModel.services, system.webServer. Along with that we also need the configuration of ADFS - how the relying party is configured at the ADFS end, what endpoints are configured and which are used. The best tool to investigate is Fiddler.

And to rule out Azure as the issue, please verify that your application works correctly in an on-premises environment.
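The answer recommends capturing the sign-in response in Fiddler and checking which token type ADFS actually sends. The following script is an added example (not code from the question or the answer) that takes the XML from the posted `wresult` form field and reports the token element, so the result can be compared with what the relying party's handlers can read. It assumes that ADFS wraps a JWT for a WS-Federation relying party in a `wsse:BinarySecurityToken` with `ValueType="urn:ietf:params:oauth:token-type:jwt"`; the sample responses and the "blah" values are constructed placeholders, not real captures.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Namespaces seen in an ADFS WS-Federation response. The JWT ValueType is an
# assumption about how ADFS wraps a JWT for a passive (WS-Fed) relying party.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML20 = "urn:oasis:names:tc:SAML:2.0:assertion"
TRUST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
JWT_VALUE_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment. Diagnostics only: nothing is verified."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def classify_token(wresult_xml: str) -> dict:
    """Report which token element a captured wresult carries and whether the
    default WIF 4.5 handlers (SAML 1.1 / SAML 2.0) can read it."""
    for el in ET.fromstring(wresult_xml).iter():
        ns, local = el.tag[1:].split("}") if el.tag.startswith("{") else ("", el.tag)
        if ns in (SAML11, SAML20) and local == "Assertion":
            return {"kind": "saml11" if ns == SAML11 else "saml20", "namespace": ns,
                    "readable_by_default_handlers": True}
        if ns == WSSE and local == "BinarySecurityToken":
            info = {"kind": "binary", "namespace": ns, "readable_by_default_handlers": False,
                    "value_type": el.get("ValueType")}
            if info["value_type"] == JWT_VALUE_TYPE:  # the ID4014 case the answer describes
                header, payload, _sig = base64.b64decode(el.text.strip()).decode().split(".")
                info.update(kind="jwt", header=_b64url_json(header), claims=_b64url_json(payload))
            return info
    return {"kind": "unknown", "readable_by_default_handlers": False}

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed samples (not real captures): a JWT with a dummy signature wrapped in a
# wsse:BinarySecurityToken, and a bare SAML 1.1 assertion; "blah" is the question's placeholder.
_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                 _b64url({"iss": "http://blah/adfs/services/trust",
                          "aud": "https://blah.cloudapp.net/"}), "c2ln"])
SAMPLE_JWT_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST}"><t:RequestedSecurityToken>
<wsse:BinarySecurityToken xmlns:wsse="{WSSE}" ValueType="{JWT_VALUE_TYPE}"
 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
{base64.b64encode(_JWT.encode()).decode()}</wsse:BinarySecurityToken>
</t:RequestedSecurityToken></t:RequestSecurityTokenResponse>"""
SAMPLE_SAML_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="{TRUST}"><t:RequestedSecurityToken>
<saml:Assertion xmlns:saml="{SAML11}" AssertionID="_1" /></t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
```

If the report says `jwt`, the relying party trust in ADFS is issuing a token type the web.config above has no handler for: either switch that trust to SAML 1.1/2.0 or register a JWT handler (JwtSecurityTokenHandler from the System.IdentityModel.Tokens.Jwt package) under `<securityTokenHandlers>`. The decoded `aud` claim can also be compared against the `audienceUris` entry directly.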
