Relying Party Trust Errors from AD FS


Problem description

Hi, I'm trying to troubleshoot an error with using a claims aware web application with AD FS 2.0.

Here is an outline of the infrastructure with regards to servers, certs, and traffic. Each server is running Windows Server 2012.

  1. Web server (WS1) sits in the DMZ hosting a relying party, claims-aware ASP.NET web application using HTTPS, port 443.
  2. Traffic from WS1 is routed to an ADFS Proxy (PRX1) server which is located in the DMZ.
  3. Traffic from PRX1 is routed to the ADFS Server (ADFS1) which resides in the client's domain.

Certificates are installed in the following manner:

  1. The relying party app (on WS1) is using a self-signed cert for SSL; I will refer to it as certRP.client.com.
  2. The ADFS server's Certificate Store has the public key SSL cert (certRP.client.com). There is also a certificate from a trusted authority (certADFS.client.com), where the subject name matches that of the Federation Service Name.
  3. The proxy server has certADFS.client.com in its Certificate Store.

Does the proxy server also need the SSL cert used by the relying party web application (certRP.client.com)?

ADFS Certificates are configured as such:

  1. Service Certificates: certADFS.client.com is being used for Service Communications, Token-decrypting, and Token-signing in AD FS.
  2. Relying party trust:
     1. Encryption certificate is configured to use certRP.client.com
     2. The cert used for the Signature tab is configured to use certADFS.client.com

Additional Relying Party Trust Configuration:

  1. Monitoring: The URI for the FederationMetadata file residing with the relying party is resolving without issue
  2. Identifiers: This is set as www.theDomain.com/RP/default.aspx (this is the relying party)
  3. Endpoints: Currently just have WS-Federation Passive Endpoint as www.theDomain.com/RP/default.aspx (this is the relying party)
  4. Advanced: Secure hash algorithm is set as SHA-1

Via Home Realm Discovery, I'm currently using the AD FS hosted login page to authenticate against Active Directory. After submitting credentials, I receive a 'the user name or password is incorrect' message. However, I have confirmed that the authentication is successful, as I viewed the Security log from the Active Directory box for the account I'm testing against.

Here are the errors that are being reported on the ADFS server:

The Federation Service encountered an error while processing the WS-Trust request.

Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data

Exception details:

Microsoft.IdentityServer.Framework.SecurityTokenService.FailedAuthenticationException: MSIS3055: The requested relying party trust 'https://org.client.com/adfs/ls/' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.

   --- End of inner exception stack trace ---

   at System.IdentityModel.AsyncResult.End(IAsyncResult result)

   at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)

   at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.

--------------------------------------------------------------------------------------------------------------------------

Encountered error during federation passive request.

Additional Data

Exception details:

Microsoft.IdentityServer.Web.AuthenticationFailedException: MSIS8108: Authentication failed.

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSingleSignOnToken(SecurityToken securityToken, String issuer)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RedirectAdfsLsForRpTokenInSsoCase(SecurityToken securityToken, WSFederationMessage wsFederationPassiveRequestMessage, HttpRequest request, HttpResponse response)

Any assistance resolving this would be greatly appreciated!

Solution

That's a lot of information, but basically it's just 1 application and 1 ADFS server?

Well, the event log tells you:

-----------------

---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located

-----------------

This is basically telling you that a SAML request enters your ADFS server which originates from https://org.client.com/adfs/ls/. The next thing ADFS does is look through all the relying party configurations to find whether there is one configured which "listens" to incoming SAML requests with identifier https://org.client.com/adfs/ls/. In this case ADFS could not find such a relying party and the error you see in the event log is thrown. So check your relying party configurations on the ADFS server and especially the "Identifiers" tab in the relying party properties.
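The lookup the answer describes can be reproduced on the federation server instead of clicking through the Identifiers tab. This is an added example, not code from the thread: it takes the identifier quoted in the MSIS3020 event and checks it against every relying party trust identifier AD FS knows. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) and that the application is a WIF-based one whose realm is set in web.config; both are assumptions, not facts from the post. Note that the identifier in the event (https://org.client.com/adfs/ls/) is the AD FS passive endpoint, not the www.theDomain.com/RP/default.aspx identifier the question configured, which is exactly the mismatch this check surfaces.

```powershell
# Added example (not from the original post). Run on the AD FS server as an
# AD FS administrator. Assumes the AD FS 2.0 snap-in is installed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Event text as reported in the thread; the identifier inside the quotes is the
# realm (wtrealm) the sign-in request carried, which AD FS tries to resolve.
$eventMessage = "MSIS3020: The relying party trust with identifier " +
                "'https://org.client.com/adfs/ls/' could not be located."
$requested = [regex]::Match($eventMessage, "identifier '([^']+)'").Groups[1].Value

# Every relying party trust and every identifier it is configured to answer for.
# A single trust may carry several identifiers, so Identifier is an array.
$trusts = Get-ADFSRelyingPartyTrust

# AD FS resolves the identifier by exact string match: scheme, host, path and
# trailing slash all have to agree with what the application sends.
$match = $trusts | Where-Object { $_.Identifier -contains $requested }

if ($match) {
    "Identifier '$requested' belongs to trust '$($match.Name)'."
    # MSIS3055 also covers the case where the trust exists but the user is
    # not permitted to access it, so that is the next thing to check.
    "Trust found; check the user's permission to this relying party trust next."
}
else {
    "No relying party trust is configured with identifier '$requested'."
    "Identifiers AD FS will currently accept:"
    foreach ($t in $trusts) {
        foreach ($id in $t.Identifier) { "  [$($t.Name)] $id" }
    }
    # Assumption: a WIF application sets its realm in web.config under
    # <federatedAuthentication><wsFederation realm="..." issuer="..." />.
    # The realm must equal one of the identifiers listed above; the issuer is
    # the AD FS endpoint and must not be used as the realm.
    "Compare these with the realm the application sends (web.config wsFederation realm)."
}
```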

