id4037: The key needed to verify the signature could not be resolved from the following security key identifier
Problem description
I am trying to chain 2 ADFS instances together. We have an application protected by one ADFS and users that are in another AD that also uses ADFS to protect applications. Now I am trying to give access to an application protected by one ADFS to the users in the other ADFS.
In the ADFS that has the users in AD, I have set up a new RelyingParty that is the other ADFS instance.
In the ADFS that protects the application I have set up a Claims Provider trust; I did this by pointing at the metadata of the ID ADFS instance. This seems to be working.
Now when I try to access my protected application, I get certificate errors for the SSO certs. I click through those, then it bounces me to the RP ADFS and a page displays giving me the choice of authentication, either AD or my ID ADFS instance. I choose the ID ADFS that I have just set up, click continue and it bounces me to the login page. After logging in it bounces me back to the RP ADFS server and then I get an error, with a reference number. When I look up the reference number in the event log I see either 2 or 3 errors. Others have posted about this but no one has had an answer.
The first is about the revocation list:
An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate identified by thumbprint '54xxxxxxxxxxxxxxxxxxxxxxE28C9A57481'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.
The second is:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
Thanks, Noel
By default ADFS will try to verify the claims provider's certificate (CRL check, validity dates, chain verification, etc.); it looks like it is not able to do so in this case. You can either fix the underlying issue or adjust the certificate policy with Set-AdfsClaimsProviderTrust -SigningCertificateRevocationCheck.
http://technet.microsoft.com/en-us/library/ee892351.aspx
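As an added example (not part of the question or the answer above), the following PowerShell, run on the RP ADFS server, reads the signing certificate stored for the claims provider trust, compares it with the thumbprint from the chain-building event, and repeats the chain/revocation validation ADFS performs by default so the failing step is visible. The trust name and thumbprint are placeholders; the cmdlet names are the ADFS module's own.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on the RP ADFS server; $trustName and $eventThumb are placeholders.
Import-Module ADFS   # on ADFS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

$trustName  = 'ID ADFS'                               # placeholder trust display name
$eventThumb = '54XXXXXXXXXXXXXXXXXXXXXXE28C9A57481'   # placeholder, copy from the event

$trust = Get-AdfsClaimsProviderTrust -Name $trustName
"Trust identifier : $($trust.Identifier)"
"Revocation check : $($trust.SigningCertificateRevocationCheck)"

foreach ($cert in $trust.TokenSigningCertificates) {
    "Signing cert     : $($cert.Subject)  thumbprint=$($cert.Thumbprint)"
    "Validity         : $($cert.NotBefore) -> $($cert.NotAfter)"
    if ($cert.Thumbprint -ne $eventThumb) {
        "  note: this is not the thumbprint named in the event; the trust may hold a stale certificate"
    }

    # Rebuild the chain the way ADFS does by default: whole chain, online CRL lookup.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if ($chain.Build($cert)) {
        "  chain OK"
    } else {
        foreach ($s in $chain.ChainStatus) {
            "  chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }
}

# Preferred fix: make the CRL reachable, trust the issuing CA, or replace an
# expired certificate, then refresh the trust from the claims provider metadata:
#   Update-AdfsClaimsProviderTrust -TargetName $trustName
# Only when the signing certificate is self-signed and has no CRL to check,
# relax the policy and accept the reduced assurance that implies:
#   Set-AdfsClaimsProviderTrust -TargetName $trustName -SigningCertificateRevocationCheck None
```

The chain-problem lines map directly onto the "possible causes" listed in the first event (revoked, chain not verifiable, outside validity period), so you can choose between repairing the PKI and relaxing the trust's revocation setting with the actual failure in hand.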