Adfs:提供登录凭据后身份验证失败 [英] Adfs: Authentication fails after logon credentials are provided
本文介绍了Adfs:提供登录凭据后身份验证失败的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在开发一个SP(依赖方)。我设法在没有AuthnRequest签名的情况下使用ADFS。
但是在发送以下请求时签名,ADFS提示输入凭据,它接受正确的凭据,无法响应用户和组。我将附加
请求,响应和异常记录。
依赖方身份验证请求:
Relying Party Auth Request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://adfs-sj1.sjlab.local/adfs/ls/" ID="_422d0bb72b1120db737695464793dedf4ea8ddd2" IssueInstant="2012-07-30T21:52:47.501Z" Version="2.0">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spid</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_422d0bb72b1120db737695464793dedf4ea8ddd2">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>S5b7PCF8WscoOX++EcpyjQNW4q0=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>g1PXYERi48Q/vGXNBPwZlteyihQmt3eo9+MIQlBdC8MqTsm8GdvE1Nq4osszEyprAK5Q6Uv5QV/UgctUWGV2hUxLc5bpXVwpaYaoywH0XPXArROR1EyGVz2g5YAjgGxpU0YbxJIk+2A1DblE0alYSK/88oHHcmpwp6dmgwmvfXcRA83DnVCeIZoKSPuNTqSLb6UKk+QxUABieuAb1ecsQmJsEjUXcrPq+RPL1+goNhC4/vbPatuK90ZyZe5CljwAtWXmqoBzWexxgWdzs4E9zIc/aQi/HFioGz0EnPiipgBjHRlV+Gv0iFV1dS++a24+F7H2NG6aZSGipcyj2kJMDg==</ds:SignatureValue>
</ds:Signature>
</saml2p:AuthnRequest>
来自adfs的回复:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_f66aaa60-a0de-47c4-a3e8-2a046e75989c" Version="2.0" IssueInstant="2012-07-30T21:53:54.327Z" Destination="https://sp/auth/saml/response-endpoint.do" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_422d0bb72b1120db737695464793dedf4ea8ddd2">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ADFS-SJ1.sjlab.local/adfs/services/trust</Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_f66aaa60-a0de-47c4-a3e8-2a046e75989c">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>MVyIqmJTc8+dFv1C1X+LNz4m2VyoSiOVkiEOu9xLGcM=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Soxs08yX91iN/W3RT8iVqQUaqAmZPT7K3ct0ugD+PdVTDAHRiEqsJZPZ3A6dhaugw4IL1nZ9gFQpEjr1kn8mUiKW+joc6wS849BPEVFzRBtibFwMCT0PvHV9+NZkBcbWdrNdq9X1KzgF2I/8T/uG4j5E3QixHtiGH9eKTqAsWA3OdJi/yxQVQ/xCZxojmkCyyWbzJOzXLYd4OdmmgAhUjJj3oHwRRcx93G5jXeC4sMgvu/iLujAKcfkpuUvtAptDpkLSqudX0cex0JpabojST0+71HH3fScz77Tc4ncRQGDOACnhPntl23DlrVQrWDpXXa4NbpzQ7FbC8vP2WzzJAQ==</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC5DCCAcygAwIBAgIQEOuB20rSlJZKLAd1sNl5zTANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSBBREZTLVNKMS5zamxhYi5sb2NhbDAeFw0xMjA3MDkxMTIyMzRaFw0xMzA3MDkxMTIyMzRaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIEFERlMtU0oxLnNqbGFiLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApfybfzDIdxUs4L3OvyJv44M7srDZmq3uv19NxNJXh8+UcyBkyRcC2ooyQC6Hcq0cG7oFrnqIdai6s22BlWsd5fEPvlDVbylejD46NVrIhq5aRgfntYGKjGXVjOpa2/NaOIrYjtL9IQV3GgzbMsx8w+MljIP4HZklhCRJ5HN8mHdZDldPtuqEXcCDMatPSU7klMTEhao4pFYsAZmfQkQHSNeW2wg56ncrhvmnOD8FAkL4EFuydiEGB8Bl6vsLsO9WoHXCPOTvTlZj/kcKozsJzQyve8p8I4EM/1UcddFZgUfnEX6R1lv0SBN/uT93RZt/JtuBPZRunEOtRR6ZqGFZIwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBde/2bXlAjwIUDaorYvgg5kxKFpuj8b8MOxSYZHtM0l8sLhS5JSCzBp02xoyVtz2W0H7R23wv4LyWrFkeM0utZ3STS0AzFco/4g7FY3x3kNMOYt1/aM74tW0OIKRVjb8cj+jg81JLmxN/kK5u0LE+vMF1mfF5O9Xj8502QEiV27SY+X+gpu4RHjaG+g+Y5/x29btSyS8Mh94743lCFk20nIsd3B3AwyOCGFsWjelxLBe+fPGbLwfW8bhcpONkFPezOB+XNHyFfeCZb7FzYiOQhvBZXEGT84u0Ny2N+jepdVdPcLtL8HS5Obz2fUbhwbtomXZaD4ioxfaxShqXcx0IM</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
</samlp:Status>
</samlp:Response>
在adfs 2.0日志中发现异常:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
System.InvalidOperationException: This message cannot support the operation because it has been written.
Server stack trace:
at System.ServiceModel.Channels.Message.WriteMessage(XmlDictionaryWriter writer)
at System.ServiceModel.Channels.BufferedMessageWriter.WriteMessage(Message message, BufferManager bufferManager, Int32 initialOffset, Int32 maxSizeQuota)
at System.ServiceModel.Channels.BinaryMessageEncoderFactory.BinaryMessageEncoder.WriteMessage(Message message, Int32 maxMessageSize, BufferManager bufferManager, Int32 messageOffset)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.EncodeMessage(Message message)
at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnSend(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.OutputChannel.Send(Message message, TimeSpan timeout)
at System.ServiceModel.Dispatcher.DuplexChannelBinder.Request(Message message, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
你能来吗?请指出我正确的方向来解决问题?请询问您是否需要更多详细信息。谢谢。
推荐答案
我遇到了完全相同的问题。你有没有设法解决它?
I am having exactly the same issue. Did you manage to resolve it?
这篇关于Adfs:提供登录凭据后身份验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文