S2S授权仅在用户在SharePoint中具有活动会话时才起作用? [英] S2S authorization only working when user has an active session in SharePoint?
问题描述
我正在开发一个使用高信任度S2S授权的提供商托管应用(如果我的术语不太正确,请原谅我)代表用户访问SharePoint。
I am working on a provider hosted app that uses high-trust S2S authorization (please pardon me if my terminology isn't quite right) to access SharePoint on the user's behalf.
在我的测试环境中,我发现当用户从"网站内容"中打开应用时效果很好,但如果他们直接导航到应用(例如,在新的隐身浏览器窗口中转到其网址),则似乎应用程序和
SharePoint之间的通信失败。 SharePoint不接受身份验证令牌,并且查询SharePoint的尝试最终会因403错误而失败。
In my test environment, I've found that this works well when the user opens the app from Site Contents, but if they navigate directly to the app (e.g. by going to its URL in a fresh incognito browser window), it seems that communication between the app and SharePoint fails. The auth token is not accepted by SharePoint, and the attempt to query SharePoint ultimately fails with a 403 error.
查看ULS日志,看起来事情开始出现问题在我的应用程序到SharePoint的请求中:
Looking at the ULS logs, it looks like things start to go awry about this point in the request from my app to SharePoint:
01/02/2019 06:23:39.65 w3wp.exe (0x4EB4) 0x6244 SharePoint Foundation Claims Authentication ajrho Monitorable security token '0e.t|----|me@mydomain.com687bb741-e682-48b6-b72e-6575d11a7d11_Default' is found in the local cache, but it is expired. Returing Null.. fa11b29e-5847-40c4-86b7-eb4646643db2
01/02/2019 06:23:39.65 w3wp.exe (0x4EB4) 0x6244 SharePoint Foundation Application Authentication ajwp0 Medium SPApplicationAuthenticationModule: User token does not exist in token cache. fa11b29e-5847-40c4-86b7-eb4646643db2如果我刚登录SharePoint,请返回我尝试使用该应用程序的浏览器选项卡,然后刷新选项卡,然后一切正常,而不是上面的,ULS日志显示这种性质的东西:
If I then just log into SharePoint, go back to the browser tab where I was trying to use the app, and refresh the tab, then everything works, and instead of the above, the ULS logs show something along this nature:
01/02/2019 06:27:36.73 w3wp.exe (0x4EB4) 0x313C SharePoint Foundation Application Authentication ajwpw Medium SPApplicationAuthenticationModule: Attached actor identity to current thread. Actor Identity:0i.t|ms.sp.ext|f211d2dc-c1a6-421e-a9b3-c5811fe686dc@6331799e-6148-4554-a694-7d6783098c44. 3412b29e-1829-40c4-86b7-e2cdf5c17d0b
01/02/2019 06:27:36.73 w3wp.exe (0x4EB4) 0x313C SharePoint Foundation Application Authentication ahkpt Medium SPApplicationAuthenticationModule Authentication finished successfully for user:0e.t|-----|me@mydomain.com and actor: 3412b29e-1829-40c4-86b7-e2cdf5c17d0b我觉得这很令人费解,因为我认为S2S模型会允许该应用即使他们在最近几分钟内没有真正访问过SharePoint,也要代表用户行事,但似乎这不起作用。
I find this puzzling because I would have thought the S2S model would allow the app to act on the user's behalf even if they hadn't actually accessed SharePoint in the last few minutes, but it seems that this doesn't work.
是否有可能出现问题我的配置,或者我生成访问令牌的方式,如果是这样,我该如何排除故障? FWIW,我目前正在尝试使用SharePoint和我的应用程序使用ADFS
对用户进行身份验证(使用类似于所描述的内容
here ),但是当我同时设置了SharePoint和应用程序时,我也遇到了同样的问题最多使用由AD支持的Windows身份验证。
Is it possible that there's something wrong with my configuration, or with the way I am generating the access tokens, and if so, how can I troubleshoot it? FWIW, I'm currently attempting this with both SharePoint and my app authenticating the user with ADFS (using something like what's described here), but I have witnessed the same problem when both SharePoint and the app are set up to use Windows authentication backed by AD.
推荐答案
不确定为什么你关心这个场景(首先使用没有登录SharePoint的加载项),因为最终用户不知道url参数部分。
当我在我的本地(先前部署的高信任提供商托管加载项)中测试过,如果我直接使用SPHostUrl参数访问该网站,它可以正常工作。
我的开发环境使用Windows身份验证和提供程序托管的加载项启用自动登录。
https://hightrustaddin2/pages/default.aspx?SPHostUrl = http%3A%2F%2Fsp%3A12001
最好的问候,
Lee
这篇关于S2S授权仅在用户在SharePoint中具有活动会话时才起作用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
