Sharepoint and ADFS 2.0 connect to second domain


Question

Hello

I want to set up a SharePoint server to authenticate against ADFS 2.0.

My environment:
Domain-A: DC 2008 R2, SQL 2005 SP3, Sharepoint 2010, ADFS 2.0 (one computer is DC and web/sharepoint/SQL/ADFS server) - computer-A

Domain-B: DC 2008 R2, ADFS 2.0 (one computer is DC and web/ADFS server and CAauthority) - computer-B

First I followed the instructions on this blog http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=33
and I've been able to successfully authenticate against the ADFS 2.0 server. Everything works, I am able to log in through the ADFS 2.0 server with my email address.


Then I add the second domain (domain-B) and I want to authenticate sharepoint against that domain (email address claims).
I followed the instruction on this post http://social.msdn.microsoft.com/Forums/en/Geneva/thread/80b87eaa-155b-45c3-b367-a1a509325f3d.

On computer-A I opened the ADFS console, added a new trust under trust relationships/claims provider trusts
(metadata trust https://computer-b.domain-b.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml)
and created a new "passthrough or filter an incoming claim" rule, type is email address.

On computer-b I opened the ADFS console, added a new trust under trust relationships/relying party trusts
(metadata https://computer-a.domain-a.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml) and added the rule "send LDAP attributes as claims",
LDAP attribute is email address, outgoing claim type is email address.

All certificates are signed with the computer-b CA, and I put this cert in the trusted root certification authorities on computer-a.

If I want to log in as a user from domain-b (email address is administrator@domain-b.uni-mb.si, I set this in dsa.msc) I see only an error in my web browser.

I get this message in the event log on computer-a
("An exception occurred when trying to issue security token: The trusted login provider did not supply a token accepted by this farm."):
--------------------------------------------------------------------------
- System
- Provider
[ Name] Microsoft-SharePoint Products-SharePoint Foundation
[ Guid] {6FB7E0CD-52E7-47DD-997A-241563931FC2}

EventID 8306

Version 14

Level 2

Task 47

Opcode 0

Keywords 0x4000000000000000

- TimeCreated
[ SystemTime] 2010-09-01T08:06:28.804710900Z

EventRecordID 21955

- Correlation
[ ActivityID] {5B2CA12F-7D02-4182-8605-CF4BB9278FF0}

- Execution
[ ProcessID] 2532
[ ThreadID] 4516

Channel Application

Computer computer-a.domain-a.uni-mb.si

- Security
[ UserID] S-1-5-21-3413159994-3418066149-3671445478-1109

- EventData
string0 The trusted login provider did not supply a token accepted by this farm.
------------------------------------------------------------------------------
What did I miss?

I also want to debug ADFS "http://technet.microsoft.com/en-us/library/ff641696(WS.10).aspx" but my ADFS 2.0 tracing log is empty on both computers.
I don't see any claims. Any clue? How to enable debug tracing?

Recommended answer

I've found the solution:

Domain-A: DC 2008 R2, SQL 2005 SP3, Sharepoint 2010, ADFS 2.0 (one computer is DC and web/sharepoint/SQL/ADFS server) - computer-A

Domain-B: DC 2008 R2, ADFS 2.0 (one computer is DC and web/ADFS server and CAauthority) - computer-B

First I followed the instructions on this blog http://blogs.pointbridge.com/Blogs/nielsen_travis/Pages/Post.aspx?_ID=33

and I've been able to successfully authenticate against ADFS 2.0 server.

Everything works, I am able to login through adfs 2.0 server with my email address.

Then I add the second domain (domain-B) and I want to authenticate sharepoint against that domain (email address claims).

I followed the instructions on this post http://social.msdn.microsoft.com/Forums/en/Geneva/thread/80b87eaa-155b-45c3-b367-a1a509325f3d.

On computer-A I opened the ADFS console, added a new trust under trust relationships/claims provider trusts
(metadata trust https://computer-b.domain-b.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml)

and created a new "passthrough or filter an incoming claim" rule, type is email address. Then, under trust relationships/relying party trusts, I added a second "passthrough or filter an incoming claim" rule, type is email address.

On computer-b I opened the ADFS console, added a new trust under trust relationships/relying party trusts
(metadata https://computer-a.domain-a.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml) and added the rule "send LDAP attributes as claims", LDAP attribute is email address, outgoing claim type is email address.

My federation works.

Is there cookbook recipe how to create group claim (two domains, sharepoint 2010)?

I also started a new thread http://social.msdn.microsoft.com/Forums/en/Geneva/thread/33fc091b-505c-481c-a61c-a8541a5ccf23,
because I still didn't get anything in the ADFS debug tracing log.
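The trust and claim-rule setup the question and the answer describe, as an added example in ADFS 2.0 PowerShell (not code from the thread) rather than console clicks. It assumes the Microsoft.Adfs.PowerShell snap-in, the host names used in the thread, and that the existing SharePoint relying party trust on computer-A is named 'SharePoint 2010'; the suffix filter on the acceptance rule is a hardening step the thread does not include.

```powershell
# Added example, not from the thread: the console steps as ADFS 2.0 PowerShell.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# ---- computer-A (the SharePoint farm's ADFS): domain-B's ADFS becomes a claims provider ----
Add-ADFSClaimsProviderTrust -Name 'domain-B ADFS' `
    -MetadataUrl 'https://computer-b.domain-b.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml'

# Acceptance rule on the claims provider trust. The poster used an unfiltered pass-through;
# the Value filter (hardening, not in the thread) drops e-mail claims outside domain-B's
# suffix, so the partner IdP cannot assert a domain-A mailbox.
$acceptEmail = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Accept domain-B e-mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", Value =~ "(?i)@domain-b\.uni-mb\.si$"]
 => issue(claim = c);
'@
Set-ADFSClaimsProviderTrust -TargetName 'domain-B ADFS' -AcceptanceTransformRules $acceptEmail

# The step the answer added: the SharePoint relying party trust must also pass the
# e-mail claim through, otherwise the token reaching the farm carries no identity claim
# (event 8306). Append to the existing rules rather than replacing the LDAP rule that
# already serves domain-A users. 'SharePoint 2010' is the assumed trust name.
$passEmail = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass e-mail to SharePoint"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(claim = c);
'@
$existing = (Get-ADFSRelyingPartyTrust -Name 'SharePoint 2010').IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName 'SharePoint 2010' `
    -IssuanceTransformRules ($existing + "`r`n" + $passEmail)

# ---- computer-B (domain-B's ADFS): domain-A's ADFS is its relying party ----
Add-ADFSRelyingPartyTrust -Name 'domain-A ADFS' `
    -MetadataUrl 'https://computer-a.domain-a.uni-mb.si/federationmetadata/2007-06/federationmetadata.xml'

# "Send LDAP attributes as claims": the AD 'mail' attribute becomes the e-mail address claim.
$sendEmail = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);
'@
# A relying party trust created from the command line has no authorization rule yet, so
# also permit all authenticated users (the console wizard's default choice).
Set-ADFSRelyingPartyTrust -TargetName 'domain-A ADFS' -IssuanceTransformRules $sendEmail `
    -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
```

After the change, a domain-B user's token reaching SharePoint should contain the emailaddress claim; if event 8306 persists, compare the claim type and value against the identity claim the farm's SPTrustedIdentityTokenIssuer expects.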

