Sharepoint 2013-联合设置-将错误的用户名发送到IIS Web服务器 [英] Sharepoint 2013 - Federated setup - sends incorrect username to IIS webserver
问题描述
你好,
客户拥有Sharepoint 2013,并已与受信任的身份提供者配置联盟.
客户有一个处理某些Sharepoint功能的IIS Web服务器.
该特定的IIS Web服务器不是Sharepoint站点,而只是IIS服务器.它配置有基本身份验证.
当用户使用联盟身份登录到Sharepoint时,Sharepoint网站上的某些元素将从此IIS Web服务器中拉出.
Hello,
A customer has Sharepoint 2013 and has configured federation with a trusted identity provider.
The customer has an IIS webserver that handles some of the Sharepoint functionality.
This specific IIS webserver is not a Sharepoint site, just an IIS server. It is configured with basic authentication.
When the user has logged into Sharepoint with federation, some elements on the Sharepoint site is pulled from this IIS webserver.
我收到未经授权的错误.
在浏览器中,我可以看到以下内容:
I get unauthorized error.
In the browser, I can see the following:
获取/api/wizdom/branding/relations/%7Bc2069413-4121-4011-8319-8b84d29fedbf%7D/2/23-11-201720103A51/?webServerRelativeUrl =%2F& SPHostUrl = https%3A%2F%2Fvores. fmk.dk& SPLocale = da-dk& WizdomVersion = 6.24.0.3& cacheTimestamp = 2017-11-01T12:07:51.4864741Z& SPCacheKey =& SPLanguage = da-DK& SPClientTag = 0& userLoginName = am-wsfed- idp& SPLocale =& null HTTP/1.1
GET /api/wizdom/branding/relations/%7Bc2069413-4121-4011-8319-8b84d29fedbf%7D/2/23-11-201720103A51/?webServerRelativeUrl=%2F&SPHostUrl=https%3A%2F%2Fvores.fmk.dk&SPLocale=da-dk&WizdomVersion=6.24.0.3&cacheTimestamp=2017-11-01T12:07:51.4864741Z&SPCacheKey=&SPLanguage=da-DK&SPClientTag=0&userLoginName=am-wsfed-idp&SPLocale=&null HTTP/1.1
可以看出,指定了userLoginName = am-wsfed-idp. am-wsfed-idp是我在Sharepoint中进行的IDP配置的名称,如下所示:
$ ap = New-SPTrustedIdentityTokenIssuer-名称"AM-WSFED-IDP"; -描述"AM WSFED联合服务器"; -Realm $ realm -ImportTrustCertificate $ cert -ClaimsMappings $ map1,$ map2,$ map3 -SignInUrl $ signinurl -IdentifierClaim $ map2.InputClaimType
因此,它发送的是SPTrustedIdentityTokenIssuer的名称,而不是向用户发送真实的凭据(例如DOMAIN \ user1).
有人知道什么地方可能出问题了吗?
提前谢谢,
雅各布.
As it can be seen, the userLoginName=am-wsfed-idp is specified. am-wsfed-idp is the name of the IDP configuration I made in Sharepoint, like so:
$ap = New-SPTrustedIdentityTokenIssuer -Name "AM-WSFED-IDP" -Description "AM WSFED Federated Server" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1, $map2, $map3 -SignInUrl $signinurl -IdentifierClaim $map2.InputClaimType
So, instead of sending the users real credentials, which should be for example DOMAIN\user1 it sends the name of the SPTrustedIdentityTokenIssuer.
Anyone got an idea what might be wrong?
Thanks in advance,
Jacob.
推荐答案
您的IIS应用程序需要成为依赖方信任的一部分/必须配置为接受Claim令牌.您不能使用基本身份验证,因为来自TIP的令牌不包含密码.您只能将令牌身份从SharePoint传递到IIS- 或使用OAuth.
Your IIS application would need to be part of a relying party trust/be configured to accept Claim tokens. You can't use Basic auth because the token from the TIP doesn't contain a password. You can only pass the token identity from SharePoint to IIS -- or use OAuth.
这篇关于Sharepoint 2013-联合设置-将错误的用户名发送到IIS Web服务器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
