ADFS Client Certificate Authentication with CN and Subject Alternate Name different from UPN


Problem description

I am trying to implement client authentication for a SharePoint application using client certificate authentication.

The certificates for the users are issued by an external certificate authority, and we map the certificate to users in Active Directory by name mapping the certificate value for CN. However, the CN of the certificate does not match the UPN in Active Directory, and I have no control over how the CN is created (external CA).

When users try to log in with the client certificate (we enable external authentication with the certificate and add all root CAs to the Trusted store so the client certificate can be trusted), the user gets prompted to choose the certificate, and after that they receive the following error:

The Federation Service encountered an error while processing the WS-Trust request.

Request type: schemas.microsoft.com/idfx/requesttype/issue

Additional Data Exception details:

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate) at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate) at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName) at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList1& identityClaimSet, List1 additionalClaims)

Recommended answer

Ensure that the Alternate ID match is done with the thumbprint of the certificate.

Based on your error message, some possible scenarios are:

  • Your ADFS service account cannot read the pwdlastset value from the users in your child domain - check effective permissions.
  • The users in the child domain have never had a password set, or the pwdlastset value is set to a very large or very small value that cannot be processed as a file time - this can happen if the users are provisioned by an identity management tool that writes to the AD database in a specific way.

Manually create a user in the child domain and see if that user can log in. If it cannot, disable inheritance on the object and assign the "read all properties" permission to the service account - remove any Deny permissions from the user.
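As an added example (not part of the question or the answer above), the following PowerShell audits the two conditions the answer lists for child-domain users: pwdLastSet values that cannot be processed as a file time, and explicit Deny ACEs on the user object for the ADFS service account. It assumes the ActiveDirectory module is installed; the search base and service account name are placeholders.

```powershell
# Added example, not code from the question or answer. Assumes the
# ActiveDirectory module; $SearchBase and $ServiceAccount are placeholders.
Import-Module ActiveDirectory

$SearchBase     = 'OU=Users,DC=child,DC=example,DC=com'   # placeholder
$ServiceAccount = 'EXAMPLE\svc-adfs'                      # placeholder

# Largest value DateTime.FromFileTime accepts; anything above it throws.
$MaxFileTime = [DateTime]::MaxValue.ToFileTimeUtc()

function Test-PwdLastSet {
    param([Int64]$Value)
    # 0 means the password was never set (or "must change at next logon").
    if ($Value -eq 0)            { return 'NeverSet' }
    if ($Value -lt 0)            { return 'Negative' }
    if ($Value -gt $MaxFileTime) { return 'OutOfRange' }
    return 'OK'
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties pwdLastSet
foreach ($u in $users) {
    $state = Test-PwdLastSet -Value ([Int64]$u.pwdLastSet)

    # Explicit Deny ACEs on the object that name the service account directly.
    # Denies granted through group membership are not detected here.
    $acl    = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $ServiceAccount
    }

    # Report only the users that match one of the answer's failure causes.
    if ($state -ne 'OK' -or $denies) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            pwdLastSet     = $u.pwdLastSet
            State          = $state
            DenyACEs       = ($denies | Measure-Object).Count
        }
    }
}
```

Run it from a host with the RSAT AD module as an account that can read the child domain; an empty result means neither condition applies to the users under the search base.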

