Share session between a .NET Core app and a .NET Framework app in different application pools under the same domain using Azure AD - IDX20804 error


Problem description

I have a .NET Core application and a .NET Framework application running under the same site (domain) on IIS. Both are working perfectly. But when I add authentication with Azure AD to the .NET Core app, I get some errors (shown below).

.NET Framework app specs:

  • Already uses SAML 2.0 authentication
  • Nothing changed in this app
  • Has its own web.config file
  • Has its own application pool
  • Login works fine

.NET Core app specs:

  • Uses .NET Core 3.1
  • Authenticates users with Azure AD
  • TenantId and ClientId are set correctly in appsettings.json
  • Has its own web.config file
  • Has its own application pool
  • Logging in with Azure AD works fine locally (using IIS Express from Visual Studio)

IIS website structure - screenshot

Application pools - screenshot

Steps:

  1. Log in successfully with SAML
  2. Enter the .NET Framework app successfully
  3. Click into the .NET Core app
  4. It loads for a while and then throws 3 errors:


An unhandled exception has occurred while executing the request.

Exception: 
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/blablabla/.well-known/openid-configuration'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://login.microsoftonline.com/blablabla/.well-known/openid-configuration'.
 ---> System.Threading.Tasks.TaskCanceledException: The operation was canceled.
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean allowHttp2, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.GetHttpConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.DiagnosticsHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
   at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
   at Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAlwaysRunResultFilters>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeFilterPipelineAsync>g__Awaited|19_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeAsync>g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)
   at Microsoft.AspNetCore.Routing.EndpointMiddleware.<Invoke>g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Before getting the above error logs, I have some warnings in the event viewer:

EventId: 50
Using an in-memory repository. Keys will not be persisted to storage.

Category: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager
EventId: 59
Neither user profile nor HKLM registry available. Using an ephemeral key repository. Protected data will be unavailable when application exits.

Category: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager
EventId: 35
No XML encryptor configured. Key {blablabla} may be persisted to storage in unencrypted form.

I am not sure what these warnings are. Maybe they can help point to the real problem.

Also, this is the last log before the error log, and it shows that the app started successfully.

Application 'X:\inetpub\wwwroot\MyApp\' started successfully.

I assumed they were able to share the session between the two applications since they are under the same domain.

Am I missing something?

Answer

No, they are not. To share session between applications, the key point is to share the cookie between the applications, not to be under the same domain. And the key point to sharing the cookie is using the same key to encrypt and decrypt the data, just like what you see in the event viewer. The reason is that session uses an aspnet.session cookie to track every connection's session, and this cookie is encrypted by ASP.NET Core. To enable sharing session between applications, your applications should be able to share the key to decrypt and encrypt data. This part of ASP.NET Core is called Data Protection. It looks like you have not configured the data protection key. You can refer to this document for more detail.
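As an added example (not code from the question or the answer), the following ASP.NET Core 3.1 Startup shows the Data Protection configuration the answer refers to: a persisted, encrypted key ring shared by every application that must read the same cookies, together with the session and Azure AD (OpenID Connect) registration of the Core app. The key directory X:\inetpub\keys, the application name SharedApps, the cookie names and the AzureAd:ClientSecret configuration key are assumptions, not values from the page.

```csharp
// Startup.cs for the ASP.NET Core 3.1 application (added example, not the page's code).
// Assumed, not from the page: key ring path X:\inetpub\keys, application name "SharedApps",
// cookie names ".Shared.Session" / ".Shared.Auth", configuration key AzureAd:ClientSecret.
using System;
using System.IO;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Data Protection. Every app that must read the same cookies needs the same key
        //    ring AND the same application name (it is mixed into the purpose string).
        //    Left unconfigured under an IIS app pool without a loaded user profile, this is
        //    what produces the EventId 59 / 35 warnings in the question: ephemeral keys that
        //    are lost on recycle and that no other pool can use to unprotect the cookie.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(@"X:\inetpub\keys")) // assumed path; grant only the app-pool identities Modify on it
            .ProtectKeysWithDpapi()      // keys encrypted at rest; both pools must run as the same Windows identity.
                                         // Use ProtectKeysWithCertificate(...) when the identities differ.
            .SetApplicationName("SharedApps"); // assumed; must match the other app exactly

        // 2. Session. The shared cookie only carries the session id; the session *values*
        //    live in IDistributedCache, which must itself be shared (Redis, SQL Server, ...)
        //    for two processes to see the same data. The memory cache below is per process.
        services.AddDistributedMemoryCache();
        services.AddSession(options =>
        {
            options.Cookie.Name = ".Shared.Session";              // assumed; identical in both apps
            options.Cookie.Path = "/";                            // visible to both sub-applications
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Lax;
            options.IdleTimeout = TimeSpan.FromMinutes(20);
        });

        // 3. Authentication: a local cookie issued after an Azure AD (OpenID Connect) sign-in.
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie(options =>
            {
                options.Cookie.Name = ".Shared.Auth";  // assumed; protected with the key ring above
                options.Cookie.Path = "/";
                options.Cookie.HttpOnly = true;
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            })
            .AddOpenIdConnect(options =>
            {
                var tenantId = _config["AzureAd:TenantId"];
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                options.ClientId = _config["AzureAd:ClientId"];
                options.ClientSecret = _config["AzureAd:ClientSecret"]; // assumed key; keep the value out of source control
                options.ResponseType = "code";        // authorization code flow with PKCE, not implicit id_token
                options.UsePkce = true;
                options.SaveTokens = false;           // do not persist access/refresh tokens into the cookie
                // The handler fetches {Authority}/.well-known/openid-configuration itself, from the
                // IIS worker process. That is the request that failed with IDX20804 in the question,
                // so the worker process needs outbound HTTPS to login.microsoftonline.com.
                options.BackchannelTimeout = TimeSpan.FromSeconds(30);
                // CallbackPath defaults to /signin-oidc under the sub-application's path base;
                // the redirect URI registered in Azure AD must match that full URL.
            });

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseSession();   // after routing, before endpoints
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Two checks belong before any code change. In IIS, set the Core app pool's Load User Profile to True: the EventId 59 warning means the default per-user key location was unavailable to the worker process. Then, from the server itself and as the app-pool identity, confirm that https://login.microsoftonline.com/<tenant>/.well-known/openid-configuration is reachable through whatever proxy or firewall applies; the trace shows ConnectAsync being cancelled, i.e. the worker process never got a TCP connection within the back-channel timeout, and IIS Express succeeding on a developer machine says nothing about the server's egress. On the .NET Framework side, reading the cookie the Core app writes requires the Microsoft.Owin.Security.Interop package pointed at the same key directory and application name; sharing the session values as well needs a common session store, which this page does not cover.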
