This article describes how to handle ADFS V1 configuration file compatibility with V2. It is of some reference value for solving the problem; readers who need it can follow along below.

Problem description


I have a simple .net application with ADFS V1 Claims agent (UPN is the only claim). I have a POC ADFS V2 server which is the IDP in this scenario. And after the login I see a successful authentication token from the server, but the application gives me a 403 and the event log on the application server shows a
"The client presented an invalid inbound token as evidence. The token contained invalid XML or did not conform to a supported ADFS token profile."
error in the security event log.

I tried the same setup on other working ADFS V1 agent with V1 server cases by switching the server to the new V2 and I get the same error in all the cases.

Is there a compatibility issue here? Has anyone successfully done a V1 agent application with a V2 server?

Seems like this would be the first use case MS would test when they are checking backward compatibility...

Recommended answer


  <system.diagnostics>
    <switches>
      <!-- WebSsoDebugLevel 255 switches on every trace category of the ADFS V1 web agent -->
      <add name="WebSsoDebugLevel" value="255" />
    </switches>
    <trace autoflush="true" indentsize="3">
      <listeners>
        <!-- Bounded log file written by the web agent; the folder must already exist -->
        <add name="ADFSLogListener" type="System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" initializeData="C:\logs\webagent.log" />
      </listeners>
    </trace>
  </system.diagnostics>


Make sure c:\logs is writeable by web agent app (likely you need to add Network Service write ACL to folder permissions - that depends on app pool account).


Without debug logs I can guess that the name identifier claim is not emitted from the ADFS 2.0 claim issuance policy. If that's the case you can set up a claim transform rule - input claim is ADFS UPN and outgoing claim should be "Name ID" and outgoing name identifier format is UPN.
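The transform rule described above, written out in the ADFS 2.0 claim rule language and applied with the ADFS 2.0 PowerShell snap-in, as an added example that is not part of the original answer. The relying party trust name is a placeholder; the claim type and name-identifier format URIs are the standard ones ADFS 2.0 uses for UPN and Name ID.

```powershell
# Added example (not from the original post): issue a Name ID claim in UPN format
# from the incoming UPN claim, which is what the ADFS V1 web agent expects.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName  = "V1 Web Agent App"   # placeholder: display name of the relying party trust

$upn     = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$nameId  = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$fmtProp = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"
$upnFmt  = "http://schemas.xmlsoap.org/claims/UPN"

# Claim rule: input claim UPN -> outgoing claim Name ID, name identifier format UPN
$nameIdRule = @"
@RuleName = "UPN -> Name ID (UPN format) for ADFS V1 agent"
c:[Type == "$upn"]
 => issue(Type = "$nameId", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$fmtProp"] = "$upnFmt");
"@

# -IssuanceTransformRules replaces the whole rule set, so keep the existing
# rules (e.g. the UPN pass-through the agent already relies on) and append.
$rp    = Get-ADFSRelyingPartyTrust -Name $rpName
$rules = $rp.IssuanceTransformRules + "`n" + $nameIdRule
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules

# Verify the rule set now contains the Name ID rule before retesting the agent
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

After applying the rule, sign in again and check the web agent trace log configured above for the Name ID claim in the inbound token.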


That concludes this article on ADFS V1 configuration file compatibility with V2. We hope the recommended answer is helpful to everyone, and we hope for your continued support!

08-18 13:18