Problem description
I have a simple .net application with the ADFS V1 Claims agent (UPN is the only claim). I have a POC ADFS V2 server which is the IDP in this scenario. After the login I see a successful authentication token from the server, but the application gives me a 403 and the event log on the application server shows a
"The client presented an invalid inbound token as evidence. The token contained invalid XML or did not conform to a supported ADFS token profile."
error in the security event log.
I tried the same setup on other working ADFS V1 agent with V1 server cases by switching the server to the new V2 and I get the same error in all the cases.
Is there a compatibility issue here? Has anyone successfully done a V1 agent application with a V2 server?
Seems like this would be the first use case MS would test when they are checking backward compatibility ......
Recommended answer
<system.diagnostics>
  <switches>
    <add name="WebSsoDebugLevel" value="255" />
  </switches>
  <trace autoflush="true" indentsize="3">
    <listeners>
      <add name="ADFSLogListener" type="System.Web.Security.SingleSignOn.BoundedSizeLogFileTraceListener, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" initializeData="C:\logs\webagent.log" />
    </listeners>
  </trace>
</system.diagnostics>
Make sure c:\logs is writable by the web agent app (likely you need to add a Network Service write ACL to the folder permissions - that depends on the app pool account).
Without debug logs I can guess that the name identifier claim is not emitted from the ADFS 2.0 claim issuance policy. If that's the case you can set up a claim transform rule - the input claim is ADFS UPN, the outgoing claim should be "Name ID", and the outgoing name identifier format is UPN.
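The two steps in the answer above, as an added PowerShell example that is not part of the original answer: step 1 runs on the web agent server and grants the app pool identity write access to C:\logs so the trace listener can actually write; step 2 runs on the ADFS 2.0 server and adds the UPN-to-Name ID transform rule in claim rule language, the same rule the "Transform an Incoming Claim" template produces for an incoming ADFS 1.x UPN claim with outgoing name identifier format UPN. The app pool account ("NT AUTHORITY\NETWORK SERVICE") and the relying party trust name ("V1 Agent App") are assumptions; replace them with your own values. The claim type and format URIs are the ones ADFS 2.0 uses for the ADFS 1.x UPN claim and the Name ID format property.

```powershell
# Added example, not from the original answer. Two steps on two different machines.
# Values marked ASSUMED are placeholders for this environment.

# --- Step 1: on the web agent server, make C:\logs writable for the app pool ---
function Grant-WebAgentLogFolder {
    param(
        [string]$Path     = 'C:\logs',
        [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'   # ASSUMED app pool account
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }
    $acl  = Get-Acl -Path $Path
    # Modify on the folder, inherited by files, so the listener can create and append to webagent.log
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Check: an empty result here means the listener will fail silently and no log appears
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference -eq $Identity }
}

# --- Step 2: on the ADFS 2.0 server, add the UPN -> Name ID transform rule ---
function Add-UpnToNameIdRule {
    param([string]$RelyingPartyName = 'V1 Agent App')   # ASSUMED relying party trust name
    # ADFS 2.0 cmdlets are provided by this snap-in (not a module)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

    # Incoming claim: ADFS 1.x UPN. Outgoing claim: Name ID with format property set to UPN.
    $rule = @'
@RuleName = "UPN to Name ID (UPN format) for ADFS 1.x agent"
c:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]
            = "http://schemas.xmlsoap.org/claims/UPN");
'@

    $rp = Get-ADFSRelyingPartyTrust -Name $RelyingPartyName
    # Keep the existing issuance rules (including the one that emits UPN) and append the new rule
    $rules = $rp.IssuanceTransformRules + "`r`n" + $rule
    Set-ADFSRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $rules
    # Check: the returned rule set should now contain the nameidentifier issue statement
    (Get-ADFSRelyingPartyTrust -Name $RelyingPartyName).IssuanceTransformRules
}
```

Run Grant-WebAgentLogFolder on the application server first and reproduce the 403; webagent.log then shows which claim the agent failed to find. If the Name ID is missing, run Add-UpnToNameIdRule on the ADFS 2.0 server against the relying party trust for the V1 agent application. The rule copies the UPN value unchanged; it only adds the claim type and format the V1 agent expects.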