问题描述

如果（a）配置为发送证书，并且（b）其EE证书有多个元素，ADFS是否通常在其断言上发送多元素证书链？

Does ADFS normally send a multi-element cert chain on its assertions, if (a) configured to send certs, and (b) its EE cert has multiple elements?

假设ADFS是一个3层证书链，以ADCS管理的自签名证书为根。

lets assume ADFS sens a 3 layer cert chain, rooted at a self-signed cert managed by ADCS.

假设该网站不属于域名。

Assume the website is NOT part of the domain.

当我配置WIF 网站web.config并使用< certificatevalidation mode = NONE />时，我会在身份模型配置中使用哪个指纹？我是否放置了根证书的指纹或EE证书？

When I configure a WIF website web.config and use <certificatevalidation mode=NONE/>, which fingerprint do I use in identity model config? Do I put the root cert's fingerprint, or the EE cert?

显然，将验证模式设为= NONE，我没有放任何东西在任何Windows证书存储区（这是模式= NONE的整点）。

Obviously, having put validation mode=NONE, I dont put anything in any windows cert store (which is the whole point of mode=NONE).

我可以假设在certvalidation mode = none，WIF是STILL检查证书链和/或签名关于EE证书？

Can I assume in certvalidation mode=none that WIF is STILL checking the cert chain, and/or the signatures on the EE cert?

我可以假设，默认情况下，这些情况下的链验证逻辑大致坚持PKIX扩展档案等）？

Can I assume that, by default, the chain validation logic in these cases is roughly insisting on the PKIX profile of extensions, etc)?

推荐答案

你使用签署该令牌的证书的指纹。

You use the thumbprint of the certificate that signed the token.

这篇关于关于断言的ADFS证书链，与信任点的WIF SP应用程序配置相比的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！