Problem description
I have an ADFS2 server which uses a SAML2 idp as a claim provider with the SOAP binding for Artifact resolution. Communication between ADFS and the IDP to resolve the artifacts is using mutual ssl. I've uploaded the IDP ssl certificate to the ADFS server trusted certificates store and communication is working as expected.
On the other hand, when the IDP requests the client certificate from ADFS, the latter can't find the certificate. The certificate (with the key) is imported to both the local machine\personal and adfs2_service\personal stores, with full permissions to everyone. I've enabled logging for Schannel and I'm seeing the following error in the Event Viewer system log.
"The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings."
And ADFS log shows: "System.ServiceModel.Security.MessageSecurityException: The HTTP request was forbidden with client authentication scheme 'Anonymous'. ---> System.Net.WebException: The remote server returned an error: (403) Forbidden."
How can I find which certificate store ADFS2 is using? I assumed it would be the local machine personal store or the ADFS2 service personal store.
Any ideas as to what else can be done to find the certificate?
Thanks,
Eitan
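An added diagnostic for the Schannel error quoted above (this is not code from the original thread). Schannel only offers a client certificate that has an accessible private key, is currently valid, and either carries the Client Authentication EKU or has no EKU extension at all, and the handshake runs inside the AD FS service process, so that service account needs read access to the key file itself, not just "full permissions" on the certificate. Assumptions: it is run elevated on the AD FS 2.0 server, the key is an RSA CSP key stored under MachineKeys, and the adfs2_service Personal store (a per-user store) is inspected separately via Cert:\CurrentUser\My while running as that account.

```powershell
# Added diagnostic, not from the original thread: for each certificate in the local machine
# Personal store, report whether Schannel could select it as a TLS client certificate.
# Assumption: elevated PowerShell on the AD FS 2.0 server; RSA CSP keys under MachineKeys.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'                                   # id-kp-clientAuth
$now    = Get-Date
$keyDir = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' # CSP machine key files

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EKU check: no EKU extension means "any purpose"; otherwise clientAuth must be listed.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $true
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $hasClientAuth = $oids -contains $clientAuthOid
    }
    $validNow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)

    # Who can actually read the private key file? The AD FS service account must be here.
    $keyReaders = 'n/a (no private key, CNG key, or key not accessible to this user)'
    try {
        if ($cert.HasPrivateKey -and $cert.PrivateKey -ne $null) {
            $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (Test-Path $keyFile) {
                $keyReaders = ((Get-Acl $keyFile).Access |
                    Where-Object { $_.AccessControlType -eq 'Allow' -and
                                   $_.FileSystemRights -match 'Read|FullControl' } |
                    ForEach-Object { $_.IdentityReference.Value }) -join ', '
            }
        }
    } catch { $keyReaders = "error reading key: $($_.Exception.Message)" }

    # Note: even a Selectable certificate is skipped by Schannel if its issuer is not in the
    # CA list the IdP sends in its CertificateRequest; compare Issuer against that list.
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ValidNow      = $validNow
        ClientAuthEku = $hasClientAuth
        Selectable    = ($cert.HasPrivateKey -and $validNow -and $hasClientAuth)
        KeyReaders    = $keyReaders
    }
} | Sort-Object Selectable -Descending | Format-List
```

If no entry shows Selectable = True with the service account among KeyReaders, the "no suitable client certificate" event is explained by the store contents alone.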
Recommended answer
AD FS does not support using client certificates for authentication during artifact resolution. It does support message-level signatures on the artifact resolution request.
Can you configure your IdP to allow message-level authentication for artifacts? Alternately, you could try using a different channel for returning the token, like the HTTP-POST binding.