I have the following scenario: ADFS 2.0, used to request tokens across different Active Directories.
Active Directory 1: WCF client, ADFS 2.0 (STS)
Active Directory 2: WCF service (relying party)
I have added the RP to ADFS, but when I request a token from ADFS I get the following error: System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.
Looking in the ADFS event log, I found the matching error:
An error occurred during an attempt to build the certificate chain for the relying party trust 'http://XXXXX/Service1/' certificate identified by thumbprint 'XXXXXXXXXXXX'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.
You can use Windows PowerShell commands for AD FS 2.0 to configure the revocation settings for the relying party encryption certificate. Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot The following errors occurred while building the certificate chain: Unknown error. Unknown error.
User Action: Ensure that the relying party trust's encryption certificate is valid and has not been revoked. Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
It looks like ADFS does not trust the signing certificate from the RP (understandable, since the CA that issued the signing certificate belongs to a different AD). The certificate revocation list is reachable from both Active Directories.
I have already added the CA certificate to the trusted root certificates of "Local Computer", but I think the problem lies in the validation mechanism.
What do I have to configure so that ADFS issues tokens signed with the correct certificate, or how do I convince ADFS that the certificate is valid?
Edit:
I tried to change the revocation check with the PowerShell command:
Set-ADFSRelyingPartyTrust -SigningCertificateRevocationCheck CheckEndCert
, but no luck: Set-ADFSRelyingPartyTrust : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:26
+ Set-ADFSRelyingPartyTrust <<<< -SigningCertificateRevocationCheck CheckEndCert
+ CategoryInfo : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust], ParameterBindingException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.IdentityServer.PowerShell.Commands.SetRelyingPartyTrustCommand
Edit 2: This works:
(Get-ADFSRelyingPartyTrust) | Set-ADFSRelyingPartyTrust -EncryptionCertificateRevocationCheck CheckEndCert
, but now the client in Active Directory 1 complains about the certificate...
System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Service1/' for target 'http://XXXXXXXXXXXXXXXXX/Service1/' failed. See inner exception for more details. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=RP-Service chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.
That is what I wrote in edit 2. You can also try setting the check to CheckEndCert. – flayn 2012-08-16 08:00:24
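The two problems in the thread are the same chain-building failure seen from two machines: AD FS cannot build the RP certificate's chain under CheckChainExcludeRoot, and later the WCF client in Active Directory 1 cannot build the chain for CN=RP-Service to a trusted root. The following script is an added example, not code from the question or from the AD FS product documentation. It runs on the AD FS 2.0 server, reads the revocation settings of one relying party trust, rebuilds the certificate chain locally with .NET's X509Chain so the reason for the "Unknown error" becomes visible, and then relaxes the revocation check for that one trust only, instead of piping every trust from Get-ADFSRelyingPartyTrust as in edit 2, which changes all relying parties. The RP identifier is a placeholder standing in for the masked 'http://XXXXX/Service1/', and the mapping of CheckChainExcludeRoot to X509RevocationMode Online with X509RevocationFlag ExcludeRoot is an assumption about how AD FS drives the chain engine.

```powershell
# Added example (not from the original post). Assumes AD FS 2.0 and its
# PowerShell snap-in are installed on this server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholder for the masked 'http://XXXXX/Service1/' identifier in the post.
$rpIdentifier = 'http://rp.example.test/Service1/'

# 1. Show what AD FS currently requires. The event log quoted
#    CheckChainExcludeRoot for the encryption certificate.
$rp = Get-ADFSRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No relying party trust with identifier $rpIdentifier" }
$rp | Format-List Name, Identifier,
    EncryptionCertificateRevocationCheck,
    SigningCertificateRevocationCheck

# 2. Rebuild the chain the way AD FS does (assumed mapping: CheckChainExcludeRoot
#    = online revocation check on every certificate except the root) and print
#    each chain status, which the event log collapsed into "Unknown error".
function Test-RpCertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode = 'Online',
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag] $RevocationFlag = 'ExcludeRoot'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    $chain.ChainPolicy.RevocationFlag = $RevocationFlag
    $ok = $chain.Build($Certificate)
    New-Object PSObject -Property @{
        Subject  = $Certificate.Subject
        Valid    = $ok
        # Empty when the chain built; otherwise e.g. "UntrustedRoot: ..." or
        # "RevocationStatusUnknown: ...", which tells you whether the CA is
        # missing from the store or the CRL could not be fetched.
        Statuses = ($chain.ChainStatus | ForEach-Object {
                       "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

# Encryption certificate (what the event log complained about) and each
# request-signing certificate registered on the trust.
Test-RpCertificateChain -Certificate $rp.EncryptionCertificate
foreach ($c in $rp.RequestSigningCertificate) {
    Test-RpCertificateChain -Certificate $c
}

# 3. Relax the check for this one trust only. -TargetIdentifier picks the
#    parameter set, which is what the AmbiguousParameterSet error in the
#    first edit was missing.
Set-ADFSRelyingPartyTrust -TargetIdentifier $rpIdentifier `
    -EncryptionCertificateRevocationCheck CheckEndCert `
    -SigningCertificateRevocationCheck CheckEndCert
```

Relaxing the revocation check only removes the CRL lookup; the chain must still end at a root in the AD FS server's Local Computer Trusted Root Certification Authorities store, so if Test-RpCertificateChain reports UntrustedRoot, CheckEndCert will not help and the CA certificate from Active Directory 2 has to be imported. The client-side error in edit 2 is the same UntrustedRoot condition on the machine in Active Directory 1: running the same function there against the CN=RP-Service certificate shows whether that machine's store contains the issuing CA, which is the fix the exception text itself points at before falling back to changing certificateValidationMode.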