我試圖通過SIP和HTTP通信創建Lync/Skype客戶端的一些基本功能。我們的工具是用C++編寫的。我已經完成了NTLM和Kerberos的認證部分,但是我在實現TLS-DSK認證方面遇到了嚴重的問題。Lync 2013 - CreateAuthBrokerSession不接受WebTicket
我用這些教程:
我想用我自己的TLS實現(基於視窗SSPI)工作,但我看到有使用Web服務的方式對於這一部分,正如1.3.3 MS-OCAUTHWS中所寫。在使用身份驗證代理服務之前,我需要訪問Web票務服務才能訪問票證。我已經收到了網絡票,我簽了字。
這裏是我的網頁票:
<wsse:Security>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp">
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T07:47:43.3671158Z</Created>
<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T15:44:04.3671158Z</Expires>
</wsu:Timestamp>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7" Issuer="https://lync.domain.com:4443/108486a8-f2cf-5123-84f4-1ddecb41a6e9" IssueInstant="2016-05-12T07:47:43.368Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2016-05-12T07:47:43.367Z" NotOnOrAfter="2016-05-12T15:44:04.367Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://lync.domain.com/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2016-05-12T07:47:43.368Z">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:[email protected]</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256" />
<KeyInfo>
<KeyName>108486a8-f2cf-5123-84f4-1ddecb41a6e9:8d37a331603249e</KeyName>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ZZ1P9UwMNA8yX3Z0l07rWUX1Cpuh+2HJYh2fjTWlhCBMpnIT3fEzog==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>/2L09RaIuIcwF5sVHrs7jmG0sXuY0x3gOGZLnUu/ziw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>6VUfrCdK1VpXSSol1XkP2Ba/2rX6dz6o1NBEMT1LYsveYaAgoy/W16gPaJFb8TloqMZ8R+FE91opbSkSjbzwCNW+0q/SuJNYyk0j1tfdpk+URP1xpMq+P1wUVhoj++t9QAuL9ztY7YJ4IFm6nsDzq6LAZ+Ji3InbpGDmOPE/bU8lyqXaJbn6DWnPno+XrkRhSveVN1Twx7sqkbcEPRnMC089iTtNphTPJwNjeB2nRgqEsv4eSrHWB3o2wxs0rq4Xy5LnDhAbvH6hYmuLhwt5U4gDR72JTW65GuLGj5UrIv7xJVpK/O6ghp+JGCaJaP7EI2lQpztlkr7t1jpYXgANFw==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WeGZMVqOctvQlI9rdMdRF8ArzLA=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</saml:Assertion>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#timestamp">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>YLf+iJEV9ZI7QqX4gl8WWRyrJcY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WgXPtLNvWPal9becoTXQq+liku0=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
我用它在GetAndPublishCert它工作得很好(200 OK)。但是,當我將相同的故障單傳遞給身份驗證代理服務時,它會給我500內部服務器錯誤。
這裏是我的要求:
POST /Reach/sip.svc/AuthBroker HTTP/1.1
Host: lync.domain.com
Content-Type: text/xml
Content-Length: 5175
SOAPAction: "http://tempuri.org/IAuthBroker/CreateAuthBrokerSession"
User-Agent: Hypersoft
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soap:Header>
<wsa:Action>http://tempuri.org/IAuthBroker/CreateAuthBrokerSession</wsa:Action>
<wsa:MessageID>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</wsa:MessageID>
<wsa:To>https://lync.domain.com/Reach/sip.svc/AuthBroker</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
+ above WebTicket
</soap:Header>
<soap:Body>
<a:CreateAuthBrokerSession xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:a="http://tempuri.org/">
<a:supportedHashAlgorithms>
<string>SHA1</string>
<string>SHA256</string>
<string>SHA384</string>
<string>SHA512</string>
</a:supportedHashAlgorithms>
</a:CreateAuthBrokerSession>
</soap:Body>
</soap:Envelope>
這是我從服務器接收的內容:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 572
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
X-MS-Server-Fqdn: lync.domain.com
X-MS-Correlation-Id: 2147501677
client-request-id: 6801bbde-5331-4a0d-80d4-f490186e18a1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
Date: Thu, 12 May 2016 07:48:25 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<a:RelatesTo>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>
我是否需要身份驗證代理服務不同WebTicket?如何創建會話?