2016-05-12 58 views
1

Lync 2013 - CreateAuthBrokerSession does not accept the WebTicket

I am trying to build some basic functionality of a Lync/Skype client via SIP and HTTP communication. Our tool is written in C++. I have already finished the NTLM and Kerberos parts of the authentication, but I am running into serious problems implementing TLS-DSK authentication.

I used these documents:

MS-SIPAE

MS-OCAUTHWS

I wanted to make it work with my own TLS implementation (based on Windows SSPI), but I saw that there is a way to do this part using the web services, as written in section 1.3.3 of MS-OCAUTHWS. Before using the Authentication Broker Service, I need to access the Web Ticket Service to get a ticket. I have already received the web ticket and signed it.

Here is my web ticket:

<wsse:Security> 
    <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp"> 
     <Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T07:47:43.3671158Z</Created> 
     <Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T15:44:04.3671158Z</Expires> 
    </wsu:Timestamp> 
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7" Issuer="https://lync.domain.com:4443/108486a8-f2cf-5123-84f4-1ddecb41a6e9" IssueInstant="2016-05-12T07:47:43.368Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"> 
     <saml:Conditions NotBefore="2016-05-12T07:47:43.367Z" NotOnOrAfter="2016-05-12T15:44:04.367Z"> 
      <saml:AudienceRestrictionCondition> 
       <saml:Audience>https://lync.domain.com/</saml:Audience> 
      </saml:AudienceRestrictionCondition> 
     </saml:Conditions> 
     <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2016-05-12T07:47:43.368Z"> 
      <saml:Subject> 
       <saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:[email protected]</saml:NameIdentifier> 
       <saml:SubjectConfirmation> 
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod> 
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#"> 
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256" /> 
          <KeyInfo> 
           <KeyName>108486a8-f2cf-5123-84f4-1ddecb41a6e9:8d37a331603249e</KeyName> 
          </KeyInfo> 
          <e:CipherData> 
           <e:CipherValue>ZZ1P9UwMNA8yX3Z0l07rWUX1Cpuh+2HJYh2fjTWlhCBMpnIT3fEzog==</e:CipherValue> 
          </e:CipherData> 
         </e:EncryptedKey> 
        </KeyInfo> 
       </saml:SubjectConfirmation> 
      </saml:Subject> 
     </saml:AuthenticationStatement> 
     <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
      <SignedInfo> 
       <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
       <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
       <Reference URI="#SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7"> 
        <Transforms> 
         <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> 
         <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
        </Transforms> 
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> 
        <DigestValue>/2L09RaIuIcwF5sVHrs7jmG0sXuY0x3gOGZLnUu/ziw=</DigestValue> 
       </Reference> 
      </SignedInfo> 
      <SignatureValue>6VUfrCdK1VpXSSol1XkP2Ba/2rX6dz6o1NBEMT1LYsveYaAgoy/W16gPaJFb8TloqMZ8R+FE91opbSkSjbzwCNW+0q/SuJNYyk0j1tfdpk+URP1xpMq+P1wUVhoj++t9QAuL9ztY7YJ4IFm6nsDzq6LAZ+Ji3InbpGDmOPE/bU8lyqXaJbn6DWnPno+XrkRhSveVN1Twx7sqkbcEPRnMC089iTtNphTPJwNjeB2nRgqEsv4eSrHWB3o2wxs0rq4Xy5LnDhAbvH6hYmuLhwt5U4gDR72JTW65GuLGj5UrIv7xJVpK/O6ghp+JGCaJaP7EI2lQpztlkr7t1jpYXgANFw==</SignatureValue> 
      <KeyInfo> 
       <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WeGZMVqOctvQlI9rdMdRF8ArzLA=</o:KeyIdentifier> 
       </o:SecurityTokenReference> 
      </KeyInfo> 
     </Signature> 
    </saml:Assertion> 
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> 
     <SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> 
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/> 
      <Reference URI="#timestamp"> 
       <Transforms> 
        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> 
       </Transforms> 
       <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> 
       <DigestValue>YLf+iJEV9ZI7QqX4gl8WWRyrJcY=</DigestValue> 
      </Reference> 
     </SignedInfo> 
     <SignatureValue>WgXPtLNvWPal9becoTXQq+liku0=</SignatureValue> 
     <KeyInfo> 
      <wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"> 
       <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7</wsse:KeyIdentifier> 
      </wsse:SecurityTokenReference> 
     </KeyInfo> 
    </Signature> 
</wsse:Security> 

I use it in GetAndPublishCert and it works fine (200 OK). But when I pass the same ticket to the Authentication Broker Service, it gives me 500 Internal Server Error.

Here is my request:

POST /Reach/sip.svc/AuthBroker HTTP/1.1 
Host: lync.domain.com 
Content-Type: text/xml 
Content-Length: 5175 
SOAPAction: "http://tempuri.org/IAuthBroker/CreateAuthBrokerSession" 
User-Agent: Hypersoft 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> 
    <soap:Header> 
     <wsa:Action>http://tempuri.org/IAuthBroker/CreateAuthBrokerSession</wsa:Action> 
     <wsa:MessageID>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</wsa:MessageID> 
     <wsa:To>https://lync.domain.com/Reach/sip.svc/AuthBroker</wsa:To> 
     <wsa:ReplyTo> 
      <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address> 
     </wsa:ReplyTo> 

     + above WebTicket 

    </soap:Header> 
    <soap:Body> 
     <a:CreateAuthBrokerSession xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:a="http://tempuri.org/"> 
      <a:supportedHashAlgorithms> 
       <string>SHA1</string> 
       <string>SHA256</string> 
       <string>SHA384</string> 
       <string>SHA512</string> 
      </a:supportedHashAlgorithms> 
     </a:CreateAuthBrokerSession> 
    </soap:Body> 
</soap:Envelope> 

This is what I receive from the server:

HTTP/1.1 500 Internal Server Error 
Cache-Control: private 
Content-Length: 572 
Content-Type: text/xml; charset=utf-8 
Server: Microsoft-IIS/8.5 
X-MS-Server-Fqdn: lync.domain.com 
X-MS-Correlation-Id: 2147501677 
client-request-id: 6801bbde-5331-4a0d-80d4-f490186e18a1 
Strict-Transport-Security: max-age=31536000; includeSubDomains 
X-Content-Type-Options: nosniff 
X-Powered-By: ARR/2.5 
Date: Thu, 12 May 2016 07:48:25 GMT 

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing"> 
    <s:Header> 
     <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action> 
     <a:RelatesTo>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</a:RelatesTo> 
    </s:Header> 
    <s:Body> 
     <s:Fault> 
      <faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode> 
      <faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring> 
     </s:Fault> 
    </s:Body> 
</s:Envelope> 

Do I need a different WebTicket for the Authentication Broker Service? How do I create the session?

Answer

0

I found the reason I was getting error 500. AuthBroker does not need the WebTicket signature, so the part with "Signature" has to be removed. Also, in the header, the "ReplyTo" attribute has to be removed.

Now I get 200 OK for all broker activities.
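The following is an added example, not code from the question or the answer above, showing the XML surgery the answer describes applied to a CreateAuthBrokerSession request, plus a validity-window check on the ticket that is worth running before blaming the signature. It assumes (the answer does not say which of the two Signature elements it means) that the signature to drop is the client's HMAC signature over the wsu:Timestamp, the ds:Signature that is a direct child of wsse:Security, and that the issuer's enveloped signature inside saml:Assertion stays, since it is part of the token the server issued. The embedded request is a constructed, shortened copy of the one in the question with placeholder signature values; it is not real traffic. Only the Python standard library is used.

```python
"""
Added example (not from the original post): strip a CreateAuthBrokerSession
request the way the answer describes, and check the WebTicket's time window.

Assumption (not stated on the page): "the part with Signature" is taken to be
the client's signature over the timestamp (the ds:Signature that is a direct
child of wsse:Security); the issuer's signature inside saml:Assertion is kept.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed, abbreviated request modelled on the one in the question.
# Signature values are placeholders, not real data.
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soap:Header>
    <wsa:Action>http://tempuri.org/IAuthBroker/CreateAuthBrokerSession</wsa:Action>
    <wsa:MessageID>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</wsa:MessageID>
    <wsa:To>https://lync.domain.com/Reach/sip.svc/AuthBroker</wsa:To>
    <wsa:ReplyTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsa:ReplyTo>
    <wsse:Security>
      <wsu:Timestamp wsu:Id="timestamp">
        <wsu:Created>2016-05-12T07:47:43.3671158Z</wsu:Created>
        <wsu:Expires>2016-05-12T15:44:04.3671158Z</wsu:Expires>
      </wsu:Timestamp>
      <saml:Assertion MajorVersion="1" MinorVersion="1"
          AssertionID="SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7">
        <saml:Conditions NotBefore="2016-05-12T07:47:43.367Z" NotOnOrAfter="2016-05-12T15:44:04.367Z"/>
        <ds:Signature><ds:SignedInfo>
          <ds:Reference URI="#SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7"/>
        </ds:SignedInfo><ds:SignatureValue>ISSUER-SIGNATURE-PLACEHOLDER</ds:SignatureValue></ds:Signature>
      </saml:Assertion>
      <ds:Signature><ds:SignedInfo>
          <ds:Reference URI="#timestamp"/>
        </ds:SignedInfo><ds:SignatureValue>CLIENT-HMAC-PLACEHOLDER</ds:SignatureValue></ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <a:CreateAuthBrokerSession xmlns:a="http://tempuri.org/"
        xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
      <a:supportedHashAlgorithms><string>SHA256</string></a:supportedHashAlgorithms>
    </a:CreateAuthBrokerSession>
  </soap:Body>
</soap:Envelope>"""


def signature_targets(envelope_xml):
    """Reference URIs of every ds:Signature in the message, in document order."""
    root = ET.fromstring(envelope_xml)
    return [ref.get("URI") for ref in root.iter("{%s}Reference" % NS["ds"])]


def has_reply_to(envelope_xml):
    """True if the SOAP header still carries a wsa:ReplyTo element."""
    root = ET.fromstring(envelope_xml)
    return root.find("soap:Header/wsa:ReplyTo", NS) is not None


def strip_for_auth_broker(envelope_xml):
    """Apply the answer's fix: drop wsa:ReplyTo and the client's timestamp signature."""
    root = ET.fromstring(envelope_xml)
    header = root.find("soap:Header", NS)
    for reply_to in header.findall("wsa:ReplyTo", NS):
        header.remove(reply_to)
    security = header.find("wsse:Security", NS)
    # findall with a single step matches direct children only, so the issuer's
    # signature nested inside saml:Assertion is not touched.
    for sig in security.findall("ds:Signature", NS):
        security.remove(sig)
    return ET.tostring(root, encoding="unicode")


def _parse_utc(stamp):
    """Parse an ISO 8601 UTC stamp; Lync emits 7 fractional digits, which are dropped."""
    base = stamp.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def ticket_is_valid_at(envelope_xml, now_stamp):
    """True if now_stamp lies inside both the wsu:Timestamp window and the SAML Conditions."""
    now = _parse_utc(now_stamp)
    sec = ET.fromstring(envelope_xml).find("soap:Header/wsse:Security", NS)
    created = _parse_utc(sec.find("wsu:Timestamp/wsu:Created", NS).text)
    expires = _parse_utc(sec.find("wsu:Timestamp/wsu:Expires", NS).text)
    cond = sec.find("saml:Assertion/saml:Conditions", NS)
    not_before = _parse_utc(cond.get("NotBefore"))
    not_on_or_after = _parse_utc(cond.get("NotOnOrAfter"))
    return created <= now < expires and not_before <= now < not_on_or_after


if __name__ == "__main__":
    trimmed = strip_for_auth_broker(SAMPLE_REQUEST)
    print("signatures before:", signature_targets(SAMPLE_REQUEST))
    print("signatures after: ", signature_targets(trimmed))
    print("ReplyTo present after:", has_reply_to(trimmed))
    print("valid at 2016-05-12T07:48:25Z:", ticket_is_valid_at(trimmed, "2016-05-12T07:48:25Z"))
```

Run it as a script to see the before/after list of signature targets; `ticket_is_valid_at` is there because a ticket presented outside its Created/Expires window or its SAML Conditions is a separate reason to rule out before changing the message shape, and the timestamps in the question are all you need to check it.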