1. 首頁
  2. 問答
  3. 在服務器/應用程序之間共享IClaimsPrincipal/FedAuth Cookie ID1006

在服務器/應用程序之間共享IClaimsPrincipal/FedAuth Cookie ID1006

2012-11-30 113 views
3

我有一個ASP.NET應用程序使用Azure ACS(和間接ADFS)進行身份驗證 - 這一切都正常。現在我被要求將SessionToken傳遞給另一個後端服務,在那裏它可以被驗證並且提取索賠。 [長篇故事,而不是我的選擇]在服務器/應用程序之間共享IClaimsPrincipal/FedAuth Cookie ID1006

我在解密方面有問題,我確信我錯過了一些基本的東西。

要設置階段中,在解密的錯誤是:

ID1006: The format of the data is incorrect. The encryption key length is negative: '-724221793'. The cookie may have been truncated.

的ASP.NET網站使用RSA包裹ALA:

void WSFederationAuthenticationModule_OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e) 
    { 
     string thumbprint = "BDE74A3EB573297C7EE79EB980B0727D73987B0D"; 

     X509Certificate2 certificate = GetCertificate(thumbprint); 

     List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
     { 
      new DeflateCookieTransform(), 
      new RsaEncryptionCookieTransform(certificate), 
      new RsaSignatureCookieTransform(certificate) 
     }); 

     SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 
     e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler); 
    }

(指紋是由添加了相同的值。FedUtil在web.config中

我寫的令牌:

if (Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.TryReadSessionTokenFromCookie(out token)) 
{ 
    Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler th = new Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler(); 
    byte[] results = th.WriteToken(token); 
...

這給了我:

<?xml version="1.0" encoding="utf-8"?> 
<SecurityContextToken p1:Id="_53382b9e-8c4b-490e-bfd5-de2e8c0f25fe-94C8D2D9079647B013081356972DE275" 
        xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
        xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"> 
<Identifier>urn:uuid:54bd1bd7-1110-462b-847e-7f49c1043b32</Identifier> 
<Instance>urn:uuid:0462b7d7-717e-4ce2-b942-b0d6a968355b</Instance> 
<Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">AQAAANCMnd blah blah 1048 bytes total 
</Cookie> 
</SecurityContextToken>

,並與另一盒同一個證書(並作爲只是爲了測試一個文件的讀取令牌),我有:

public static void Attempt2(FileStream fileIn, X509Certificate2 certificate, out SecurityToken theToken) 
    { 
     List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
     { 
      new DeflateCookieTransform(), 
      new RsaSignatureCookieTransform(certificate), 
      new RsaEncryptionCookieTransform(certificate) 
     }); 

     SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 

     // setup 
     SecurityTokenResolver resolver; 
     { 
      var token = new X509SecurityToken(certificate); 

      var tokens = new List<SecurityToken>() { token }; 

      resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); 
     } 

     sessionHandler.Configuration = new SecurityTokenHandlerConfiguration(); 
     sessionHandler.Configuration.IssuerTokenResolver = resolver; 

     using (var reader = XmlReader.Create(fileIn)) 
     { 
      theToken = sessionHandler.ReadToken(reader); 
     } 

    }

,然後ReadToken拋出的

ID1006: The format of the data is incorrect. The encryption key length is negative: '-724221793'. The cookie may have been truncated.

一個出現FormatException在這一點上,我不知道我的總體思路是有缺陷的,或者如果我只是錯過了衆所周知的「一個利ne「修復了這一切。

哦,我在網站(.NET 4.0)中使用VS2010 SP1,並且我在解碼端嘗試了VS2010SP1 .NET 4.0和VS2012 .NET 4.5。

謝謝!

來源

2012-11-30 James

+0

是ü能解決這個問題? – user3311522

+0

我正在嘗試相同的事情。你是如何解決它的? – Ivanhoe

回答

0

您的後端服務的應用程序池帳戶是否具有讀取證書的權限?如果沒有爲後端服務的應用程序池帳戶授予對證書的讀取訪問權限。正因爲如此,我在加密/解密方面遇到了問題。

來源

2013-05-22 01:57:34 nickytonline

0

這也許會有幫助,這會變成你的FedAuth餅乾到像一個可讀的XML字符串:

<?xml version="1.0" encoding="utf-8"?> 
<SecurityContextToken p1:Id="_548a372e-1111-4df8-b610-1f9f618a5687-953155F0C35B4862A5BCE4D5D0C5ADF0" xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"> 
    <Identifier>urn:uuid:c9f9b733-1111-4b01-8af3-23c8af3e19a6</Identifier> 
    <Instance>urn:uuid:ee955207-1111-4498-afa3-4b184e97d0be</Instance> 
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">long_string==</Cookie> 
</SecurityContextToken>

代碼:

private string FedAuthToXmlString(string fedAuthCombinedString) 
{ 
    // fedAuthCombinedString is from FedAuth + FedAuth1 cookies: just combine the strings 

    byte[] authBytes = Convert.FromBase64String(fedAuthCombinedString); 
    string decodedString = Encoding.UTF8.GetString(authBytes); 

    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); 
    store.Open(OpenFlags.ReadOnly); 
    var thumbprint = "CERT_THUMBPRINT"; // from config 

    var cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false)[0]; 

    var sessionTransforms = new List<System.IdentityModel.CookieTransform>(new System.IdentityModel.CookieTransform[] 
    { 
     new System.IdentityModel.DeflateCookieTransform(), 
     new System.IdentityModel.RsaSignatureCookieTransform(cert), 
     new System.IdentityModel.RsaEncryptionCookieTransform(cert) 
    }); 

    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 

    SecurityTokenResolver resolver; 
    { 
     var token = new X509SecurityToken(cert); 
     var tokens = new List<SecurityToken>() { token }; 
     resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); 
    } 

    sessionHandler.Configuration = new SecurityTokenHandlerConfiguration(); 
    sessionHandler.Configuration.IssuerTokenResolver = resolver; 

    var i = 0; // clear out invalid leading xml 
    while ((int)decodedString[i] != 60 && i < decodedString.Length - 1) i++; // while the first character is not < 

    store.Close(); 

    return decodedString.Substring(i); 
}

來源

2017-06-29 18:58:08 naspinski

相關問題

 相關問題