2012-09-26 56 views
0

Implementing WIF ActAs scenario: Identity check failed for outgoing message

So I'm trying to consume a WCF service from a website and pass the IClaimsIdentity that the site obtained from the STS on to that service.

When I try to call a method on the service through the ActAs channel, I get the following error on the client (looking at the trace logs, it never reaches the service, and the STS sends all the tokens through correctly):

Identity check failed for outgoing message. The expected identity is 'identity(http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint)' for the 'http://localhost/MyWCFHost/MyService.svc' target endpoint.

I have a custom IssuedTokenForCertificate binding, all the certificates are fine as far as I can see, and it should work, but no dice. I would appreciate another pair of eyes looking over my config and helping out:

Consuming website config:

<system.serviceModel>
  <bindings>
    <customBinding>
      <binding name="CustomBinding_IMyService">
        <security defaultAlgorithmSuite="Default" authenticationMode="IssuedTokenForCertificate"
                  requireDerivedKeys="true" includeTimestamp="true" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
                  requireSignatureConfirmation="true">
          <issuedTokenParameters tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <additionalRequestParameters>
              <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
              </trust:SecondaryParameters>
            </additionalRequestParameters>
            <issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc"
                    binding="ws2007HttpBinding" bindingConfiguration="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
            </issuer>
            <issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
          </issuedTokenParameters>
          <localClientSettings detectReplays="true" />
          <localServiceSettings detectReplays="true" />
        </security>
        <textMessageEncoding />
        <httpTransport />
      </binding>
    </customBinding>
    <ws2007HttpBinding>
      <binding name="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc">
        <security>
          <message establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost/MyWCFHost/MyService.svc" binding="customBinding"
              bindingConfiguration="CustomBinding_IMyService" contract="MyService.IMyService"
              name="CustomBinding_IMyService">
      <identity>
        <!--<certificate encodedValue="[base64 certificate omitted]" />-->
        <certificateReference findValue="57620B95FCE5F4D2071221AFD6B5024A2B6AF08D" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

WCF service config:

<system.serviceModel>
  <diagnostics>
    <messageLogging logMalformedMessages="true" logMessagesAtTransportLevel="true" />
  </diagnostics>
  <services>
    <service name="RPWCFApp.MyService" behaviorConfiguration="MyServiceBehaviour">
      <endpoint address="" binding="customBinding" bindingConfiguration="CustomBindingConfiguration_IssuedTokenOverTransport" contract="RPWCFApp.IMyService" />
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="MyServiceBehaviour">
        <federatedServiceHostConfiguration />
        <serviceMetadata httpGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="false" />
        <serviceCredentials>
          <serviceCertificate findValue="81A5DB3796F48B00FAC37CE67D7D8CA43078B996" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  <extensions>
    <behaviorExtensions>
      <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    </behaviorExtensions>
  </extensions>

  <bindings>
    <customBinding>
      <binding name="CustomBindingConfiguration_IssuedTokenOverTransport">
        <security authenticationMode="IssuedTokenForCertificate" messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
          <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
            <issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc" binding="ws2007HttpBinding" bindingConfiguration="IssuedTokenBinding" />
            <issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex" />
          </issuedTokenParameters>
        </security>
        <textMessageEncoding />
        <httpTransport />
      </binding>
    </customBinding>
    <ws2007HttpBinding>
      <binding name="IssuedTokenBinding">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Windows" establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
</system.serviceModel>

Answer

0

Sorted out my problem by changing the binding in the service config to ws2007FederationHttpBinding instead of CustomBinding and updating my service reference on the client.

<bindings>
  <ws2007FederationHttpBinding>
    <binding name="serviceBinding" receiveTimeout="05:00:00" sendTimeout="05:00:00">
      <security mode="Message">
        <message>
          <issuerMetadata address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc/mex"/>
        </message>
      </security>
    </binding>
  </ws2007FederationHttpBinding>
</bindings>

Then, because I'm using self-signed certificates, I had to change the certificateValidationMode with the following endpoint behavior in the client config:

<behaviors>
  <endpointBehaviors>
    <behavior name="MyServiceBehavior">
      <clientCredentials>
        <serviceCertificate>
          <authentication certificateValidationMode="PeerOrChainTrust"/>
        </serviceCertificate>
      </clientCredentials>
    </behavior>
  </endpointBehaviors>
</behaviors>

Finally I had to make sure my certificates were in the Trusted People store, and at last I got the correct IClaimsIdentity on the service call :)

Hope this helps someone out there, as it drove me nuts for a while...
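A small configuration consistency check for the client and service fragments in the question and the endpoint behaviour in the answer. This is an added example, not code from the original question or answer. It parses trimmed copies of the posted fragments (constructed here; the base64 certificate is omitted) and checks the settings that the "Identity check failed for outgoing message" error and the later certificate-validation change depend on: the thumbprint the client names in `<endpoint><identity>` against the thumbprint of the certificate the service presents in `<serviceCredentials><serviceCertificate>`, the STS issuer address on both sides, and the `certificateValidationMode` the client applies to the service certificate. With the values as posted, the client's identity thumbprint (57620B95…) and the service certificate thumbprint (81A5DB37…) differ, which is the condition the endpoint identity check enforces, so the check reports it; the function names, severities and the `ChainTrust` default used when no `authentication` element is present are this example's own assumptions.

```python
"""Consistency checks over the WCF client/service config fragments posted above.

Added example (not part of the original post). Parses trimmed copies of the
posted <system.serviceModel> fragments and reports settings that make the
client's endpoint identity check or service certificate validation fail or
become weak. Severities and helper names are this example's own choices.
"""
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the client config from the question (only the
# elements the checks read; thumbprint is the one posted).
CLIENT_CONFIG = """
<system.serviceModel>
  <bindings><customBinding><binding name="CustomBinding_IMyService">
    <security authenticationMode="IssuedTokenForCertificate"><issuedTokenParameters>
      <issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc" />
    </issuedTokenParameters></security>
  </binding></customBinding></bindings>
  <client>
    <endpoint address="http://localhost/MyWCFHost/MyService.svc" binding="customBinding"
              bindingConfiguration="CustomBinding_IMyService" contract="MyService.IMyService">
      <identity>
        <certificateReference findValue="57620B95FCE5F4D2071221AFD6B5024A2B6AF08D"
                              storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>"""

# Constructed, trimmed copy of the service config from the question.
SERVICE_CONFIG = """
<system.serviceModel>
  <behaviors><serviceBehaviors><behavior name="MyServiceBehaviour"><serviceCredentials>
    <serviceCertificate findValue="81A5DB3796F48B00FAC37CE67D7D8CA43078B996"
                        storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />
  </serviceCredentials></behavior></serviceBehaviors></behaviors>
  <bindings><customBinding><binding name="CustomBindingConfiguration_IssuedTokenOverTransport">
    <security authenticationMode="IssuedTokenForCertificate"><issuedTokenParameters keyType="SymmetricKey">
      <issuer address="http://localhost/MyCompany.SecurityTokenService/ActAsIssuer.svc" />
    </issuedTokenParameters></security>
  </binding></customBinding></bindings>
</system.serviceModel>"""

# Constructed copy of the client endpoint behaviour from the answer.
CLIENT_BEHAVIORS = """
<behaviors><endpointBehaviors><behavior name="MyServiceBehavior"><clientCredentials>
  <serviceCertificate><authentication certificateValidationMode="PeerOrChainTrust"/></serviceCertificate>
</clientCredentials></behavior></endpointBehaviors></behaviors>"""


def normalize_thumbprint(value):
    """Thumbprints pasted from certmgr often carry spaces or invisible characters; keep hex only, upper-case."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def thumbprint(config_xml, path):
    """Normalized thumbprint of the FindByThumbprint certificate element at `path`, or None."""
    el = ET.fromstring(config_xml.strip()).find(path)
    if el is None or el.get("x509FindType") != "FindByThumbprint":
        return None
    return normalize_thumbprint(el.get("findValue", ""))


def issuer_addresses(config_xml):
    """Set of STS issuer addresses named in the config (from every <issuer> element)."""
    return {el.get("address") for el in ET.fromstring(config_xml.strip()).iter("issuer")}


def validation_mode(behaviors_xml):
    """certificateValidationMode applied to the service certificate; WCF defaults to ChainTrust."""
    auth = ET.fromstring(behaviors_xml.strip()).find(".//clientCredentials/serviceCertificate/authentication")
    return auth.get("certificateValidationMode", "ChainTrust") if auth is not None else "ChainTrust"


def check_configs(client_xml, service_xml, behaviors_xml):
    """Return (severity, message) findings; an empty list means the three fragments agree."""
    findings = []
    expected = thumbprint(client_xml, ".//client/endpoint/identity/certificateReference")
    actual = thumbprint(service_xml, ".//serviceCredentials/serviceCertificate")
    if expected and actual and expected != actual:
        # The client only accepts a service certificate whose thumbprint matches its <identity>.
        findings.append(("error", f"client expects endpoint identity {expected} but the service presents {actual}"))
    if issuer_addresses(client_xml) != issuer_addresses(service_xml):
        findings.append(("error", "client and service name different STS issuer addresses"))
    mode = validation_mode(behaviors_xml)
    if mode == "None":
        findings.append(("error", "certificateValidationMode=None disables service certificate validation"))
    elif mode in ("PeerTrust", "PeerOrChainTrust"):
        findings.append(("info", f"{mode}: self-signed certificates pass only if placed in Trusted People; prefer ChainTrust in production"))
    return findings


if __name__ == "__main__":
    for severity, message in check_configs(CLIENT_CONFIG, SERVICE_CONFIG, CLIENT_BEHAVIORS):
        print(f"[{severity}] {message}")
```

Run it against real `web.config` files by reading the `<system.serviceModel>` element of each into the three string arguments; the thumbprint comparison is the first thing to confirm whenever the outgoing identity check fails, since the client-side identity and the service's serviceCredentials are edited in different files and drift easily.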

+0

Could you please share the service config and client config here..... like you did in your question –

+0

@anilpurswani Unfortunately, the project this relates to was finished and delivered long ago, and I no longer have access to the code. –