通过网络浏览器(IE或Chrome)使用ADFS登录应用程序时遇到问题。我想使用 ADFS SAML 自动透明地登录用户(当前登录的用户),而无需输入这些标识符。
所以我有 2 台运行 Windows 2016 服务器的服务器: - 第一个 Serv1:具有活动目录的域控制器 - 第二个 Serv2:ADFS 服务器 (4.0),它加入了控制器 Serv1
当我尝试访问我的应用程序时,我遇到以下错误:
发生错误。有关详细信息,请与管理员联系
活动 ID: 00000000-0000-0000-d000-0080000000fa 信赖方: preprod.xxxxxxxxx.com - DMS 错误时间:2019 年 6 月 10 日星期一 13:27:07 GMT Cookie:已启用 用户代理字符串:Mozilla/5.0 (Windows NT 10.0; 赢64;x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.80 野生动物园/537.36
我们可以在 ADFS 服务器上的 ADFS 事件日志中看到以下内容:
联合被动请求期间遇到错误。
其他数据
协议名称:萨姆尔
信赖方: https://preprod.xxxxxxxxx.com:443/auth/saml/metadata/alias/dms
异常详情: Microsoft.身份服务器.身份验证失败异常: MSIS3111: 非 AD FS 不支持域用户。--->System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111:AD FS 不支持非域用户。 在 Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal 传入校长)在 Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback 回调, 对象状态)在 Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback 回调, 对象状态)在 Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken 请求,IList
1& identityClaimSet, List1 个附加索赔) 在 Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList1& identityClaimCollection) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList1& identityClaimCollection) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri&replyTo, IList'1& identityClaimCollection) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken&ssoSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext 上下文)在 Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext 上下文)System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111:AD FS 不支持非域用户。 在 Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal 传入校长)在 Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback 回调, 对象状态)在 Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback 回调, 对象状态)在 Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken 请求,IList
1& identityClaimSet, List1 附加索赔)在 Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList'1& identityClaimCollection)
在另一台机器上,我有这个错误:
https://srv-adfs.ppppppppp.local/adfs/ls/wia?SAMLRequest=jZJBb4JAEIXv%2FRVk77CAaHQjGFtjamJTIthDb8OyIhV26c5i%2BvOLotFeTJO57GTmm5f3djr7qSvrKDSWSobEc1xiCclVXsoiJNt0aY%2FJLHqaItSV37B5a%2FZyI75bgcaaIwptur0XJbGthU6EPpZcbDfrkOyNaZBR2mjRaJU7SuW6PAqHq5oFwYBCR6InKk2SdwpVCUjzGom16NClBHPWc6WgPtrZobEh36GTAT%2B0TaFV2zjIeU1PXVohJdZSaS7OIkOygwoFsVaLkMA%2By3aDcTH0vvKxnweBPxZ8UnDu8WGWdTMYA2In77aF2IqVRAPShMR3vYntjmzPTb2AdeX7zmjgfRIr1soorqrnUvaWtVoyBVgik1ALZIazZP62Zr7jsqwfQvaaprEdvycpsT6u1vsn67swJLLe7Mes5nKYRH027KxY3xMeA%2BCaHon%2Bn1UtDORg4BbYlN6fjy7Pvz8l%2BgU%3D&RelayState=%7C%7Cbackup-webclient&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=SxWuSQC3I77BXcfCxR%2Bicp1ES%2FgrQDZdx8W8XPxC51JRmNeVxfXI%2BDWgCV8bMrTl%2BYc8I6VZPJxDVPPzTQEZihQaXl0ib2Q268OiNwU1bN9pDL6EpuMM9nCxuEQEdtW58M%2F%2Bjs07j1Rp40VD8AVbvQrpv67AgXXdLWGrSSvZHPwrHLy8fhpSDmg57F8g1zD5%2BMpijrx%2F4n5e8MIK6fBUDPWfAaWCjXgHoo%2B7PFr%2Fp8w5MMa9ZPLDg7yQrMGSQ3on1UxpM091Uu85S%2ByI0aYDHmgZk%2BmGwBUblDWleenUwyAMjopZ3TJx4%2Feng2uBD8%2FbLfWUmbitMMMdsLbIOEb%2Bng%3D%3D&client-request-id=00000000-0000-0000-1201-0080000000dc
HTTP 400 错误请求 找不到网页
你对这个问题有想法吗? 谢谢
我通过将 SPN(服务主体名称)设置为 ADFS 服务帐户解决了这个问题 HTTP/FQDN