我的网站实现了基于AD FS的认证。现在我需要通过客户端以编程方式访问我的网站。我的客户端应该使用当前登录的用户上下文从ADFS服务器请求安全令牌。我已经能够成功地使用客户端的用户名和密码从adfs/services/trust/13/usernamemixed
端点请求安全令牌,并将其发布到我的网站。
不适合我的是使用DefaultNetworkCredentials
从adfs/services/trust/13/windowsmixed
端点请求相同的令牌。我得到错误The HTTP request was forbidden with client authentication scheme 'Anonymous'.
。我正在使用Microsoft.IdentityModel
SDK(而不是。net 4.5中的System.IdentityModel
)。
这是我的一段代码。
factory = new MSWSTrustChannelFactory(
new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
stsUrl);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointAddress(realm),
KeyType = KeyTypes.Bearer,
RequestDisplayToken = true
};
MSIWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityTokenResponse rstr;
SecurityToken token = channel.Issue(rst, out rstr);
我对ADFS服务器没有任何控制,也无法从那里调试出什么问题。无论我能做什么,都只能从客户端着手。任何想法是什么是错的,我的代码上面?如有任何帮助或指点,不胜感激。
我认为您需要将消息安全的establishSecurityContext设置为FALSE
binding.Security.Message.EstablishSecurityContext = false;
下面的代码为我工作。
WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
binding.Security.Message.EstablishSecurityContext = false;
binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
if (isWindowsUser)
{
binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/windowsmixed");
}
else
{
binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/usernamemixed");
}
factory = new WSTrustChannelFactory(binding, ep);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
var rst = new RequestSecurityToken
{
RequestType = RequestTypes.Issue,
AppliesTo = new EndpointReference("urn:adfsmonitor"),
KeyType = KeyTypes.Bearer,
};
IWSTrustChannelContract channel = factory.CreateChannel();
GenericXmlSecurityToken genericToken = channel.Issue(rst)
as GenericXmlSecurityToken;
return genericToken.TokenXml.InnerXml.ToString();