2012-04-18 87 views
1

I have the following scenario: ADFS 2.0, used to request tokens across different Active Directories.

Active Directory 1: WCF client, ADFS 2.0 (STS)

Active Directory 2: WCF service (relying party)

I have added the RP to ADFS, but when I request a token from ADFS I get the following error: System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.

Looking in the ADFS event log I found the matching error:

An error occurred during an attempt to build the certificate chain for the relying party trust 'http://XXXXX/Service1/' certificate identified by thumbprint 'XXXXXXXXXXXX'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.

You can use Windows PowerShell commands for AD FS 2.0 to configure the revocation settings for the relying party encryption certificate. Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot The following errors occurred while building the certificate chain: Unknown error. Unknown error.

User Action: Ensure that the relying party trust's encryption certificate is valid and has not been revoked. Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).

It looks like ADFS does not trust the RP's signing certificate (understandable, since the CA that issued the signing certificate belongs to a different AD). The certificate revocation list is reachable from both Active Directories.

I have already added the CA certificate to the Trusted Root Certification Authorities store of "Local Computer", but I think the problem lies in the validation mechanism.

What do I have to configure so that ADFS issues tokens signed with the correct certificate, or how do I convince ADFS that the certificate is valid?

Edit:

I tried to change the revocation check with the PowerShell command:

Set-ADFSRelyingPartyTrust -SigningCertificateRevocationCheck CheckEndCert 

but no luck: Set-ADFSRelyingPartyTrust : Parameter set cannot be resolved using the specified named parameters.

At line:1 char:26 
+ Set-ADFSRelyingPartyTrust <<<< -SigningCertificateRevocationCheck CheckEndCert 
    + CategoryInfo   : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust], ParameterBindingException 
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.IdentityServer.PowerShell.Commands.SetRelyingPartyTrustCommand 

Edit 2: this works:

(Get-ADFSRelyingPartyTrust) | Set-ADFSRelyingPartyTrust -EncryptionCertificateRevocationCheck CheckEndCert 

but now the client in Active Directory 1 complains about the certificate...

System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'http://XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Service1/' for target 'http://XXXXXXXXXXXXXXXXX/Service1/' failed. See inner exception for more details. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=RP-Service chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain could not be built to a trusted root authority.

Answers

0

I ran into the same error. What helped was using

Set-ADFSRelyingPartyTrust -EncryptionCertificateRevocationCheck None 

But that only disables the check on the RP side. Since we are talking about federation, the same thing happens on the federation server, so you have to do it there as well. Anyway, it only changed the error I get - I still cannot federate ATM.

+0

That is what I wrote in Edit 2. You can also try setting the check to CheckEndCert. – flayn 2012-08-16 08:00:24

0

The command that worked for me is this:

Set-ADFSRelyingPartyTrust -TargetName <relyingpartytrustName> -EncryptionCertificateRevocationCheck None 

We had already installed the signing and encryption certificates (the self-signed certificates generated by ADFS) everywhere several times, including on the server hosting the WCF service.

1

Maybe you should try adding your RP-Service certificate to the Trusted People store on the machine where the WCF client runs. That is what I did when testing WCF calls under ADFS federation with self-signed certificates.
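The two fixes that run through this thread (relaxing the relying party trust's revocation check on the AD FS server, and trusting the RP certificate directly on the WCF client) as one added PowerShell example. This is the editor's illustration, not code from the question or from any of the answers; the trust name 'Service1' and the path C:\certs\RP-Service.cer are assumptions, and Test-RpCertificateChain and Add-TrustedPeopleCertificate are hypothetical helpers built on the .NET X509Chain and X509Store classes. Step 2 reproduces the chain build AD FS logs as "Unknown error" so the actual reason (untrusted root, unreachable CRL, expired certificate) becomes readable before any setting is relaxed; step 3 also shows why the first attempt in the question failed: Set-ADFSRelyingPartyTrust needs a target (-TargetName, -TargetIdentifier, or a trust object on the pipeline) to pick a parameter set.

```powershell
# Added example (editor's illustration, not code from the original post).
# Assumed names: a relying party trust named 'Service1' and its public encryption
# certificate exported to C:\certs\RP-Service.cer. Run steps 1-3 on the AD FS 2.0
# server and step 4 on the machine that hosts the WCF client.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Inspect what the trust currently demands (the event log showed CheckChainExcludeRoot).
Get-ADFSRelyingPartyTrust -Name 'Service1' |
    Select-Object Name, Identifier, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck

# 2. Rebuild the chain the way AD FS does, so "Unknown error" turns into a readable ChainStatus.
function Test-RpCertificateChain {
    param(
        [Parameter(Mandatory = $true)] [string] $CerPath,
        [ValidateSet('None', 'CheckEndCert', 'CheckChain', 'CheckChainExcludeRoot')]
        [string] $Mode = 'CheckChainExcludeRoot'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Map the AD FS revocation setting onto the .NET chain policy.
    switch ($Mode) {
        'None'                  { $chain.ChainPolicy.RevocationMode = 'NoCheck' }
        'CheckEndCert'          { $chain.ChainPolicy.RevocationMode = 'Online'
                                  $chain.ChainPolicy.RevocationFlag = 'EndCertificateOnly' }
        'CheckChain'            { $chain.ChainPolicy.RevocationMode = 'Online'
                                  $chain.ChainPolicy.RevocationFlag = 'EntireChain' }
        'CheckChainExcludeRoot' { $chain.ChainPolicy.RevocationMode = 'Online'
                                  $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot' }
    }
    $valid = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        ChainValid = $valid
        # Each ChainStatus entry names the failing check, e.g. UntrustedRoot, RevocationStatusUnknown, NotTimeValid.
        Status     = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Path       = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}
Test-RpCertificateChain -CerPath 'C:\certs\RP-Service.cer' -Mode CheckChainExcludeRoot

# 3. Relax the check only once step 2 has told you why it fails. Without a target
#    PowerShell cannot resolve a parameter set (the AmbiguousParameterSet error in the question).
Set-ADFSRelyingPartyTrust -TargetName 'Service1' -EncryptionCertificateRevocationCheck CheckEndCert

# 4. On the WCF client, trust the RP certificate directly (peer trust) instead of chaining
#    to a CA from the other forest: put it into LocalMachine\TrustedPeople.
function Add-TrustedPeopleCertificate {
    param([Parameter(Mandatory = $true)] [string] $CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPeople', 'LocalMachine'
    $store.Open('ReadWrite')
    try     { $store.Add($cert) }
    finally { $store.Close() }
    $cert.Thumbprint
}
Add-TrustedPeopleCertificate -CerPath 'C:\certs\RP-Service.cer'
```

Two caveats a practitioner would want. First, the order matters: CheckEndCert still validates the chain and the end certificate's CRL, CheckEndCertCacheOnly and CheckChainCacheOnly avoid network fetches, and None switches revocation checking off for that trust entirely, so None is the last resort rather than the first thing to try. Second, the client-side exception in Edit 2 ("A certificate chain could not be built to a trusted root authority") comes from the WCF client's own chain validation, which is governed by the certificateValidationMode attribute on the serviceCertificate/authentication element in the client configuration; PeerTrust with the certificate in Trusted People (the last answer) and ChainTrust with the issuing CA in the client's Trusted Root store are the two ways to satisfy it, and relaxing the AD FS trust does nothing for the client.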
