asp.net – 使用Windows凭据和.ne??t 4.5 WIF的RequestSecurityT
任何人都可以指向使用Thread.CurrentPrincipal的NT凭证作为ClaimsPrincipal主动发出RequestSecurityToken的示例代码吗?
该场景是一个启用了Windows身份验证的asp.net Web应用程序(因此有一个经过身份验证的WindowsIdentity).我的愿望是主动调用STS而不是启用passiveRedirect,并使用.Net 4.5身份库执行此操作. 大多数代码示例(例如Claims Helper for Windows Phone或Using an Active STS)使用username / pwd输入和UserNameWSTrustBinding设置凭据. 我认为该解决方案可能涉及模拟或使用从Windows标识创建的标记调用channelFactory.CreateChannelWithActAsToken(). – 当访问/ adfs / services / trust / 13 / windowsmixed端点时,以下.Net4.5代码确实获得了GenericXmlSecurityToken. public static void CallSts() { try { var wsMod = FederatedAuthentication.WSFederationAuthenticationModule; var appliesToEp = new EndpointReference(wsMod.Realm); var stsEp = new EndpointAddress(new Uri(wsMod.Issuer),EndpointIdentity.CreateSpnIdentity("stsSpn")); var msgBinding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential,false); msgBinding.Security.Message.EstablishSecurityContext = false; msgBinding.Security.Message.ClientCredentialType = MessageCredentialType.Windows; using(var factory = new WSTrustChannelFactory(msgBinding,stsEp)) { factory.Credentials.SupportInteractive = false; factory.TrustVersion = TrustVersion.WSTrust13; var myRst = new RequestSecurityToken { RequestType = RequestTypes.Issue,AppliesTo = appliesToEp,KeyType = KeyTypes.Bearer,}; var channel = factory.CreateChannel(); var stsToken = channel.Issue(myRst) as GenericXmlSecurityToken; if(stsToken != null) { Log.DebugFormat("Reply Token is {0}",stsToken.GetType().Name); var handlers = FederatedAuthentication.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers; var token = handlers.ReadToken(new XmlTextReader(new StringReader(stsToken.TokenXml.OuterXml))); var identity = handlers.ValidateToken(token).First(); //TODO write to session } else { Log.Debug("Reply Token is null."); } } } catch(Exception ex) { Log.Error("Rst.Call has failed",ex); } } 对于@leastprivilege建议,我添加以下代码: var user = Thread.CurrentPrincipal as ClaimsPrincipal; var winId = user.Identity as WindowsIdentity; if(winId != null) { // shows my domain account after I was prompted for credentials; // my domain account does not exist on the client machine,so it is a true domain credential Log.DebugFormat("WindowsIdentity Name is {0}",winId.Name); } using(winId.Impersonate()) { // again,shows my domain account Log.DebugFormat("Impersonation Context {0}",WindowsIdentity.GetCurrent(true).Name); var channel = factory.CreateChannel(); var stsToken = channel.Issue(myRst) as GenericXmlSecurityToken; // request is issued,but results in SecurityNegotiationException: The caller was not authenticated by the service. } 哪个失败,“调用者未通过服务进行身份验证”.相同的STS将在被动重定向场景中验证我的域帐户…所以尽管我知道我做错了什么,但应该识别帐户本身. 更新: 我收到一条通知,告知此问题收到了大量意见,因此我将提供以下一个解决方法: msgBinding.Security.Message.NegotiateServiceCredential = true; 到上面的ChannelBinding配置. 解决方法
嗯 – 这实际上并非无足轻重.您需要为此进行Kerberos模拟和委派.
首先是模仿.您需要在从Thread.CurrentPrincipal获得的WindowsIdentity上调用Impersonate(). 您可以通过调用WindowsIdentity.GetCurrent来确保您正在冒充.此标识必须指向客户端(而不是服务器标识). 然后在冒充时你需要发出WS-Trust请求.默认情况下,这很可能是不允许的.因此,网络管理员需要为STS配置服务器标识的委派. (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |
- asp.net – 如何将服务器时间转换为本地时间
- asp.net-mvc – 使旧会话Cookie无效 – ASP.Net标识
- ASP.Net 3.5 / 4.0 CodeBehind还是CodeFile?
- asp.net-mvc-3 – 使用Ninject获取对象的实例
- 如何使用ASP.NET Core将图像保存到数据库?
- asp.net – web.config urlmapping
- asp.net-mvc – 在MVC3中使用两个可选参数的路由不起作用
- 在我的应用程序中托管ASP.NET
- asp.net – 在不安装的情况下部署Expression Encoder SDK
- asp.net – 当主机名中有下划线时,表单身份验证无法识别为在
- asp.net-mvc – MVC @ Url.Content vs @ Url.Act
- asp.net – 在网页上播放mp3文件
- asp.net-core – asp.net核心自定义模型绑定器,仅
- asp.net – 访问.NET中的Web服务中的查询字符串(
- asp.net 3.5升级到4.0 IIS6 ReturnURL问题
- asp.net-membership – 在另一个站点中实现Umbra
- 如何在asp.net母版页中插入javascript [复制]
- asp.net – ExecuteScalar抛出NullReferenceExce
- asp.net-mvc – 在ASP.NET MVC中检测中止的请求
- 如何将组名应用于asp.net中的HTML单选按钮?