
SSPI negotiation failed WSTrustChannelFactory

This one has had me stuck for a while now. I am trying to build a console app that can call a .NET web/WCF service (the SP); the first leg is to get a token from the IdP (ADFS 4.0). The pasted code was working fine for a whole day; at some point it stopped working with the following error:

SOAP security negotiation with 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' for target 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' failed. See inner exception for more details.

The inner error is:

The Security Support Provider Interface (SSPI) negotiation failed.
NativeErrorCode: 0x80090350 -> SEC_E_DOWNGRADE_DETECTED

I have tried /13/windows and /windowstransport as well as the endpoint.

using System;
using System.IdentityModel.Tokens;                 // GenericXmlSecurityToken
using System.ServiceModel;                         // EndpointAddress, EndpointIdentity, SecurityMode
using System.ServiceModel.Security;                // TrustVersion
using Microsoft.IdentityModel.Protocols.WSTrust;   // WSTrustChannelFactory, RequestSecurityToken, RequestTypes, KeyTypes (WIF 3.5)
using Thinktecture.IdentityModel.WSTrust;          // WindowsWSTrustBinding (assumed: this binding is not part of WIF itself)

// endpoint_address is the relying party (SP) URL the token should apply to;
// it was not declared in the original snippet, so it is taken as a parameter here.
private static GenericXmlSecurityToken RequestSecurityToken(string endpoint_address)
{
    // set up the ws-trust channel factory:
    // TLS on the transport, Windows (SSPI/Kerberos) credentials in the message,
    // and the SPN identity the client expects the ADFS service to present
    var factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(
        new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
        new EndpointAddress(
            new Uri("https://adfs.domain.in/adfs/services/trust/13/windowsmixed"),
            EndpointIdentity.CreateSpnIdentity("adfs@domain.in")));
    factory.TrustVersion = TrustVersion.WSTrust13;

    // issue request for a bearer token scoped to the relying party
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        KeyType = KeyTypes.Bearer,
        AppliesTo = new System.ServiceModel.EndpointAddress(endpoint_address)
    };

    // request token and return (null if the STS returned a different token type)
    return factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
}

In my case, for some reason, ADFS was available over VPN but the AD-based authentication bits are not happening over VPN. That's why SEC_E_DOWNGRADE_DETECTED is coming. In a regular non-VPN environment things are good.

Also, another observation is that once a SAML token is generated over a regular enterprise network, subsequent calls to generate the SAML token go through as expected even on VPN.

So, if you see this error, just check if the network you are in is part of the domain (and not a public or private network), for SSPI negotiation.
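As an added diagnostic that is not part of the original question or answer, the following PowerShell function checks the preconditions the answer points to before the WS-Trust call is attempted: whether an active network profile is domain-authenticated, whether a domain controller can be located over the current link, whether the machine's secure channel to the domain is healthy, whether the ADFS host answers on TCP 443, and how many Kerberos tickets are already cached. The host and domain names are the placeholders from the question; all cmdlets and tools used are standard Windows components (Test-ComputerSecureChannel needs an elevated prompt).

```powershell
# Added diagnostic (not from the original post). Placeholders: $AdfsHost and
# $Domain are the names used in the question; replace them with your own.
function Test-SspiPreconditions {
    param(
        [string]$AdfsHost = 'adfs.domain.in',   # placeholder from the question
        [string]$Domain   = 'domain.in'         # placeholder from the question
    )

    $result = [ordered]@{}

    # 1. Is any active network profile domain-authenticated? On a Public/Private
    #    profile the client has no path to a DC for Kerberos, SSPI tries a weaker
    #    mechanism, and ADFS rejects that as a downgrade (SEC_E_DOWNGRADE_DETECTED).
    $profiles = Get-NetConnectionProfile
    $result.DomainAuthenticated = [bool]($profiles |
        Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' })
    $result.Profiles = ($profiles |
        ForEach-Object { "$($_.InterfaceAlias)=$($_.NetworkCategory)/$($_.DomainAuthenticationKind)" }) -join '; '

    # 2. Can a domain controller be located over the current link (VPN or not)?
    $dcOutput = (nltest /dsgetdc:$Domain 2>$null) | Out-String
    $result.DcLocated = $dcOutput -match 'DC:'

    # 3. Is the machine account's secure channel to the domain healthy?
    #    (requires elevation; reports $false rather than throwing when it is not)
    $result.SecureChannel = [bool](Test-ComputerSecureChannel -ErrorAction SilentlyContinue)

    # 4. Is the ADFS endpoint reachable on 443 at all? This separates "no TLS path
    #    to ADFS" from "ADFS reachable but no Kerberos", which is the answer's case.
    $tcp = Test-NetConnection -ComputerName $AdfsHost -Port 443 -WarningAction SilentlyContinue
    $result.AdfsTcp443 = [bool]$tcp.TcpTestSucceeded

    # 5. Cached Kerberos tickets. A non-zero count while on VPN is consistent with
    #    the observation that a second token request succeeds after the first
    #    one was made on the enterprise network.
    $klist = (klist 2>$null) | Out-String
    $result.KerberosTicketCount = if ($klist -match 'Cached Tickets: \((\d+)\)') { [int]$Matches[1] } else { 0 }

    # Overall verdict: SSPI/Kerberos negotiation with ADFS can only be expected
    # to work when the profile is domain-authenticated and a DC is reachable.
    $result.SspiLikelyToWork = $result.DomainAuthenticated -and $result.DcLocated -and $result.AdfsTcp443

    [pscustomobject]$result
}

# Usage: run once on the enterprise network and once on VPN and compare.
Test-SspiPreconditions | Format-List
```

If `DomainAuthenticated` is `$false` and `DcLocated` is `$false` while `AdfsTcp443` is `$true`, the output matches the situation described in the answer: the STS is reachable but the Windows authentication path behind it is not, so the fix is on the network/VPN side (split tunnel, DNS, or firewall rules for DC traffic), not in the WS-Trust client code.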
