SSPI negotiation failed WSTrustChannelFactory
This one has had me stuck for a while now. I am trying to build a console app that can call a .NET web/WCF service SP; the first leg is to get a token from the IdP (ADFS 4.0). The pasted code was working fine for a whole day, then at some point it stopped working with the following error:
SOAP security negotiation with 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' for target 'https://adfs.domain.in/adfs/services/trust/13/windowsmixed' failed. See inner exception for more details.
The inner error is:
The Security Support Provider Interface (SSPI) negotiation failed.
NativeErrorCode: 0x80090350 -> SEC_E_DOWNGRADE_DETECTED
I have tried /13/windows and /windowstransport as well as the endpoint.
    using System;
    using System.IdentityModel.Tokens;
    using System.ServiceModel;
    using System.ServiceModel.Security;
    using Microsoft.IdentityModel.Protocols.WSTrust;
    using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

    // endpoint_address is the relying party (SP) URL; it is defined elsewhere in the program.
    private static GenericXmlSecurityToken RequestSecurityToken()
    {
        // set up the ws-trust channel factory: Windows (SSPI) credentials inside a TLS transport,
        // with the ADFS service account SPN as the expected server identity
        var factory = new Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory(
            new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
            new EndpointAddress(
                new Uri("https://adfs.domain.in/adfs/services/trust/13/windowsmixed"),
                EndpointIdentity.CreateSpnIdentity("adfs@domain.in")));
        factory.TrustVersion = TrustVersion.WSTrust13;

        // bearer token scoped to the relying party
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new System.ServiceModel.EndpointAddress(endpoint_address)
        };

        // request token and return
        return factory.CreateChannel().Issue(rst) as GenericXmlSecurityToken;
    }
In my case, for some reason, the ADFS was available over VPN but the AD-based authentication bits are not happening over VPN. That's why SEC_E_DOWNGRADE_DETECTED is coming up. In a regular non-VPN environment things are good.
Also, another observation is that once a SAML token is generated over a regular enterprise network, subsequent calls to generate the SAML token go through as expected even on VPN.
So, if you see this error, just check whether the network you are in is part of the domain (and not a public or private network), for SSPI negotiation.
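The answer says the error appears when the client cannot reach the domain for SSPI negotiation. The following diagnostic helper, added here as an example and not code from the question or the answer, wraps the token request above, pulls the native SSPI status code out of the exception chain, and, when it is 0x80090350 (SEC_E_DOWNGRADE_DETECTED), reports whether the machine can currently find a domain controller for its own domain. The class and method names (SspiDiagnostics, FindNativeErrorCode, DescribeDomainReachability, IssueWithDiagnostics) are assumptions; it assumes .NET Framework with a reference to System.DirectoryServices and C# 7 or later.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices.ActiveDirectory;
using System.IdentityModel.Tokens;
using System.ServiceModel.Security;

// Hypothetical diagnostic helper added for illustration; not part of the original post.
public static class SspiDiagnostics
{
    // SSPI status behind the negotiation failure above: 0x80090350 as a signed HRESULT.
    public const int SEC_E_DOWNGRADE_DETECTED = unchecked((int)0x80090350);

    // Walk the exception chain and return the first native SSPI status found.
    // WCF surfaces SSPI failures as SecurityNegotiationException -> Win32Exception.
    public static int? FindNativeErrorCode(Exception ex)
    {
        for (var e = ex; e != null; e = e.InnerException)
        {
            if (e is Win32Exception w32)
                return w32.NativeErrorCode;
        }
        return null;
    }

    public static bool IsDowngradeDetected(Exception ex)
        => FindNativeErrorCode(ex) == SEC_E_DOWNGRADE_DETECTED;

    // Report whether this machine can currently locate a domain controller for its
    // own domain. Without one, Kerberos for the ADFS SPN cannot be obtained, which is
    // the VPN situation the answer describes.
    public static string DescribeDomainReachability()
    {
        try
        {
            Domain domain = Domain.GetComputerDomain();
            DomainController dc = domain.FindDomainController();
            return $"domain '{domain.Name}' reachable through DC '{dc.Name}'";
        }
        catch (ActiveDirectoryObjectNotFoundException e)
        {
            return "no domain controller found: " + e.Message;
        }
        catch (ActiveDirectoryOperationException e)
        {
            return "domain lookup failed: " + e.Message;
        }
        catch (Exception e)
        {
            return "domain lookup error: " + e.GetType().Name + ": " + e.Message;
        }
    }

    // Run the caller's token request; on the downgrade error, write out what to check
    // (as the answer suggests) and rethrow the original exception unchanged.
    public static GenericXmlSecurityToken IssueWithDiagnostics(
        Func<GenericXmlSecurityToken> issue, string expectedSpn)
    {
        try
        {
            return issue();
        }
        catch (SecurityNegotiationException ex) when (IsDowngradeDetected(ex))
        {
            Console.Error.WriteLine("SSPI negotiation failed: SEC_E_DOWNGRADE_DETECTED (0x80090350).");
            Console.Error.WriteLine("  Windows reports: the system could not contact the server that authenticated you.");
            Console.Error.WriteLine("  Expected server identity (SPN): " + expectedSpn);
            Console.Error.WriteLine("  Domain reachability: " + DescribeDomainReachability());
            Console.Error.WriteLine("  Check that the current network is the domain network (not public/private)");
            Console.Error.WriteLine("  and that a domain controller is reachable over the VPN before retrying.");
            throw;
        }
    }
}
```

With the question's method in scope, the call is `SspiDiagnostics.IssueWithDiagnostics(RequestSecurityToken, "adfs@domain.in")`. The helper deliberately rethrows rather than retrying or relaxing the binding: a downgrade detection is the client refusing weaker authentication, and the fix the answer gives is to restore domain connectivity, not to bypass the check.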