My web site implements AD FS based authentication. Now I need to programmatically access my web site through a client. My client should request the security token from the ADFS server using the currently logged-on user's context. I have been able to successfully request the security token from the adfs/services/trust/13/usernamemixed endpoint using a username and password from the client and post it to my website.

What is not working for me is requesting the same token from the adfs/services/trust/13/windowsmixed endpoint using DefaultNetworkCredentials. I get the error "The HTTP request was forbidden with client authentication scheme 'Anonymous'." I am using the Microsoft.IdentityModel SDK (instead of System.IdentityModel in .NET 4.5).
Here's a snippet of my code.
using System.IdentityModel.Tokens;                 // SecurityToken
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;                // TrustVersion
using Microsoft.IdentityModel.Protocols.WSTrust;   // WIF 3.5 SDK: RequestSecurityToken, RequestTypes, KeyTypes
// Aliases assumed to be what the MS* names below stand for; they keep the WIF 3.5 types apart from .NET 4.5's System.IdentityModel
using MSWSTrustChannelFactory = Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannelFactory;
using MSIWSTrustChannelContract = Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustChannelContract;

// Placeholder STS endpoint and relying-party identifier
var stsUrl = new EndpointAddress("https://adfs.example.com/adfs/services/trust/13/windowsmixed");
string realm = "https://app.example.com/";

var factory = new MSWSTrustChannelFactory(
    new Microsoft.IdentityModel.Protocols.WSTrust.Bindings.WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential),
    stsUrl);
factory.TrustVersion = TrustVersion.WSTrust13;
factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;   // currently logged-on user

var rst = new RequestSecurityToken
{
    RequestType = RequestTypes.Issue,
    AppliesTo = new EndpointAddress(realm),
    KeyType = KeyTypes.Bearer,
    RequestDisplayToken = true
};

MSIWSTrustChannelContract channel = factory.CreateChannel();
RequestSecurityTokenResponse rstr;
SecurityToken token = channel.Issue(rst, out rstr);   // fails here with "...client authentication scheme 'Anonymous'"
I don't have any control over the ADFS server and can't debug what is going wrong from there. Whatever I can do is only from the client end. Any idea what is going wrong with my code above? Any help or pointers are greatly appreciated.
I think you need to set EstablishSecurityContext of the message security to false:
binding.Security.Message.EstablishSecurityContext = false;
The following code works for me.
using System.IdentityModel.Protocols.WSTrust;   // .NET 4.5: WSTrustChannelFactory, RequestSecurityToken, EndpointReference
using System.IdentityModel.Tokens;              // GenericXmlSecurityToken
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;             // TrustVersion

static string GetTokenXml(bool isWindowsUser)
{
    // TransportWithMessageCredential: TLS protects the channel, the credential travels in the SOAP security header
    WS2007HttpBinding binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
    // No WS-SecureConversation session: each RST carries the credential directly, which is what ADFS expects
    binding.Security.Message.EstablishSecurityContext = false;
    binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;

    EndpointAddress ep;
    if (isWindowsUser)
    {
        // Current user's Kerberos/NTLM identity in the message -> windowsmixed endpoint
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/windowsmixed");
    }
    else
    {
        // Explicit username/password in the message -> usernamemixed endpoint
        // (this branch also needs factory.Credentials.UserName.UserName/Password to be set)
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        ep = new EndpointAddress("https://abc.com/adfs/services/trust/13/usernamemixed");
    }

    WSTrustChannelFactory factory = new WSTrustChannelFactory(binding, ep);
    factory.TrustVersion = TrustVersion.WSTrust13;
    factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointReference("urn:adfsmonitor"),
        KeyType = KeyTypes.Bearer,
    };

    IWSTrustChannelContract channel = factory.CreateChannel();
    GenericXmlSecurityToken genericToken = channel.Issue(rst) as GenericXmlSecurityToken;
    return genericToken.TokenXml.InnerXml;
}
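A fuller version of the approach in the answer above, as an added example that is not code from the original post or from the answerer. It builds the binding the way the answer describes (EstablishSecurityContext off, no transport credential, Windows or UserName message credential), selects windowsmixed or usernamemixed by credential type, refuses a non-HTTPS STS because the message credential is protected only by TLS, checks the returned token's validity window, and serializes the whole RSTR for a WS-Federation sign-in POST. It goes beyond the answer in two places: it sets the username/password credentials for the usernamemixed branch, and it keeps the full RequestSecurityTokenResponse rather than only the token XML. The host names and realm are placeholders, and that the relying party consumes wresult as an RSTR in a wa=wsignin1.0 form POST is my assumption about the site, not something the thread states.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

// Added example, not code from the original post. Host names and the realm are placeholders.
public static class AdfsTokenClient
{
    // Asks ADFS for a bearer token scoped to `realm`. With userName == null the call runs as the
    // currently logged-on Windows user against windowsmixed; otherwise the supplied password is
    // sent to usernamemixed. The full RSTR comes back through `rstr`.
    public static GenericXmlSecurityToken RequestBearerToken(
        string adfsHost, string realm, string userName, string password,
        out RequestSecurityTokenResponse rstr)
    {
        bool useWindows = userName == null;
        var stsUrl = new Uri("https://" + adfsHost + (useWindows
            ? "/adfs/services/trust/13/windowsmixed"
            : "/adfs/services/trust/13/usernamemixed"));
        // The message credential (Kerberos/NTLM token or clear-text password) is protected only by
        // TLS: insist on https and leave certificate validation alone (no always-true
        // ServerCertificateValidationCallback), otherwise the STS can be impersonated.
        if (stsUrl.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("ADFS endpoint must be https", "adfsHost");

        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.EstablishSecurityContext = false;   // no WS-SecureConversation handshake
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        binding.Security.Message.ClientCredentialType = useWindows
            ? MessageCredentialType.Windows
            : MessageCredentialType.UserName;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsUrl));
        factory.TrustVersion = TrustVersion.WSTrust13;
        if (useWindows)
            factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials;
        else
        {
            factory.Credentials.UserName.UserName = userName;
            factory.Credentials.UserName.Password = password;
        }

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(realm),   // relying-party identifier registered in ADFS
            KeyType = KeyTypes.Bearer
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        try
        {
            var token = channel.Issue(rst, out rstr) as GenericXmlSecurityToken;
            if (token == null)
                throw new SecurityTokenException("ADFS did not return an XML security token");
            if (token.ValidTo < DateTime.UtcNow)
                throw new SecurityTokenExpiredException("token already expired; check clock skew");
            comm.Close();
            return token;
        }
        catch
        {
            comm.Abort();   // a faulted channel must be aborted, not closed
            throw;
        }
    }

    // A WS-Federation relying party (e.g. WIF's WSFederationAuthenticationModule) parses wresult as a
    // RequestSecurityTokenResponse, so serialize the whole RSTR rather than posting token.TokenXml alone.
    public static string SerializeForWsFed(RequestSecurityTokenResponse rstr)
    {
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
        {
            new WSTrust13ResponseSerializer().WriteXml(rstr, writer, new WSTrustSerializationContext());
        }
        return sb.ToString();
    }

    public static void Main()
    {
        RequestSecurityTokenResponse rstr;
        var token = RequestBearerToken("adfs.example.com", "https://app.example.com/", null, null, out rstr);
        Console.WriteLine("token valid until {0:u}", token.ValidTo);
        // Assumed: the site's sign-in endpoint takes this as wresult in a wa=wsignin1.0 form POST
        string wresult = SerializeForWsFed(rstr);
        Console.WriteLine("wresult length: {0}", wresult.Length);
    }
}
```

Run it as the domain user whose context should be used; DefaultNetworkCredentials then carries that user's Kerberos (or NTLM) identity in the SOAP security header, which is why the transport credential type stays None. If the usernamemixed branch is used instead, the password travels inside the message and is only as safe as the TLS connection to the STS, so the https check and untouched certificate validation are not optional.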