ADFS v2.0 错误:MSIS7042:同一客户端浏览器会话已创建“6”;最后“1”中的请求秒

发布于 2024-08-28 21:19:32 字数 968 浏览 9 评论 0原文

各位, 我有一个 ASP.NET MVC 应用程序,我正在尝试使用 ADFS v2.0(日内瓦)的候选发布版本来保护该应用程序的安全。我已将应用程序配置为依赖方信任,并使用 Fedutil.exe 修改应用程序的 Web.config,以便它具有有关Geneva 服务器的信息并使用Geneva 服务器作为其声明源。

但是,当我尝试点击 MVC 应用程序时,它会重定向到Geneva,然后(在警告我有关自签名证书的信息之后)再次将我重定向到 MVC 应用程序。接受两个自签名证书警告后,两台服务器在无限重定向循环中相互打乒乓球,直到最后Geneva发出以下消息:

相同的客户端浏览器会话在最后“1”秒内发出了“6”个请求。可能存在配置错误。请联系您的管理员了解详细信息。

除了包含上述消息的事件之外,MVC 端或Geneva 的事件日志中没有任何错误。如果有人能给我一些关于如何尝试和调试、诊断并希望解决这个问题的信息,我将永远感激不已。

同样,Geneva box 是 ADFS v2.0 候选版本,ASP.NET MVC 站点是使用最新(09 年末)版本的 Windows Identity Foundation SDK 构建的,并使用 WIF SDK 中的 FedUtil.exe 修改了 Web.config 。


所以你们都会从中得到乐趣...我在 Firefox 中尝试了同样的应用程序并且...它可以工作。系统会提示我输入域凭据,ADFS v2 服务器会重定向我一次,然后我最终会进入应用程序的主页,并显示我的帐户名和个性化问候语。 所以现在真正的问题是:为什么 IE8 会陷入无限重定向循环而 Firefox 却不会? 经过进一步的测试,我已经能够让这个场景开箱即用,无需修改 Safari 和 Firefox 上 ADFS v2 (RC) 或 WIF (RTW) 的任何默认管道内容。 IE8 是唯一在处理此身份验证场景时出现任何问题的浏览器。我已经尝试了一切,包括安装和信任自签名证书、将站点添加到我的本地 Intranet 区域、将安全性降低到较低水平,甚至将第一方和第三方 cookie 设置为始终允许。

Folks,
I've got an ASP.NET MVC application that I am attempting to secure using the Release Candidate version of ADFS v2.0 (Geneva). I have configured the application as a relying party trust, and I've used Fedutil.exe to modify the application's Web.config so that it has the information about the Geneva server and uses the Geneva server as its claims source.

However, when I try and hit the MVC app, it redirects to Geneva, which then (after warning me about self-signed certs) re-directs me to the MVC app again. After accepting both self-signed cert warnings, the two servers play ping-pong with each other in an infinite redirect loop until finally Geneva spews the following message:

The same client browser session has made '6' requests in the last '1' seconds. There could be a possible bad configuration. Contact your administrator for details.

There are no errors in the event logs on the MVC side or on Geneva except for an event containing the above message. If someone could give me some information on how to try and debug, diagnose, and hopefully fix this problem, I would be eternally grateful.

Again, the Geneva box is the ADFS v2.0 Release Candidate and the ASP.NET MVC site was built using the latest (late '09) version of the Windows Identity Foundation SDK with Web.config modified using FedUtil.exe from the WIF SDK.


So you will all get a kick out of this... I tried this same application from Firefox and ... IT WORKS. I get prompted for my domain credentials, the ADFS v2 server re-directs me ONCE and then I end up on the home page of my application, complete with my account name and personalized greeting.
So now the real issue is this: Why the hell is IE8 getting caught in an infinite redirect loop and Firefox ISN'T ??
After even further testing, I've been able to get this scenario working, out of the box, without modification of any of the default pipeline stuff from ADFS v2 (RC) or from WIF (RTW) on BOTH Safari AND Firefox. IE8 is the ONLY browser to exhibit any problem dealing with this authentication scenario. I've tried everything, including installing and trusting the self-signed certs, adding the sites to my local intranet zone and dropping security to low and even setting first AND third party cookies to always allow.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

情何以堪。 2024-09-04 21:19:32

我对 ADFS 1.0 也有同样的问题
为了解决这个问题,我确保 URL 后面有一个正斜杠“/”,它始终在 FireFox 和 IE 中工作,

例如: https://somedomain.com/Application_2/

I had the same issue with ADFS 1.0
And to resolve it, I made sure that the URL had a trailing forward slash "/" that would always work in FireFox as well as IE

eg : https://somedomain.com/Application_2/

辞慾 2024-09-04 21:19:32

事实证明,依赖方的主机名中有一个下划线(khoffman_2)。显然,下划线是非法的 DNS 字符,只有 IE 会拒绝包含下划线的信息。

我将我的计算机从 khoffman_2 重命名为 khoffman2,ADFS v2/MVC 依赖方组合在 Firefox、Safari 和 IE 上完美运行。

Turns out that the host name of the relying party had an underscore in it (khoffman_2). Apparently, the underscore is an illegal DNS character and ONLY IE will reject the information with the underscore in it.

I renamed my machine from khoffman_2 to khoffman2 and the ADFS v2/MVC relying party combination works flawlessly on Firefox, Safari, AND IE.

阳光①夏 2024-09-04 21:19:32

虽然这不是您的问题,但我们遇到了与您所描述的相同的问题。我们的解决方案是:

  1. 在 IIS 中启用基本身份验证(这没有解决任何问题,但接下来的 2 个步骤是必需的)
  2. 在 IIS 中禁用 Windows 身份验证(这解决了某些 IE 浏览器的问题,但不是全部)
  3. 在 IIS 中禁用匿名访问(这解决了其余 IE 浏览器的问题)

While this isn't your problem, we have had identical problems to what you described. Our solution was to:

  1. Enabled Basic Authentication in IIS (this solved nothing but was required for the next 2 steps)
  2. Disable Windows Authentication in IIS (this solved the problem for some IE browsers but not all)
  3. Disable Anonymous Access in IIS (this solved the problem for the rest of the IE browsers)
淡墨 2024-09-04 21:19:32

贾西迪安的答案很接近。

就我而言,我只需要:

  • Windows 身份验证 ->已禁用

  • 匿名身份验证 ->已启用

  • ASP.NET 模拟 ->禁用

  • 表单验证 ->已禁用

  • Windows 身份验证 ->已禁用

Jaxidian's answer is close.

In my case I only had to:

  • Windows Authentication -> Disabled

  • Anonymous Auth -> Enabled

  • ASP.NET Impersonation -> Disabled

  • Forms Auth -> Disabled

  • Windows Auth -> Disabled

反话 2024-09-04 21:19:32

当用户无权访问页面时,可能会发生此循环。

我们的 MVC 控制器上有一个自定义授权属性,如果配置文件中的 UseADFS 设置为 true,则该属性会根据提供的声明检查用户是否处于某个角色中。我认为此设置设置为 true,但令人困惑的是,我在访问该页面时不断收到 adfs 循环,因为我位于有权访问该页面的组中。

故障排除的关键是制作一个显示我的 adfs 声明的网页,而无需进行身份验证。

@if (User.Identity.IsAuthenticated)
{
    <div>UserName: @User.Identity.Name;</div>

    var claimsIdentity = User.Identity as System.Security.Claims.ClaimsIdentity;
    <table>
        @foreach (var claim in claimsIdentity.Claims)
        {
        <tr><td>@claim.Type</td><td>@claim.Value</td></tr>
        }
    </table>


}

我注意到我正在登录 ADFS,并且我的声明已设置,因此 ADFS 正在运行。实际问题是我的配置文件有 UserADFS="true" 而不是 UseADFS="true" 这基本上导致我的自定义授权代码在授权时返回 false。因此,该页面不断将我转发回 adfs 以再次进行身份验证。

无论如何,如果用户没有正确的声明来访问该页面,那么也可能会发生此 adfs 登录循环。

另外,如果您编写了自定义授权属性,请务必查看以下链接,其中描述了如何防止循环。

通过 ADFS 声明使用 .Net MVC 授权属性重定向循环

来自该链接的 AuthorizeAttribute 的自定义 HandleUnauthorizedRequest 处理程序代码:

 protected override void HandleUnauthorizedRequest System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            //One Strategy:
            //filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);

            //Another Strategy:
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new
                    {
                        controller = "u",
                        action = "LoginStatus",
                        errorMessage = "Error occurred during authorization or you do not have sufficient priviliges to view this page."
                    })
                );
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }

This loop can occur when a user is not authorized to access a page.

We had a custom authorization attribute on our MVC controller that checks to see if the user was in a role based on the claims provided if the setting for UseADFS was true in the config files. I thought this setting was set to true and was confounded that I kept getting the adfs loop when accessing the page because I was in the groups that were authorized to access the page.

The key to troubleshooting was to make a web page that displayed my adfs claims without necessarily requiring authentication.

@if (User.Identity.IsAuthenticated)
{
    <div>UserName: @User.Identity.Name;</div>

    var claimsIdentity = User.Identity as System.Security.Claims.ClaimsIdentity;
    <table>
        @foreach (var claim in claimsIdentity.Claims)
        {
        <tr><td>@claim.Type</td><td>@claim.Value</td></tr>
        }
    </table>


}

I noticed that I was getting logged into ADFS, and my claims were getting set, so ADFS was working. The actual issue was my config file had UserADFS="true" instead of UseADFS="true" which basically caused my custom authorization code to return false on authorization. Therefore, the page kept forwarding me back to adfs to authenticate again.

Anyways, if a user does not have the correct claims to access the page, then this adfs login loop can occur, as well.

Also, if you wrote a custom authorize attribute be sure to check out the following link which describes how to prevent the loop.

Redirect loop with .Net MVC Authorize attribute with ADFS Claims

Custom HandleUnauthorizedRequest handler code for AuthorizeAttribute from that link:

 protected override void HandleUnauthorizedRequest System.Web.Mvc.AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.Request.IsAuthenticated)
        {
            //One Strategy:
            //filterContext.Result = new System.Web.Mvc.HttpStatusCodeResult((int)System.Net.HttpStatusCode.Forbidden);

            //Another Strategy:
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary(
                    new
                    {
                        controller = "u",
                        action = "LoginStatus",
                        errorMessage = "Error occurred during authorization or you do not have sufficient priviliges to view this page."
                    })
                );
        }
        else
        {
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文