尝试发出安全令牌请求时出现 SecurityNegotiationException
我尝试向我的 STS 发出问题请求,但不断收到以下异常:
System.ServiceModel.Security.SecurityNegotiationException' occurred in mscorlib.dll but was not handled in user code
Additional information: Could not establish secure channel for SSL/TLS with authority 'service-location-url-here'.
以下代码在模拟我自己的用户帐户运行的 asp.net 网站中运行。 STS 服务需要相互身份验证,因此我需要通过安全令牌请求发送证书。服务器日志抱怨消息中没有附加证书,因此中止操作。
我这里哪里失败了?
public class StsRequestWrapper
{
public System.IdentityModel.Tokens.SecurityToken RequestSecurityToken()
{
IgnoreCertificateValidation();
StsRequestUtil util = new StsRequestUtil();
var certificate = util.GetLocalCertificate();
var securityTokenElement = util.BuildSampleSecurityTokenElement();
var trustChannelFactory = GetTrustChannelFactory(certificate);
try
{
RequestSecurityToken rst = CreateSecurityTokenObject(securityTokenElement);
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityTokenResponse rstr = null;
return channel.Issue(rst, out rstr);
}
finally
{
trustChannelFactory.Close();
}
}
private RequestSecurityToken CreateSecurityTokenObject(SecurityTokenElement securityToken)
{
RequestSecurityToken rst = new RequestSecurityToken()
{
AppliesTo = new EndpointAddress(new Uri(STS_CONSTANTS.APPLIES_TO_URL)),
ActAs = securityToken,
RequestType = RequestTypes.Issue,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
};
var requestClaim = new RequestClaim(STS_CONSTANTS.REQUEST_CLAIM_TYPE, false, STS_CONSTANTS.REQUEST_CLAIM_VALUE);
rst.Claims.Dialect = STS_CONSTANTS.CLAIMS_DIALECT;
rst.Claims.Add(requestClaim);
return rst;
}
private WSTrustChannelFactory GetTrustChannelFactory(X509Certificate2 localhostCertificate)
{
WS2007HttpBinding binding = new WS2007HttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri(STS_CONSTANTS.STS_URL)));
trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
trustChannelFactory.Credentials.ClientCertificate.Certificate = localhostCertificate;
trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
trustChannelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
return trustChannelFactory;
}
private static void IgnoreCertificateValidation()
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
}
}
I am getting trying to make an Issue request to my STS and I keep getting the following exception:
System.ServiceModel.Security.SecurityNegotiationException' occurred in mscorlib.dll but was not handled in user code
Additional information: Could not establish secure channel for SSL/TLS with authority 'service-location-url-here'.
The following code is running in an asp.net website that is running impersonating my own user account. The STS service requires mutual authentication, therefore I need to send a certificate with my security token request. The server logs are complaining that no certificate is attached to the message, therefore aborting the operation.
Where am I failing here?
public class StsRequestWrapper
{
public System.IdentityModel.Tokens.SecurityToken RequestSecurityToken()
{
IgnoreCertificateValidation();
StsRequestUtil util = new StsRequestUtil();
var certificate = util.GetLocalCertificate();
var securityTokenElement = util.BuildSampleSecurityTokenElement();
var trustChannelFactory = GetTrustChannelFactory(certificate);
try
{
RequestSecurityToken rst = CreateSecurityTokenObject(securityTokenElement);
WSTrustChannel channel = (WSTrustChannel)trustChannelFactory.CreateChannel();
RequestSecurityTokenResponse rstr = null;
return channel.Issue(rst, out rstr);
}
finally
{
trustChannelFactory.Close();
}
}
private RequestSecurityToken CreateSecurityTokenObject(SecurityTokenElement securityToken)
{
RequestSecurityToken rst = new RequestSecurityToken()
{
AppliesTo = new EndpointAddress(new Uri(STS_CONSTANTS.APPLIES_TO_URL)),
ActAs = securityToken,
RequestType = RequestTypes.Issue,
Lifetime = new Lifetime(DateTime.UtcNow, DateTime.UtcNow.AddMinutes(5)),
};
var requestClaim = new RequestClaim(STS_CONSTANTS.REQUEST_CLAIM_TYPE, false, STS_CONSTANTS.REQUEST_CLAIM_VALUE);
rst.Claims.Dialect = STS_CONSTANTS.CLAIMS_DIALECT;
rst.Claims.Add(requestClaim);
return rst;
}
private WSTrustChannelFactory GetTrustChannelFactory(X509Certificate2 localhostCertificate)
{
WS2007HttpBinding binding = new WS2007HttpBinding();
binding.Security.Mode = SecurityMode.Transport;
binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
var trustChannelFactory = new WSTrustChannelFactory(binding, new EndpointAddress(new Uri(STS_CONSTANTS.STS_URL)));
trustChannelFactory.TrustVersion = TrustVersion.WSTrust13;
trustChannelFactory.Credentials.ClientCertificate.Certificate = localhostCertificate;
trustChannelFactory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
trustChannelFactory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;
return trustChannelFactory;
}
private static void IgnoreCertificateValidation()
{
System.Net.ServicePointManager.ServerCertificateValidationCallback = ((sender, certificate, chain, sslPolicyErrors) => true);
}
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
事实证明,我需要使用CertificateWSTrustBinding 而不是WS2007HttpBinding。
It turns out that I need to use CertificateWSTrustBinding instead of WS2007HttpBinding.