ADFS 2.0 response: "The private key does not support the exchange KeySpec"
We ran into the following problem.
We have a claims-aware ASP.NET site and an ADFS server configured for this site.
So we start the web application, authentication is redirected to the ADFS server and back to the site, and as a result we get a server error page at our site's URL:
System.NotSupportedException: The private key does not support the exchange KeySpec.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[NotSupportedException: The private key does not support the exchange KeySpec.]
System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData) +237615
System.IdentityModel.Selectors.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key) +378
Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader) +253
Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +105
Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas) +282
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +312
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +1099462
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
The Windows event log shows that at the same time we received the warning below, which, as I would expect, corresponds exactly to the error on the server error page:
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 3/23/2011 2:05:50 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: machine-name
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/23/2011 2:05:50 PM
Event time (UTC): 3/23/2011 2:05:50 PM
Event ID: 356af0be20744d15bba97111f6bbd475
Event sequence: 7
Event occurrence: 6
Event detail code: 0
Application information:
Application domain: /appl-domain/ClaimsAwareWebAppWithManagedSTS-1-129453622903756000
Trust level: Full
Application Virtual Path: /ClaimsAwareWebAppWithManagedSTS
Application Path: C:\tools\AdvantageSso\Using Managed STS\ClaimsAwareWebAppWithManagedSTS\
Machine name: machine-name
Process information:
Process ID: 3840
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: NotSupportedException
Exception message: The private key does not support the exchange KeySpec.
Request information:
Request URL: https://app-url/ClaimsAwareWebAppWithManagedSTS/default.aspx
Request path: /ClaimsAwareWebAppWithManagedSTS/default.aspx
User host address: host-name
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 10
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.IdentityModel.Tokens.X509AsymmetricSecurityKey.DecryptKey(String algorithm, Byte[] keyData)
at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
at Microsoft.IdentityModel.Tokens.EncryptedSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
The part with the empty User and Is authenticated: False is very confusing... does it mean that we were not authenticated by ADFS, or does it just show the current state of the requested site?
Unfortunately I am not a senior expert in this area, and I have been struggling with this for a week.
Can anyone help me solve this problem?
Many thanks.
What seems to happen here is that your Relying Party Trust in AD FS is configured to encrypt its tokens using (the public part of) some certificate. It does that, and your web application tries to decrypt them using the private key of that same certificate.
However, the certificate needs to support 'key exchange', and from your error message it looks like yours doesn't. I have no idea where you got your certificate from, but if you're creating it programmatically through Windows COM using IX509Enrollment, then you need to set the KeySpec for the IX509PrivateKey to XCN_AT_KEYEXCHANGE.
A different thing you need to get right is to make sure the certificate supports 'document signing'. For that, make sure the IX509ExtensionEnhancedKeyUsage contains XCN_OID_KP_DOCUMENT_SIGNING (1.3.6.1.4.1.311.10.3.12).
Also, the COM class names behind the above COM interfaces are documented on the IX509EnrollmentWebClassFactory::CreateObject page.
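As an added example, not code from the answer above or from the original post: the following PowerShell script drives the CertEnroll COM classes the answer points to (X509Enrollment.CX509PrivateKey, CX509ExtensionEnhancedKeyUsage, CX509CertificateRequestCertificate, CX509Enrollment) to create a self-signed token-encryption certificate whose private key has KeySpec = XCN_AT_KEYEXCHANGE and whose EKU contains Document Signing, installs it into LocalMachine\My and writes out the public .cer to load into the Relying Party Trust's Encryption tab. The subject name, friendly name and output path are placeholders; it must run elevated because it creates a machine-context key.

```powershell
# Added example (not from the post or the answers). Placeholders: subject, friendly name, output path.
$SubjectName   = 'CN=ClaimsAwareWebApp token encryption'
$FriendlyName  = 'WIF token encryption (AT_KEYEXCHANGE key)'
$PublicCerPath = 'C:\temp\token-encryption.cer'

# CertEnroll enumeration values used below (from certenroll.h)
$XCN_AT_KEYEXCHANGE            = 1   # X509KeySpec: exchange key, can decrypt (AT_SIGNATURE = 2 cannot)
$XCN_NCRYPT_ALLOW_EXPORT_FLAG  = 1   # X509PrivateKeyExportFlags
$ContextMachine                = 2   # X509CertificateEnrollmentContext
$XCN_CRYPT_STRING_BASE64       = 1   # EncodingType
$AllowUntrustedCertificate     = 2   # InstallResponseRestrictionFlags (self-signed, no chain)
$XCN_CERT_NAME_STR_NONE        = 0
$XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1 # ObjectIdGroupId for InitializeFromAlgorithmName
$XCN_OID_KP_DOCUMENT_SIGNING   = '1.3.6.1.4.1.311.10.3.12'

# 1. Private key: legacy CAPI CSP (WIF on .NET 3.5/4.0 only opens CAPI keys) with the exchange KeySpec
$key = New-Object -ComObject X509Enrollment.CX509PrivateKey
$key.ProviderName   = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
$key.KeySpec        = $XCN_AT_KEYEXCHANGE
$key.Length         = 2048
$key.MachineContext = $true                        # key goes into the machine store, so the app pool can use it
$key.ExportPolicy   = $XCN_NCRYPT_ALLOW_EXPORT_FLAG # so the .pfx can be moved to another web front end
$key.Create()

# 2. Enhanced Key Usage containing Document Signing
$oid = New-Object -ComObject X509Enrollment.CObjectId
$oid.InitializeFromValue($XCN_OID_KP_DOCUMENT_SIGNING)
$oids = New-Object -ComObject X509Enrollment.CObjectIds
$oids.Add($oid)
$eku = New-Object -ComObject X509Enrollment.CX509ExtensionEnhancedKeyUsage
$eku.InitializeEncode($oids)

# 3. Self-signed certificate request (issuer = subject), SHA-256 signature
$dn = New-Object -ComObject X509Enrollment.CX500DistinguishedName
$dn.Encode($SubjectName, $XCN_CERT_NAME_STR_NONE)

$req = New-Object -ComObject X509Enrollment.CX509CertificateRequestCertificate
$req.InitializeFromPrivateKey($ContextMachine, $key, '')
$req.Subject   = $dn
$req.Issuer    = $dn
$req.NotBefore = (Get-Date).AddDays(-1)
$req.NotAfter  = (Get-Date).AddYears(2)
$req.X509Extensions.Add($eku)
$hash = New-Object -ComObject X509Enrollment.CObjectId
$hash.InitializeFromAlgorithmName($XCN_CRYPT_HASH_ALG_OID_GROUP_ID, 0, 0, 'SHA256')
$req.HashAlgorithm = $hash
$req.Encode()

# 4. Enroll: sign the request with its own key and install into LocalMachine\My
$enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
$enroll.InitializeFromRequest($req)
$enroll.CertificateFriendlyName = $FriendlyName
$response = $enroll.CreateRequest($XCN_CRYPT_STRING_BASE64)
$enroll.InstallResponse($AllowUntrustedCertificate, $response, $XCN_CRYPT_STRING_BASE64, '')

# 5. Export the public part for the AD FS Relying Party Trust and confirm the KeySpec that was created
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $SubjectName } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
[IO.File]::WriteAllBytes($PublicCerPath,
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$keySpec = ([System.Security.Cryptography.RSACryptoServiceProvider]$cert.PrivateKey).CspKeyContainerInfo.KeyNumber
"Installed $($cert.Thumbprint); KeySpec = $keySpec; public certificate written to $PublicCerPath"
```

The last line should report KeySpec = Exchange. If it reports Signature, the key was created with AT_SIGNATURE and WIF's X509AsymmetricSecurityKey.DecryptKey will fail exactly as in the stack trace above; the KeySpec of an existing key cannot be changed, so the key has to be re-created (or re-imported from a .pfx with the AT_KEYEXCHANGE modifier of certutil -importpfx). The web application then needs the .pfx in its LocalMachine\My store, and AD FS only needs the .cer.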
You should also check if the (service) user addressing the certificate has enough rights on the local machine to access the certificates. That was my problem.
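As an added example that is not part of either answer: the script below inspects the certificate the web application uses to decrypt the token and checks the three points the two answers raise (Document Signing EKU, KeySpec of the private key, and whether the application pool identity can read the private key file). The thumbprint is a placeholder; the account defaults to the one shown in the event log above. It must run elevated, because opening the key container and the key file's ACL requires administrative rights.

```powershell
# Added example (not from the post or the answers). Placeholders: thumbprint; account from the event log.
param(
    [string]$Thumbprint     = '0123456789ABCDEF0123456789ABCDEF01234567',
    [string]$AppPoolAccount = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$GrantRead        # actually fix the ACL instead of just reporting it
)
$DocumentSigningOid = '1.3.6.1.4.1.311.10.3.12'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import the .pfx on the web server, not just the .cer' }

# 1. EKU must include Document Signing (1.3.6.1.4.1.311.10.3.12)
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($ekuExt) {
    $usages = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    "EKU: $($usages -join ', ')"
    if ($usages -notcontains $DocumentSigningOid) { Write-Warning 'EKU does not include Document Signing' }
} else {
    'EKU: no extension present (no usage restriction)'
}

# 2. KeySpec: DecryptKey needs an AT_KEYEXCHANGE key in a legacy CSP. On .NET 3.5/4.0 the
#    PrivateKey property throws for CNG (KSP) keys, and throws "Keyset does not exist" when
#    the current user cannot open the container.
try {
    $csp = $cert.PrivateKey -as [System.Security.Cryptography.RSACryptoServiceProvider]
} catch {
    throw "Cannot open the private key as $env:USERNAME ($($_.Exception.Message))"
}
if (-not $csp) { throw 'Private key is not a CAPI RSA key; WIF needs a legacy CSP key with KeySpec AT_KEYEXCHANGE' }
$info = $csp.CspKeyContainerInfo
"Provider: $($info.ProviderName)"
"KeySpec:  $($info.KeyNumber)"          # Exchange or Signature
if ($info.KeyNumber -ne [System.Security.Cryptography.KeyNumber]::Exchange) {
    Write-Warning 'Key is AT_SIGNATURE: it can sign but not decrypt. Re-issue the key, or re-import the .pfx with: certutil -importpfx My file.pfx AT_KEYEXCHANGE'
}
if (-not $info.MachineKeyStore) { Write-Warning 'Key is a user key, not a machine key; the app pool identity will not see it' }

# 3. ACL on the key container file: machine CAPI keys live under
#    %ProgramData%\Microsoft\Crypto\RSA\MachineKeys\<UniqueKeyContainerName>
$keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
"Key file: $keyFile"
$acl = Get-Acl -Path $keyFile
$readRule = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $AppPoolAccount -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)
}
if ($readRule) {
    "$AppPoolAccount has Read on the private key"
} elseif ($GrantRead) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($AppPoolAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on the private key to $AppPoolAccount"
} else {
    Write-Warning "$AppPoolAccount has no explicit Read on the private key; re-run with -GrantRead, or use certlm.msc > All Tasks > Manage Private Keys"
}
```

Read access on the key file is all the application pool identity needs to decrypt; do not grant Full Control, and check the account in the event log's "Account name:" line rather than assuming NETWORK SERVICE (an application pool running under ApplicationPoolIdentity appears as IIS APPPOOL\<pool name>). The check for an explicit rule is deliberately strict: access inherited through a group such as IIS_IUSRS is not detected and will be reported as a warning.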