Performance Point/Excel Services 的 Sharepoint 声明/c2wts 问题
我创建了一个自定义声明提供程序,以允许用户从现有网站登录 SharePoint。此问题包括格式为 username@domain 的 UPN 声明。用户可以正常登录,直到我在 SharePoint Web 应用程序 web.config 中的 samlSecurityTokenRequirement 下启用 mapToWindows 和 useWindowsTokenService。此时,我收到一条标准 SharePoint 错误消息,并且在跟踪中可以看到以下异常。
Exception fetching current thread user in SPUtility.CacheClaimsIdentity: Exception of type 'System.ArgumentException' was thrown.
Parameter name: identity 0.00143314303912927 0.001357
Runtime Tag(tkau) System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedValue
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaimFromFormsSuffix(String encodedValue)
at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedSuffix)
at Microsoft.SharePoint.ApplicationRuntime.SPHeaderManager.AddIsapiHeaders(HttpContext context, String encodedUrl, NameValueCollection headers)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PreRequestExecuteAppHandler(Object oSender, EventArgs ea)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
我认为 c2wts 模拟部分工作正常,因为如果我禁用由传递的 UPN 声明表示的 AD 帐户,则在尝试以该用户身份登录时,我会在 SharePoint 中收到不同的“访问被拒绝”错误。
另外,在 SharePoint 日志中,确实显示 UPN 已转换为 Windows AD 帐户,因为我在日志中收到以下内容:
Verbose ____Current User=i:DOMAINNAME\SSO_administrator 7b4eac31-d017-429c-87f2-a3100ece6797
更新
看起来这可能不是支持在其中使用的设置SharePoint。但是,如果我关闭该设置,SharePoint 站点中嵌入的 Performance Point 和 Excel Services 报表似乎无法正常工作。我收到如下错误:
数据连接使用 Windows 身份验证,无法委派用户凭据。(Excel)$Resources:ppsma.ServerCommon, ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim;(性能点 SSRS 报告)
有办法解决这个问题吗?我需要用户的UPN是用于查询这些背后的SSAS数据的帐户,因此使用固定连接字符串是不可行的。
I have created a custom claims provider to allow users to sign into SharePoint from an existing website. This issues claims including a claim of UPN in the format username@domain. The user can log in fine until I enable mapToWindows and useWindowsTokenService under samlSecurityTokenRequirement in the SharePoint web application web.config. At this point I get a standard SharePoint error message, and the following exception is visible in the trace.
Exception fetching current thread user in SPUtility.CacheClaimsIdentity: Exception of type 'System.ArgumentException' was thrown.
Parameter name: identity 0.00143314303912927 0.001357
Runtime Tag(tkau) System.ArgumentException: Exception of type 'System.ArgumentException' was thrown.
Parameter name: encodedValue
at Microsoft.SharePoint.Administration.Claims.SPClaimEncodingManager.DecodeClaimFromFormsSuffix(String encodedValue)
at Microsoft.SharePoint.Administration.Claims.SPClaimProviderManager.GetProviderUserKey(String encodedSuffix)
at Microsoft.SharePoint.ApplicationRuntime.SPHeaderManager.AddIsapiHeaders(HttpContext context, String encodedUrl, NameValueCollection headers)
at Microsoft.SharePoint.ApplicationRuntime.SPRequestModule.PreRequestExecuteAppHandler(Object oSender, EventArgs ea)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I think that the c2wts impersonation part is working correctly because if I disable the AD account represented by the passed UPN claim then I get a different "access is denied" error shown in SharePoint when trying to log in as that user.
Also in the SharePoint log it does appear that the UPN has been converted to a Windows AD account because I get the following in the log:
Verbose ____Current User=i:DOMAINNAME\SSO_administrator 7b4eac31-d017-429c-87f2-a3100ece6797
Update
It looks like maybe this isn't a supported setting to use within SharePoint. However if I leave the setting off, it seems that Performance Point and Excel Services reports embedded in the SharePoint site do not work properly. I get errors like:
The data connection uses Windows Authentication and user credentials could not be delegated.(Excel)$Resources:ppsma.ServerCommon, ErrorCode_DataSourceCannotGetWindowsIdentityForNonWindowsClaim;(Performance Point SSRS report)
Is there a way around this? I need the user's UPN to be the account used to query the SSAS data behind these, so it is not feasible to use fixed connection strings.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我认为 SharePoint 论坛上有很多关于基于声明的访问的信息平台(日内瓦)论坛
这是一些搜索 希望对您有所帮助管理问题:
I think there are a lot of information on a SharePoint forum about Claims-based access platform (Geneva) forums
This is some of the searches which hopefully will helps you to manage the issue:
事实证明,SharePoint 中不支持 mapToWindows 配置值。您必须依赖 SharePoint 的每个部分来感知声明并自行转换令牌。这有点痛苦,因为 PerformancePoint 和 Excel Services 无法感知声明,因此如果您的 SSAS 多维数据集需要 AD 安全性,那么您最终会在使用 Windows 身份验证时陷入困境。
It turns out that the mapToWindows config value is not supported within SharePoint. You have to rely on each part of SharePoint being claims aware and converting the token themselves. This is a bit of pain because PerformancePoint and Excel Services are not claims aware, so you end up being stuck using Windows auth if your SSAS cube requires AD security.