【发布时间】:2016-08-22 15:07:12
【问题描述】:
我正在尝试让 ADFS 3.0 在我的 NGINX 代理后面工作,以便将我的本地 AD 与我的 office365 帐户联合起来。 一切似乎都很好,但有些问题仍未得到解答: 1- 有一篇文章 (https://technet.microsoft.com/it-it/library/hh852618(v=ws.10).aspx) 解释了第三部分 adfs 代理在 adfs 2.0 上的行为,但我在 ADFS 3.0 上找不到相同的行为。 特别是那些文章告诉“外联网的 MEX 信息是不同的。为了适应这一点,所有对 URL /adfs/services/trust/mex 的外部请求必须重新路由到后面的 /adfs/services/trust/proxymex -结束 STS。”在 adfs 3.0 上仍然如此吗? 我的nginx配置如下,够了吗?
upstream adfsup {
server mydc03.mydomain.local:443;
server mydc01.mydomain.local:443;
keepalive 100;
}
server {
listen 443;
server_name adfs.mypubdomain.it;
ssl on;
ssl_certificate /etc/letsencrypt/live/adfs.mypubdomain.it/cert.pem;
#ssl_certificate /ssl/adfs_mypubdomain_it.pem;
ssl_certificate_key /etc/letsencrypt/live/adfs.mypubdomain.it/privkey.pem;
#ssl_certificate_key /ssl/adfs_mypubdomain_it.key;
location / {
proxy_pass https://adfsup; # my existing apache instance
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-MS-Proxy mypubrp0v;
proxy_http_version 1.1;
#proxy_next_upstream error timeout invalid_header http_500 http_503;
proxy_next_upstream error timeout invalid_header http_503;
proxy_connect_timeout 2;
}
}
2- 在 nginx 日志上我可以看到很多 500 错误: "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-" "-" 并在对应于事件 id 342 的 evt 日志上的 adfs 机器上
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
myuser@mydomain.it-The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: myuser@mydomain.it ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
我可以在 rca 测试 (https://www.testconnectivity.microsoft.com/?testid=SingleSignOn) 上提供错误密码来重现此错误,但我认为错误的密码引发异常是不正常的。 顺便说一句,我所有的用户似乎都很好,并且通过 ADFS 登录的工作正常,有人知道我该如何纠正这种情况吗? 谢谢 洛伦佐
【问题讨论】:
标签: nginx office365 adfs trust adfs3.0