
How can I specify the service identity principal name in the WCF client config for the issuer STS when binding using WS-Federation?

I have an application pool running under a domain account on a front end server trying to authenticate using federation to backend services on an app server (running under domain accounts) using an STS also running on the app server and under a domain account.

In order to use Kerberos correctly I need to set the user principal name of the STS on the frontend client. I can't see how to do that.

I am experiencing a connected problem, which is that fallback to NTLM does not work when the issuer is specified using FQDN, and Kerberos fails (SSPI negotiation failed), I think because I have no issuer principal name in the config. If I set the issuer using IP address instead, then authentication to STS succeeds using NTLM, I think, so I have a workaround.

The STS is issuing tokens on the basis of Windows auth on that endpoint. It has other endpoints for forms-type auth and so on.

Possibly a related problem on our network is that Silverlight clients that call back to web services are not working without the servers being manually added to the Local Intranet zone in IE. It seems as though for some reason the app servers are not considered as being on the same domain. Any clues much appreciated!

1 Answer

I found the solution for setting the user principal name of the STS. It needed to be set on the issuer element of the federation binding. OK, I don't know why I couldn't find this before, but first thing on Monday morning the answer shows up straight away: http://msdn.microsoft.com/en-us/library/aa347735.aspx

The issuer element for wsFederation is an endpoint configuration on which a user principal name can be set.

The schema from the link above is as follows:

<issuer address="Uri">
   <headers>
      <add name="String"
           namespace="String" />
   </headers>
   <!-- identity: the expected identity of the STS; the client uses it to authenticate the issuer -->
   <identity>
      <certificate encodedValue="String" />
      <certificateReference findValue="String"
         isChainIncluded="Boolean"
         storeName="AddressBook/AuthRoot/CertificateAuthority/Disallowed/My/Root/TrustedPeople/TrustedPublisher"
         storeLocation="LocalMachine/CurrentUser"
         x509FindType="System.Security.Cryptography.X509Certificates.X509FindType" />
      <dns value="String" />
      <rsa value="String" />
      <!-- servicePrincipalName: use when the STS runs under a machine account -->
      <servicePrincipalName value="String" />
      <!-- userPrincipalName: use when the STS runs under a domain user account -->
      <userPrincipalName value="String" />
   </identity>
</issuer>

As for the network problem, this was a DNS issue: a PTR record being used instead of an alias.

Answered 2012-03-19T08:43:12.607
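A complete client-side configuration for the scenario in the question, added here as an illustration and not taken from the original post: the federated endpoint on the app server, the Windows-authenticated STS endpoint as its issuer, and the STS identity pinned by user principal name so that Kerberos can obtain a ticket for the domain account the STS runs under. Host names, UPNs, the contract name and the binding names are placeholders.

```xml
<system.serviceModel>
  <bindings>
    <wsFederationHttpBinding>
      <binding name="FederationBinding">
        <security mode="Message">
          <message negotiateServiceCredential="true">
            <!-- The issuer is the STS endpoint that accepts Windows credentials.
                 Address by FQDN so Kerberos is attempted rather than NTLM. -->
            <issuer address="http://sts.example.local/STS/Windows"
                    binding="ws2007HttpBinding"
                    bindingConfiguration="StsWindowsBinding">
              <identity>
                <!-- UPN of the domain account the STS application pool runs under
                     (placeholder). If the STS ran under a machine account, a
                     servicePrincipalName element would be used here instead. -->
                <userPrincipalName value="svc-sts@example.local" />
              </identity>
            </issuer>
            <issuerMetadata address="http://sts.example.local/STS/mex" />
          </message>
        </security>
      </binding>
    </wsFederationHttpBinding>
    <ws2007HttpBinding>
      <!-- Binding used to talk to the STS: message security with Windows credentials -->
      <binding name="StsWindowsBinding">
        <security mode="Message">
          <message clientCredentialType="Windows" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
    <endpoint name="FederatedBackend"
              address="http://app.example.local/Service.svc"
              binding="wsFederationHttpBinding"
              bindingConfiguration="FederationBinding"
              contract="IBackendService">
      <identity>
        <!-- UPN of the domain account the backend service runs under (placeholder) -->
        <userPrincipalName value="svc-app@example.local" />
      </identity>
    </endpoint>
  </client>
</system.serviceModel>
```

Without a matching userPrincipalName (or servicePrincipalName) on the issuer, the client cannot build the Kerberos service ticket request for the STS and SSPI negotiation fails as described in the question.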