1. 首页
  2. 问答
  3. 在服务器/应用程序之间共享IClaimsPrincipal/FedAuth Cookie ID1006

在服务器/应用程序之间共享IClaimsPrincipal/FedAuth Cookie ID1006

2012-11-30 81 views
3

我有一个ASP.NET应用程序使用Azure ACS(和间接ADFS)进行身份验证 - 这一切都正常。现在我被要求将SessionToken传递给另一个后端服务,在那里它可以被验证并且提取索赔。 [长篇故事,而不是我的选择]在服务器/应用程序之间共享IClaimsPrincipal/FedAuth Cookie ID1006

我在解密方面有问题,我确信我错过了一些基本的东西。

要设置阶段中,在解密的错误是:

ID1006: The format of the data is incorrect. The encryption key length is negative: '-724221793'. The cookie may have been truncated.

的ASP.NET网站使用RSA包裹ALA:

void WSFederationAuthenticationModule_OnServiceConfigurationCreated(object sender, ServiceConfigurationCreatedEventArgs e) 
    { 
     string thumbprint = "BDE74A3EB573297C7EE79EB980B0727D73987B0D"; 

     X509Certificate2 certificate = GetCertificate(thumbprint); 

     List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
     { 
      new DeflateCookieTransform(), 
      new RsaEncryptionCookieTransform(certificate), 
      new RsaSignatureCookieTransform(certificate) 
     }); 

     SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 
     e.ServiceConfiguration.SecurityTokenHandlers.AddOrReplace(sessionHandler); 
    }

(指纹是由添加了相同的值。FedUtil在web.config中

我写的令牌:

if (Microsoft.IdentityModel.Web.FederatedAuthentication.SessionAuthenticationModule.TryReadSessionTokenFromCookie(out token)) 
{ 
    Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler th = new Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler(); 
    byte[] results = th.WriteToken(token); 
...

这给了我:

<?xml version="1.0" encoding="utf-8"?> 
<SecurityContextToken p1:Id="_53382b9e-8c4b-490e-bfd5-de2e8c0f25fe-94C8D2D9079647B013081356972DE275" 
        xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
        xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"> 
<Identifier>urn:uuid:54bd1bd7-1110-462b-847e-7f49c1043b32</Identifier> 
<Instance>urn:uuid:0462b7d7-717e-4ce2-b942-b0d6a968355b</Instance> 
<Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">AQAAANCMnd blah blah 1048 bytes total 
</Cookie> 
</SecurityContextToken>

,并与另一盒同一个证书(并作为只是为了测试一个文件的读取令牌),我有:

public static void Attempt2(FileStream fileIn, X509Certificate2 certificate, out SecurityToken theToken) 
    { 
     List<CookieTransform> sessionTransforms = new List<CookieTransform>(new CookieTransform[] 
     { 
      new DeflateCookieTransform(), 
      new RsaSignatureCookieTransform(certificate), 
      new RsaEncryptionCookieTransform(certificate) 
     }); 

     SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 

     // setup 
     SecurityTokenResolver resolver; 
     { 
      var token = new X509SecurityToken(certificate); 

      var tokens = new List<SecurityToken>() { token }; 

      resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); 
     } 

     sessionHandler.Configuration = new SecurityTokenHandlerConfiguration(); 
     sessionHandler.Configuration.IssuerTokenResolver = resolver; 

     using (var reader = XmlReader.Create(fileIn)) 
     { 
      theToken = sessionHandler.ReadToken(reader); 
     } 

    }

,然后ReadToken抛出的

ID1006: The format of the data is incorrect. The encryption key length is negative: '-724221793'. The cookie may have been truncated.

一个出现FormatException在这一点上,我不知道我的总体思路是有缺陷的,或者如果我只是错过了众所周知的“一个利ne“修复了这一切。

哦,我在网站(.NET 4.0)中使用VS2010 SP1,并且我在解码端尝试了VS2010SP1 .NET 4.0和VS2012 .NET 4.5。

谢谢!

来源

2012-11-30 James

+0

是ü能解决这个问题? – user3311522

+0

我正在尝试相同的事情。你是如何解决它的? – Ivanhoe

回答

0

您的后端服务的应用程序池帐户是否具有读取证书的权限?如果没有为后端服务的应用程序池帐户授予对证书的读取访问权限。正因为如此,我在加密/解密方面遇到了问题。

来源

2013-05-22 01:57:34 nickytonline

0

这也许会有帮助,这会变成你的FedAuth饼干到像一个可读的XML字符串:

<?xml version="1.0" encoding="utf-8"?> 
<SecurityContextToken p1:Id="_548a372e-1111-4df8-b610-1f9f618a5687-953155F0C35B4862A5BCE4D5D0C5ADF0" xmlns:p1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"> 
    <Identifier>urn:uuid:c9f9b733-1111-4b01-8af3-23c8af3e19a6</Identifier> 
    <Instance>urn:uuid:ee955207-1111-4498-afa3-4b184e97d0be</Instance> 
    <Cookie xmlns="http://schemas.microsoft.com/ws/2006/05/security">long_string==</Cookie> 
</SecurityContextToken>

代码:

private string FedAuthToXmlString(string fedAuthCombinedString) 
{ 
    // fedAuthCombinedString is from FedAuth + FedAuth1 cookies: just combine the strings 

    byte[] authBytes = Convert.FromBase64String(fedAuthCombinedString); 
    string decodedString = Encoding.UTF8.GetString(authBytes); 

    var store = new X509Store(StoreName.My, StoreLocation.CurrentUser); 
    store.Open(OpenFlags.ReadOnly); 
    var thumbprint = "CERT_THUMBPRINT"; // from config 

    var cert = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false)[0]; 

    var sessionTransforms = new List<System.IdentityModel.CookieTransform>(new System.IdentityModel.CookieTransform[] 
    { 
     new System.IdentityModel.DeflateCookieTransform(), 
     new System.IdentityModel.RsaSignatureCookieTransform(cert), 
     new System.IdentityModel.RsaEncryptionCookieTransform(cert) 
    }); 

    SessionSecurityTokenHandler sessionHandler = new SessionSecurityTokenHandler(sessionTransforms.AsReadOnly()); 

    SecurityTokenResolver resolver; 
    { 
     var token = new X509SecurityToken(cert); 
     var tokens = new List<SecurityToken>() { token }; 
     resolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(tokens.AsReadOnly(), false); 
    } 

    sessionHandler.Configuration = new SecurityTokenHandlerConfiguration(); 
    sessionHandler.Configuration.IssuerTokenResolver = resolver; 

    var i = 0; // clear out invalid leading xml 
    while ((int)decodedString[i] != 60 && i < decodedString.Length - 1) i++; // while the first character is not < 

    store.Close(); 

    return decodedString.Substring(i); 
}

来源

2017-06-29 18:58:08 naspinski

相关问题

 相关问题