
sharepoint - ADFS 2.0 with SharePoint not recognized as a trusted application and throws

Reposted. Author: 太空宇宙. Updated: 2023-11-03 13:48:41

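I am configuring a POC for SharePoint that authenticates against a third-party account provider, and I am running into a few issues while following the documentation Microsoft provides at http://technet.microsoft.com/en-us/library/cc731443(v=ws.10).aspx. Most of the documentation I see is for ADFS 2.0 RTW.

The problem is that when I try to access the SharePoint site, I am redirected to the account provider ADFS site and get an NTLM prompt. Once I enter my credentials, I receive the following error: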

The token request for application with URL "https://spadfsweb.spdev.com/_layouts/Authenticate.aspx?Source=/" cannot be fulfilled because the URL does not identify any known trusting application.

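Here is my setup

ADFS account provider (ADFS role and DC are on different machines)

  • Windows 2008 R2
  • ADFS role added
  • With the following ADFS parameters
    • Token-signing certificate "sts.adfsaccount.spaccount.com"
    • Federation Service URI
      • urn:federation:accountprovider
    • Federation Service endpoint URL
      • https://sts.adfsaccount.spaccount.com/adfs/ls/
  • Exported the token-signing certificate and imported it into the resource partner ADFS

ADFS resource partner (ADFS role and DC are on different machines)

  • Windows 2008 R2
  • ADFS role added
  • With the following ADFS parameters
    • Token-signing certificate "sts.staging.spresource.com"
    • Federation Service URI
      • urn:federation:resourceprovider
    • Federation Service endpoint URL
      • https://sts.staging.spresource.com/adfs/ls/
  • Has the following trusted application, which is SharePoint
  • Exported the token-signing certificate and imported it into the account partner ADFS

Below are the steps I used to configure the SharePoint site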

```powershell
# Load the account partner's exported token-signing certificate and trust it in SharePoint
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Data\Certs\stsadfsaccount_exporttokensign.cer")
New-SPTrustedRootAuthority -Name "Account Token Signing Cert" -Certificate $cert
# Map the incoming e-mail address and role claims unchanged
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Register the trusted identity token issuer (realm, signing certificate, sign-in URL, identifier claim)
$ap = New-SPTrustedIdentityTokenIssuer -Name "Staging Provider" -Description "User account domain from adfs to provide authenitcation" -Realm "urn:federation:resourceprovider" -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://sts.adfsaccount.spaccount.com/adfs/ls/" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
```

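--- SharePoint has the resource provider's URI, the account partner's signing certificate, and the account partner's ADFS URL

Please let me know if I am doing something wrong.

Thanks, Deepak

Best answer

You seem to suggest that you are using ADFS 1.0. Indeed, if you followed http://technet.microsoft.com/en-us/library/cc731443%28v=ws.10%29.aspx as you say, then you have configured ADFS 1.0, not the subsequent AD FS 2.0. In my opinion, any new deployment should use AD FS 2.0.

Your error message is described in the ADFS 1.0 troubleshooting page; quoting: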

Condition: server error

Error: The token request for application with URL https://... cannot be fulfilled because the URL does not identify any known trusting application

Solution: This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service. For more information about how to do this, see Complete the Add Applications Wizard.

For a claims-aware application, verify that the return URL is typed correctly in the application’s web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.

For a Windows NT token-based application, verify that the return URL is typed correctly on the ADFS Web Agent tab of IIS and that it matches the application URL in the trust policy of the Federation Service.

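Also, in case you don't already know, Microsoft created an ADFS diagnostic tool for ADFS 1.0; see this blog post to download. This tool may help track down this particular issue.

Hope this helps...

Regarding sharepoint - ADFS 2.0 with SharePoint not recognized as a trusted application and throws, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/10077768/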
