Claims系列 - ID4036错误(The key needed to decrypt the encrypted security token could not be resolved from the following security key identifier)
错误现象
错误原因
a) 在SecurityTokenService.GetScope()方法中,设置了Scope.EncryptingCredentials属性为某个X509证书(公钥);
b) Relying Party应用程序中没有设置对应的证书(包含私钥)。
原因分析
从出错页面的规模信息可知, ID4036是由ID1044错误引发的。
导致ID1044异常的代码为Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)。
通过.Net Relector查看TokenReceiver.ReadToken()的内部实现如下:
1
public SecurityToken ReadToken(
string tokenXml, XmlDictionaryReaderQuotas readerQuotas)
2 {
3
//
此处无关代码被省略
4
catch (EncryptedTokenDecryptionFailedException exception)
5 {
6
string str3;
7
if (
this._serviceConfiguration.ServiceCertificate ==
null)
8 {
9 str3 = SR.GetString(
"
NoCert
",
new
object[
0]);
10 }
11
else
12 {
13 str3 =
"
[Thumbprint]
" +
this._serviceConfiguration.ServiceCertificate.Thumbprint;
14 }
15
throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(
new SecurityTokenException(SR.GetString(
"
ID1044
",
new
object[] { str3 }), exception));
16 }
17
return token2;
18 }
显而易见,ID1044异常是由于this._serviceConfiguration.ServiceCertificate == null引起。
再查看TokenReceiver类,可知_serviceConfiguration是其私有字段,拍被设置的地方是在构造函数之中,并且是从外部传过来的.
1
public TokenReceiver(ServiceConfiguration serviceConfiguration)
2 {
3
if (serviceConfiguration ==
null)
4 {
5
throw DiagnosticUtil.ExceptionUtil.ThrowHelperArgumentNull(
"
serviceConfiguration
");
6 }
7
this._serviceConfiguration = serviceConfiguration;
8 }
那么此构造函数在什么地方调用的呢?从调用堆栈可知,推测可能是WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request).
打开.Net Reflector一看,果不其然:
1
private
void SignInWithResponseMessage(HttpRequest request)
2 {
3
//
省略前面的无关代码
4
5
if (!e.Cancel)
6 {
7 TokenReceiver receiver =
new TokenReceiver(
base.ServiceConfiguration);
8 IClaimsPrincipal claimsPrincipal = receiver.AuthenticateToken(e.SecurityToken,
true, HttpContext.Current.Request.RawUrl);
9
10
//
省略后面的无关代码
11
12 }
13 }
传入的参数值为base.ServiceConfiguration,即HttpModuleBase.ServiceConfiguration;其定义如下:
1
public ServiceConfiguration ServiceConfiguration
2 {
3
get
4 {
5
return
this._serviceConfiguration;
6 }
7
set
8 {
9
if (value ==
null)
10 {
11
throw DiagnosticUtil.ExceptionUtil.ThrowHelperArgumentNull(
"
value
");
12 }
13
this._serviceConfiguration = value;
14 }
15 }
由于ServiceConfiguration是可读写属性,因此可能从外部和内部设置值。
先看外部有没有可能。从调用堆栈可知,其调用都为WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args):
View Code
1
protected
virtual
void OnAuthenticateRequest(
object sender, EventArgs args)
2 {
3 HttpRequest request = HttpContext.Current.Request;
4
if (
this.CanReadSignInResponse(request))
5 {
6
try
7 {
8
this.SignInWithResponseMessage(request);
9 }
10
catch (Exception exception)
11 {
12
if (DiagnosticUtil.IsFatal(exception))
13 {
14
throw;
15 }
16
if (DiagnosticUtil.TraceUtil.ShouldTrace(TraceEventType.Warning))
17 {
18 DiagnosticUtil.TraceUtil.TraceString(TraceEventType.Warning, SR.GetString(
"
ID8020
",
new
object[] { exception }),
new
object[
0]);
19 }
20 ErrorEventArgs args2 =
new ErrorEventArgs(exception);
21
this.OnSignInError(args2);
22
if (!args2.Cancel)
23 {
24
throw;
25 }
26 }
27 }
28 }
从其实现看,并没有设置ServiceConfiguration值的地方;回过头再看HttpModuleBase,可知设置的地方是Init()函数:
2 {
3 this._serviceConfiguration = FederatedAuthentication.ServiceConfiguration;
4 this.InitializeModule(context);
5 }
并且直接引用了FederatedAuthentication.ServiceConfiguration属性。再查看这个属性的定义:
2 {
3 get
4 {
5 lock (_serviceConfigurationLock)
6 {
7 if (_serviceConfiguration == null)
8 {
9 _serviceConfiguration = new ServiceConfiguration();
10 ServiceConfigurationCreatedEventArgs e = new ServiceConfigurationCreatedEventArgs(_serviceConfiguration);
11 EventHandler<ServiceConfigurationCreatedEventArgs> serviceConfigurationCreated = ServiceConfigurationCreated;
12 if (serviceConfigurationCreated != null)
13 {
14 serviceConfigurationCreated( null, e);
15 }
16 _serviceConfiguration = e.ServiceConfiguration;
17 if (!_serviceConfiguration.IsInitialized)
18 {
19 _serviceConfiguration.Initialize();
20 }
21 }
22 return _serviceConfiguration;
23 }
24 }
25 }
从代码中可得到两点信息:1)_serviceConfiguration是在第一次请求时new出来的; 2)在第一次请求时会触发ServiceConfigurationCreated事件,并可访问到
_serviceConfiguration。
再看ServiceConfiguration的构造函数:
View Code
2 {
3 this._certificateValidationMode = DefaultCertificateValidationMode;
4 this._claimsAuthenticationManager = new ClaimsAuthenticationManager();
5 this._claimsAuthorizationManager = new ClaimsAuthorizationManager();
6 this._exceptionMapper = new ExceptionMapper();
7 this._revocationMode = DefaultRevocationMode;
8 this._serviceName = DefaultServiceName;
9 this._serviceMaxClockSkew = DefaultMaxClockSkew;
10 this._trustedStoreLocation = DefaultTrustedStoreLocation;
11 MicrosoftIdentityModelSection current = MicrosoftIdentityModelSection.Current;
12 ServiceElement element = (current != null) ? current.ServiceElements.GetElement(DefaultServiceName) : null;
13 this.LoadConfiguration(element);
14 }
注意到最后调用了LoadConfiguration进行初始化,再看其内部实现:
2 {
3 if (element != null)
4 {
5
6 // 省略前面无关代码
7 if (( this._serviceCertificate == null) && element.ServiceCertificate.IsConfigured)
8 {
9 this._serviceCertificate = GetServiceCertificate(element);
10 }
11 // 省略后面无关代码
12 }
13 this._securityTokenHandlerCollectionManager = this.LoadHandlers(element);
14 }
再看GetServiceCertificate()
2 {
3 X509Certificate2 certificate2;
4 try
5 {
6 X509Certificate2 certificate = element.ServiceCertificate.GetCertificate();
7 if (certificate != null)
8 {
9 X509Util.EnsureAndGetPrivateRSAKey(certificate);
10 }
11 certificate2 = certificate;
12 }
13 catch (ArgumentException exception)
14 {
15 throw DiagnosticUtil.ExceptionUtil.ThrowHelperConfigurationError(element, " serviceCertificate ", exception);
16 }
17 return certificate2;
18 }
至此, 终于知道X509证书默认是从ServiceElement即配置文件中的<microsoft.identitymodel><service><servicecertificate>节点。由此我们可得到如下两种解决方案:
解决方案
1 设置配置文件中的<microsoft.identitymodel><service><servicecertificate>节点
a)找开Relying Party应用程序的配置文件;
b)设置X509证书如下:
2 在FederatedAuthentication.ServiceConfigurationCreated事件处理函数中设置
a) 在Relying Party工程中添加Global.asax文件(如果不存在的话);
b) 添加Application_Start事件处理函数
