Lync 2013 - CreateAuthBrokerSession doesn't accept WebTicket
I am trying to implement some basic functionality of a Lync/Skype client via SIP and HTTP communication. Our tool is written in C++. I have completed the authentication part for NTLM and Kerberos, but I am having serious problems implementing TLS-DSK authentication.
I used these tutorials:
I tried using my own TLS implementation (based on Windows SSPI), but I saw that there is a way to use a web service for that part, as written in 1.3.3 of MS-OCAUTHWS. Before using the Authentication Broker Service, I need to access the Web Ticket Service to get a ticket. I have already received the web ticket and I signed it
Here is my web ticket:
<wsse:Security>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="timestamp">
<Created xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T07:47:43.3671158Z</Created>
<Expires xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2016-05-12T15:44:04.3671158Z</Expires>
</wsu:Timestamp>
<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7" Issuer="https://lync.domain.com:4443/108486a8-f2cf-5123-84f4-1ddecb41a6e9" IssueInstant="2016-05-12T07:47:43.368Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2016-05-12T07:47:43.367Z" NotOnOrAfter="2016-05-12T15:44:04.367Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://lync.domain.com/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2016-05-12T07:47:43.368Z">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/uri">sip:user@domain.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#kw-aes256" />
<KeyInfo>
<KeyName>108486a8-f2cf-5123-84f4-1ddecb41a6e9:8d37a331603249e</KeyName>
</KeyInfo>
<e:CipherData>
<e:CipherValue>ZZ1P9UwMNA8yX3Z0l07rWUX1Cpuh+2HJYh2fjTWlhCBMpnIT3fEzog==</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<DigestValue>/2L09RaIuIcwF5sVHrs7jmG0sXuY0x3gOGZLnUu/ziw=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>6VUfrCdK1VpXSSol1XkP2Ba/2rX6dz6o1NBEMT1LYsveYaAgoy/W16gPaJFb8TloqMZ8R+FE91opbSkSjbzwCNW+0q/SuJNYyk0j1tfdpk+URP1xpMq+P1wUVhoj++t9QAuL9ztY7YJ4IFm6nsDzq6LAZ+Ji3InbpGDmOPE/bU8lyqXaJbn6DWnPno+XrkRhSveVN1Twx7sqkbcEPRnMC089iTtNphTPJwNjeB2nRgqEsv4eSrHWB3o2wxs0rq4Xy5LnDhAbvH6hYmuLhwt5U4gDR72JTW65GuLGj5UrIv7xJVpK/O6ghp+JGCaJaP7EI2lQpztlkr7t1jpYXgANFw==</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">WeGZMVqOctvQlI9rdMdRF8ArzLA=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</saml:Assertion>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#timestamp">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>YLf+iJEV9ZI7QqX4gl8WWRyrJcY=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>WgXPtLNvWPal9becoTXQq+liku0=</SignatureValue>
<KeyInfo>
<wsse:SecurityTokenReference wsse:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">SamlSecurityToken-f6da603d-3938-4556-90b6-f3e3e450b6d7</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</KeyInfo>
</Signature>
</wsse:Security>
I use it in GetAndPublishCert and it works fine (200 OK). But when I pass the same ticket to the Authentication Broker Service, it gives me 500 Internal Server Error.
Here is my request:
POST /Reach/sip.svc/AuthBroker HTTP/1.1
Host: lync.domain.com
Content-Type: text/xml
Content-Length: 5175
SOAPAction: "http://tempuri.org/IAuthBroker/CreateAuthBrokerSession"
User-Agent: Hypersoft
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<soap:Header>
<wsa:Action>http://tempuri.org/IAuthBroker/CreateAuthBrokerSession</wsa:Action>
<wsa:MessageID>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</wsa:MessageID>
<wsa:To>https://lync.domain.com/Reach/sip.svc/AuthBroker</wsa:To>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
+ above WebTicket
</soap:Header>
<soap:Body>
<a:CreateAuthBrokerSession xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:a="http://tempuri.org/">
<a:supportedHashAlgorithms>
<string>SHA1</string>
<string>SHA256</string>
<string>SHA384</string>
<string>SHA512</string>
</a:supportedHashAlgorithms>
</a:CreateAuthBrokerSession>
</soap:Body>
</soap:Envelope>
Here is what I receive from the server:
HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 572
Content-Type: text/xml; charset=utf-8
Server: Microsoft-IIS/8.5
X-MS-Server-Fqdn: lync.domain.com
X-MS-Correlation-Id: 2147501677
client-request-id: 6801bbde-5331-4a0d-80d4-f490186e18a1
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
Date: Thu, 12 May 2016 07:48:25 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
<a:RelatesTo>uuid:70de6ed0-5279-44db-956a-84109a5a1a95</a:RelatesTo>
</s:Header>
<s:Body>
<s:Fault>
<faultcode xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</faultcode>
<faultstring xml:lang="en-US">An error occurred when verifying security for the message.</faultstring>
</s:Fault>
</s:Body>
</s:Envelope>
Does the Authentication Broker Service need a different WebTicket? How do I create a session?
I found the cause of the 500 error. AuthBroker does not need the WebTicket signature, so the part with "Signature" must be removed. Also, in the header, the "ReplyTo" attribute must be removed.
Now all my broker operations get 200 OK.
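The fix described in the answer, as an added example that is not code from the original post (the poster's tool is C++; this is written in Python for brevity). It removes only the outer HMAC Signature that is a direct child of wsse:Security, keeps the issuer's RSA Signature inside saml:Assertion, builds the CreateAuthBrokerSession envelope without wsa:ReplyTo, and checks the ticket's wsu:Timestamp window, since an expired ticket is another way to earn the same InvalidSecurity fault. The WEBTICKET string is a constructed, shortened stand-in for the ticket above with placeholder signature values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces used by the WebTicket and the AuthBroker request shown in the question.
NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/", "wsa": "http://www.w3.org/2005/08/addressing",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
for p, u in NS.items(): ET.register_namespace(p, u)  # keep the familiar prefixes in serialized output
# Constructed, shortened stand-in for the WebTicket above; the signature values are placeholders.
WEBTICKET = (
    f'<wsse:Security xmlns:wsse="{NS["wsse"]}" xmlns:wsu="{NS["wsu"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
    '<wsu:Timestamp wsu:Id="timestamp"><wsu:Created>2016-05-12T07:47:43.3671158Z</wsu:Created>'
    '<wsu:Expires>2016-05-12T15:44:04.3671158Z</wsu:Expires></wsu:Timestamp>'
    '<saml:Assertion AssertionID="SamlSecurityToken-EXAMPLE"><ds:Signature><ds:SignatureValue>RSA-SIG-PLACEHOLDER'
    '</ds:SignatureValue></ds:Signature></saml:Assertion><ds:Signature><ds:SignedInfo><ds:Reference URI="#timestamp"/>'
    '</ds:SignedInfo><ds:SignatureValue>HMAC-SIG-PLACEHOLDER</ds:SignatureValue></ds:Signature></wsse:Security>')

def parse_wsu_time(text):  # drop the 7-digit fraction .NET emits; strptime only understands microseconds
    return datetime.strptime(text.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def ticket_is_current(security, now_iso):
    """True if now_iso lies inside the wsu:Timestamp window; an expired ticket is another source of InvalidSecurity."""
    ts, now = security.find("wsu:Timestamp", NS), parse_wsu_time(now_iso)
    return parse_wsu_time(ts.find("wsu:Created", NS).text) <= now < parse_wsu_time(ts.find("wsu:Expires", NS).text)

def security_for_authbroker(ticket_xml):
    """Remove only the outer HMAC Signature (direct child of wsse:Security); the issuer's Signature inside saml:Assertion stays."""
    security = ET.fromstring(ticket_xml)
    if security.find("saml:Assertion/ds:Signature", NS) is None:
        raise ValueError("assertion carries no issuer signature; refusing to build a request from it")
    for sig in security.findall("ds:Signature", NS):  # a plain tag path matches direct children only
        security.remove(sig)
    return security

def build_authbroker_envelope(security, host, message_id):
    """SOAP envelope from the question: WebTicket in the header, and no wsa:ReplyTo."""
    env = ET.Element(f"{{{NS['soap']}}}Envelope")
    hdr = ET.SubElement(env, f"{{{NS['soap']}}}Header")
    ET.SubElement(hdr, f"{{{NS['wsa']}}}Action").text = "http://tempuri.org/IAuthBroker/CreateAuthBrokerSession"
    ET.SubElement(hdr, f"{{{NS['wsa']}}}MessageID").text = f"uuid:{message_id}"
    ET.SubElement(hdr, f"{{{NS['wsa']}}}To").text = f"https://{host}/Reach/sip.svc/AuthBroker"
    hdr.append(security)
    call = ET.SubElement(ET.SubElement(env, f"{{{NS['soap']}}}Body"), "{http://tempuri.org/}CreateAuthBrokerSession")
    algs = ET.SubElement(call, "{http://tempuri.org/}supportedHashAlgorithms")
    for name in ("SHA1", "SHA256", "SHA384", "SHA512"):
        ET.SubElement(algs, "{http://schemas.microsoft.com/2003/10/Serialization/Arrays}string").text = name
    return ET.tostring(env, encoding="unicode")

# Usage with the constructed ticket and the message id from the question.
AUTHBROKER_REQUEST = build_authbroker_envelope(security_for_authbroker(WEBTICKET), "lync.domain.com", "70de6ed0-5279-44db-956a-84109a5a1a95")
```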