Can ADAL be used with Azure AD (Connect) Passthrough Authentication for Integrated Auth
Calling AcquireToken throws an error saying that silent authentication cannot be used for a managed user.
I have the following code that reproduces the error:
# Fetch ADAL 3.14.2 from NuGet once and cache it under %TEMP%\packages
$nuGetPackages = "$env:temp\packages"
$clientVersion = '3.14.2'
$libPath = Join-Path $nuGetPackages "Microsoft.IdentityModel.Clients.ActiveDirectory.$clientVersion\lib"
if (!(Test-Path $libPath)) {
    Write-Host "Installing Microsoft.IdentityModel.Clients.ActiveDirectory module"
    # Pull the package over HTTPS so the assembly cannot be swapped in transit
    Install-Package -Name 'Microsoft.IdentityModel.Clients.ActiveDirectory' -RequiredVersion $clientVersion -ProviderName NuGet -Destination $nuGetPackages -Source https://www.nuget.org/api/v2/ -Force | Out-Null
}
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Derive the tenant name from the DC= components of the current user's AD distinguished name
$tenantName = [string]::Join('.', ([System.DirectoryServices.AccountManagement.UserPrincipal]::Current.DistinguishedName.Split(',') | Where-Object { $_.Split('=')[0] -eq 'dc' } | ForEach-Object { $_.Split('=')[1] }))
$authority = "https://login.windows.net/$tenantName"
$resourceAppIdUri = "https://management.core.windows.net/"
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # well-known Azure PowerShell public client id
# Load the .NET 4.5 desktop build of ADAL, which carries the integrated-auth support
Get-ChildItem $libPath -Filter net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll | ForEach-Object { [System.Reflection.Assembly]::LoadFrom($_.FullName) | Out-Null }
try {
    # UserCredential carries only the UPN: integrated Windows auth, no password
    $creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserCredential" -ArgumentList "$env:USERNAME@$tenantName"
    $creds.UserAuthType
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    $task = $authContext.AcquireTokenAsync($resourceAppIdUri, $clientId, $creds)
    $task.Wait()
    $authResult = $task.Result
    $authResult  # writes the whole result, access token included, to the console
    return $authResult.AccessToken
} catch {
    throw $_.Exception.ToString()
}
which produces the error:
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: password_required_for_managed_user: Password is required for managed user
This error means you did not supply a password for this method. If you want to acquire an access token with the Resource Owner Password Credentials flow, you should supply the username and password through the UserPasswordCredential class.
Here is the code sample that works for me:
# Fetch ADAL 3.14.2 from NuGet once and cache it under %TEMP%\packages
$nuGetPackages = "$env:temp\packages"
$clientVersion = '3.14.2'
$libPath = Join-Path $nuGetPackages "Microsoft.IdentityModel.Clients.ActiveDirectory.$clientVersion\lib"
if (!(Test-Path $libPath)) {
    Write-Host "Installing Microsoft.IdentityModel.Clients.ActiveDirectory module"
    # Pull the package over HTTPS so the assembly cannot be swapped in transit
    Install-Package -Name 'Microsoft.IdentityModel.Clients.ActiveDirectory' -RequiredVersion $clientVersion -ProviderName NuGet -Destination $nuGetPackages -Source https://www.nuget.org/api/v2/ -Force | Out-Null
}
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
# Derive the tenant name from the DC= components of the current user's AD distinguished name
$tenantName = [string]::Join('.', ([System.DirectoryServices.AccountManagement.UserPrincipal]::Current.DistinguishedName.Split(',') | Where-Object { $_.Split('=')[0] -eq 'dc' } | ForEach-Object { $_.Split('=')[1] }))
$authority = "https://login.windows.net/$tenantName"
$resourceAppIdUri = "https://management.core.windows.net/"
$clientId = "1950a258-227b-4e31-a9cf-717495945fc2" # well-known Azure PowerShell public client id
Get-ChildItem $libPath -Filter net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll | ForEach-Object { [System.Reflection.Assembly]::LoadFrom($_.FullName) | Out-Null }
try {
    # Resource Owner Password Credentials: the password itself is sent to Azure AD, so take
    # the real values from Get-Credential or a secret store rather than hard-coding them
    $creds = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserPasswordCredential" -ArgumentList '{username}', '{password}'
    #$creds.UserAuthType
    $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
    # PowerShell does not bind C# extension methods, so the desktop extension class is called statically
    $task = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $resourceAppIdUri, $clientId, $creds)
    #$task = $authContext.AcquireTokenAsync($resourceAppIdUri, $clientId, $creds)
    $task.Wait()
    $authResult = $task.Result
    $authResult  # writes the whole result, access token included, to the console
    return $authResult.AccessToken
} catch {
    throw $_.Exception.ToString()
}
It is not true silent authentication the way ADFS is (meaning it pops up windows and cannot be used with a non-interactive service account), but with PromptBehavior.None or Auto it lets Azure Seamless SSO work with pass-through (or password sync) without a password prompt.
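The thread above establishes two facts: the integrated (password-less) UserCredential path only works for federated (ADFS) domains, and for managed (PTA or PHS) domains ADAL needs either a password (ROPC) or an interactive prompt that Seamless SSO can satisfy. The script below is an added example, not code from the question or the answer: it asks Azure AD which kind of domain the user belongs to before picking a flow, so the password_required_for_managed_user error is avoided by design instead of being worked around with a stored password. It assumes ADAL 3.14.2 was unpacked to the same $libPath the scripts above use, that the current user's on-premises UPN is also the Azure AD sign-in name, and that either Seamless SSO or a user at the keyboard is available for the managed-domain branch. The helper names Get-AadAccountType and Get-AadTokenForCurrentUser are my own; the userrealm discovery endpoint is the one ADAL itself queries, and the ADAL overloads used are the real 3.x desktop ones.

```powershell
# Added example (not part of the original question or answer). Assumes ADAL 3.14.2 is
# unpacked under $libPath as in the scripts above, that the current user's on-prem UPN is
# also the Azure AD sign-in name, and that Seamless SSO or an interactive desktop exists.
# Get-AadAccountType and Get-AadTokenForCurrentUser are hypothetical helper names.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$libPath = Join-Path "$env:temp\packages" 'Microsoft.IdentityModel.Clients.ActiveDirectory.3.14.2\lib'
Get-ChildItem $libPath -Filter net45\Microsoft.IdentityModel.Clients.ActiveDirectory.dll |
    ForEach-Object { [System.Reflection.Assembly]::LoadFrom($_.FullName) | Out-Null }
$N = 'Microsoft.IdentityModel.Clients.ActiveDirectory'   # ADAL namespace, used as a prefix below

function Get-AadAccountType {
    # Asks the user-realm discovery endpoint (the same lookup ADAL performs internally)
    # whether the UPN's domain is 'Managed' (cloud-only, PHS or PTA) or 'Federated' (ADFS).
    param([Parameter(Mandatory)][string]$Upn)
    $url = "https://login.microsoftonline.com/common/userrealm/$([uri]::EscapeDataString($Upn))?api-version=1.0"
    $realm = Invoke-RestMethod -Uri $url -Method Get
    [pscustomobject]@{
        AccountType           = $realm.account_type             # 'Managed' or 'Federated'
        DomainName            = $realm.domain_name
        FederationMetadataUrl = $realm.federation_metadata_url  # $null for managed domains
    }
}

function Get-AadTokenForCurrentUser {
    param(
        [string]$Upn = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current.UserPrincipalName,
        [string]$Resource = 'https://management.core.windows.net/',
        [string]$ClientId = '1950a258-227b-4e31-a9cf-717495945fc2',  # Azure PowerShell public client, as on the page
        [switch]$AllowPasswordPrompt                                  # opt in to ROPC for managed domains
    )
    $tenant = $Upn.Split('@')[1]
    $authContext = New-Object "$N.AuthenticationContext" -ArgumentList "https://login.microsoftonline.com/$tenant"
    $realm = Get-AadAccountType -Upn $Upn

    if ($realm.AccountType -eq 'Federated') {
        # ADFS domain: UserCredential holds only the UPN. ADAL obtains a Kerberos-backed
        # assertion from the federation server and exchanges it; truly silent, no password.
        $cred = New-Object "$N.UserCredential" -ArgumentList $Upn
        $task = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $Resource, $ClientId, $cred)
    }
    elseif ($AllowPasswordPrompt) {
        # Managed domain, non-interactive: ROPC. The plaintext password is sent to Azure AD and
        # MFA / Conditional Access cannot be satisfied, so reserve this for break-glass scripts.
        # Get-Credential keeps the password as a SecureString, which ADAL accepts directly.
        $winCred = Get-Credential -UserName $Upn -Message 'Azure AD password (ROPC fallback)'
        $cred = New-Object "$N.UserPasswordCredential" -ArgumentList $Upn, $winCred.Password
        $task = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContextIntegratedAuthExtensions]::AcquireTokenAsync($authContext, $Resource, $ClientId, $cred)
    }
    else {
        # Managed domain (PTA or PHS): the integrated path throws password_required_for_managed_user.
        # Use the interactive overload with PromptBehavior.Auto and a login hint; with Seamless SSO
        # configured the embedded browser completes Kerberos sign-in and no password dialog appears.
        $redirect = New-Object Uri -ArgumentList 'urn:ietf:wg:oauth:2.0:oob'
        $platform = New-Object "$N.PlatformParameters" -ArgumentList ([Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Auto)
        $userId   = New-Object "$N.UserIdentifier" -ArgumentList $Upn, ([Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifierType]::RequiredDisplayableId)
        $task = $authContext.AcquireTokenAsync($Resource, $ClientId, $redirect, $platform, $userId)
    }

    try {
        # GetResult() surfaces the AdalException itself instead of an AggregateException
        $result = $task.GetAwaiter().GetResult()
    }
    catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }  # PowerShell wraps .NET method exceptions
        $code = if ($ex -is [Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException]) { $ex.ErrorCode } else { $ex.GetType().Name }
        throw "Token acquisition failed for $Upn ($($realm.AccountType) domain, $code): $($ex.Message)"
    }

    # Return fields the caller can log safely; never write $result itself to the console,
    # because it carries the bearer token.
    [pscustomobject]@{
        User        = $result.UserInfo.DisplayableId
        TenantId    = $result.TenantId
        ExpiresOn   = $result.ExpiresOn
        AccountType = $realm.AccountType
        AccessToken = $result.AccessToken
    }
}

# Usage:
# $token = Get-AadTokenForCurrentUser
# $token | Select-Object User, TenantId, ExpiresOn, AccountType
```

Run Get-AadAccountType on its own first: if it reports Managed for a domain you expected to be federated, the error in the question is exactly what ADAL will produce, and no amount of retrying the UserCredential overload changes that. ADAL reached end of support in 2023; the same split (integrated auth for federated domains, interactive with a login hint for managed domains, username/password only as a last resort) maps onto MSAL's AcquireTokenByIntegratedWindowsAuth, AcquireTokenInteractive and AcquireTokenByUsernamePassword.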