MSAL 错误 - 联合 IWA 的目标主体名称不正确
MSAL Error - Target Principal Name Incorrect with Federated IWA
我有一个 AAD/AD 联合租户设置。显然 Azure 中的 AAD,本地 AD 是带有 VM 的实验室设置。我已经完成了 AADConnect 设置的一些排列,但我总是以同样的错误告终。查找它,它似乎通常与 SQLServer 相关联,但我认为这不适用于此处。我只是想使用 IWA 对此 AAD 联合应用程序进行身份验证,但无法逃脱此异常。
本地AD
Domain: vandelay.local
ADDS,ADFS,DNS: WIN-H9QGD6BJ2IN.vandelay.local
ADFS DNS: adfs.ad.vandelay.local
Alternate UPN: vandelay.firstresponse911.net
AAD Connect setup with Federation and Password Hash Sync
AAD
AADConnect 设置似乎很满意(见屏幕截图)
为应用程序添加了全局授予的管理员许可(不需要用户交互来授予权限)
与 AADConnect 同步的用户出现在具有 App 权限的门户中。
代码
// Signed into machine as steve.doe@vandelay.firstresponse911.net
static void Main(string[] args)
{
app = PublicClientApplicationBuilder.Create(CLIENT_ID)
.WithAuthority(AzureCloudInstance.AzurePublic, TENANT_ID, false)
.Build();
while (true)
{
var result = _retry.Execute((ctx) => GetToken2().GetAwaiter().GetResult(), new Context("acquireToken", new Dictionary<string, object>() { { "userId", "paul.seabury@vandelay.local" }, { "password", "AGF11nfn" } }));
Console.WriteLine($"IdTok: {ComputeSha256Hash(result.IdToken)}, Exp: {result.ExpiresOn}");
Thread.Sleep(1000 * 60 * 2);
}
}
private static Task<AuthenticationResult> GetToken2()
{
var upn = System.DirectoryServices.AccountManagement.UserPrincipal.Current;
var cachedResult = app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(upn.UserPrincipalName).ExecuteAsync().GetAwaiter().GetResult();
return Task.FromResult(cachedResult);
}
}
异常
Microsoft.Identity.Client.MsalClientException: 'The target principal name is incorrect.'
事件日志条目在同一台客户端计算机上附带:
The Kerberos client received a
KRB_AP_ERR_MODIFIED error from the server fsgma$. The target name used
was HTTP/win-h9qgd6bj2in.vandelay.local. This indicates that the
target server failed to decrypt the ticket provided by the client.
This can occur when the target server principal name (SPN) is
registered on an account other than the account the target service is
using. Ensure that the target SPN is only registered on the account
used by the server. This error can also happen if the target service
account password is different than what is configured on the Kerberos
Key Distribution Center for that target service. Ensure that the
service on the server and the KDC are both configured to use the same
password. If the server name is not fully qualified, and the target
domain (VANDELAY.LOCAL) is different from the client domain
(VANDELAY.LOCAL), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the
server.
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="16384">4</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-30T15:24:32.660502800Z" />
<EventRecordID>3393</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>DESKTOP-BJ6P4H4.vandelay.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Server">fsgma$</Data>
<Data Name="TargetRealm">VANDELAY.LOCAL</Data>
<Data Name="Targetname">HTTP/win-h9qgd6bj2in.vandelay.local</Data>
<Data Name="ClientRealm">VANDELAY.LOCAL</Data>
<Binary />
</EventData>
</Event>
Http 流量
看起来 MSAL 代码成功要求 AAD 对此应用程序进行身份验证,它通过发现将响应发送回本地联合 ADFS 服务器。获取本地元数据后,MSAL 代码尝试 3 次从 windowstransport 终结点获取令牌。第一次尝试没有授权 header,第二次和第三次尝试有不同的授权(协商)headers 和编码数据,但它们都以 401.
失败
发布的请求如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:messageID>urn:uuid:42420a0c-3505-455f-914d-639c5685b43d</wsa:messageID>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To s:mustUnderstand="1">https://adfs.ad.vandelay.local/adfs/services/trust/2005/windowstransport</wsa:To>
</s:Header>
<s:Body>
<wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
序列如下所示:
您似乎在 DNS 中使用 CNAME 来解析 adfs 场名称 --> 您应该使用主机 A 记录
Kerberos 客户端在请求 Kerberos Service Ticket
之前首先将 Web 服务的名称解析为 A 记录
这可以解释您看到的 kerberos 错误
“Kerberos 客户端从服务器 fsgma$ 收到 KRB_AP_ERR_MODIFIED 错误。使用的目标名称是 HTTP/win-h9qgd6bj2in。vandelay.local。”
我有一个 AAD/AD 联合租户设置。显然 Azure 中的 AAD,本地 AD 是带有 VM 的实验室设置。我已经完成了 AADConnect 设置的一些排列,但我总是以同样的错误告终。查找它,它似乎通常与 SQLServer 相关联,但我认为这不适用于此处。我只是想使用 IWA 对此 AAD 联合应用程序进行身份验证,但无法逃脱此异常。
本地AD
Domain: vandelay.local
ADDS,ADFS,DNS: WIN-H9QGD6BJ2IN.vandelay.local
ADFS DNS: adfs.ad.vandelay.local
Alternate UPN: vandelay.firstresponse911.net
AAD Connect setup with Federation and Password Hash Sync
AAD
AADConnect 设置似乎很满意(见屏幕截图) 为应用程序添加了全局授予的管理员许可(不需要用户交互来授予权限) 与 AADConnect 同步的用户出现在具有 App 权限的门户中。
代码
// Signed into machine as steve.doe@vandelay.firstresponse911.net
static void Main(string[] args)
{
app = PublicClientApplicationBuilder.Create(CLIENT_ID)
.WithAuthority(AzureCloudInstance.AzurePublic, TENANT_ID, false)
.Build();
while (true)
{
var result = _retry.Execute((ctx) => GetToken2().GetAwaiter().GetResult(), new Context("acquireToken", new Dictionary<string, object>() { { "userId", "paul.seabury@vandelay.local" }, { "password", "AGF11nfn" } }));
Console.WriteLine($"IdTok: {ComputeSha256Hash(result.IdToken)}, Exp: {result.ExpiresOn}");
Thread.Sleep(1000 * 60 * 2);
}
}
private static Task<AuthenticationResult> GetToken2()
{
var upn = System.DirectoryServices.AccountManagement.UserPrincipal.Current;
var cachedResult = app.AcquireTokenByIntegratedWindowsAuth(scopes).WithUsername(upn.UserPrincipalName).ExecuteAsync().GetAwaiter().GetResult();
return Task.FromResult(cachedResult);
}
}
异常
Microsoft.Identity.Client.MsalClientException: 'The target principal name is incorrect.'
事件日志条目在同一台客户端计算机上附带:
The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server fsgma$. The target name used was HTTP/win-h9qgd6bj2in.vandelay.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (VANDELAY.LOCAL) is different from the client domain (VANDELAY.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="16384">4</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2020-10-30T15:24:32.660502800Z" />
<EventRecordID>3393</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>DESKTOP-BJ6P4H4.vandelay.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="Server">fsgma$</Data>
<Data Name="TargetRealm">VANDELAY.LOCAL</Data>
<Data Name="Targetname">HTTP/win-h9qgd6bj2in.vandelay.local</Data>
<Data Name="ClientRealm">VANDELAY.LOCAL</Data>
<Binary />
</EventData>
</Event>
Http 流量
看起来 MSAL 代码成功要求 AAD 对此应用程序进行身份验证,它通过发现将响应发送回本地联合 ADFS 服务器。获取本地元数据后,MSAL 代码尝试 3 次从 windowstransport 终结点获取令牌。第一次尝试没有授权 header,第二次和第三次尝试有不同的授权(协商)headers 和编码数据,但它们都以 401.
失败发布的请求如下所示:
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>
<wsa:messageID>urn:uuid:42420a0c-3505-455f-914d-639c5685b43d</wsa:messageID>
<wsa:ReplyTo>
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:To s:mustUnderstand="1">https://adfs.ad.vandelay.local/adfs/services/trust/2005/windowstransport</wsa:To>
</s:Header>
<s:Body>
<wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference>
<wsa:Address>urn:federation:MicrosoftOnline</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType>
<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
序列如下所示:
您似乎在 DNS 中使用 CNAME 来解析 adfs 场名称 --> 您应该使用主机 A 记录 Kerberos 客户端在请求 Kerberos Service Ticket
之前首先将 Web 服务的名称解析为 A 记录这可以解释您看到的 kerberos 错误
“Kerberos 客户端从服务器 fsgma$ 收到 KRB_AP_ERR_MODIFIED 错误。使用的目标名称是 HTTP/win-h9qgd6bj2in。vandelay.local。”