当前位置: 首页>>技术解读>>正文


为Sharepoint 2013获得401/403高信任度应用程序

webfans 技术解读 , , , , , 去评论

问题描述

我有这台Cloudshare environment包含3台机器:

  • 一个用于Sharepoint 2013(这是我安装VS2012开发的地方)

  • 另一个用于SQL Server 2012

  • 另一个用于Active Directory

我正在尝试使用server-to-server协议为Sharepoint 2013创建一个基本的高信任度应用程序。

我跟着几个指南:

当我从VS运行项目(默认模板代码)并信任应用程序时,我在以下行中获得异常:

Uri hostWeb = new Uri(Request.QueryString["SPHostUrl"]);

using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
{
    clientContext.Load(clientContext.Web, web => web.Title);
    clientContext.ExecuteQuery(); // throws exception
    Response.Write(clientContext.Web.Title);
}

在Default.aspx.cs中

例外可以是以下任何一种:

The remote server returned an error: (403) Forbidden.

The remote server returned an error: (401) Unauthorized.

我已经尝试了几个没有运气的故障排除提示。我不是SP2013专家,所以任何帮助将不胜感激。

谢谢

UPDATE

以下是与请求相关的ULS日志条目:http://pastie.org/pastes/8395956/text

最佳解决方案

为简单起见,我将说明显而易见的!

user is not authenticated and resource requires authentication

这告诉我握手时发生了一些错误(你的证书没有被发送或者是错误的),因为它是一个微软产品,最好的地方是看看msdn。

说清楚请阅读:

The following step is optional. However, we recommend that you develop and test with HTTPS turned on. Turning off HTTPS might cause you as a developer to miss certain issues when building an app that would occur during a production deployment where HTTPS is required.

现在你看了笔记,看了你的问题!

OAuth now requires SharePoint to run HTTPS, not only for your service but also for SharePoint 2013. You’ll get a 403 (forbidden) message when attempting to make a call to SharePoint by using a test certificate.

On the computer where you have SharePoint 2013 installed, you can turn off the HTTPS requirement during development by using the following Windows PowerShell cmdlets.

这就是你的问题!在开发过程中绕过它:

这在powershell中用于测试/开发:

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $true
$serviceConfig.Update()

一旦完成返回它是如何!

$serviceConfig = Get-SPSecurityTokenServiceConfig
$serviceConfig.AllowOAuthOverHttp = $false
$serviceConfig.Update()

现在我还要注意:

In a high-trust app, there is no context token, even if you use the appredirect.aspx file. The context token is specific to configurations that use Windows Azure Access Control Service (ACS). However, an access token is still required. If you’re using a high-trust configuration, your web application has to authenticate the user in the same way that SharePoint 2013 does (that is, the app is responsible for creating the user portion of the access token).

你使用tokenhelper类来获取clientcontext吗?

        using (var clientContext = TokenHelper.GetS2SClientContextWithWindowsIdentity(hostWeb, Request.LogonUserIdentity))
        {
            clientContext.Load(clientContext.Web, web => web.Title);
            clientContext.ExecuteQuery();
            Response.Write(clientContext.Web.Title);
        }

你还想要做什么,因为你可能需要更多的权限取决于你做什么!

To access other properties, you may need to request permissions on the host web.

http://msdn.microsoft.com/en-us/library/fp179901.aspx

希望以上回答你的问题!你需要确保上面的内容正确完成才能正常工作!


如果这仍然是一个问题,而不是由vs2012发出的guid错误,当你按F5时自动发送,这是在web.config中设置的:

<add key="IssuerId" 

将guid从大写更改为小写:

从:

<add key="IssuerId" value="F2AE6B96-1FC0-43C6-B5D0-900117C491A4"/>

<add key="IssuerId" value="f2ae6b96-1fc0-43c6-b5d0-900117c491a4"/>

显然你的guid会与上面不同;)

还要注意您需要为每个应用程序提供唯一的证书!还要确保guid与使用Get-SPTrustedSecurityTokenIssuer的powershell guid相同,应该与web.config相同!

http://www.jamestsai.net/Blog/post/SharePoint-Provider-Hosted-App-401-Unauthorized-error-on-clientContextExecuteQuery().aspx

UPDATE

刚看了你的日志文件!

通过身份验证直接打破失败!你用什么方法? NTLM? kerbos?等…

这是了解如何设置服务器场和身份验证的基础知识!

现在,错误的外观可能会出现几个问题!我建议你仔细阅读下面的链接!我强烈建议您一旦阅读了链接,如果您的设置中的所有内容都正确无法运行New-SPTrustedSecurityTokenIssuer,则可以在页面底部的最后一个链接中找到此示例!这可能会解决令牌部分的问题以及两个服务器之间的正确握手(相互验证)。

1)由于不兼容的安全设置,令牌未被发送!

If you are using Windows claims mode for user authentication and the web application is configured to use only Kerberos authentication without falling back to NTLM as the authentication protocol, then app authentication does not work.

http://technet.microsoft.com/en-us/library/ee806870.aspx

和/或

2)你使用服务器到服务器auth,这是可能出错的地方!你的个人资料已经同步?

对于2013服务器到服务器,请确保组成员身份与User Profile Service应用程序同步。

If a user profile exists for a user and the relevant group memberships are not synchronized, access may be denied when the user is supposed to be granted access for a given resource. Therefore, make sure that group memberships are synchronized with the User Profile service application.

http://technet.microsoft.com/en-us/library/jj219806.aspx

现在这需要服务器到服务器设置才能工作!

Server-to-server authentication allows for servers that are capable of server-to-server authentication to access and request resources from one another on behalf of users. Therefore, the server that runs SharePoint Server 2013 and that services the incoming resource request must be able to complete two tasks:

To rehydrate a user’s identity, a server that can perform server-to-server authentication requests access to SharePoint resources. SharePoint Server 2013 takes the claims from the incoming security token and resolves it to a specific SharePoint user. By default, SharePoint Server 2013 uses the built-in User Profile service application to resolve the identity.

而上述结果是:

If a user profile and the relevant group memberships for the user are not synchronized, SharePoint Server 2013 may incorrectly deny access to a given resource. Therefore, make sure that group memberships are synchronized with the User Profile service application. For Windows claims, the User Profile service application imports the four key user attributes previously described and group memberships.

http://technet.microsoft.com/en-us/library/jj729797.aspx

point is是令牌并且身份验证无法正常工作,因为您的安装类型或配置设置错误!知道你做了什么将决定它出错的地方!显然看起来服务器到服务器auth被拒绝,因为令牌没有正确发送。

如果您认为身份验证协议正确,则可以在阅读上述链接后按照本指南操作:

http://technet.microsoft.com/en-us/library/jj655400.aspx

上面的链接解释并演示了特定senarios的服务器到服务器步骤

在两个服务器之间创建信任(在服务器到服务器主体之间创建信任。)

按照本指南!使用New-SPTrustedSecurityTokenIssuer

http://technet.microsoft.com/en-us/library/jj219695.aspx

抱歉长文和很多链接!作为服务器到服务器,日志是通用/设置我可以给你一个明确的答案!但我所知道的是两个服务器之间的握手是错误的,这意味着你已经错过了初始设置的一些东西!上面的链接应该有希望解决您的握手之间的问题,以传递正确的凭据,以正常工作!

次佳解决方案

我有类似的问题。我没有使用ClientContext或TokenHelper,而是切换到了新的SharePointContext,您可以在这里阅读:http://blogs.msdn.com/b/kaevans/archive/2013/09/24/introducing-sharepointcontext-for-provider-hosted-sharepoint-apps.aspx

一旦我进行了这个切换,我的401和403问题就消失了。新的SharePointContext使用底层TokenHelper,因此请确保您还拥有最新版本的TokenHelper文件。

参考资料

本文由朵颐IT整理自网络, 文章地址: https://duoyit.com/article/2668.html,转载请务必附带本地址声明。