Digest verification failed

Submitted by 醉酒当歌 on 2019-12-25 16:51:41

Question


I'm developing a .NET web application which uses ADFS to manage users and logins. On my personal development machine and on our testing environment everything works fine. However, after publishing the application to the target production server I'm getting the following exception:

[CryptographicException: Digest verification failed for Reference '#_ed85954d-e2b3-44a1-a455-f13b8eca5756'.]
   System.IdentityModel.Reference.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) +1124029
   System.IdentityModel.StandardSignedInfo.EnsureDigestValidityIfIdMatches(String id, Object resolvedXmlSource) +92
   System.IdentityModel.SignedXml.EnsureDigestValidity(String id, Object resolvedXmlSource) +33
   System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement() +240
   System.IdentityModel.EnvelopedSignatureReader.Read() +107
   System.Xml.XmlReader.ReadEndElement() +52
   System.IdentityModel.Tokens.SamlSecurityTokenHandler.ReadAssertion(XmlReader reader) +1106
   System.IdentityModel.Tokens.SamlSecurityTokenHandler.ReadToken(XmlReader reader) +57
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +114
   System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +351
   System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +387
   System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +103571
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

I've tried turning on WIF and WCF logging on the ADFS, but found nothing of interest in the logs.

I realize a very similar question has been created here, however my issue seems to be caused by something different as I'm not passing claims from a DB, only from the AD itself.

Another possibility is the one described in this article... but I'm not using ISA server. If something else is changing the reply, I don't know how to find it.

I'm a bit out of ideas. Can someone help me out?


Answer 1:


I guess the following recent XKCD comic is at least partially true:

On the second page of Google results I came upon this blog post. The solution, as it turned out, was to uncheck the Apply link translation option in TMG for the ADFS machine.

It's a bit strange that IFD configured CRM servers (which also relied on this ADFS) worked without a hitch...
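
The failure mode behind this fix, as an added example that is not part of the original question or answer: a proxy that rewrites a URL inside the signed assertion changes the bytes covered by the `ds:Reference` digest, so the relying party rejects the token. The token, the hostnames and the helper names are constructed for illustration, it is assumed the rewritten URL sits inside the assertion, and the standard library's C14N 2.0 stands in for the exclusive C14N that real ADFS tokens use.

```python
import base64, copy, hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"

def reference_digest(elem):
    # Enveloped-signature transform: hash the element without its ds:Signature child.
    # Assumption: stdlib C14N 2.0 is a stand-in for the exclusive C14N of real tokens.
    clone = copy.deepcopy(elem)
    clone.tail = None
    for sig in clone.findall(f"{{{DS}}}Signature"):
        clone.remove(sig)
    canon = ET.canonicalize(ET.tostring(clone, encoding="unicode"))
    return base64.b64encode(hashlib.sha256(canon.encode("utf-8")).digest()).decode()

def check_references(token_xml):
    """Return {reference_uri: digest_matches} for every ds:Reference in the token."""
    root = ET.fromstring(token_xml)
    by_id = {e.get("AssertionID") or e.get("ID"): e for e in root.iter()}
    results = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        target = by_id.get(uri.lstrip("#"))
        stated = ref.findtext(f"{{{DS}}}DigestValue")
        results[uri] = target is not None and reference_digest(target) == stated
    return results

def issue_constructed_token():
    # Constructed SAML 1.1-style sample; no SignatureValue is modelled, only the digest.
    xml = (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_sample-1">'
        '<saml:Conditions><saml:AudienceRestrictionCondition>'
        '<saml:Audience>http://app.internal.example/</saml:Audience>'
        '</saml:AudienceRestrictionCondition></saml:Conditions>'
        f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_sample-1">'
        '<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo></ds:Signature>'
        '</saml:Assertion>')
    return xml.replace("PLACEHOLDER", reference_digest(ET.fromstring(xml)))

def link_translate(token_xml):
    # Models a link-translating proxy rewriting an internal URL in the response body.
    return token_xml.replace("http://app.internal.example/", "https://app.public.example/")

def changed_values(issued_xml, received_xml):
    """List (tag, issued_text, received_text) for elements whose text changed in transit."""
    pairs = zip(ET.fromstring(issued_xml).iter(), ET.fromstring(received_xml).iter())
    return [(a.tag, a.text, b.text) for a, b in pairs if a.text != b.text]

if __name__ == "__main__":
    issued = issue_constructed_token(); received = link_translate(issued)
    print(check_references(issued), check_references(received), changed_values(issued, received))
```

Running `changed_values` on the token as captured at the ADFS server and as captured at the application is one way to find what an intermediary rewrote.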



Source: https://stackoverflow.com/questions/22009596/digest-verification-failed
