问题描述
我已按照 AD RMS 和 MIP SDK 教程进行操作,并已使用 AD RMS、ADFS 设置了环境
以下是我的代码片段:
var enginesettings = new FileEnginesettings("internal\\sysadmin",authDelegate,"","en-US");
enginesettings.Identity = new Identity("internal\\sysadmin");
enginesettings.ProtectionCloudEndpointBaseUrl = "https://adrms.server.com";
enginesettings.ProtectionOnlyEngine = true;
var fileEngine = Task.Run(async () => await fileProfile.AddEngineAsync(enginesettings)).Result;
...snip...
var fileHandlerResult = Task.Run(async () => await fileHandler.CommitAsync(protectedFilePath)).Result;
在 CommitAsync 行,用户被重定向到 ADFS 登录页面并登录 - 然后他们被重定向到“身份验证失败”页面,该页面显示:
Error details: error access_denied error_description: MSIS9622: Client authentication Failed. Please verify the credential provided for client authentication is valid.
是否需要对 MIP SDK 示例进行其他更改才能使其与 ADFS 配合使用?这是我的 AuthDelegateImplementation 的片段
public string Acquiretoken(Identity identity,string authority,string resource,string claims)
{
_app = PublicclientApplicationBuilder.Create(_appInfo.ApplicationId)
.WithAdfsAuthority("https://adfs.server.com/adfs/",false)
.WithRedirectUri("http://localhost:50069")
.Build();
var accounts = _app.GetAccountsAsync().GetAwaiter().GetResult();
// Append .default to the resource passed in to Acquiretoken().
string[] scopes = { resource[^1].Equals('/') ? $"{resource}.default" : $"{resource}/.default" };
var result = _app.AcquiretokenInteractive(scopes)
.WithAccount(accounts.FirstOrDefault())
.WithPrompt(Prompt.SelectAccount)
.ExecuteAsync()
.ConfigureAwait(false)
.GetAwaiter()
.GetResult();
return result.Accesstoken;
}
解决方法
我检查了我的 AD FS 事件查看器日志,发现该用户无权访问 api.rms.rest.com 信赖方信任 - 通过编辑访问控制策略以允许所有人进行修复。