Nov 07 2021 01:12 AM
Following the new oidc-1-0-authentication, I managed to configure OIDC authentication in SPSE with ADFS.
I then tried third-party OIDC authentication in SPSE with Keycloak, but it failed with the following errors:
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Monitoring nasq Medium Entering Monitored Scope (Request (POST:https://teamse1/_layouts/15/Authenticate.aspx?Source=%252F)). Parent=None
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Logging Correlation Data xmnv Medium Name=Request (POST:https://teamse1/_layouts/15/Authenticate.aspx?Source=%252F) 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwhz Medium SPRequestModule.BeginRequestHandler End, SP Build Version: '16.0.14326.20450' 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brd4 Medium SPContextCookie : Using full host domain for cookie. CookieName: 'nSGt'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brdr Medium SPCryptoContextCookie : Initial Secondary certificate is null and we did not receive a secondary certificate thumbprint. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brc8 Medium SPNonceCookie : The Identifier is set successfully. Identifier: '', NonceToSendToIdentityProvider: '2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A-CB0F14DA2F6FF1E6302B9120B3FDACE0CE6B228FA26DC9915A3264E4EEF4FA74'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication 9w647 Medium Using input cookie name. CookieName: 'nSGt-2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brbv Medium SPNonceCookie : Successfully read nonce cookie. Version: '0', Seed: '94DC58B58F1B35EFF01163B1124CC9539C338C80D3829F09', Identifier: '2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brc8 Medium SPNonceCookie : The Identifier is set successfully. Identifier: '2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A', NonceToSendToIdentityProvider: '2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A-CB0F14DA2F6FF1E6302B9120B3FDACE0CE6B228FA26DC9915A3264E4EEF4FA74'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication 9w647 Medium Using input cookie name. CookieName: 'nSGt-2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Authentication Authorization deffe Medium The browser does support SameSite at revision 3 of RFC6265. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Nonce Cookie 9brbj Medium SPNonceCookie : Deleted nonce cookie if present. Identifier: '2C4E2FE7F0728A63048D3F2F9AE63C6814916757CF55CC2A'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Security Token Handler 8p0r7 Medium Audience GUID matches trusted login provider default client identifier. Audience: 'new-sharepoint', provider Default Identifier: 'new-sharepoint', provider Uri: ''. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.07 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Topology aeayb Medium SecurityTokenServiceSendRequest: RemoteAddress: 'http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Security.IWSTrustChannelContract' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:8ed01142-6684-422a-8d99-6028560b88a0' 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Topology aeax9 Medium SecurityTokenServiceReceiveRequest: LocalAddress: 'http://spdev-se1.:32843/SecurityTokenServiceApplication/securitytoken.svc' Channel: 'System.ServiceModel.Channels.ServiceChannel' Action: 'http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue' MessageId: 'urn:uuid:8ed01142-6684-422a-8d99-6028560b88a0' 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Monitoring nasq Medium Entering Monitored Scope (ExecuteSecurityTokenServiceOperationServer). Parent=None 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Security Token Service 9w6kv Medium STS Call: Creating Claims Operations Scope for Applies To Uri: 'https://teamse1/'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Claims Authentication a6oo7 Medium Created claims operation context from uri. ContextUri: 'https://teamse1/', Source: 'SiteWithoutSiteSubscription'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Security Token Service 9w6k3 Medium Creating SPSecurityTokenRequestContextV2 object for security token service Issue request. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Security Token Service 9w6k0 Monitorable STS Call: Failed to issue new security token. Exception: 'System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature. 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateSignature(String token, TokenValidationParameters validationParameters) 在 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(SecurityToken token) 在 Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2..ctor(ClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPSecurityTokenRequestTypeV2 overrideRequestType) 在 Microsoft.SharePoint.IdentityModel.SPSecurityTokenServiceV2.Issue(ClaimsPrincipal principal, RequestSecurityToken request)'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.08 w3wp.exe (0x40E4) 0x33E4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope: (ExecuteSecurityTokenServiceOperationServer) 执行时间=3.7961; CPU Milliseconds=3; SQL 查询计数=0; Parent=None 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Security Token Service Caller btgia High SPSecurityContext: Request for security token failed with exception. Exception: 'System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Validate signature failure : no found matched security key for token signature. (错误详细信息等于 很可能由 IncludeExceptionDetailInFaults=true 创建的 ExceptionDetail,其值为: System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature. 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateSignature(String token, TokenValidationParameters validationParameters) 在 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(SecurityToken token) 在 Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2..ctor(ClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPSecurityTokenRequestTypeV2 overrideRequestType) ...)。'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication 8306 Critical An exception occurred when trying to issue security token: Validate signature failure : no found matched security key for token signature.. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication 9w636 Unexpected Claims Saml Sign-In: Could not get local token for trusted third party token. FaultException: 'System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Validate signature failure : no found matched security key for token signature. (错误详细信息等于 很可能由 IncludeExceptionDetailInFaults=true 创建的 ExceptionDetail,其值为: System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature. 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateSignature(String token, TokenValidationParameters validationParameters) 在 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(SecurityToken token) 在 Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2..ctor(ClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPSecurityTokenRequestTypeV2 overrideRequestType) ...)。'. Stack: ' 在 System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenFo... 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09* w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication 9w636 Unexpected ...rLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments)'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwhw Medium SPRequestModule.ErrorAppHandler Begin 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation General 8nca Medium Application error when access /_layouts/15/Authenticate.aspx, Error=Validate signature failure : no found matched security key for token signature. 在 System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs eventArgs) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnAuthenticateRequest(Object sender, EventArgs eventArgs) 在 System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 在 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) 在 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Runtime tkau Unexpected System.ServiceModel.FaultException`1[[System.ServiceModel.ExceptionDetail, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]: Validate signature failure : no found matched security key for token signature. 在 System.ServiceModel.Security.WSTrustChannel.ReadResponse(Message response) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) 在 System.ServiceModel.Security.WSTrustChannel.Issue(RequestSecurityToken rst) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo, SPRequestSecurityTokenProperties properties) 在 Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.ExchangeArgumentTrustedThirdPartySessionSecurityTokenForLocalToken(SecurityToken thirdPartyToken, SessionSecurityTokenCreatedEventArgs arguments) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs eventArgs) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) 在 System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) 在 Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModuleV2.OnAuthenticateRequest(Object sender, EventArgs eventArgs) 在 System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 在 System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step) 在 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously... 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09* w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Runtime tkau Unexpected ...) 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation General ajlz0 High Getting Error Message for Exception System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Validate signature failure : no found matched security key for token signature. (错误详细信息等于 很可能由 IncludeExceptionDetailInFaults=true 创建的 ExceptionDetail,其值为: System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature. 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateSignature(String token, TokenValidationParameters validationParameters) 在 System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateToken(String securityToken, TokenValidationParameters validationParameters, SecurityToken& validatedToken) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(String tokenString, TokenValidationParameters validationParameters, SecurityToken& token) 在 Microsoft.SharePoint.IdentityModel.SPOpenIDSecurityTokenHandlerV2.ValidateToken(SecurityToken token) 在 Microsoft.SharePoint.IdentityModel.SPSecurityTokenRequestContextV2..ctor(ClaimsIdentity identity, RequestSecurityToken request, Boolean initializeForActor, SPSecurityTokenRequestTypeV2 overrideRequestType) ...)。 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation General aat87 Monitorable 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Authentication Authorization agb9s Medium Non-OAuth request. IsAuthenticated=False, UserIdentityName=, ClaimsCount=0 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.09 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation General agxkz High calling GetCurrentGenericSetupPath for a versioned path: TEMPLATE\LAYOUTS 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Application Authentication 9s97c Medium SPApplicationAuthenticationModuleV2.IsBearerChallengeRequested: Return 'False'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Application Authentication 9s97n Medium The request isn't made to a page which allows NeverAuth to be specified in the query string 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Claims Authentication crpqx Medium STS setting for SuppressModernAuthForOfficeClients:'True'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Application Authentication 9s976 Medium IsClaimsTrustedAuthenticationOnly: 'False', IsOfficeClientIDCRLRequest: 'False', HasSPTrustedSecurityTokenIssuer: 'False', ForceIdcrlForOfficeClients: 'True'. 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwh5 Medium SPRequestModule.PreSendRequestHeaders End 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwhx Medium SPRequestModule.ErrorAppHandler End 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwia Medium SPRequestModule.PostLogRequestHandler Begin 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwib Medium SPRequestModule.PostLogRequestHandler End 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwic Medium SPRequestModule.EndRequestHandler Begin 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Micro Trace uls4 Medium Micro Trace Tags: 0 avwhy,0 nasq,0 avwhz,0 9brd4,0 9brdr,0 9brc8,0 9w647,0 9brbv,0 9brc8,0 9w647,0 deffe,0 9brbj,2 8p0r7,0 aeayb,11 btgia,0 9w636,0 avwhw,0 8nca,0 tkau,0 ajlz0,1 aat87,5 agb9s,0 agxkz,1 9s97c,0 9s97n,0 crpqx,0 9s976,0 avwh5,0 avwhx,0 avwia,0 avwib,0 avwic 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Runtime aoxsq Medium Sending HTTP response 200 for HTTP POST request 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Unified Audit bm7sm High SPRequestModule::CreatePageViewedAuditEntry: Required parameters not set properly,exiting creating PageViewed SPUnifiedAuditEntry 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope: (Request (POST:https://teamse1/_layouts/15/Authenticate.aspx?Source=%252F)) 执行时间=29.1365; CPU Milliseconds=18; SQL 查询计数=0; Parent=None 28bc00a0-1979-300a-3da4-d9c46cbf4124
11/07/2021 16:48:29.10 w3wp.exe (0x0C38) 0x4AB0 SharePoint Foundation Asp Runtime avwid Medium SPRequestModule.EndRequestHandler End 28bc00a0-1979-300a-3da4-d9c46cbf4124
Through browser F12 debugging, the authentication flow had successfully gone from Keycloak to SharePoint (_layouts/15/Authenticate.aspx?Source=%2F), and the id_token was successfully generated and could be verified through https://jwt.ms/
How do I integrate a third-party OIDC server with SPSE?
Nov 08 2021 08:43 PM
Hi @jinzhong he, this may be difficult to diagnose through a message board. Can you open a support case with Microsoft Support? They can then work with you to investigate the issue.
Nov 09 2021 12:08 AM - edited Nov 09 2021 12:14 AM
Hi @Troy Starr, this is just a POC environment, so we won't bother to do so.
It seems that the authentication flow failed at the last step, i.e. when posting back to /_layouts/15/Authenticate.aspx
The error was:
Claims Saml Sign-In: Could not get local token for trusted third party token. FaultException: 'System.ServiceModel.FaultException`1[System.ServiceModel.ExceptionDetail]: Validate signature failure : no found matched security key for token signature.
STS Call: Failed to issue new security token. Exception:
'System.IdentityModel.Tokens.SecurityTokenException: Validate signature failure : no found matched security key for token signature.
Nov 09 2021 11:10 PM
Nov 10 2021 06:58 AM
Hi @Steve Zhang,
The sample token has been sent to you.
Thank you for taking the trouble to help me spot the problem.
Nov 11 2021 05:21 AM
Nov 11 2021 10:33 PM
Nov 12 2021 12:24 AM
Jan 04 2022 02:01 AM
Hi,
We are running into a similar scenario.
@jinzhong he & @Steve Zhang: Did you get the full SharePoint SE / Keycloak integration working? What issues did you face, and what were the solutions?
Can you please share the installation step details?
That would be very helpful. Thanks.
Jan 04 2022 04:08 AM
@cangot We identified the problem with Jinzhong; we will have a fix soon.
I don't have the configuration steps at hand, but you can follow the doc we published (OpenID Connect 1.0 authentication - SharePoint Server | Microsoft Docs). It will be similar for a third-party OIDC IdP. I think Jinzhong was following that as well.
Jan 06 2022 01:52 AM
Jan 07 2022 12:14 PM
We're having this issue with Keycloak and Red Hat SSO (RH-SSO) as well when attempting to implement OIDC in SharePoint Subscription Edition.
We've found the cause of the issue. It is caused by an incomplete OIDC client implementation in SharePoint Subscription Edition. SharePoint is failing to perform the proper OIDC token validation steps for the ID and access tokens it receives, and instead depends on a manual one-time import of the signing certificate, with the administrator manually browsing to the JWKS URL to acquire the identity provider's signing certificate. This is supposed to be done dynamically by the OIDC client.
Notice this manual step in the official documentation that is required when initially configuring SharePoint OIDC (https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/oidc-1-0-authentication):
"Open jwks_uri (https://login.microsoftonline.com/common/discovery/keys), and save the x5c certificate string of the first key for later use in SharePoint setup (if the first key doesn’t work, try the second or third key)."
Then later in the documentation, the manually acquired cert is used to add a new SP Trusted Identity Token Issuer:
# Public key of the AAD OIDC signing certificate. Please replace <x5c cert string> with the encoded cert string which you get from x5c certificate string of the keys of jwks_uri from Step #1
$encodedCertStr = <x5c cert string>
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 @(,[System.Convert]::FromBase64String($encodedCertStr))
# Create a new SPTrustedIdentityTokenIssuer in SharePoint
New-SPTrustedIdentityTokenIssuer -Name "contoso.local" -Description "contoso.local" -ImportTrustCertificate $signingCert -ClaimsMappings $email -IdentifierClaim $email.InputClaimType -RegisteredIssuerName $registeredissuernameurl -AuthorizationEndPointUri $authendpointurl -SignOutUrl $signouturl -DefaultClientIdentifier $clientIdentifier
Notice the ambiguity of the documentation quote, which further highlights the root problem: "if the first key doesn't work, try the second or third key". This ambiguity makes clear that SharePoint is not able to dynamically look up the certificate to use from the JWKS URL the way OIDC specifies. The administrator performs the lookup manually during configuration. This precludes ever changing the identity provider's signing keys, as changing the signing key would require another manual import of the new signing certificate. Per the OIDC spec, changing signing keys is designed to be transparent and possible without breaking client applications.
The OIDC spec says the dynamic lookup of the certificate is done by the OIDC client using the 'kid' value in the ID or access token it receives: it is supposed to compare the kid value to the list of certificates provided by the identity provider at the JWKS URL to dynamically discover the x5c certificate to use for the validation. This step is entirely skipped by SharePoint Subscription Edition.
The only reason OIDC works at all in SharePoint Subscription Edition, and only when using ADFS or Azure AD, is these coincidental behaviors:
1. The signing cert is manually imported in advance by the administrator, by interactively visiting the JWKS URL of the identity provider and manually providing that certificate to the New-SPTrustedIdentityTokenIssuer PowerShell command. But even this manual step gives ambiguous results per the documentation ("if the first key doesn't work, try the second or third key"), as there may be multiple signing certificates in use by the IdP.
2. ADFS and Azure AD always use the x5t thumbprint of the signing certificate as the kid value (key id). This allows SharePoint to simply match the kid value from the ID or access token to the thumbprint of the certificate in SharePoint's local certificate trust storage, bypassing the proper OIDC spec, which states SharePoint should look up the certificate via the JWKS URL and match the results using the kid value in the access/ID token.
Even with the non-OIDC-compliant manual certificate import step, Keycloak still doesn't work with SharePoint. This further highlights SharePoint's OIDC logic deficiency: Keycloak uses a unique GUID for the kid instead of the x5t value (this is compliant behavior; the x5t value simply needs to be unique. ADFS and Azure AD always use x5t as the kid value, which is also compliant behavior, as the x5t value is a SHA-1 hash, which is generally unique). So even if you perform the manual JWKS certificate import when setting up Keycloak as the SharePoint OIDC identity provider, SharePoint is unable to match the 'kid' value from Keycloak to its local certificate store, as SharePoint only stores the SHA-1 thumbprint, not the kid value from the identity provider. SharePoint is making the incorrect assumption that the kid value is always the SHA-1 thumbprint of the signing certificate; this assumption is only valid for IdPs that use the SHA-1 thumbprint as the kid value, as is the case with ADFS and Azure AD.
In conclusion, point 1 is the real issue that needs to be fixed. SharePoint needs to follow the OIDC specification and dynamically query the JWKS URL to discover the certificates used by the identity provider, and then match the 'kid' value from the ID / access token to get the proper certificate to use for validation dynamically.
Alternatively, the issue can be mostly worked around by changing Keycloak to always use the SHA-1 thumbprint of the certificate as the "kid" value of OIDC tokens (this would have to be done in code; the kid format is not configurable in Keycloak runtime settings). But this would still require the non-standard manual import of the signing certificate into SharePoint. So this workaround still leaves the root problem unsolved, which is that SharePoint does not dynamically look up the JWKS URL and instead depends on a one-time manual administrator lookup and import of the signing cert from the JWKS URL of the identity provider. This workaround also precludes the ability to ever change the signing certificate without manually re-importing the certificate and re-configuring SharePoint from PowerShell. This workaround simply makes Keycloak behave like ADFS and Azure AD. If point 1 is fixed, then the workaround is no longer needed for Keycloak, as SharePoint will no longer make the assumption that the kid value always matches the cert thumbprint. It will be able to look up the validation certificate no matter what kid format is used by an IdP.
Jan 09 2022 08:28 PM - edited Jan 09 2022 08:55 PM
Hi @bdecamp
Thank you very much for the details about what you observed. In the manual configuration step, a certificate needs to be provided. In that flow, we currently support one certificate in that parameter set. We already have work in the backlog to improve the manual setup.
And for the problem of x5t kid vs GUID kid: as SharePoint can't afford to validate tokens by calling the JWKS URL frequently, we store the certificate locally from what the metadata endpoint provided. In the validation flow, we are not using the kid. We are using the stored certificate to validate the token, so it doesn't matter what the format of the kid is. But the requirement is that the certificate must currently be in x5c format. Could you please check if it works?
BTW, Jinzhong's problem is a different one. We have the fix and it will be published soon, hopefully in February.
Jan 10 2022 08:02 AM - edited Jan 10 2022 09:15 AM
"In the validate flow, we are not using kid." This doesn't make sense; the kid is required in order to look up the proper x5c cert to use for validation, either from a cached copy of the JWKS URL contents or from the JWKS URL directly. The kid in the token header is what's used to look up the correct x5c certificate to use to validate. It sounds like SharePoint is taking a shortcut and not correctly looking up the x5c cert to use, as I discussed in my post.
Either way, looking forward to an eventual fix for this critical issue. We have many OIDC applications deployed against ADFS and Keycloak. Only SharePoint has an issue when configured with Keycloak.
Please let us know what the issue is for Jinzhong, as we could use a workaround in the meantime.
For reference, below is the overview of how an OIDC client application is supposed to validate an incoming OIDC ID or access token. There is simply no way to follow the OIDC standard and have this statement be true: "In the validate flow, we are not using kid."
Take note of step 3, get the kid value; step 4, match it to the data from the JWKS (directly or cached); and step 5, get the x5c certificate for that specific kid (key id).
(from: https://auth0.com/blog/navigating-rs256-and-jwks/)
Here are the steps for validating the JWT:
Jan 11 2022 06:28 PM - edited Jan 16 2022 07:09 PM
Thank you very much bdecamp. We've put the kid work into the backlog and we will work on it with priority.
For Jinzhong's problem, the issue happens when the claims include special characters such as CR, LF, space, etc. The characters are wrongly treated. I just checked the release schedule; it may not make the Feb PU. It will be in the March PU. To work around this problem, you can check if you can remove these kinds of characters from the claims in the response. After the workaround, it should work, although we don't respect kid currently.
Jan 31 2022 08:59 PM
Feb 07 2022 10:40 PM
@Hasan Köroğlu and @bdecamp,
We are working on the fix for the kid. Due to the requirement of security strengthening, we can't immediately update the certificate cache when the kid doesn't match, because the user auth flow runs under normal user credentials.
Instead, we can run a timer job in the background to regularly refresh the certificate from the metadata endpoint. Admins can set when the timer job runs and at what frequency. Does that work for your scenario?
Thanks
Steve
Feb 07 2022 11:11 PM
Feb 08 2022 07:29 PM
Removing spaces should be done by the IdP.
For example,
{"alg":"RS256","typ":"JWT","kid":"xxx"}. This claim works.
{"alg":"RS256","typ" : "JWT","kid" : "xxx"}. This will cause "Validate signature failure" because there are extra spaces before and after ":".
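The key-selection problem bdecamp describes above and the header-spacing example just given, as one added Go example (standard library only; not SharePoint's, Keycloak's or any poster's code): ValidateByKid picks the signing certificate by matching the JWT header's kid against the IdP's JWKS, while ValidateByThumbprint models a single imported certificate that is accepted only when the kid equals its SHA-1 thumbprint (x5t), which is why an opaque Keycloak-style kid fails there; both decode the JOSE header as JSON, so "kid" : "xxx" with spaces is treated the same as "kid":"xxx". The IdP key, certificate, claims and kid values are constructed, and the JWKS is assumed already decoded from its x5c entries into certificates keyed by kid.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// x5t is the base64url SHA-1 thumbprint of a DER certificate (RFC 7515 "x5t").
func x5t(der []byte) string {
	sum := sha1.Sum(der)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// newIdP creates a throwaway (constructed) signing key with a self-signed certificate for it.
func newIdP() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signRS256 mints a compact JWT from a verbatim JOSE header (so header spacing variants
// can be tested) over a constructed claim set.
func signRS256(key *rsa.PrivateKey, rawHeader string) (string, error) {
	enc := base64.RawURLEncoding
	claims := `{"iss":"https://idp.example.test","aud":"new-sharepoint","sub":"alice"}`
	input := enc.EncodeToString([]byte(rawHeader)) + "." + enc.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// splitJWT decodes the still-unverified JOSE header as JSON (so `"kid" : "x"` and `"kid":"x"`
// are the same header), pins the algorithm, and returns the signing input and signature.
func splitJWT(token string) (hdr struct{ Alg, Kid string }, input string, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return hdr, "", nil, errors.New("malformed compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil {
		err = json.Unmarshal(raw, &hdr)
	}
	if err == nil {
		sig, err = base64.RawURLEncoding.DecodeString(parts[2])
	}
	if err == nil && hdr.Alg != "RS256" {
		err = errors.New("unexpected alg in header")
	}
	return hdr, parts[0] + "." + parts[1], sig, err
}

// ValidateByKid is the OIDC-conformant path: jwks is the IdP's jwks_uri document (live or
// cached) with each x5c entry already parsed into a certificate and indexed by its kid.
func ValidateByKid(token string, jwks map[string]*x509.Certificate) error {
	hdr, input, sig, err := splitJWT(token)
	if err != nil {
		return err
	}
	cert, ok := jwks[hdr.Kid]
	if !ok {
		return errors.New("no JWKS key with the token's kid")
	}
	// RS256 is PKCS#1 v1.5 over SHA-256, which is exactly what SHA256WithRSA checks here.
	return cert.CheckSignature(x509.SHA256WithRSA, []byte(input), sig)
}

// ValidateByThumbprint models the behaviour described in the thread: a single imported
// certificate, usable only when the header kid happens to equal its SHA-1 thumbprint.
func ValidateByThumbprint(token string, stored *x509.Certificate) error {
	hdr, input, sig, err := splitJWT(token)
	if err != nil {
		return err
	}
	if hdr.Kid != x5t(stored.Raw) {
		return errors.New("no found matched security key for token signature")
	}
	return stored.CheckSignature(x509.SHA256WithRSA, []byte(input), sig)
}
```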
Mar 08 2022 10:17 PM
Hi Steve,
The March CU has been released, but I couldn't see any solution for our problem. Can you share the roadmap for this issue with us?
Thanks.