Identityserver4 - IIS da hosting

IIS-da IdentityServer4 bilan ASPNET CORE APP ni qanday joylashtirish mumkin. Ilovadagi dastur veb-dastur sifatida emas, balki mahalliyhost-dan yaxshi ishlaydi.

Misol uchun,

http://localhost:5000/connect/token is working but http://example.com/myauthapp/connect/token is not reachable - returning 500 - internal server error when tried from a console app using identity model or via postman. I am able to login to the app using web browser but not thru a console app or postman.

Boshqa muammolarni bartaraf qilish va men quyida topishingiz mumkin. Ishlamaydigan istisnolar yuz berdi: IDX10638: SignatureProvider yaratilmadi, "key.HasPrivateKey" noto'g'ri, imzolarni yaratib bo'lmaydi. Kalit: Microsoft.IdentityModel.Tokens.RsaSecurityKey. System.InvalidOperationException: IDX10638: SignatureProvider yaratilmadi, "key.HasPrivateKey" - noto'g'ri, imzolarni yaratib bo'lmaydi. Kalit: Microsoft.IdentityModel.Tokens.RsaSecurityKey.    Microsoft.IdentityModel.Tokens.AsimmetricSignatureProvider..ctor (XavfsizlikKey kalit, String algoritmi, BooleanCreateSignatures) da    Microsoft.IdentityModel.Tokens.CryptoProviderFactory.CreateSignatureProvider (SecurityKey kalitida, String algoritmi, Boolean willCreateSignatures) da    System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.CreateEncodedSignature da (string kiritishda, SigningCredentials signingCredentials da)    System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.WriteToken'da (SecurityToken Token)    IdentityServer4.Services.DefaultTokenCreationService.CreateJwtAsync da (JwtSecurityToken jwt)    IdentityServer4.Services.DefaultTokenCreationService.d__3.MoveNext() da --- Istisno qilingan joydan oldingi joylashuvning izining yakuni ---

Nima qilishim kerakligini maslahat bering.

2
foydalanuvchining jarayonning qanday ishlashini ko'rib chiqing, so'ngra o'sha foydalanuvchini avtomatik ravishda Windows foydalanuvchilari uchun maxsus kalit yaratish uchun ruxsat berish uchun tizimga kiring, quyidagi halim va tushuntirishni ko'ring
qo'shib qo'ydi muallif CodeCowboyOrg, manba
foydalanuvchining jarayonning qanday ishlashini ko'rib chiqing, so'ngra o'sha foydalanuvchini avtomatik ravishda Windows foydalanuvchilari uchun maxsus kalit yaratish uchun ruxsat berish uchun tizimga kiring, quyidagi halim va tushuntirishni ko'ring
qo'shib qo'ydi muallif CodeCowboyOrg, manba
foydalanuvchining jarayonning qanday ishlashini ko'rib chiqing, so'ngra o'sha foydalanuvchini avtomatik ravishda Windows foydalanuvchilari uchun maxsus kalit yaratish uchun ruxsat berish uchun tizimga kiring, quyidagi halim va tushuntirishni ko'ring
qo'shib qo'ydi muallif CodeCowboyOrg, manba
Hi @ Arun. Sinov serverimda (www) siz bilan bir xil muammo yuzaga kelgan. shuning uchun mahalliy kompyuterimda ingl. studiya buyrug'idan foydalangan holda "* .pfx" sertifikatini imzolagan va uni "AddSigningCredential" bilan identifikatsiyaga qo'shganman, va bu localhost-da yaxshi ishlaydi. Ammo test serverida (www) men hozirda hech qanday jurnallarsiz 500 xatoga yo'l qo'yaman. Saytingiz uchun * .pfx sertifikatini qanday yaratdingiz? (uni nusxalash men uchun ishlamagan yoki IIS yordamida pfx yaratish)
qo'shib qo'ydi muallif David Smit, manba
Hi @ Arun. Sinov serverimda (www) siz bilan bir xil muammo yuzaga kelgan. shuning uchun mahalliy kompyuterimda ingl. studiya buyrug'idan foydalangan holda "* .pfx" sertifikatini imzolagan va uni "AddSigningCredential" bilan identifikatsiyaga qo'shganman, va bu localhost-da yaxshi ishlaydi. Ammo test serverida (www) men hozirda hech qanday jurnallarsiz 500 xatoga yo'l qo'yaman. Saytingiz uchun * .pfx sertifikatini qanday yaratdingiz? (uni nusxalash men uchun ishlamagan yoki IIS yordamida pfx yaratish)
qo'shib qo'ydi muallif David Smit, manba
Hi @ Arun. Sinov serverimda (www) siz bilan bir xil muammo yuzaga kelgan. shuning uchun mahalliy kompyuterimda ingl. studiya buyrug'idan foydalangan holda "* .pfx" sertifikatini imzolagan va uni "AddSigningCredential" bilan identifikatsiyaga qo'shganman, va bu localhost-da yaxshi ishlaydi. Ammo test serverida (www) men hozirda hech qanday jurnallarsiz 500 xatoga yo'l qo'yaman. Saytingiz uchun * .pfx sertifikatini qanday yaratdingiz? (uni nusxalash men uchun ishlamagan yoki IIS yordamida pfx yaratish)
qo'shib qo'ydi muallif David Smit, manba
Serverda X509Certificate o'rnatilgandan keyin hammasi yaxshi ishlaydi. Quyidagi maqola uchun rahmat Jeffrey T. Fritz menga yordam berish uchun blogs.msdn.microsoft.com/webdev/2016/10/27/…
qo'shib qo'ydi muallif Arun, manba
Serverda X509Certificate o'rnatilgandan keyin hammasi yaxshi ishlaydi. Quyidagi maqola uchun rahmat Jeffrey T. Fritz menga yordam berish uchun blogs.msdn.microsoft.com/webdev/2016/10/27/…
qo'shib qo'ydi muallif Arun, manba
Serverda X509Certificate o'rnatilgandan keyin hammasi yaxshi ishlaydi. Quyidagi maqola uchun rahmat Jeffrey T. Fritz menga yordam berish uchun blogs.msdn.microsoft.com/webdev/2016/10/27/…
qo'shib qo'ydi muallif Arun, manba

6 javoblar

Arun o'zining fikricha, sertifikat serverga o'rnatilishi kerak.

1. Buni birinchi marta localhost-da sinab ko'rish uchun "AddTemporarySigningCredential" emas, "AddSigningCredential" dan foydalanayotganingizga ishonch hosil qiling.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2(Path.Combine(_environment.ContentRootPath, "certs", "IdentityServer4Auth.pfx")));
                    //.AddTemporarySigningCredential()
 ;
  1. Vizual studiya buyrug'ida ishlaydigan sertifikat (crets papkasini yaratib) yarating:

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ makecert" -n   "CN = IdentityServer4Auth" - sha256 -sv IdentityServer4Auth.pvk -r   IdentityServer4Auth.cer -b 01/01/2017 -e 01/01/2025

     

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ pvk2pfx" -pvk IdentityServer4Auth.pvk   -spc IdentityServer4Auth.cer -pfx IdentityServer4Auth.pfx

  1. Test on localhost

  2. If successful, deploy to iis server , install the certificate on the server by double clicking on it, and test.

  3. Make sure the application pool "load user profile" is set to true :

    • Go to IIS Manager
    • Go to the application pool instance
    • Click advanced settings
    • Under Process model, set Load User Profile to true
  4. Restart IIS

  5. If this fails with a 500, like with me (and there is no logs to help you out), try this. To fix this recreate the certificate on the server the same way as in step 2 in the certs folder . double click the cert to install. You might have to install the developer kit if you dont have visual studio installed: https://developer.microsoft.com/en-us/windows/downloads/windows-8-1-sdk

3
qo'shib qo'ydi
Rahmat @DavidSmit, men ta'qib qildim: - "foydalanuvchi profilini yuklash" dastur havuzunun rostga o'rnatilganligiga ishonch hosil qiling: IIS menejeriga o'tish Ilova havosining misoliga o'tish Kengaytirilgan sozlamalarga o'tish Jarayon modeli ostida, Foydalanuvchining profili-ni to'g'ri deb o'rnating IIS
qo'shib qo'ydi muallif Jehangir Haider, manba

Arun o'zining fikricha, sertifikat serverga o'rnatilishi kerak.

1. Buni birinchi marta localhost-da sinab ko'rish uchun "AddTemporarySigningCredential" emas, "AddSigningCredential" dan foydalanayotganingizga ishonch hosil qiling.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2(Path.Combine(_environment.ContentRootPath, "certs", "IdentityServer4Auth.pfx")));
                    //.AddTemporarySigningCredential()
 ;
  1. Vizual studiya buyrug'ida ishlaydigan sertifikat (crets papkasini yaratib) yarating:

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ makecert" -n   "CN = IdentityServer4Auth" - sha256 -sv IdentityServer4Auth.pvk -r   IdentityServer4Auth.cer -b 01/01/2017 -e 01/01/2025

     

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ pvk2pfx" -pvk IdentityServer4Auth.pvk   -spc IdentityServer4Auth.cer -pfx IdentityServer4Auth.pfx

  1. Test on localhost

  2. If successful, deploy to iis server , install the certificate on the server by double clicking on it, and test.

  3. Make sure the application pool "load user profile" is set to true :

    • Go to IIS Manager
    • Go to the application pool instance
    • Click advanced settings
    • Under Process model, set Load User Profile to true
  4. Restart IIS

  5. If this fails with a 500, like with me (and there is no logs to help you out), try this. To fix this recreate the certificate on the server the same way as in step 2 in the certs folder . double click the cert to install. You might have to install the developer kit if you dont have visual studio installed: https://developer.microsoft.com/en-us/windows/downloads/windows-8-1-sdk

3
qo'shib qo'ydi
Rahmat @DavidSmit, men ta'qib qildim: - "foydalanuvchi profilini yuklash" dastur havuzunun rostga o'rnatilganligiga ishonch hosil qiling: IIS menejeriga o'tish Ilova havosining misoliga o'tish Kengaytirilgan sozlamalarga o'tish Jarayon modeli ostida, Foydalanuvchining profili-ni to'g'ri deb o'rnating IIS
qo'shib qo'ydi muallif Jehangir Haider, manba

Arun o'zining fikricha, sertifikat serverga o'rnatilishi kerak.

1. Buni birinchi marta localhost-da sinab ko'rish uchun "AddTemporarySigningCredential" emas, "AddSigningCredential" dan foydalanayotganingizga ishonch hosil qiling.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2(Path.Combine(_environment.ContentRootPath, "certs", "IdentityServer4Auth.pfx")));
                    //.AddTemporarySigningCredential()
 ;
  1. Vizual studiya buyrug'ida ishlaydigan sertifikat (crets papkasini yaratib) yarating:

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ makecert" -n   "CN = IdentityServer4Auth" - sha256 -sv IdentityServer4Auth.pvk -r   IdentityServer4Auth.cer -b 01/01/2017 -e 01/01/2025

     

"C: \ Program Files (x86) \ Windows to'plamlari \ 8.1 \ bin \ x64 \ pvk2pfx" -pvk IdentityServer4Auth.pvk   -spc IdentityServer4Auth.cer -pfx IdentityServer4Auth.pfx

  1. Test on localhost

  2. If successful, deploy to iis server , install the certificate on the server by double clicking on it, and test.

  3. Make sure the application pool "load user profile" is set to true :

    • Go to IIS Manager
    • Go to the application pool instance
    • Click advanced settings
    • Under Process model, set Load User Profile to true
  4. Restart IIS

  5. If this fails with a 500, like with me (and there is no logs to help you out), try this. To fix this recreate the certificate on the server the same way as in step 2 in the certs folder . double click the cert to install. You might have to install the developer kit if you dont have visual studio installed: https://developer.microsoft.com/en-us/windows/downloads/windows-8-1-sdk

3
qo'shib qo'ydi
Rahmat @DavidSmit, men ta'qib qildim: - "foydalanuvchi profilini yuklash" dastur havuzunun rostga o'rnatilganligiga ishonch hosil qiling: IIS menejeriga o'tish Ilova havosining misoliga o'tish Kengaytirilgan sozlamalarga o'tish Jarayon modeli ostida, Foydalanuvchining profili-ni to'g'ri deb o'rnating IIS
qo'shib qo'ydi muallif Jehangir Haider, manba

Birinchidan, mahalliy taraqqiyot kompyuteri ustida ishlaydigan va QS yoki ishlab chiqarish muhitida IIS ostida ishlamaydigan bir oz fon. Identity Server 4 xizmatini shu kabi qo'shganda, Vaqtinchalik imzo sertifikatidan foydalanayotgan bo'lsangiz,

services.AddIdentityServer().AddTemporarySigningCredential();

So'ngra "Vaqtinchalik sertifikat" yaratish uchun ID4 uchun maxsus kalit mavjud bo'lganidek, " Process " ning " Foydalanuvchi bilan " ishlashiga ishonchingiz komil bo'lishi kerak. Shuning uchun xato xabari bor

SignatureProvider, key.HasPrivateKey '- noto'g'ri yaratolmaydi   imzolar. Kalit: Microsoft.IdentityModel.Tokens.RsaSecurityKey.

enter image description here

Windowsda ushbu maxsus kaliti avtomatik ravishda Windows tomonidan ishlab chiqariladi va foydalanuvchining % APPDATA% \ Microsoft \ Crypto \ RSA papkasida yoki C: \ Users \ Username \ AppData \ Roaming \ Microsoft \ Crypto \ RSA -ni tanlang. Ushbu maxsus kalitning etishmayotganligining sababi, ehtimol, sizning Process (Process) ishlayotgan foydalanuvchi bu kompyuterga hech qachon kirmaganligi sababli bo'lishi mumkin.

Bunday holatda ehtimoliy echim bu Serverda Jurnalni bajaradigan foydalanuvchi sifatida bir marta kirish. IIS ichidagi Ilovalar pulining juda yuqori imtiyozlarga ega bo'lgan "xizmat ko'rsatilmaydigan" foydalanuvchi sifatida ishlayotgan va foydalanuvchining hech qachon Serverning o'zi tomonidan interaktiv tarzda tizimga kiritilmagan bo'lsa, Private Key katalogi to'liq etishmayapti. Bundan tashqari, ishlab chiqarish kompyuterida ishlaydigan yoki "QA Server" da ishlamayotgan bo'lsa, nima uchun " localhost " ishlash kompyuteringizda ishlaydi.

Windows-ning shaxsiy kalitni qanday qilib va ​​qaerda yaratganligi haqida batafsil ma'lumotni ushbu havola orqali topishingiz mumkin. Shuningdek, Devid Smith tomonidan Vaqtinchalik hisobga olish ma'lumotlarini ishlatish o'rniga Maxsus Kalit faylini aniq ko'rsatish uchun tavsiya etilgan. Kodni o'zgartirishga ruxsat berilsa, bu toza echim.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2("C:\Certs\IdentityServer4PrivateKeyFile.pfx")));
1
qo'shib qo'ydi

Birinchidan, mahalliy taraqqiyot kompyuteri ustida ishlaydigan va QS yoki ishlab chiqarish muhitida IIS ostida ishlamaydigan bir oz fon. Identity Server 4 xizmatini shu kabi qo'shganda, Vaqtinchalik imzo sertifikatidan foydalanayotgan bo'lsangiz,

services.AddIdentityServer().AddTemporarySigningCredential();

So'ngra "Vaqtinchalik sertifikat" yaratish uchun ID4 uchun maxsus kalit mavjud bo'lganidek, " Process " ning " Foydalanuvchi bilan " ishlashiga ishonchingiz komil bo'lishi kerak. Shuning uchun xato xabari bor

SignatureProvider, key.HasPrivateKey '- noto'g'ri yaratolmaydi   imzolar. Kalit: Microsoft.IdentityModel.Tokens.RsaSecurityKey.

enter image description here

Windowsda ushbu maxsus kaliti avtomatik ravishda Windows tomonidan ishlab chiqariladi va foydalanuvchining % APPDATA% \ Microsoft \ Crypto \ RSA papkasida yoki C: \ Users \ Username \ AppData \ Roaming \ Microsoft \ Crypto \ RSA -ni tanlang. Ushbu maxsus kalitning etishmayotganligining sababi, ehtimol, sizning Process (Process) ishlayotgan foydalanuvchi bu kompyuterga hech qachon kirmaganligi sababli bo'lishi mumkin.

Bunday holatda ehtimoliy echim bu Serverda Jurnalni bajaradigan foydalanuvchi sifatida bir marta kirish. IIS ichidagi Ilovalar pulining juda yuqori imtiyozlarga ega bo'lgan "xizmat ko'rsatilmaydigan" foydalanuvchi sifatida ishlayotgan va foydalanuvchining hech qachon Serverning o'zi tomonidan interaktiv tarzda tizimga kiritilmagan bo'lsa, Private Key katalogi to'liq etishmayapti. Bundan tashqari, ishlab chiqarish kompyuterida ishlaydigan yoki "QA Server" da ishlamayotgan bo'lsa, nima uchun " localhost " ishlash kompyuteringizda ishlaydi.

Windows-ning shaxsiy kalitni qanday qilib va ​​qaerda yaratganligi haqida batafsil ma'lumotni ushbu havola orqali topishingiz mumkin. Shuningdek, Devid Smith tomonidan Vaqtinchalik hisobga olish ma'lumotlarini ishlatish o'rniga Maxsus Kalit faylini aniq ko'rsatish uchun tavsiya etilgan. Kodni o'zgartirishga ruxsat berilsa, bu toza echim.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2("C:\Certs\IdentityServer4PrivateKeyFile.pfx")));
1
qo'shib qo'ydi

Birinchidan, mahalliy taraqqiyot kompyuteri ustida ishlaydigan va QS yoki ishlab chiqarish muhitida IIS ostida ishlamaydigan bir oz fon. Identity Server 4 xizmatini shu kabi qo'shganda, Vaqtinchalik imzo sertifikatidan foydalanayotgan bo'lsangiz,

services.AddIdentityServer().AddTemporarySigningCredential();

So'ngra "Vaqtinchalik sertifikat" yaratish uchun ID4 uchun maxsus kalit mavjud bo'lganidek, " Process " ning " Foydalanuvchi bilan " ishlashiga ishonchingiz komil bo'lishi kerak. Shuning uchun xato xabari bor

SignatureProvider, key.HasPrivateKey '- noto'g'ri yaratolmaydi   imzolar. Kalit: Microsoft.IdentityModel.Tokens.RsaSecurityKey.

enter image description here

Windowsda ushbu maxsus kaliti avtomatik ravishda Windows tomonidan ishlab chiqariladi va foydalanuvchining % APPDATA% \ Microsoft \ Crypto \ RSA papkasida yoki C: \ Users \ Username \ AppData \ Roaming \ Microsoft \ Crypto \ RSA -ni tanlang. Ushbu maxsus kalitning etishmayotganligining sababi, ehtimol, sizning Process (Process) ishlayotgan foydalanuvchi bu kompyuterga hech qachon kirmaganligi sababli bo'lishi mumkin.

Bunday holatda ehtimoliy echim bu Serverda Jurnalni bajaradigan foydalanuvchi sifatida bir marta kirish. IIS ichidagi Ilovalar pulining juda yuqori imtiyozlarga ega bo'lgan "xizmat ko'rsatilmaydigan" foydalanuvchi sifatida ishlayotgan va foydalanuvchining hech qachon Serverning o'zi tomonidan interaktiv tarzda tizimga kiritilmagan bo'lsa, Private Key katalogi to'liq etishmayapti. Bundan tashqari, ishlab chiqarish kompyuterida ishlaydigan yoki "QA Server" da ishlamayotgan bo'lsa, nima uchun " localhost " ishlash kompyuteringizda ishlaydi.

Windows-ning shaxsiy kalitni qanday qilib va ​​qaerda yaratganligi haqida batafsil ma'lumotni ushbu havola orqali topishingiz mumkin. Shuningdek, Devid Smith tomonidan Vaqtinchalik hisobga olish ma'lumotlarini ishlatish o'rniga Maxsus Kalit faylini aniq ko'rsatish uchun tavsiya etilgan. Kodni o'zgartirishga ruxsat berilsa, bu toza echim.

services.AddIdentityServer()
                    .AddSigningCredential(new X509Certificate2("C:\Certs\IdentityServer4PrivateKeyFile.pfx")));
1
qo'shib qo'ydi