從 ADFS 2.1 升級到 4.0 後出現 ADFS 錯誤
不知道有沒有人看到這個問題或者有什麼想法?
我們最近將 ADFS 從 W2008r2 上的 ADFS 2.1 遷移到 W2016 上的 ADFS 4.0。
基本功能看起來不錯,但我發現使用我的所有依賴方信任更新聯合元數據存在問題;嘗試右鍵點擊並選擇“從聯合元數據更新…”(或轉到屬性、監控、測試 URL)會出現以下錯誤:
"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".
相關的錯誤消息是
Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.
不需要代理伺服器,也沒有定義代理伺服器。我可以在 ADFS 伺服器上的 IE 中瀏覽到聯邦元數據 URL,並獲得預期的 XML 頁面。我檢查了證書是否正確定義,ADFS 服務帳戶是否具有對它們的讀取權限等。
在服務啟動或嘗試測試/更新元數據時,事件日誌中沒有錯誤消息。嘗試添加新的信賴方信任會產生相同的錯誤。
我已經執行了 ADFS 診斷程序,並且 test-adfsserverhealth 給出了一個我認為是關鍵的錯誤,但我不知道下一步該去哪裡。
Name : PingFederationMetadata Result : Fail Detail : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags) at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) --- End of inner exception stack trace --- at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size) at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest) at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult) at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx) at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state) at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result) at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size) at System.Net.ConnectStream.WriteHeaders(Boolean async) --- End of inner exception stack trace --- at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request) at System.Net.WebClient.DownloadData(Uri address) at CallSite.Target(Closure , CallSite , Object , Object ) Output : {PingFedmetadataException} ExceptionMessage :
在我發現兩個系統之間的 TLS 設置發生衝突之前,我也遇到了這個問題。託管元數據的伺服器設置為僅使用 TLS 1.2,而在 Windows Server 2016 上執行的 ADFS 伺服器設置為預設 TLS 設置。當我將 ADFS 伺服器更改為僅使用 TLS 1.2 時,問題得到了解決。