Active-Directory

從 ADFS 2.1 升級到 4.0 後出現 ADFS 錯誤

  • August 7, 2020

不知道有沒有人看到這個問題或者有什麼想法?

我們最近將 ADFS 從 W2008r2 上的 ADFS 2.1 遷移到 W2016 上的 ADFS 4.0。

基本功能看起來不錯,但我發現使用我的所有依賴方信任更新聯合元數據存在問題;嘗試右鍵點擊並選擇“從聯合元數據更新…”(或轉到屬性、監控、測試 URL)會出現以下錯誤:

"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".

相關的錯誤消息是

Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.

不需要代理伺服器,也沒有定義代理伺服器。我可以在 ADFS 伺服器上的 IE 中瀏覽到聯邦元數據 URL,並獲得預期的 XML 頁面。我檢查了證書是否正確定義,ADFS 服務帳戶是否具有對它們的讀取權限等。

在服務啟動或嘗試測試/更新元數據時,事件日誌中沒有錯誤消息。嘗試添加新的信賴方信任會產生相同的錯誤。

我已經執行了 ADFS 診斷程序,並且 test-adfsserverhealth 給出了一個我認為是關鍵的錯誤,但我不知道下一步該去哪裡。

Name             : PingFederationMetadata
Result           : Fail
Detail           : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a
                  send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing
                  connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An
                  existing connection was forcibly closed by the remote host
                     at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags
                  socketFlags)
                     at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                     --- End of inner exception stack trace ---
                     at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                     at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
                     at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest
                  asyncRequest)
                     at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer,
                  AsyncProtocolRequest asyncRequest)
                     at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                     at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
                  ContextCallback callback, Object state, Boolean preserveSyncCtx)
                     at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                  callback, Object state, Boolean preserveSyncCtx)
                     at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                  callback, Object state)
                     at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                     at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                     at System.Net.ConnectStream.WriteHeaders(Boolean async)
                     --- End of inner exception stack trace ---
                     at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
                     at System.Net.WebClient.DownloadData(Uri address)
                     at CallSite.Target(Closure , CallSite , Object , Object )
Output           : {PingFedmetadataException}
ExceptionMessage : 

看起來您在https://blogs.technet.microsoft.com/pie/2016/10/23/adfs-2016-cannot-addupdate-relying-party-from-the-gui-from-metadata-中遇到了問題文件/

在我發現兩個系統之間的 TLS 設置發生衝突之前,我也遇到了這個問題。託管元數據的伺服器設置為僅使用 TLS 1.2,而在 Windows Server 2016 上執行的 ADFS 伺服器設置為預設 TLS 設置。當我將 ADFS 伺服器更改為僅使用 TLS 1.2 時,問題得到了解決。

引用自:https://serverfault.com/questions/811167