Security error when adding a secondary ADFS server
I created an ADFS server following the guide on TechNet. But when I try to add a secondary ADFS server using the second half of that TechNet guide, the process fails:
PS > Import-Module ADFS
PS > $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
PS > Add-AdfsFarmNode `
>> -CertificateThumbprint:"REDACTED" `
>> -OverwriteConfiguration:$true `
>> -PrimaryComputerName:"awsfed01.ad.redacted.com" `
>> -ServiceAccountCredential:$serviceAccountCredential
>>
Add-AdfsFarmNode : MSIS7711: PolicyOperationFault
At line:1 char:1
+ Add-AdfsFarmNode `
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-AdfsFarmNode], FaultException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand

Message                                  Context         Status
-------                                  -------         ------
Unable to synchronize local database...  DeploymentTask  Error
Now the following errors appear every five minutes in the event log of the server I am trying to configure:
Source: AD FS, Event ID 344:
There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.
Source: AD FS, Event ID 345:
There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional Data
Master Name : awsfed01.ad.redacted.com
Endpoint Uri : http://awsfed01.ad.redacted.com/adfs/services/policystoretransfer

Exception details:
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
Every time the secondary tries to connect, the Security audit log on the primary ADFS server records an audit failure with the following details:
An account failed to log on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:           0x0

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       msa-adfs$
    Account Domain:     RDC

Failure Information:
    Failure Reason:     An Error occured during Logon.
    Status:             0x80090302
    Sub Status:         0xC0000418

Process Information:
    Caller Process ID:  0x0
    Caller Process Name: -

Network Information:
    Workstation Name:   AWSFED20
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      NtLmSsp
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0
Environment details
I am using Windows Server 2012 R2 with ADFS 3.0.
My domain is ad.redacted.com (or RDC). In addition, I have redacted.com and redacted.co.uk as UPNs.
I am using the WID database, not an external SQL server.
I am using a manually created gMSA service account named RDC\msa-adfs$ for my primary ADFS installation, and the same account when trying to configure the secondary ADFS server. Based on various sources on the Internet, I configured its SPNs as follows:
- host/adfs.ad.redacted.com
- http/adfs
- host/adfs.ad.redacted.com
- http/adfs
The primary ADFS server's name is awsfed01.ad.redacted.com.
The secondary ADFS server, which I am trying to configure, is named awsfed02.ad.redacted.com.
A DNS CNAME record for adfs.ad.redacted.com points to awsfed01.ad.redacted.com.
I am using an SSL certificate signed by an external CA, with adfs.ad.redacted.com as the primary name and the following subject alternative names:
- adfs.ad.redacted.com
- enterpriseregistration.ad.redacted.com
- enterpriseregistration.redacted.com
- enterpriseregistration.redacted.co.uk
Both ADFS servers are configured with the Windows Firewall enabled, but the network is configured to allow all traffic between them.
I have tried configuring it several times from a blank server. Each time, the secondary ADFS server fails in the same way with the same error message.
Update: reproducing with PowerShell
To reproduce this as reliably as possible, I recreated what I was doing using PowerShell.
Prerequisites:
- Domain controller awsdc01 for the domain ad.redacted.com, aka RDC
- Two federation servers, awsfed10 and awsfed20, in a group named ADFS Servers
On awsdc01:
New-ADServiceAccount -Name msa-adfs `
    -DNSHostName adfs.ad.redacted.com `
    -PrincipalsAllowedToRetrieveManagedPassword "ADFS Servers" `
    -ServicePrincipalNames "http/adfs.ad.redacted.com"
Runs successfully.
On awsfed10:
Install-WindowsFeature adfs-federation -IncludeManagementTools
Add-WindowsFeature RSAT-AD-PowerShell
$password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\files\cert.pfx cert:\localMachine\my -Password $password
Import-Module ActiveDirectory
Import-Module ADFS
Install-ADServiceAccount msa-adfs
Install-AdfsFarm -CertificateThumbprint:"XXX" -FederationServiceName:"adfs.ad.redacted.com" -GroupServiceAccountIdentifier 'RDC\msa-adfs$'
Initialize-ADDeviceRegistration -ServiceAccountName 'RDC\msa-adfs$'
Enable-AdfsDeviceRegistration
All run successfully.
On awsfed20:
Install-WindowsFeature adfs-federation -IncludeManagementTools
Add-WindowsFeature RSAT-AD-PowerShell
$password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\files\cert.pfx cert:\localMachine\my -Password $password
Import-Module ActiveDirectory
Import-Module ADFS
Install-ADServiceAccount msa-adfs
# Joining a secondary node uses Add-AdfsFarmNode (as in the transcript above); Install-AdfsFarm has no -PrimaryComputerName parameter
Add-AdfsFarmNode -CertificateThumbprint:"XXX" -PrimaryComputerName:"awsfed10.ad.redacted.com" -GroupServiceAccountIdentifier 'RDC\msa-adfs$'
Fails with the same error as above.
The gMSA must be created with a host SPN (not http) based on the FederationServiceName parameter. So if you use adfs.ad.redacted.com, the SPN will be host/adfs.ad.redacted.com.
You should not use a CNAME entry to point adfs.ad.redacted.com at a single server. This will cause Kerberos authentication problems, as described in scenario 2 of https://blogs.technet.microsoft.com/askds/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication/.
I assume you are using some load balancing. Therefore adfs.ad.redacted.com should resolve to the virtual IP of the load balancer in front of the AD FS farm nodes.
Is NTLM blocking in use? Because it looks like it. https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/ has more details on NTLM blocking.
For now, just use NTLM auditing (do not block) and retry adding the second node after correcting the configuration suggested earlier.
If you still have problems, I suggest opening a support case with Microsoft.
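The three checks the answer recommends (host SPN on the gMSA, no CNAME for the federation service name, NTLM restriction state), gathered into an added pre-flight script that is not part of the question or the answer. It assumes it runs on the primary federation server with the RSAT AD and DnsClient modules available, and that $FsName, $GmsaName and $PrimaryHost are set to the names from the question.

```powershell
# Added example: pre-flight checks before running Add-AdfsFarmNode on a secondary.
# $FsName, $GmsaName and $PrimaryHost are assumed placeholders taken from the question.
Import-Module ActiveDirectory
Import-Module DnsClient

$FsName      = 'adfs.ad.redacted.com'      # value passed as -FederationServiceName
$GmsaName    = 'msa-adfs'                  # gMSA the farm runs as
$PrimaryHost = 'awsfed01.ad.redacted.com'  # the primary node

# 1. The gMSA must carry host/<FederationServiceName>, not only http/ SPNs.
$gmsa     = Get-ADServiceAccount -Identity $GmsaName -Properties ServicePrincipalNames
$required = "host/$FsName"
if ($gmsa.ServicePrincipalNames -notcontains $required) {
    Write-Warning "gMSA $GmsaName lacks SPN $required. Registered: $($gmsa.ServicePrincipalNames -join ', ')"
    # Remediation, run as a domain admin (commented out so the script is read-only):
    # Set-ADServiceAccount -Identity $GmsaName -ServicePrincipalNames @{Add = $required}
}
# The same SPN on a second account (e.g. a computer object) also breaks Kerberos for that name.
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$required)" |
         Where-Object { $_.DistinguishedName -ne $gmsa.DistinguishedName }
if ($dupes) { Write-Warning "Duplicate SPN $required on: $($dupes.DistinguishedName -join '; ')" }

# 2. The federation service name should be an A record (load balancer VIP), not a CNAME to one node.
$cname = Resolve-DnsName -Name $FsName -ErrorAction Stop | Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    Write-Warning "$FsName is a CNAME to $($cname.NameHost); replace it with an A record"
    if ($cname.NameHost -ieq $PrimaryHost) { Write-Warning "...and it points at the primary node itself" }
}

# 3. NTLM restriction policy on this host. Any non-zero Restrict* value means some NTLM
#    traffic is denied; the answer asks for audit mode (Audit* values) while diagnosing.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
foreach ($name in 'RestrictReceivingNTLMTraffic', 'RestrictSendingNTLMTraffic', 'RestrictNTLMInDomain') {
    if ($msv.$name) { Write-Warning "$name = $($msv.$name): NTLM is restricted here; switch to auditing" }
}
foreach ($name in 'AuditReceivingNTLMTraffic', 'AuditNTLMInDomain') {
    if ($msv.$name) { Write-Output "$name = $($msv.$name) (auditing enabled)" }
}
# With auditing on, blocked/audited attempts from the secondary land in this operational log.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it again after fixing the SPN and DNS record; only when all three sections are silent is it worth retrying Add-AdfsFarmNode.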