Windows-Server-2012-R2

添加輔助 ADFS 伺服器時出現安全錯誤

  • August 2, 2019

我根據technet 上的指南創建了一個 ADFS 伺服器。但是,當嘗試在 technet 上使用本指南的後半部分添加輔助 ADFS 伺服器時,該過程會失敗。

PS > Import-Module ADFS
PS > $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
PS > Add-AdfsFarmNode `
>> -CertificateThumbprint:"REDACTED" `
>> -OverwriteConfiguration:$true `
>> -PrimaryComputerName:"awsfed01.ad.redacted.com" `
>> -ServiceAccountCredential:$serviceAccountCredential
>>
Add-AdfsFarmNode : MSIS7711: PolicyOperationFault
At line:1 char:1
+ Add-AdfsFarmNode `
+ ~~~~~~~~~~~~~~~~~~
   + CategoryInfo          : NotSpecified: (:) [Add-AdfsFarmNode], FaultException
   + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand


Message                                 Context                                                                  Status
-------                                 -------                                                                  ------
Unable to synchronize local database... DeploymentTask                                                            Error

現在,我嘗試每五分鐘配置一次的伺服器上的事件日誌中出現以下錯誤:

來源:AD FS,事件 ID 344

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

來源:AD FS,事件 ID 345:

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

Additional Data 

Master Name : awsfed01.ad.redacted.com 
Endpoint Uri : http://awsfed01.ad.redacted.com/adfs/services/policystoretransfer 
Exception details: 
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
  at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
  at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

每次輔助嘗試連接時,主 ADFS 伺服器的安全審核日誌都包含審核失敗,並提供以下詳細資訊:

An account failed to log on.

Subject:
   Security ID:        NULL SID
   Account Name:       -
   Account Domain:     -
   Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
   Security ID:        NULL SID
   Account Name:       msa-adfs$
   Account Domain:     RDC

Failure Information:
   Failure Reason:     An Error occured during Logon.
   Status:         0x80090302
   Sub Status:     0xC0000418

Process Information:
   Caller Process ID:  0x0
   Caller Process Name:    -

Network Information:
   Workstation Name:   AWSFED20
   Source Network Address: -
   Source Port:        -

Detailed Authentication Information:
   Logon Process:      NtLmSsp 
   Authentication Package: NTLM
   Transited Services: -
   Package Name (NTLM only):   -
   Key Length:     0

環境細節

  • 我正在使用帶有 ADFS 3.0 的 Windows Server 2012 R2

  • 我的域是ad.redacted.com(或RDC*)。此外,我將redacted.comredacted.co.uk*作為 UPN。

  • 我使用的是 WID 數據庫,而不是外部 SQL 伺服器。

  • 我為我的主要 ADFS 安裝使用手動創建的 gMSA 服務帳戶,名為RDC\msa-adfs$ - 並且在嘗試配置輔助 ADFS 伺服器時使用相同的帳戶。我根據網際網路上的各種來源將其 SPN 配置為以下內容:

    • 主機/adfs.ad.redacted.com
    • http/adfs
    • 主機/adfs.ad.redacted.com
    • http/adfs
  • 主 ADFS 伺服器的名稱是awsfed01.ad.redacted.com

  • 輔助 ADFS 伺服器 - 我正在嘗試配置 - 名稱是awsfed02.ad.redacted.com

  • adfs.ad.redacted.com的 DNS CNAME 記錄指向awsfed01.ad.redacted.com

  • 我使用了由外部 CA 簽名的 SSL 證書,主域為adfs.ad.redacted.com,並使用以下主題備用名稱:

    • adfs.ad.redacted.com
    • enterpriseregistration.ad.redacted.com
    • enterpriseregistration.redacted.com
    • enterpriseregistration.redacted.co.uk
  • 兩台 ADFS 伺服器都配置為啟用了 Windows 防火牆,但網路配置為允許它們之間的所有流量

我已經嘗試從空白伺服器多次配置它。每次,輔助 ADFS 伺服器都會以相同的方式失敗並顯示相同的錯誤消息。

更新:使用 PowerShell 重現

為了盡可能可靠地嘗試和重現這一點,我重新創建了我正在使用 PowerShell 所做的事情。

先決條件: * 域控制器awsdc01用於域ad.redacted.com aka *RDC*

  • 兩個聯合伺服器:awsfed10awsfed20在名為ADFS Servers的組中

在 awsdc01 上:

  New-ADServiceAccount -Name msa-adfs `
      -DNSHostName adfs.ad.redacted.com `
      -PrincipalsAllowedToRetrieveManagedPassword "ADFS Servers" 
      -ServicePrincipalNames "http/adfs.ad.redacted.com"

成功執行。

在 awsfed10 上:

  Install-WindowsFeature adfs-federation –IncludeManagementTools
  Add-WindowsFeature RSAT-AD-PowerShell

  $password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
  Import-PfxCertificate -FilePath C:\files\cert.pfx  cert:\localMachine\my -Password $password

  Import-Module ActiveDirectory
  Import-Module ADFS

  Install-ADServiceAccount msa-adfs
  Install-AdfsFarm -CertificateThumbprint:"XXX" -FederationServiceName:"adfs.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$
  Initialize-ADDeviceRegistration -ServiceAccountName RDC\msa-adfs$
  Enable-AdfsDeviceRegistration

全部執行成功。

在 awsfed20 上:

 Install-WindowsFeature adfs-federation –IncludeManagementTools
  Add-WindowsFeature RSAT-AD-PowerShell

  $password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
  Import-PfxCertificate -FilePath C:\files\cert.pfx  cert:\localMachine\my -Password $password

  Import-Module ActiveDirectory
  Import-Module ADFS

  Install-ADServiceAccount msa-adfs
  Install-AdfsFarm -CertificateThumbprint:"XXX" -PrimaryComputerName:"awsfed10.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$

失敗並出現與上述相同的錯誤。

必須使用基於 FederationServiceName 參數的主機 SPN(不是 http)來創建 GMSA。因此,如果您使用 adfs.ad.redacted.com,則 SPN 將為 host/adfs.ad.redacted.com。

您不應使用 CNAME 條目將 adfs.ad.redacted.com 指向單個伺服器。這將導致 Kerberos 身份驗證問題,如https://blogs.technet.microsoft.com/askds/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication/方案 2 中所述。

我假設您正在使用一些負載平衡。因此,adfs.ad.redacted.com 應解析為位於 AD FS 場節點前面的負載均衡器的虛擬 IP。

是否正在使用 NTLM 阻塞?因為它看起來如此。https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/有更多關於 NTLM 阻塞的細節.

現在只需使用 NTLM 審核(不要阻止)並在更正之前建議的配置後重試添加第二個節點。

如果您仍有問題,我建議向 Microsoft 提出支持案例。

引用自:https://serverfault.com/questions/808624