Hlavní název služby účtu služby AD FS není ve službě Active Directory Domain Services (AD DS) správně zaregistrovaný. Toto monitorování zadává dotazy na atribut SPN účtu služby AD FS ze služby AD DS každých 15 minut a kontroluje, jestli je ve formátu hostitel/<název služby FS (Federation Service)>.
Účet služby, který je spojený se službou AD FS systému Windows byl změněn, ale nemůže pro nový účet služby najít název SPN zaregistrovaný ve službě AD DS.
Ujistěte se, že název SPN pro účet služby je správně zaregistrovaný ve službě AD DS. Další informace jsou uvedeny v článku „Ruční konfigurace účtu služby pro farmu federačních serverů“ v Příručce pro nasazení služby AD FS.
Target | Microsoft.ActiveDirectoryFederationServices.2016.FederationServer | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.ActiveDirectoryFederationServices.2016.TwoStateScriptMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices.2016.TwoStateScriptMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2016.FederationServerSPNMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>
<ScriptName>FederationServerSPNCheck.ps1</ScriptName>
<ScriptBody>
function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)
{
$splitacct = $domainUser.Split( '\' )
if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )
{
return
}
$domain.Value = $splitacct[ 0 ]
$user.Value = $splitacct[ 1 ]
}
Import-Module adfs
$scomapi = new-object -comObject "MOM.ScriptAPI"
$script:spnSet = $true
$script:account = ""
$script:expectedSpn = ""
$script:shouldContinue = $true
$serviceWMIObject = (get-wmiobject -query "select * from win32_service where name='adfssrv'")
$script:account = $serviceWMIObject.StartName
$serviceRunning = $serviceWMIObject.Started
if ($serviceRunning)
{
&{
$domainName = ""
$userName = ""
$domainDirEntry = $null
$dirCtx = $null
GetDomainUser $script:account ([ref]$domainName) ([ref]$userName)
if ([String]::IsNullOrEmpty($domainName) -ne $true)
{
$adfsProperties = Get-ADFSProperties
$script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)
$temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
$dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)
&{
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx )
$domainDirEntry = $domain.GetDirectoryEntry()
}
Trap [System.Exception]
{
$script:shouldContinue = $false
#ignore
continue
}
if ($script:shouldContinue)
{
$propertiesToLoad = "servicePrincipalName"
$filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&(sAMAccountName={0}))", $userName )
$src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )
$temp = $src.PropertiesToLoad.Add( $propertiesToLoad )
$src.Filter = $filter
$searchResult = $src.FindOne()
if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))
{
$script:spnSet = $false
}
else
{
$dirEntry = $searchResult.GetDirectoryEntry()
$script:spnSet = $false
if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )
{
foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )
{
if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )
{
$script:spnSet = $true
break
}
}
}
}
}
}
}
Trap [System.Exception]
{
#ignore
continue
}
}
$scompb = $scomapi.CreatePropertyBag()
$scompb.AddValue("SPNSet", $script:spnSet )
$scompb.AddValue("Account", $script:account )
$scompb.AddValue("ExpectedSPN", $script:expectedSpn )
$scomapi.AddItem($scompb)
$scomapi.ReturnItems()
</ScriptBody>
<IntervalSeconds>900</IntervalSeconds>
<TimeoutSeconds>180</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">false</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">true</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>