Home
  •  

Erro: Chave de Certificado Privada Inacessível

Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCertPrivateKeyInaccessibleErrorMonitor (UnitMonitor)

Knowledge Base article:

Resumo

Este monitor indica que a conta de serviço que está associado ao serviço AD FS do Windows não tem permissão para a chave privada dos certificados de autenticação de tokens ou dos certificados de criptografia de token que estão configurados no banco de dados de configuração do AD FS.

Causas

A conta de serviço do AD FS não tem permissões para ler as chaves privadas dos certificados configurados.

Resoluções

Verifique se a conta de serviço do AD FS tem permissões de leitura das chaves privadas de certificado. Para obter mais informações, consulte a seção "Confirm that private keys for certificates are accessible by the AD FS service user account" (Confirmar se as chaves privadas dos certificados são acessíveis pela conta de usuário do serviço AD FS) no Guia de solução de problemas do AD FS.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices.2016.TokenIssuance
Parent MonitorSystem.Health.ConfigurationState
CategoryConfigurationHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.Windows.2SingleEventLog2StateMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
Erro: Chave de Certificado Privada Inacessível
A emissão de token falhou porque a conta de serviço que o serviço AD FS do Windows usa não tem permissão para a chave privada de seus certificados de assinatura de tokens e/ou seus certificados de descriptografia de token.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCertPrivateKeyInaccessibleErrorMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.2SingleEventLog2StateMonitorType" ConfirmDelivery="true">

  <Category>ConfigurationHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceCertPrivateKeyInaccessibleErrorMonitor_AlertMessageResourceID">

    <AlertOnState>Error</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Error</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="FirstEventRaised" MonitorTypeStateID="FirstEventRaised" HealthState="Error"/>

    <OperationalState ID="SecondEventRaised" MonitorTypeStateID="SecondEventRaised" HealthState="Success"/>

  </OperationalStates>

  <Configuration>

    <FirstComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</FirstComputerName>

    <FirstLogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</FirstLogName>

    <FirstExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">387</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <RegExExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>MatchesMOM2005RegularExpression</Operator>

            <Pattern>(^AD FS$)</Pattern>

          </RegExExpression>

        </Expression>

      </And>

    </FirstExpression>

    <SecondComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</SecondComputerName>

    <SecondLogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</SecondLogName>

    <SecondExpression>

      <And>

        <Expression>

          <SimpleExpression>

            <ValueExpression>

              <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

            </ValueExpression>

            <Operator>Equal</Operator>

            <ValueExpression>

              <Value Type="UnsignedInteger">388</Value>

            </ValueExpression>

          </SimpleExpression>

        </Expression>

        <Expression>

          <RegExExpression>

            <ValueExpression>

              <XPathQuery Type="String">PublisherName</XPathQuery>

            </ValueExpression>

            <Operator>MatchesMOM2005RegularExpression</Operator>

            <Pattern>(^AD FS$)</Pattern>

          </RegExExpression>

        </Expression>

      </And>

    </SecondExpression>

  </Configuration>

</UnitMonitor>