Federation Service 無法授權呼å«è€…代表信賴憑è‰è€…的主體發佈權æ–。
指定的呼å«è€…未ç²å¾—授權,無法代表æ¤ä¿¡è³´æ†‘è‰è€…的主體。
如需有關æ¤äº‹ä»¶ç‰¹å®šåŽŸå› 的詳細資訊,請åƒé–±å‘¼å«è€…身分è˜åˆ¥å’Œ OnBehalfOf 身分è˜åˆ¥ (如果有) 的事件 501 和事件 502 (兩者具有相åŒä¾‹é …è˜åˆ¥ç¢¼)。
一般而言,æ¤äº‹ä»¶å¯èƒ½è¡¨ç¤ºï¼Œæ¤ä¿¡è³´æ†‘è‰è€…信任之宣告原則ä¸çš„宣告授權è¦å‰‡æœªä¾éœ€è¦é€²è¡Œä½œæ¥ã€‚
使用 AD FS 嵌入å¼ç®¡ç†å–®å…ƒç¢ºå®šå‘¼å«è€…ç²å¾—授權å¯ä»£è¡¨ä¿¡è³´æ†‘è‰è€…的主體。
首先,請確èªæ¤ä¿¡è³´æ†‘è‰è€…信任的宣告授權è¦å‰‡å·²ä¾éœ€è¦è¨å®šã€‚如需詳細資訊,請åƒé–± 使用宣告授權è¦å‰‡çš„時機。
å¦‚æžœæ‚¨å¿…é ˆé‡å°æ¤ä¿¡è³´æ†‘è‰è€…信任更新模擬授權原則,å¯ä»¥ä½¿ç”¨ AD FS çš„ Windows PowerShell Cmdlet。明確的說,您å¯ä»¥æª¢è¦–模擬授權è¦å‰‡åŽŸå‰‡ä¸¦å°‡å…¶è¨å®šç‚º ImpersonationAuthorizationRules 內容的一部分。若è¦è®€å–æ¤å…§å®¹ï¼Œè«‹ä½¿ç”¨ Get-ADFSRelyingPartyTrust Cmdlet。若è¦ä¿®æ”¹æ¤å…§å®¹ï¼Œè«‹ä½¿ç”¨ Set-ADFSRelyingPartyTrust Cmdlet。
Target | Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance | ||
Category | ConfigurationHealth | ||
Enabled | False | ||
Event_ID | 323 | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | $Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$ |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceOnBehalfOfAuthorizationErrorRule" Enabled="false" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">323</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertName/>
<AlertDescription/>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices.2016.TokenIssuanceOnBehalfOfAuthorizationErrorRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[2]$</AlertParameter1>
<AlertParameter2>$Data/Params/Param[3]$</AlertParameter2>
<AlertParameter3>$Data/Params/Param[4]$</AlertParameter3>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[3]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[4]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>