Hlavní název služby (SPN) není zaregistrovaný

Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor (UnitMonitor)

Knowledge Base article:

Souhrn

The SPN of the AD FS service account is not registered correctly in Active Directory Domain Services (AD DS). This monitor queries the SPN attribute of the AD FS service account from AD DS every 15 minutes and checks whether it is in the format "host/<Federation Service name>"

Příčiny

Účet služby, který je spojený se službou AD FS systému Windows byl změněn, ale nemůže pro nový účet služby najít název SPN zaregistrovaný ve službě AD DS.

Řešení

Ujistěte se, že název SPN pro účet služby je správně zaregistrovaný ve službě AD DS. Další informace jsou uvedeny v článku "Ruční konfigurace účtu služby pro farmu federačních serverů" v Příručce pro nasazení služby AD FS.

Element properties:

Target

Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer

Parent Monitor

System.Health.ConfigurationState

Category

AvailabilityHealth

Enabled

True

Alert Generate

True

Alert Severity

Warning

Alert Priority

Normal

Alert Auto Resolve

True

Monitor Type

Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType

Remotable

True

Accessibility

Public

Alert Message

Hlavní název služby (SPN) není zaregistrovaný

Hlavní název služby účtu služby AD FS není ve službě Active Directory správně zaregistrovaný.

RunAs

Default

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>

    <ScriptName>FederationServerSPNCheck.ps1</ScriptName>

    <ScriptBody><Script>

                        function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)

                        {

                        $splitacct = $domainUser.Split( '\' )

                        if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )

                        {

                        return

                        }

                        $domain.Value = $splitacct[ 0 ]

                        $user.Value = $splitacct[ 1 ]

                        }



                        Import-Module adfs



                        $scomapi = new-object -comObject "MOM.ScriptAPI"

                        $script:spnSet = $true

                        $script:account = ""

                        $script:expectedSpn = ""

                        $script:shouldContinue = $true



                        $serviceWMIObject = (get-wmiobject  -query "select * from win32_service where name='adfssrv'")

                        $script:account = $serviceWMIObject.StartName

                        $serviceRunning = $serviceWMIObject.Started



                        if ($serviceRunning)

                        {

                        &amp;{

                        $domainName = ""

                        $userName = ""

                        $domainDirEntry = $null

                        $dirCtx = $null



                        GetDomainUser  $script:account ([ref]$domainName) ([ref]$userName)

                        if ([String]::IsNullOrEmpty($domainName) -ne $true)

                        {

                        $adfsProperties = Get-ADFSProperties

                        $script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)



                        $temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

                        $dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)



                        &amp;{

                        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx  )

                        $domainDirEntry = $domain.GetDirectoryEntry()

                        }

                        Trap [System.Exception]

                        {

                        $script:shouldContinue = $false

                        #ignore

                        continue

                        }



                        if ($script:shouldContinue)

                        {

                        $propertiesToLoad = "servicePrincipalName"

                        $filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&amp;(sAMAccountName={0}))", $userName )

                        $src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )

                        $temp = $src.PropertiesToLoad.Add( $propertiesToLoad )

                        $src.Filter = $filter

                        $searchResult = $src.FindOne()

                        if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))

                        {

                        $script:spnSet = $false

                        }

                        else

                        {

                        $dirEntry = $searchResult.GetDirectoryEntry()

                        $script:spnSet = $false

                        if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )

                        {

                        foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )

                        {

                        if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )

                        {

                        $script:spnSet = $true

                        break

                        }

                        }

                        }

                        }

                        }

                        }

                        }

                        Trap [System.Exception]

                        {

                        #ignore

                        continue

                        }

                        }



                        $scompb = $scomapi.CreatePropertyBag()

                        $scompb.AddValue("SPNSet",  $script:spnSet )

                        $scompb.AddValue("Account",  $script:account )

                        $scompb.AddValue("ExpectedSPN",  $script:expectedSpn )

                        $scomapi.AddItem($scompb)

                        $scomapi.ReturnItems()

                    </Script></ScriptBody>

    <IntervalSeconds>900</IntervalSeconds>

    <TimeoutSeconds>180</TimeoutSeconds>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">false</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">true</Value>

        </ValueExpression>

      </SimpleExpression>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>