Home
  •  

SPN이 등록되지 않음

Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor (UnitMonitor)

Knowledge Base article:

요약

The SPN of the AD FS service account is not registered correctly in Active Directory Domain Services (AD DS). This monitor queries the SPN attribute of the AD FS service account from AD DS every 15 minutes and checks whether it is in the format "host/<Federation Service name>"

원인

AD FS Windows 서비스와 연관된 서비스 계정이 변경되었지만 AD FS가 새 서비스 계정에 대해 AD DS에서 등록된 SPN을 찾을 수 없습니다.

해결 방법

서비스 계정의 SPN이 AD DS에 올바르게 등록되어 있는지 확인하십시오. 자세한 내용은 AD FS 배포 가이드의 "페더레이션 서버 팜에 대해 서비스 계정을 수동으로 구성"을 참조하십시오.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices2012R2.FederationServer
Parent MonitorSystem.Health.ConfigurationState
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
SPN이 등록되지 않음
AD FS 서비스 계정의 SPN이 Active Directory에 올바르게 등록되어 있지 않습니다.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>

    <ScriptName>FederationServerSPNCheck.ps1</ScriptName>

    <ScriptBody><Script>

                        function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)

                        {

                        $splitacct = $domainUser.Split( '\' )

                        if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )

                        {

                        return

                        }

                        $domain.Value = $splitacct[ 0 ]

                        $user.Value = $splitacct[ 1 ]

                        }



                        Import-Module adfs



                        $scomapi = new-object -comObject "MOM.ScriptAPI"

                        $script:spnSet = $true

                        $script:account = ""

                        $script:expectedSpn = ""

                        $script:shouldContinue = $true



                        $serviceWMIObject = (get-wmiobject  -query "select * from win32_service where name='adfssrv'")

                        $script:account = $serviceWMIObject.StartName

                        $serviceRunning = $serviceWMIObject.Started



                        if ($serviceRunning)

                        {

                        &amp;{

                        $domainName = ""

                        $userName = ""

                        $domainDirEntry = $null

                        $dirCtx = $null



                        GetDomainUser  $script:account ([ref]$domainName) ([ref]$userName)

                        if ([String]::IsNullOrEmpty($domainName) -ne $true)

                        {

                        $adfsProperties = Get-ADFSProperties

                        $script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)



                        $temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

                        $dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)



                        &amp;{

                        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx  )

                        $domainDirEntry = $domain.GetDirectoryEntry()

                        }

                        Trap [System.Exception]

                        {

                        $script:shouldContinue = $false

                        #ignore

                        continue

                        }



                        if ($script:shouldContinue)

                        {

                        $propertiesToLoad = "servicePrincipalName"

                        $filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&amp;(sAMAccountName={0}))", $userName )

                        $src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )

                        $temp = $src.PropertiesToLoad.Add( $propertiesToLoad )

                        $src.Filter = $filter

                        $searchResult = $src.FindOne()

                        if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))

                        {

                        $script:spnSet = $false

                        }

                        else

                        {

                        $dirEntry = $searchResult.GetDirectoryEntry()

                        $script:spnSet = $false

                        if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )

                        {

                        foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )

                        {

                        if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )

                        {

                        $script:spnSet = $true

                        break

                        }

                        }

                        }

                        }

                        }

                        }

                        }

                        Trap [System.Exception]

                        {

                        #ignore

                        continue

                        }

                        }



                        $scompb = $scomapi.CreatePropertyBag()

                        $scompb.AddValue("SPNSet",  $script:spnSet )

                        $scompb.AddValue("Account",  $script:account )

                        $scompb.AddValue("ExpectedSPN",  $script:expectedSpn )

                        $scomapi.AddItem($scompb)

                        $scomapi.ReturnItems()

                    </Script></ScriptBody>

    <IntervalSeconds>900</IntervalSeconds>

    <TimeoutSeconds>180</TimeoutSeconds>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">false</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">true</Value>

        </ValueExpression>

      </SimpleExpression>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>