The SPN of the AD FS service account is not registered correctly in Active Directory Domain Services (AD DS). This monitor queries the SPN attribute of the AD FS service account from AD DS every 15 minutes and checks whether it is in the format "host/<Federation Service name>"
AD FS Windows 서비스와 연관된 서비스 계정이 변경되었지만 AD FS가 새 서비스 계정에 대해 AD DS에서 등록된 SPN을 찾을 수 없습니다.
서비스 계정의 SPN이 AD DS에 올바르게 등록되어 있는지 확인하십시오. 자세한 내용은 AD FS 배포 가이드의 "페더레이션 서버 팜에 대해 서비스 계정을 수동으로 구성"을 참조하십시오.
Target | Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>
<ScriptName>FederationServerSPNCheck.ps1</ScriptName>
<ScriptBody>
function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)
{
$splitacct = $domainUser.Split( '\' )
if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )
{
return
}
$domain.Value = $splitacct[ 0 ]
$user.Value = $splitacct[ 1 ]
}
Import-Module adfs
$scomapi = new-object -comObject "MOM.ScriptAPI"
$script:spnSet = $true
$script:account = ""
$script:expectedSpn = ""
$script:shouldContinue = $true
$serviceWMIObject = (get-wmiobject -query "select * from win32_service where name='adfssrv'")
$script:account = $serviceWMIObject.StartName
$serviceRunning = $serviceWMIObject.Started
if ($serviceRunning)
{
&{
$domainName = ""
$userName = ""
$domainDirEntry = $null
$dirCtx = $null
GetDomainUser $script:account ([ref]$domainName) ([ref]$userName)
if ([String]::IsNullOrEmpty($domainName) -ne $true)
{
$adfsProperties = Get-ADFSProperties
$script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)
$temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
$dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)
&{
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx )
$domainDirEntry = $domain.GetDirectoryEntry()
}
Trap [System.Exception]
{
$script:shouldContinue = $false
#ignore
continue
}
if ($script:shouldContinue)
{
$propertiesToLoad = "servicePrincipalName"
$filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&(sAMAccountName={0}))", $userName )
$src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )
$temp = $src.PropertiesToLoad.Add( $propertiesToLoad )
$src.Filter = $filter
$searchResult = $src.FindOne()
if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))
{
$script:spnSet = $false
}
else
{
$dirEntry = $searchResult.GetDirectoryEntry()
$script:spnSet = $false
if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )
{
foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )
{
if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )
{
$script:spnSet = $true
break
}
}
}
}
}
}
}
Trap [System.Exception]
{
#ignore
continue
}
}
$scompb = $scomapi.CreatePropertyBag()
$scompb.AddValue("SPNSet", $script:spnSet )
$scompb.AddValue("Account", $script:account )
$scompb.AddValue("ExpectedSPN", $script:expectedSpn )
$scomapi.AddItem($scompb)
$scomapi.ReturnItems()
</ScriptBody>
<IntervalSeconds>900</IntervalSeconds>
<TimeoutSeconds>180</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">false</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">true</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>