Home
  •  

Имя субъекта-службы не зарегистрировано

Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor (UnitMonitor)

Knowledge Base article:

Сводка

The SPN of the AD FS service account is not registered correctly in Active Directory Domain Services (AD DS). This monitor queries the SPN attribute of the AD FS service account from AD DS every 15 minutes and checks whether it is in the format "host/<Federation Service name>"

Причины

Учетная запись службы, связанная со службами службы федерации Active Directory Windows, была изменена, но службы федерации Active Directory не могут найти зарегистрированное имя субъекта-службы в AD DS для новой учетной записи службы.

Решения

Убедитесь, что имя субъекта-службы для учетной записи службы правильно зарегистрировано в AD DS. Дополнительные сведения см. в разделе "Настройка учетной записи службы для фермы серверов федерации вручную" Руководства по развертыванию служб федерации Active Directory.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices2012R2.FederationServer
Parent MonitorSystem.Health.ConfigurationState
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
Имя субъекта-службы не зарегистрировано
Имя субъекта-службы учетной записи службы федерации Active Directory неправильно зарегистрировано в службе каталогов Active Directory.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>

    <ScriptName>FederationServerSPNCheck.ps1</ScriptName>

    <ScriptBody><Script>

                        function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)

                        {

                        $splitacct = $domainUser.Split( '\' )

                        if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )

                        {

                        return

                        }

                        $domain.Value = $splitacct[ 0 ]

                        $user.Value = $splitacct[ 1 ]

                        }



                        Import-Module adfs



                        $scomapi = new-object -comObject "MOM.ScriptAPI"

                        $script:spnSet = $true

                        $script:account = ""

                        $script:expectedSpn = ""

                        $script:shouldContinue = $true



                        $serviceWMIObject = (get-wmiobject  -query "select * from win32_service where name='adfssrv'")

                        $script:account = $serviceWMIObject.StartName

                        $serviceRunning = $serviceWMIObject.Started



                        if ($serviceRunning)

                        {

                        &amp;{

                        $domainName = ""

                        $userName = ""

                        $domainDirEntry = $null

                        $dirCtx = $null



                        GetDomainUser  $script:account ([ref]$domainName) ([ref]$userName)

                        if ([String]::IsNullOrEmpty($domainName) -ne $true)

                        {

                        $adfsProperties = Get-ADFSProperties

                        $script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)



                        $temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")

                        $dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)



                        &amp;{

                        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx  )

                        $domainDirEntry = $domain.GetDirectoryEntry()

                        }

                        Trap [System.Exception]

                        {

                        $script:shouldContinue = $false

                        #ignore

                        continue

                        }



                        if ($script:shouldContinue)

                        {

                        $propertiesToLoad = "servicePrincipalName"

                        $filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&amp;(sAMAccountName={0}))", $userName )

                        $src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )

                        $temp = $src.PropertiesToLoad.Add( $propertiesToLoad )

                        $src.Filter = $filter

                        $searchResult = $src.FindOne()

                        if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))

                        {

                        $script:spnSet = $false

                        }

                        else

                        {

                        $dirEntry = $searchResult.GetDirectoryEntry()

                        $script:spnSet = $false

                        if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )

                        {

                        foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )

                        {

                        if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )

                        {

                        $script:spnSet = $true

                        break

                        }

                        }

                        }

                        }

                        }

                        }

                        }

                        Trap [System.Exception]

                        {

                        #ignore

                        continue

                        }

                        }



                        $scompb = $scomapi.CreatePropertyBag()

                        $scompb.AddValue("SPNSet",  $script:spnSet )

                        $scompb.AddValue("Account",  $script:account )

                        $scompb.AddValue("ExpectedSPN",  $script:expectedSpn )

                        $scomapi.AddItem($scompb)

                        $scomapi.ReturnItems()

                    </Script></ScriptBody>

    <IntervalSeconds>900</IntervalSeconds>

    <TimeoutSeconds>180</TimeoutSeconds>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">false</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">true</Value>

        </ValueExpression>

      </SimpleExpression>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>