The SPN of the AD FS service account is not registered correctly in Active Directory Domain Services (AD DS). This monitor queries the SPN attribute of the AD FS service account from AD DS every 15 minutes and checks whether it is in the format "host/<Federation Service name>"
Учетная запись службы, связанная со службами службы федерации Active Directory Windows, была изменена, но службы федерации Active Directory не могут найти зарегистрированное имя субъекта-службы в AD DS для новой учетной записи службы.
Убедитесь, что имя субъекта-службы для учетной записи службы правильно зарегистрировано в AD DS. Дополнительные сведения см. в разделе "Настройка учетной записи службы для фермы серверов федерации вручную" Руководства по развертыванию служб федерации Active Directory.
Target | Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices2012R2.TwoStateScriptMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServerSPNMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>
<ScriptName>FederationServerSPNCheck.ps1</ScriptName>
<ScriptBody>
function GetDomainUser ([string] $domainUser, [ref]$domain, [ref]$user)
{
$splitacct = $domainUser.Split( '\' )
if ( $splitacct.Length -ne 2 -OR [String]::IsNullOrEmpty( $splitacct[ 0 ] ) -OR [String]::IsNullOrEmpty( $splitacct[ 1 ] ) )
{
return
}
$domain.Value = $splitacct[ 0 ]
$user.Value = $splitacct[ 1 ]
}
Import-Module adfs
$scomapi = new-object -comObject "MOM.ScriptAPI"
$script:spnSet = $true
$script:account = ""
$script:expectedSpn = ""
$script:shouldContinue = $true
$serviceWMIObject = (get-wmiobject -query "select * from win32_service where name='adfssrv'")
$script:account = $serviceWMIObject.StartName
$serviceRunning = $serviceWMIObject.Started
if ($serviceRunning)
{
&{
$domainName = ""
$userName = ""
$domainDirEntry = $null
$dirCtx = $null
GetDomainUser $script:account ([ref]$domainName) ([ref]$userName)
if ([String]::IsNullOrEmpty($domainName) -ne $true)
{
$adfsProperties = Get-ADFSProperties
$script:expectedSpn = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture, "host/{0}" , $adfsProperties.HostName)
$temp = [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices")
$dirCtx = new-object System.DirectoryServices.ActiveDirectory.DirectoryContext( [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Domain, $domainName)
&{
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain( $dirCtx )
$domainDirEntry = $domain.GetDirectoryEntry()
}
Trap [System.Exception]
{
$script:shouldContinue = $false
#ignore
continue
}
if ($script:shouldContinue)
{
$propertiesToLoad = "servicePrincipalName"
$filter = [String]::Format( [System.Globalization.CultureInfo]::InvariantCulture,"(&(sAMAccountName={0}))", $userName )
$src = new-object System.DirectoryServices.DirectorySearcher( $domainDirEntry )
$temp = $src.PropertiesToLoad.Add( $propertiesToLoad )
$src.Filter = $filter
$searchResult = $src.FindOne()
if ( ($searchResult -eq $null) -or ($searchResult.Properties -eq $null))
{
$script:spnSet = $false
}
else
{
$dirEntry = $searchResult.GetDirectoryEntry()
$script:spnSet = $false
if ( $dirEntry.Properties["servicePrincipalName"] -ne $null )
{
foreach ( $registeredSpn in $dirEntry.Properties["servicePrincipalName"] )
{
if ( ($registeredSpn -ne $null) -and ([StringComparer]::OrdinalIgnoreCase.Equals( $registeredSpn, $script:expectedSpn)) )
{
$script:spnSet = $true
break
}
}
}
}
}
}
}
Trap [System.Exception]
{
#ignore
continue
}
}
$scompb = $scomapi.CreatePropertyBag()
$scompb.AddValue("SPNSet", $script:spnSet )
$scompb.AddValue("Account", $script:account )
$scompb.AddValue("ExpectedSPN", $script:expectedSpn )
$scomapi.AddItem($scompb)
$scomapi.ReturnItems()
</ScriptBody>
<IntervalSeconds>900</IntervalSeconds>
<TimeoutSeconds>180</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">false</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='SPNSet']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">true</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>