信赖方签名证书无效

Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartySigningCertificateCrlCheckFailureRule (Rule)

Knowledge Base article:

摘要

联合身份验证服务无法处理签署的 SAML 登录或注销请求,因为合作伙伴用于签署请求的证书无法进行证书吊销检查,或者该证书已过期。

原因

以下是此事件的可能原因:

注意:

您可以使用适用于 AD FS 的 Windows PowerShell cmdlet 配置信赖方信任的签名证书的吊销设置。对于特定的设置,请使用 Set-ADFSRelyingPartyTrust cmdlet 的 SigningCertificateRevocationCheck 参数。

解决方法

以下是此事件可能的解决方法:

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices2012R2.TokenIssuance
CategoryConfigurationHealth
EnabledTrue
Event_ID316
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
信赖方签名证书无效
信赖方“{0}”的签名证书无效。检查“警告上下文”选项卡,以获取有关此信赖方所使用证书的详细信息。
Event Log$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.Windows.EventProvider Default
Alert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartySigningCertificateCrlCheckFailureRule" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">316</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartySigningCertificateCrlCheckFailureRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>