从 ADFS 2.1 升级到 4.0 后出现 ADFS 错误

从 ADFS 2.1 升级到 4.0 后出现 ADFS 错误

我不知道是否有人见过这个问题或有什么想法?

我们最近将 ADFS 从 W2008r2 上的 ADFS 2.1 迁移到了 W2016 上的 ADFS 4.0。

基本功能似乎很好,但是我发现使用我的所有依赖方信任更新联合元数据时出现问题;尝试右键单击并选择“从联合元数据更新...”(或转到属性、监视、测试 URL)出现以下错误:

"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".

相关的错误消息是

Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.

无需代理服务器,也未定义代理服务器。我可以在 ADFS 服务器上的 IE 中顺利浏览联合元数据 URL 并获取预期的 XML 页面。我已检查证书是否正确定义,ADFS 服务帐户是否具有对证书的读取权限等。

服务启动时或尝试测试/更新元数据时,事件日志中均无错误消息。尝试添加新的依赖方信任时会出现同样的错误。

我已经运行了 ADFS 诊断程序,并且 test-adfsserverhealth 给出了一个错误,我认为这是关键,但我不知道下一步该怎么做。

Name             : PingFederationMetadata
Result           : Fail
Detail           : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a
                   send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing
                   connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An
                   existing connection was forcibly closed by the remote host
                      at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags
                   socketFlags)
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      --- End of inner exception stack trace ---
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
                      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest
                   asyncRequest)
                      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer,
                   AsyncProtocolRequest asyncRequest)
                      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                      at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
                   ContextCallback callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state)
                      at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                      at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.ConnectStream.WriteHeaders(Boolean async)
                      --- End of inner exception stack trace ---
                      at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
                      at System.Net.WebClient.DownloadData(Uri address)
                      at CallSite.Target(Closure , CallSite , Object , Object )
Output           : {PingFedmetadataException}
ExceptionMessage : 

答案1

答案2

我也遇到过这个问题,直到我发现两个系统之间的 TLS 设置存在冲突。托管元数据的服务器设置为仅使用 TLS 1.2,而运行在 Windows Server 2016 上的 ADFS 服务器设置为默认 TLS 设置。当我将 ADFS 服务器更改为仅使用 TLS 1.2 时,问题就解决了。

相关内容