ADFS 4 与 AD LDS(对象不存在)

ADFS 4 与 AD LDS(对象不存在)

我已经用我有限的知识尝试了所有可能的办法,但我无法找出问题所在,所以希望有人能指出正确的方向。

我有一台 ADFS 2016 服务器,它可以与我们的内部 AD 配合使用,但我想使用 AD LDS 对其进行配置,因为我不想在我们的内部 AD 服务器中为所有客户添加帐户。

我已经在托管 ADFS 的同一台机器上安装了 AD LDS(稍后会将其移走,但只是想让它正常工作),并按照文章中的说明进行操作微软。对此设置的一些更改是,我仅使用 UPN 和电子邮件属性,而不使用名字、姓氏或名字。

似乎当我使用文章中的所有 powershell 命令时,我确实获得了本地声明提供者信任,但是当我尝试登录时,它总是失败,事件日志中出现错误消息,提示该对象不存在。

用户帐户肯定存在,但我不确定哪里出了问题。该应用程序只发送用户名和密码,因此我定义了与用户电子邮件相同的 UPN 映射,并尝试使用邮件属性。

我还能提供哪些信息来帮助我?谢谢

编辑

我为 adfs 启用了跟踪调试,并且看到以下错误:

 LDAPAttributeStoreReader: Failed to retrieve attributes with filter (&(objectClass=inetOrgPerson)([email protected])) with error:
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.

Server stack trace: 
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]: 
   at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)

另外,我还看到了一些其他错误

    Failed to complete attribute store query with error:
The object does not exist.
Error code: NoSuchObject
Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=domain,DC=com'


   at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.EndGetAttributes(IAsyncResult result)
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.OnExecuteQueryComplete(IAsyncResult ar)

第三个

    LdapAccountStore: Failed to lookup the directory object for user [email protected] on server.
Exception: The object does not exist.
Error code: NoSuchObject
Server response message: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=domain,DC=com'


StackTrace:    at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
   at Microsoft.IdentityModel.Threading.TypedAsyncResult`1.End(IAsyncResult result)
   at Microsoft.IdentityServer.Service.LocalAccountStores.LdapStore.LdapAccountStore.GetUserDn(String userName)
System.DirectoryServices.Protocols.DirectoryOperationException: The object does not exist.
ResultCode: NoSuchObject
ErrorMessage: 0000208D: NameErr: DSID-0315295A, problem 2001 (NO_OBJECT), data 0, best match of:
    'DC=domain,DC=com'

MatchedDN: DC=domain,DC=com
StackTrace: 
Server stack trace: 
   at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]: 
   at System.DirectoryServices.Protocols.LdapConnection.EndSendRequest(IAsyncResult asyncResult)
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.OnAttributeSearchComplete(IAsyncResult attributeSearchAsyncResult)

答案1

因此,经过多次尝试和错误,我终于找到了解决问题的方法。这主要适用于使用 AD LDS 身份验证设置 ADFS 4 并且可能已遵循此Microsoft 文章

对某些人来说,这可能很明显,但我却为此苦苦挣扎。当您按照本文操作时,它没有提到您用于绑定到 AD LDS 实例的帐户需要成为管理员组的成员。现在,当我弄清楚它与权限有关时,我尝试将该帐户添加到配置分区中的管理员组,但显然没有奏效。因此,在您创建的应用程序分区中找到管理员组,并使用 DN 使该帐户成为其成员。

我想提一下的是索赔射线Microsoft 的工具帮助我解决了一些其他问题。谢谢

相关内容