problem with ADFS3.0 Extranet Lockout Protection
Hello,
After I enabled Extranet Lockout Protection, strange things happen. In my ADFS, the relying party trusts are Office 365 and another relying party (integrated through SAML 2.0).
When I try to log in to Office 365 with an account that does not exist in AD, the error message "Incorrect user ID or password. Type the correct user ID and password, and try again." is displayed. But when I try to log in to the other relying party (integrated through SAML 2.0) with an account that does not exist in AD, ADFS raises an error:
Event ID 111:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue
Additional Data
Exception details:
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: Exception of type 'Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException' was thrown.
at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.GetADUserObject(String userName)
at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.IsAccountThrottled(String userName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
Event ID 364:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://xxxxxxxxx/adfs/services/trust
Exception details:
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: Exception of type 'Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException' was thrown.
at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.GetADUserObject(String userName)
at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.IsAccountThrottled(String userName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Before enabling extranet lockout protection, I had installed hotfix KB 2919355 (http://support.microsoft.com/kb/2919355). After I disable the protection, the error message "Incorrect user ID or password. Type the correct user ID and password, and try again." is displayed and no error occurs.
Is it a bug in ADFS?
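The symptom described in this post is an ADAccountLookupException thrown from AccountLockoutPolicy.GetADUserObject (Event ID 111 for WS-Trust, 364 for passive SAML) whenever the extranet lockout code cannot find the user in AD. The following PowerShell is an added diagnostic, not code from the original post or from Microsoft: it reads the current extranet lockout settings, scans the AD FS Admin log for events that match that exact exception and call frame, groups them by relying party, and reports whether the hotfix named in the answer below (KB3025078) is installed. It assumes an AD FS 3.0 server on Windows Server 2012 R2 with the ADFS PowerShell module, the event log named 'AD FS/Admin', and an elevated session; the lookback window is this example's own parameter.

```powershell
# Added diagnostic (not from the original post). Run elevated on the AD FS server.
param([int]$HoursBack = 24)   # lookback window; an assumption of this example

Import-Module ADFS -ErrorAction Stop

# 1. Current extranet lockout configuration
$props = Get-AdfsProperties
[pscustomobject]@{
    ExtranetLockoutEnabled    = $props.ExtranetLockoutEnabled
    ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
    ExtranetObservationWindow = $props.ExtranetObservationWindow
} | Format-List

# 2. Look for the symptom: Event 111/364 whose exception is ADAccountLookupException
#    raised from AccountLockoutPolicy.GetADUserObject (the frames in the post above)
$since  = (Get-Date).AddHours(-$HoursBack)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = 111, 364
    StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $msg = $e.Message
    if ($msg -match 'ADAccountLookupException' -and
        $msg -match 'AccountLockoutPolicy\.GetADUserObject') {
        # Event 364 carries the relying party; Event 111 (WS-Trust) does not
        $rp = if ($msg -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { '(WS-Trust / none)' }
        [pscustomobject]@{
            Time         = $e.TimeCreated
            EventId      = $e.Id
            RelyingParty = $rp
        }
    }
}

if (-not $hits) {
    "No ADAccountLookupException lookup failures (Event 111/364) in the last $HoursBack hours."
} else {
    "$(@($hits).Count) lookup-failure event(s) in the last $HoursBack hours, by relying party:"
    $hits | Group-Object RelyingParty | Select-Object Count, Name | Format-Table -AutoSize
}

# 3. Is the fix for this symptom (KB3025078, linked in the answer) installed?
$kb = Get-HotFix -Id KB3025078 -ErrorAction SilentlyContinue
if ($kb) { "KB3025078 installed on $($kb.InstalledOn)" }
else     { "KB3025078 not found on this server." }
```

If the script reports matching events while ExtranetLockoutEnabled is True and KB3025078 is absent, the server is showing exactly the condition in this thread; once the hotfix is applied, a login attempt with a non-existent account should again produce the normal "Incorrect user ID or password" page for every relying party, and the event count from step 2 should stop growing.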
Please read my blog post about this. I submitted it as a bug to Microsoft and they just released a hotfix.
http://the-techanic.blogspot.com/2014_09_01_archive.html
Fix:
http://support.microsoft.com/kb/3025078/EN-US
Please note: They got the title of the hotfix a little wrong, but this is the fix to what is described in my blog post.