Problem with ADFS 3.0 Extranet Lockout Protection


Problem description


Hello,

After I enable Extranet Lockout Protection, strange things happen. In my ADFS, there are Office 365 and other relying parties (integrated through SAML 2.0) in the relying party trusts.

When I try to log in to Office 365 with an account that does not exist in AD, the error message "Incorrect user ID or password. Type the correct user ID and password, and try again." can be displayed. But when I try to log in to the other relying party (integrated through SAML 2.0) with an account that does not exist in AD, ADFS will raise an error:

Event ID 111:

The Federation Service encountered an error while processing the WS-Trust request. 
Request type: http://schemas.microsoft.com/idfx/requesttype/issue 

Additional Data 
Exception details: 
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: Exception of type 'Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException' was thrown.
   at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.GetADUserObject(String userName)
   at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.IsAccountThrottled(String userName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)

Event ID 364:

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
http://xxxxxxxxx/adfs/services/trust 

Exception details: 
Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException: Exception of type 'Microsoft.IdentityServer.Service.AccountPolicy.ADAccountLookupException' was thrown.
   at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.GetADUserObject(String userName)
   at Microsoft.IdentityServer.Service.AccountPolicy.AccountLockoutPolicy.IsAccountThrottled(String userName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Before enabling extranet lockout protection, I had installed Hotfix KB 291935 (http://support.microsoft.com/kb/2919355). After I disable the protection, the error message "Incorrect user ID or password. Type the correct user ID and password, and try again." can be displayed and no error occurs.

Is it a bug in ADFS?

Solution

Please read my blog post about this.  I submitted it as a bug to Microsoft and they just released a hotfix.

http://the-techanic.blogspot.com/2014_09_01_archive.html

Fix:

http://support.microsoft.com/kb/3025078/EN-US

Please note: They got the title of the hotfix a little wrong, but this is the fix to what is described in my blog post.
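The following PowerShell is an added example, not part of the thread or of the blog post it links to. It assumes it runs in an elevated shell on an AD FS 3.0 (Windows Server 2012 R2) federation server with the ADFS module available: it reports the Extranet Lockout settings and then scans the AD FS Admin log for the exact failure signature quoted above (Event ID 111/364 carrying ADAccountLookupException from AccountLockoutPolicy.GetADUserObject), so an administrator can tell whether an unpatched server is still hitting this condition.

```powershell
# Added example (not from the original thread). Requires the ADFS module and an elevated shell.
Import-Module ADFS

# 1. Current Extranet Lockout configuration (the feature the thread enabled).
$props = Get-AdfsProperties
[PSCustomObject]@{
    EnableExtranetLockout     = $props.EnableExtranetLockout
    ExtranetLockoutThreshold  = $props.ExtranetLockoutThreshold
    ExtranetObservationWindow = $props.ExtranetObservationWindow
} | Format-List

# 2. Pull Event ID 111 and 364 from the AD FS Admin log for the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = 111, 364
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Keep only entries matching the signature from the thread: the lookup exception
#    thrown while the lockout policy tries to resolve the user object in AD.
$hits = @($events | Where-Object {
    $_.Message -match 'ADAccountLookupException' -and
    $_.Message -match 'AccountLockoutPolicy\.GetADUserObject'
})

# 4. Summarise per event id and relying party (364 entries carry "Relying Party:" in the message).
$hits | ForEach-Object {
    $rp = if ($_.Message -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { '(n/a)' }
    [PSCustomObject]@{ Time = $_.TimeCreated; Id = $_.Id; RelyingParty = $rp }
} | Group-Object Id, RelyingParty | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

if ($hits.Count -gt 0 -and $props.EnableExtranetLockout) {
    $msg = '{0} matching event(s) in the last 24h while Extranet Lockout is enabled: ' +
           'this is the pre-hotfix behaviour for sign-ins with usernames that do not exist in AD ' +
           '(see KB 3025078 referenced above).'
    Write-Warning ($msg -f $hits.Count)
}
```

The relying-party grouping also shows which SAML trusts are receiving sign-in attempts for non-existent usernames, which is worth reviewing on its own even after the hotfix turns these into ordinary failed logons.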
