ADFS error after upgrading from ADFS 2.1 to 4.0

Server Fault user
Asked 2016-10-25 13:21:17
Answers: 2 | Views: 8K | Followers: 0 | Votes: 3

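I don't know whether anyone has seen this problem or has any ideas?

We recently migrated ADFS from ADFS 2.1 on W2008r2 to ADFS 4.0 on W2016.

Basic functionality seems fine, but I have found a problem with updating federation metadata for all relying party trusts; trying to right-click and select "Update from Federation Metadata..." (or going to Properties, Monitoring, Test URL) produces the following error: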

"An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid metadata endpoint".

The associated error message is

Method not found: 'Microsoft.identitymodel.protocols.WSFederation.Metadata.MetadataBase Microsoft.Identity.Model.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(System.IO.Stream)'.

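No proxy server is required, and none is defined. I can browse to the federation metadata URL in IE on the ADFS server and get the expected XML page. I have checked that the certificates are defined correctly, that the ADFS service account has read access to them, and so on.

There are no error messages in the event log, either at service start or when trying to test/update the metadata. Trying to add a new relying party trust results in the same error.

I have run the ADFS diagnostics, and Test-AdfsServerHealth gives an error that I think is the key, but I don't know where to go next.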

Name             : PingFederationMetadata
Result           : Fail
Detail           : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a
                   send. ---> System.IO.IOException: Unable to read data from the transport connection: An existing
                   connection was forcibly closed by the remote host. ---> System.Net.Sockets.SocketException: An
                   existing connection was forcibly closed by the remote host
                      at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags
                   socketFlags)
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      --- End of inner exception stack trace ---
                      at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
                      at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest
                   asyncRequest)
                      at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer,
                   AsyncProtocolRequest asyncRequest)
                      at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                      at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
                   ContextCallback callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state, Boolean preserveSyncCtx)
                      at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                   callback, Object state)
                      at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                      at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                      at System.Net.ConnectStream.WriteHeaders(Boolean async)
                      --- End of inner exception stack trace ---
                      at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
                      at System.Net.WebClient.DownloadData(Uri address)
                      at CallSite.Target(Closure , CallSite , Object , Object )
Output           : {PingFedmetadataException}
ExceptionMessage : 

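2 Answers

Server Fault user

Accepted answer

Posted 2016-10-25 16:29:37

Server Fault user

Posted 2020-08-07 13:47:56

I had this problem too, until I found that the TLS settings between the two systems conflicted. The server hosting the metadata was set to use only TLS 1.2, while the ADFS server running on Windows Server 2016 was set to the default TLS settings. When I changed the ADFS server to use only TLS 1.2, the problem was resolved.

Votes: 1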
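
An added example (not part of either post above, and not Microsoft's code): a read-only PowerShell check for the TLS mismatch the last answer describes, run on the ADFS server. It attempts a handshake to the metadata host at each TLS version and lists the .NET Framework 4.x registry values that govern default protocol selection; `metadata.example.com` is a placeholder for the host in the relying party's metadata URL.

```powershell
# Added example: diagnostic only, makes no configuration changes.
$MetadataHost = 'metadata.example.com'   # placeholder (assumption): host from the metadata URL
$Port         = 443

function Test-TlsVersion {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate validation is left on, so a trust failure also reports False.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            # Offer exactly one protocol version; a version disabled locally in
            # SChannel fails here as well, which is equally worth knowing.
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            return $true
        } finally { $ssl.Dispose() }
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 1. Which protocol versions complete a handshake from this server to the metadata host?
'Tls', 'Tls11', 'Tls12' | ForEach-Object {
    [pscustomobject]@{
        Protocol  = $_
        Handshake = Test-TlsVersion -HostName $MetadataHost -Port $Port -Protocol $_
    }
} | Format-Table -AutoSize

# 2. .NET Framework 4.x defaults inherited by services on this machine.
#    Empty values mean the key is unset and the framework's built-in default applies.
'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' | ForEach-Object {
    $v = Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key                      = $_
        SchUseStrongCrypto       = $v.SchUseStrongCrypto
        SystemDefaultTlsVersions = $v.SystemDefaultTlsVersions
    }
} | Format-List
```

If only `Tls12` reports `True` while both registry values are empty, the metadata host accepts only TLS 1.2 and .NET code on this server that does not name a protocol may still offer an older one, which matches the closed-connection `WebException` in the question's `PingFederationMetadata` output.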
Original page content provided by Server Fault.
Original link:

https://serverfault.com/questions/811167
