ADFS配置“声明提供方信任”时,读取url报错
声明提供方信任,通过Haproxy 2.8.5提供https服务,metadata通过url可以正常打开页面
ADFS在配置“声明提供方信任”时,通过URL访问声明提供方的联合元数据,提示“SSL连接通道已关闭”或“基础连接已关闭”,查看haproxy日志发现保存日志““
SSL handshake failure (error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol)
”
The problem turned out to be caused by the fact that Windows Server at least up to 2016 is using TLS 1.0 for .NET framework (in which the ADFS configuration wizard is implemented) while my service hosting the metadata document only allowed TLS 1.2 as the minimum version。
出现该问题的原因是ADFS默认使用TLS1.0,可以选择强制ADFS使用TLS1.2,也可以配置haproxy支持TLS1.0,如下
ssl-default-bind-options ssl-min-ver TLSv1.0 no-sslv3
从 Windows Server 2012 开始,默认启用 TLS 1.2,配置ADFS3.0使用TLS1.2,如下:
注册表 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 项下新建 SchUseStrongCrypto 值,值数据为1,如下图所示:
然后重启adfs服务
参考如下:
https://learn.microsoft.com/zh-cn/troubleshoot/windows-server/active-directory/disable-and-replace-tls-1dot0
https://learn.microsoft.com/zh-cn/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs?source=recommendations
https://learn.microsoft.com/zh-cn/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs?source=recommendations#enable-strong-authentication-for-net-applications