
ADFS Device Registration Server: No Certificate



Hello,

We run an ADFS 2016 that handles device registration for us. So far this works: the devices are registered in Azure, and where we are trialling Hello for Business it works flawlessly.

However, in the event log of the Device Registration Server I see the following error message with error code 144:

No certificate could be found on the Device Registration Service object that can be used as the issuing certificate.


A Get-AdfsDeviceRegistration returns the following:


PS C:\> Get-AdfsDeviceRegistration


DrsObjectDN                          : CN=DeviceRegistrationService,CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=hen,DC=de
DevicesPerUser                       : 0
MaximumInactiveDays                  : 0
DeviceObjectLocation                 : CN=RegisteredDevices,DC=hen,DC=de
IsAdfsServiceAuthorizationReady      : True
IsDirectoryConfigured                : True
IsDeviceAuthenticationReady          : True
IssuanceAuthorizationRules           :
IssuanceTransformRules               : @RuleName = "Pass through all claims but group SIDs"
                                       c:[Type !~ "^(?i).+(group|primarygroup)+sid$"]
                                        => issue(claim = c);

                                       @RuleName = "Issue Permit Device Registration claim"
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistration", Value = "true");

                                       @RuleName = "Issue Custom Quota to Administrators"
                                       [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-512$"]
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/deviceregistrationquota", Value = "2147483647");

                                       @RuleName = "Issue Account Store Claim"
                                       c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore"]
                                       => issue(Type = "http://schemas.microsoft.com/authorization/claims/accountStore", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

                                       @RuleName = "Issue Inside Corp Network Claim"
                                       c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/insidecorporatenetwork"]
                                       => issue(Type = "http://schemas.microsoft.com/authorization/claims/insidecorporatenetwork", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

                                       @RuleName = "MFA for Domain Joined Machines"
                                       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$"]
                                       => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

                                       @RuleName = "Object identifier"
                                       c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] &&
                                        c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store = "Active Directory", types =
                                       ("http://schemas.microsoft.com/identity/claims/objectidentifier"), query = ";objectguid;{0}", param = c2.Value);

                                       @RuleName = "On-Prem Object GUID"
                                        c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~ "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type ==
                                       "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store = "Active Directory", types =
                                       ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);

                                       @RuleName = "Primary SID"
                                       c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~ "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
                                       Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c2);


AllowedAuthenticationClassReferences : {ngcmfa, wiaormultiauthn}
AdditionalAuthenticationRules        :
AccessControlPolicyName              : Permit everyone and require MFA, allow automatic device registration
AccessControlPolicyParameters        :
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit users
                                           with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' claim regex matches '-515$' in the request;

                                         Permit users
                                           and when authentication includes MFA
                                         except
                                           with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' claim regex matches '-515$' in the request;

                                         Permit users
                                           with 'http://schemas.microsoft.com/claims/authnmethodsreferences' claim equals to 'http://schemas.microsoft.com/claims/wiaormultiauthn' in the request
                                       }



PS C:\>


I can find practically nothing about this on the internet.

Otherwise everything else on the ADFS works fine.

Has anyone stumbled over this error before, or has ideas where to start troubleshooting?
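A defender-side check that fits the troubleshooting asked about in the post, as an added example and not the poster's own code: it takes the DRS object's DN from Get-AdfsDeviceRegistration and lists the issuer certificates stored on that object together with their validity, so an empty or expired store can be compared against the event 144 message. The attribute name msDS-IssuerPublicCertificates and its role as the DRS issuer-certificate store are assumptions; run it on an ADFS server with the ActiveDirectory module, as a user allowed to read the Configuration partition.

```powershell
# Added example (not from the original post): inspect the DRS object for issuer certificates.
# Assumption: DRS stores its issuer certificates in the multi-valued attribute
# msDS-IssuerPublicCertificates of the DeviceRegistrationService object.
Import-Module ActiveDirectory
Import-Module ADFS

$attr  = 'msDS-IssuerPublicCertificates'
# Same DN as DrsObjectDN in the Get-AdfsDeviceRegistration output above (CN=DeviceRegistrationService,...,DC=hen,DC=de)
$drsDn = (Get-AdfsDeviceRegistration).DrsObjectDN
$drs   = Get-ADObject -Identity $drsDn -Properties $attr

# Normalise to an array of byte[] blobs, whether the attribute came back as a collection or a single value.
$blobs = @($drs.$attr)
if ($blobs.Count -gt 0 -and $blobs[0] -is [byte]) { $blobs = @(,[byte[]]$blobs) }

if ($blobs.Count -eq 0) {
    Write-Warning "$attr on $drsDn is empty: DRS has no certificate to issue device certificates with, which is consistent with event 144."
    return
}

$now = Get-Date
foreach ($blob in $blobs) {
    try {
        # Each value is expected to be a DER-encoded X.509 certificate.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$blob)
    } catch {
        Write-Warning "A value in $attr is not a parseable X.509 certificate: $($_.Exception.Message)"
        continue
    }

    # Flag certificates outside their validity window; an expired issuer cannot be used for issuance.
    $state = 'valid'
    if ($cert.NotBefore -gt $now) { $state = 'NOT YET VALID' }
    if ($cert.NotAfter  -lt $now) { $state = 'EXPIRED' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        State      = $state
    }
}
```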
