Troubleshooting Windows logon issues
April 3, 2023
Contributor:
C
This article describes the logs and error messages that Windows provides when a user logs on with a certificate and/or a smart card. The information in these logs can be used to troubleshoot authentication failures.

Certificates and public key infrastructure

Windows Active Directory maintains several certificate stores that manage the certificates used when a user logs on.

NTAuth certificate store: To authenticate to Windows, the certificate authority that directly issues the user certificate (that is, no chaining is supported) must be placed in the NTAuth store. To view these certificates, enter the following in the certutil program:

certutil -viewstore -enterprise NTAuth

Root and intermediate certificate stores: In general, certificate logon systems can supply only a single certificate, so if a chain is in use, the intermediate certificate store on every machine must include these certificates. The root certificate must be in the Trusted Root store, and the penultimate certificate (the CA that issued the user certificate) must be in the NTAuth store.

Logon certificate extensions and Group Policy: Windows can be configured to enforce verification of EKUs and other certificate policies. See the Microsoft documentation: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff404287(v=ws.10)

Registry policy and description:
AllowCertificatesWithNoEKU: When disabled, certificates must include the Smart Card Logon extended key usage (EKU).
AllowSignatureOnlyKeys: By default, Windows filters out certificate private keys that do not allow RSA decryption. This option overrides that filter.
AllowTimeInvalidCertificates: By default, Windows filters out expired certificates. This option overrides that filter.
EnumerateECCCerts: Enables elliptic curve authentication.
X509HintsNeeded: If a certificate does not contain a unique User Principal Name (UPN), or the UPN could be ambiguous, this option allows the user to specify their Windows logon account manually.
UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors: Disables revocation checking (set on the domain controller).

Domain controller certificates: All servers must have an appropriate "Domain Controller" certificate to authenticate Kerberos connections. These certificates can be requested through the Local Computer Certificates Personal Store MMC snap-in menu.

UPN names and certificate mapping

It is recommended that user certificates include a unique User Principal Name (UPN) in the Subject Alternative Name extension.

UPN names in Active Directory
By default, every user in Active Directory has an implicit UPN built on the pattern <sAMAccountName>@<domain NetBIOS name> and <sAMAccountName>@<domain FQDN>. The available domains and FQDNs are included in the RootDSE entry for the forest. A single domain can have multiple FQDN addresses registered in the RootDSE.

In addition, every user in Active Directory has an explicit UPN and altUserPrincipalNames. These are LDAP entries that specify the UPNs for that user.

When searching for a user by UPN, Windows first looks in the current domain (determined by the identity of the process looking up the UPN) for explicit UPNs, then for alternative UPNs. If there are no matches, it looks up the implicit UPN, which can resolve to other domains in the forest.

Certificate Mapping Service
If a certificate does not include an explicit UPN, Active Directory has the option of storing an exact copy of the public certificate to match in the x509certificate attribute. Computers can query this attribute directly (by default, within a single domain) to resolve such a certificate to a user.

The user is given an option to specify a user account, which speeds up this search and also allows the feature to be used in a cross-domain environment.

If there are multiple domains in the forest and the user does not explicitly specify a domain, the Active Directory rootDSE specifies the location of the Certificate Mapping Service. This service is located on a global catalog machine and has a cached view of all x509certificate attributes in the forest. This computer can be used to efficiently find a user account in any domain based on the certificate alone.

Control logon domain controller selection
When an environment contains multiple domain controllers, it is useful to see and to pin the domain controller that is used for authentication, so that logging can be enabled on it and the logs retrieved.

Control domain controller selection
To force Windows to use a particular Windows domain controller for logon, you can explicitly set the list of domain controllers that a Windows machine uses by configuring the lmhosts file (\Windows\System32\drivers\etc\lmhosts).

A sample file named lmhosts.sam usually exists in that location. Its content is a single line:

1.2.3.4 dcnetbiosname #PRE #DOM:mydomain

where 1.2.3.4 is the IP address of the domain controller named dcnetbiosname in the mydomain domain. After a restart, the Windows machine uses that information to log on to mydomain. This configuration must be reverted once debugging is complete.

Identify the domain controller in use
At logon, Windows sets an MSDOS environment variable to the domain controller that logged the user on. To see it, open a command prompt and enter: echo %LOGONSERVER%

The logs relating to authentication are stored on the computer returned by this command.

Enable account audit events
By default, Windows domain controllers do not enable full account audit logging. This is controlled through the audit policies under the security settings in the Group Policy Editor. To open the Group Policy Editor, run gpedit.msc on the domain controller. Once the audit policies are enabled, the domain controller produces extra event log information in the Security log.

Certificate validation logs

Check certificate validity
If the smart card certificate is exported as a DER certificate (no private key is required), you can verify its validity with the following command: certutil -verify user.cer

Enable CAPI logging
On the domain controller and on the user (VDA) machine, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > CAPI2 > Operational. Right-click Operational and select Enable Log.

In addition, CAPI logging can be fine-tuned with registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32. The following values do not exist by default and must be created. To return to the default CAPI2 logging settings, delete these values.

DiagLevel (DWORD): Verbosity level (0 to 5)
DiagMatchAnyMask (QUADWORD): Event filter (use 0xffffff for all events)
DiagProcessName (MULTI_SZ): Filter by process name (for example, LSASS.exe)

CAPI log messages:
Build Chain: The LSA called CertGetCertificateChain (includes the result)
Verify Revocation: The LSA called CertVerifyRevocation (includes the result)
X509 Objects: In verbose mode, certificates and Certificate Revocation Lists (CRLs) are dumped to AppData\LocalLow\Microsoft\X509Objects
Verify Chain Policy: The LSA called CertVerifyChainPolicy (includes the parameters)

Error messages:
Certificate not trusted: The smart card certificate chain could not be built using the certificates in the computer's intermediate and trusted root certificate stores.
Certificate revocation check error: The CRL for the smart card could not be downloaded from the address specified by the certificate's CRL distribution point. If revocation checking is enforced, this prevents the logon from succeeding. See the Certificates and public key infrastructure section.
Certificate usage error: The certificate is not suitable for logon. For example, it might be a server certificate or a signing certificate.

Kerberos logs
To enable Kerberos logging, create the following registry values on the domain controller and on the end-user machine:

Hive / Value name / Value [DWORD]
CurrentControlSet\Control\Lsa\Kerberos\Parameters / LogLevel / 0x1
CurrentControlSet\Control\Lsa\Kerberos\Parameters / KerbDebuglevel / 0xffffffff
CurrentControlSet\Services\Kdc / KdcDebugLevel / 0x1
CurrentControlSet\Services\Kdc / KdcExtraLogLevel / 0x1f

Kerberos logging is written to the System event log.

Messages such as "untrusted certificate" should be easy to diagnose. The following two error codes are informational and can safely be ignored:
KDC_ERR_PREAUTH_REQUIRED (used for backward compatibility with older domain controllers)
Unknown error 0x4b

Domain controller and workstation logs
This section describes the log entries expected on the domain controller and the workstation when a user logs on with a certificate:
- Domain controller CAPI2 log
- Domain controller security log
- Virtual Delivery Agent (VDA) security log
- VDA CAPI log
- VDA system log

Domain controller CAPI2 log
During logon, the domain controller validates the caller's certificate, producing a sequence of log entries. The final event log message shows lsass.exe on the domain controller building a chain from the certificate provided by the VDA and verifying its validity (including revocation). The result is returned as "ERROR_SUCCESS".

Domain controller security log
The domain controller shows a sequence of logon events, the key one being event 4768, in which the certificate is used to issue a Kerberos Ticket Granting Ticket (krbtgt).

The messages before it show the machine account of the server authenticating to the domain controller in order to perform the logon. The messages after it show the user account belonging to the new krbtgt being used to authenticate to the domain controller.

VDA security log
The VDA security audit log entry corresponding to the logon event is the one with event ID 4648, originating from winlogon.exe.

VDA CAPI log
This sample VDA CAPI log shows a single chain build and verification sequence from lsass.exe, validating the domain controller certificate (dc.citrixtest.net).

VDA system log
When Kerberos logging is enabled, the System log shows the error KDC_ERR_PREAUTH_REQUIRED (which can be ignored) and an entry from Winlogon showing that the Kerberos logon succeeded.

Monitoring FAS using the Windows event log

All FAS events are written to the Windows Application event log. Products such as System Centre Operations Manager (SCOM) can monitor the health of the FAS service using the processes and events described here.

Is the FAS service running?
To determine whether the FAS service is running, monitor the process Citrix.Authentication.FederatedAuthenticationService.exe.

This section covers only the most important events for monitoring the FAS service. For a complete list of FAS event codes, see FAS event logs below.

FAS health events
The following events show whether your FAS service is healthy. The event source is Citrix.Authentication.FederatedAuthenticationService.

[S003] Administrator [{0}] setting Maintenance Mode to [{1}]
    Description: The FAS service has entered or exited maintenance mode.
    Notes: In maintenance mode, the FAS server cannot be used for single sign-on.
[S022] Administrator [{0}] setting Maintenance Mode to Off
    Description: The FAS service has exited maintenance mode.
    Notes: Available from FAS 10.7 / Citrix Virtual Apps and Desktops 2109.
[S023] Administrator [{0}] setting Maintenance Mode to On
    Description: The FAS service has entered maintenance mode.
    Notes: Available from FAS 10.7 / Citrix Virtual Apps and Desktops 2109.
[S123] Failed to issue a certificate for [upn: {0} role: {1}] [exception: {2}]
    Description: Raised after [S124] when none of the CAs that FAS is configured with succeeded in issuing the user certificate. Single sign-on for that user fails.
    Notes: Indicates that all configured CAs are unhealthy. If FAS is configured to use an HSM, it can also indicate that the HSM is unhealthy.
[S124] Failed to issue a certificate for [upn: {0} role: {1}] at [certificate authority: {2}] [exception: {3}]
    Description: FAS failed to request a user certificate from the given CA. If FAS is configured with more than one CA, it retries the request at another CA.
    Notes: May indicate that the CA is unhealthy or cannot be contacted. If FAS is configured to use an HSM, it can also indicate that the HSM is unhealthy. The exception helps identify the cause.
[S413] Authorization certificate expiring soon ({0} days left). Certificate details: {1}
    Description: Raised periodically when the FAS authorization certificate is close to expiry. By default, it is raised daily once the authorization certificate is within 30 days of expiry.
    Notes: The defaults can be adjusted with the cmdlet Set-FasRaCertificateMonitor; see the PowerShell cmdlets.
[S414] Authorization certificate has expired. Certificate details: {0}
    Description: Raised periodically when the FAS authorization certificate has expired. By default, it is raised daily.
    Notes: Once the certificate has expired, FAS cannot generate new user certificates and single sign-on starts to fail.

Cloud-connected FAS events
If you use FAS with Citrix Cloud, the following events show whether your FAS service is healthy. The event source is Citrix.Fas.Cloud.

[S012] The FAS service is available for single sign-on from Citrix Cloud
    Description: Indicates that single sign-on from Workspace (that is, Citrix Cloud) should be working.
    Notes: Before raising this event, FAS checks (1) that it is configured, (2) that it is not in maintenance mode, and (3) that it is connected to Citrix Cloud.
[S013] The FAS service is not available for single sign-on from Citrix Cloud. [{0}] Further details can be found in the admin console.
    Description: Indicates that FAS cannot provide single sign-on from Workspace (that is, Citrix Cloud). The message contains the reason why single sign-on is not working.
    Notes: FAS keeps a persistent connection to Citrix Cloud. This connection can occasionally be dropped for various reasons (for example, a network fault or a connection-lifetime policy on a proxy server). When that happens, the event text contains "Service is not connected to the cloud". This is normal behaviour; FAS immediately attempts to re-establish the connection to Citrix Cloud.

Security events
The following events indicate that an unauthorized entity attempted to use FAS. The event source is Citrix.Authentication.FederatedAuthenticationService.

[S001] ACCESS DENIED: User [{0}] is not a member of the Administrators group
    An attempt was made to view or change the FAS configuration, but the caller is not a FAS administrator.
[S002] ACCESS DENIED: User [{0}] is not an Administrator of Role [{1}]
    An attempt was made to view or change the configuration of a FAS rule, but the caller is not a FAS administrator.
[S101] Server [{0}] is not authorized to assert identities in role [{1}]
    An attempt was made to assert a user identity, but the caller is not permitted to do so. Only the StoreFront servers permitted in the FAS rule configuration (and Workspace, where applicable) may assert user identities.
[S104] Server [{0}] failed to assert UPN [{1}] (UPN not allowed by role [{2}])
    An attempt was made to assert a user identity, but the FAS rule configuration does not allow that user account to be asserted.
[S205] Relying party access denied - the calling account [{0}] is not a permitted relying party of the rule [{1}]
    A VDA attempted to use FAS to perform single sign-on, but the FAS rule configuration does not allow that VDA.

FAS event logs
The following tables list the event log entries generated by FAS.

Administration events [Federated Authentication Service] [Event source: Citrix.Authentication.FederatedAuthenticationService]
These events are logged in response to a configuration change on the FAS server.

Log codes:
[S001] ACCESS DENIED: User [{0}] is not a member of Administrators group
[S002] ACCESS DENIED: User [{0}] is not an Administrator of Role [{1}]
[S003] Administrator [{0}] setting Maintenance Mode to [{1}]
[S004] Administrator [{0}] requesting authorization certificate from CA [{1}] using templates [{2} and {3}]
[S005] Administrator [{0}] de-authorizing CA [{1}]
[S006] Administrator [{0}] creating Certificate Definition [{1}]
[S007] Administrator [{0}] updating Certificate Definition [{1}]
[S008] Administrator [{0}] deleting Certificate Definition [{1}]
[S009] Administrator [{0}] creating Rule [{1}]
[S010] Administrator [{0}] updating Role [{1}]
[S011] Administrator [{0}] deleting Rule [{1}]
[S012] Administrator [{0}] creating certificate [upn: {1} sid: {2} rule: {3}]Certificate Definition: {4} Security Context: {5}]
[S013] Administrator [{0}] deleting certificates [upn: {1} role: {2} Certificate Definition: {3} Security Context: {4}]
[S015] Administrator [{0}] creating certificate request [TPM: {1}]
[S016] Administrator [{0}] importing Authorization certificate [Reference: {1}]
[S022] Administrator [{0}] setting Maintenance Mode to Off
[S023] Administrator [{0}] setting Maintenance Mode to On
[S024] Administrator [{0}] setting system health monitor
[S025] Administrator [{0}] setting system health monitor
[S026] Administrator [{0}] setting RA Certificate Monitor
[S027] Administrator [{0}] resetting RA certificate monitor
[S050] Administrator [{0}] creating cloud configuration: [{1}]
[S051] Administrator [{0}] updating cloud configuration: [{1}]
[S052] Administrator [{0}] removing cloud configuration
[S060] Administrator [{0}] Requesting Cloud Registration. Instance: {1}
[S060] Administrator [{0}] Requesting Direct Trust Cloud Registration. Instance: {1} CloudServiceUrlFormat: {2}
[S061] Administrator [{0}] Completing Cloud Registration. Resource location: {1}, Rule name: {2}
[S062] Administrator [{0}] Completed Cloud Registration. Resource location: {1} ({2}), Rule name: {3}, Customer: {4} ({5})
[S063] A KRS error occurred during cloud registration. The exception was {0}
[S064] An unknown error occurred during cloud registration. The exception was {0}

Log codes:
[S401] Performing configuration upgrade - [From version {0} to version {1}]
[S402] ERROR: The Citrix Federated Authentication Service must be run as Network Service [currently running as: {0}]
[S404] Forcefully erasing the Citrix Federated Authentication Service database
[S405] An error occurred while migrating data from the registry to the database: [{0}]
[S406] Migration of data from registry to database is complete (note: user certificates are not migrated)
[S407] Registry-based data was not migrated to a database since a database already existed
[S408] Cannot downgrade the configuration - [From version {0} to version {1}]
[S409] ThreadPool configuration succeeded - MinThreads adjusted from [workers: {0} completion: {1}] to: [workers: {2} completion: {3}]
[S410] ThreadPool configuration failed - failed to adjust MinThreads from [workers: {0} completion: {1}] to: [workers: {2} completion: {3}]; this may impact the scalability of the FAS server
[S411] Error starting the FAS service: [{0}]
[S412] Configuration upgrade complete - [From version {0} to version {1}]
[S413] Authorization certificate expiring soon ({0} days left). Certificate details: {1}
[S414] Authorization certificate has expired. Certificate details: {0}
[S415] Authorization certificate checks completed. {0} issues were logged. Next check is due in {1}

Creating identity assertions [Federated Authentication Service] [Event source: Citrix.Authentication.FederatedAuthenticationService]
These events are logged at runtime on the FAS server when a trusted server asserts a user logon.

Log codes:
[S101] Server [{0}] is not authorized to assert identities in role [{1}]
[S102] Server [{0}] failed to assert UPN [{1}] (Exception: {2}{3})
[S103] Server [{0}] requested UPN [{1}] SID {2}, but lookup returned SID {3}
[S104] Server [{0}] failed to assert UPN [{1}] (UPN not allowed by role [{2}])
[S105] Server [{0}] issued identity assertion [upn: {1}, role {2}, Security Context: [{3}]]
[S120] Issuing certificate to [upn: {0} role: {1} Security Context: [{2}]]
[S121] Certificate issued to [upn: {0} role: {1}] by [certificate authority: {2}]
[S122] Warning: Server is overloaded [upn: {0} role: {1}][Requests per minute {2}].
[S123] Failed to issue a certificate for [upn: {0} role: {1}] [exception: {2}]
[S124] Failed to issue a certificate for [upn: {0} role: {1}] at [certificate authority: {2}] [exception: {3}]

Acting as a relying party [Federated Authentication Service] [Event source: Citrix.Authentication.FederatedAuthenticationService]
These events are logged at runtime on the FAS server when a VDA logs a user on.

Log codes:
[S201] Relying party [{0}] does not have access to a password.
[S202] Relying party [{0}] does not have access to a certificate.
[S203] Relying party [{0}] does not have access to the Logon CSP
[S204] Relying party [{0}] accessing the Logon CSP for [upn: {1}] in role: [{2}] [Operation: {3}] as authorized by [{4}]
[S205] Relying party access denied - the calling account [{0}] is not a permitted relying party of the rule [{1}]
[S206] Calling account [{0}] is not a relying party
[S208] Private Key operation failed [Operation: {0} upn: {1} role: {2} certificateDefinition {3} Error {4} {5}].
In-session certificate server [Federated Authentication Service] [Event source: Citrix.Authentication.FederatedAuthenticationService]
These events are logged on the FAS server when a user uses an in-session certificate.

Log codes:
[S301] Access Denied: User [{0}] does not have access to a Virtual Smart Card
[S302] User [{0}] requested unknown Virtual Smart Card [thumbprint: {1}]
[S303] Access Denied: User [{0}] does not match Virtual Smart Card [upn: {1}]
[S304] User [{0}] running program [{1}] on computer [{2}] using Virtual Smart Card [upn: {3} role: {4} thumbprint: {5}] for private key operation [{6}]
[S305] Private Key operation failed [Operation: {0}] [upn: {1} role: {2} containerName {3} Error {4} {5}].

FAS assertion plug-in [Federated Authentication Service] [Event source: Citrix.Authentication.FederatedAuthenticationService]
These events are logged by the FAS assertion plug-in.

Log codes:
[S500] No FAS assertion plug-in is configured
[S501] The configured FAS assertion plug-in could not be loaded [exception:{0}]
[S502] FAS assertion plug-in loaded [pluginId={0}] [assembly={1}] [location={2}]
[S503] Server [{0}] failed to assert UPN [{1}] (logon evidence was supplied but the plug-in [{2}] does not support it)
[S504] Server [{0}] failed to assert UPN [{1}] (logon evidence was supplied but there is no configured FAS plug-in)
[S505] Server [{0}] failed to assert UPN [{1}] (the plug-in [{2}] rejected the logon evidence with status [{3}] and message [{4}])
[S506] The plug-in [{0}] accepted logon evidence from server [{1}] for UPN [{2}] with message [{3}]
[S507] Server [{0}] failed to assert UPN [{1}] (the plug-in [{2}] threw exception [{3}] during method [{4}])
[S507] Server [{0}] failed to assert UPN [{1}] (the plug-in [{2}] threw exception [{3}])
[S508] Server [{0}] failed to assert UPN [{1}] (access disposition was supplied but the plug-in [{2}] does not support it)
[S509] Server [{0}] failed to assert UPN [{1}] (access disposition was supplied but there is no configured FAS plug-in)
[S510] Server [{0}] failed to assert UPN [{1}] (the access disposition was considered invalid by plug-in [{2}])

Workspace-enabled FAS [Federated Authentication Service] [Event source: Citrix.Fas.Cloud]
These events are logged when FAS is used with Workspace.

Log codes:
[S001] Rotated Citrix Cloud authorization key [fas id: {0}] [old key id:{1}] [new key id:{2}]
[S002] The cloud support module is starting. FasHub cloud service URL: {0}
[S003] FAS registered with the cloud [fas id: {0}] [transaction id: {1}]
[S004] FAS failed to register with the cloud [fas id: {0}] [transaction id: {1}] [exception: {2}]
[S005] FAS sent its current configuration to the cloud [fas id: {0}] [transaction id: {1}]
[S006] FAS failed to send its current configuration to the cloud [fas id: {0}] [transaction id: {1}] [exception: {2}]
[S007] FAS unregistered from the cloud [fas id: {0}] [transaction id: {1}]
[S009] FAS failed to unregister from the cloud [fas id: {0}] [transaction id: {1}] [exception: {2}]
[S010] The FAS service is connected to the cloud messaging URL: {0}
[S011] The FAS service is not connected to the cloud
[S012] The FAS service is available for single sign-on from Citrix Cloud
[S013] The FAS service is not available for single sign-on from Citrix Cloud. [{0}] Further details can be found in the admin console
[S014] A call to the cloud service failed [fas id: {0}] [transaction id: {1}] [exception: {2}]
[S015] A message from Citrix Cloud was blocked because the caller is not permitted [message ID {0}] [transaction ID {1}] [caller {2}]
[S016] A call to the cloud service succeeded [fas id: {0}] [transaction id: {1}]
[S019] FAS downloaded its configuration from the cloud [fas id: {0}] [transaction id: {1}]
[S020] FAS failed to download its configuration from the cloud [fas id: {0}] [transaction id: {1}] [exception: {2}]
[S021] The cloud support module failed to start. Exception: {0}
[S022] The cloud support module is stopping
[S023] Failed to rotate Citrix Cloud authorization key [fas id: {0}] [current key id:{1}] [new key id:{2}] [keys in cloud:{3}]
[S024] Initiating rotation of Citrix Cloud authorization key [fas id: {0}] [current key id:{1}] [new key id:{2}]
[S025] This service's authorization key is present in the Citrix Cloud [current key: {0}] [keys in cloud: {1}]
[S026] This service's authorization key is not present in the Citrix Cloud [current key: {0}] [keys in cloud: {1}]
[S027] Upgraded the Citrix Cloud authorization key storage format [fas id: {0}]

Logon [VDA] [Event source: Citrix.Authentication.IdentityAssertion]
These events are logged on the VDA during the logon stage.

Log codes:
[S101] Identity Assertion Logon failed. Unrecognised Federated Authentication Service [id: {0}]
[S102] Identity Assertion Logon failed. Could not lookup SID for {0} [Exception: {1}{2}]
[S103] Identity Assertion Logon failed. User {0} has SID {1}, expected SID {2}
[S104] Identity Assertion Logon failed. Failed to connect to Federated Authentication Service: {0} [Error: {1} {2}]
[S105] Identity Assertion Logon. Logging in [Username: {0} Domain: {1}]
[S106] Identity Assertion Logon.\n\nFederated Authentication Service: {0}\n\nLogging in [Certificate: {1}]
[S107] Identity Assertion Logon failed. [Exception: {0}{1}]
[S108] Identity Assertion Subsystem. ACCESS_DENIED [Caller: {0}]

In-session certificates [VDA] [Event source: Citrix.Authentication.IdentityAssertion]
These events are logged on the VDA when a user attempts to use an in-session certificate.

Log codes:
[S201] Virtual smart card access authorized by [{0}] for [PID: {1} Program Name: {2}Certificate thumbprint: {3}]
[S203] Virtual Smart Card Subsystem. Access Denied [caller: {0}, session {1}]
[S204] Virtual Smart Card Subsystem. Smart card support disabled

Certificate request and key pair generation [Federated Authentication Service] [Event source: Citrix.Fas.PkiCore]
These events are logged when the FAS server performs low-level cryptographic operations.

Log codes:
[S001] TrustArea::TrustArea: Installed certificate [TrustArea: {0} Certificate {1}TrustAreaJoinParameters {2}]
[S014] Pkcs10Request::Create: Created PKCS10 request [Distinguished Name {0}]
[S016] PrivateKey::Create [Identifier {0}MachineWide: {1} Provider: {2} ProviderType: {3} EllipticCurve: {4} KeyLength: {5} isExportable: {6}]
[S017] PrivateKey::Delete [CspName: {0}, Identifier {1}]

Log codes:
[S104] MicrosoftCertificateAuthority::GetCredentials: Authorized to use {0}
[S105] MicrosoftCertificateAuthority::SubmitCertificateRequest Error submit response [{0}]
[S106] MicrosoftCertificateAuthority::SubmitCertificateRequest Issued certificate [{0}]
[S112] MicrosoftCertificateAuthority::SubmitCertificateRequest - Waiting for approval [CR_DISP_UNDER_SUBMISSION] [Reference: {0}]

End user error messages
This section lists common error messages shown to the user on the Windows logon page.

Invalid username or password
    The computer believes you have a valid certificate and private key, but the Kerberos domain controller has rejected the connection. See the Kerberos logs section of this article.
The system could not log you on. Your credentials could not be verified. / The request is not supported
    The domain controller cannot be contacted, or the domain controller has not been configured with a certificate that supports smart card authentication. Enroll the domain controller for a "Kerberos Authentication", "Domain Controller Authentication", or "Domain Controller" certificate. This is worth trying even when the existing certificate appears to be valid.
The system could not log you on. The smart card certificate used for authentication was not trusted.
    The intermediate and root certificates are not installed on the local computer. See Certificates and public key infrastructure.
Bad request
    This usually indicates that the extensions on the certificate are not set correctly, or that the RSA key is too short (less than 2048 bits).

Related information
- Configuring a domain for smart card logon
- Smart card logon policies
- Enabling CAPI logging
- Enabling Kerberos logging
- Guidelines for enabling smart card logon with third-party certification authorities
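The checks in the Certificates and public key infrastructure and Certificate validation logs sections (chain and revocation, Smart Card Logon EKU, UPN in the SAN, RSA key length, issuing CA in NTAuth) can be run against an exported user certificate before touching the domain controller. The script below is an added example and is not part of the original article or of Citrix's or Microsoft's tooling. It assumes a domain-joined Windows machine with certutil.exe producing English output, that the .NET SAN formatter on the host renders the UPN as "Principal Name=", and that the input file is the user.cer exported in the "Check certificate validity" step; the parameter and variable names are this example's own.

```powershell
# Added example: offline pre-flight checks on an exported smart-card user certificate
# that mirror what lsass verifies at logon. Not from the original article.
param([string] $CertPath = '.\user.cer')   # exported DER certificate, no private key needed

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # szOID_KP_SMARTCARD_LOGON
$ClientAuthEku     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (Resolve-Path $CertPath).Path
$findings = New-Object System.Collections.Generic.List[string]

# 1. EKU. Unless AllowCertificatesWithNoEKU is set, the Smart Card Logon EKU must be present.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekus = @()
if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekus -notcontains $SmartCardLogonEku) {
    $findings.Add("No Smart Card Logon EKU ($SmartCardLogonEku); only acceptable with AllowCertificatesWithNoEKU")
}
if ($ekus -notcontains $ClientAuthEku) { $findings.Add("No Client Authentication EKU ($ClientAuthEku)") }

# 2. UPN in the Subject Alternative Name (the article recommends a unique UPN there).
#    Assumption: the English .NET formatter renders the otherName as "Principal Name=".
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = $null
if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=(\S+)')) { $upn = $Matches[1] }
if (-not $upn) {
    $findings.Add('No UPN in the SAN; logon must rely on x509certificate mapping or X509HintsNeeded')
}

# 3. Key. "Bad request" at logon is typical of RSA keys under 2048 bits; ECC needs EnumerateECCCerts.
$keyAlg = $cert.PublicKey.Oid.FriendlyName
if ($keyAlg -eq 'RSA') {
    $bits = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
    if ($bits -lt 2048) { $findings.Add("RSA key is only $bits bits (< 2048)") }
} else {
    $findings.Add("Non-RSA key ($keyAlg); EnumerateECCCerts must be enabled for ECC logon")
}

# 4. Chain build with online revocation checking, the same work the CAPI2 "Build Chain" /
#    "Verify Revocation" / "Verify Chain Policy" entries record for lsass.exe.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $SmartCardLogonEku)) | Out-Null
$chainOk = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) {
    # Map the status to the article's logon error messages where it is clear-cut.
    $hint = switch -Regex ($s.Status.ToString()) {
        'UntrustedRoot|PartialChain'                          { 'Certificate not trusted' }
        'Revoked|RevocationStatusUnknown|OfflineRevocation'   { 'Certificate revocation check error' }
        'NotValidForUsage'                                    { 'Certificate usage error' }
        'NotTimeValid'                                        { 'Expired; only acceptable with AllowTimeInvalidCertificates' }
        default                                               { '' }
    }
    $findings.Add(("Chain: {0} {1} {2}" -f $s.Status, $s.StatusInformation.Trim(), $hint).Trim())
}

# 5. The CA that directly issued the certificate must be in the enterprise NTAuth store.
#    Assumption: certutil prints "Cert Hash(sha1): <hex>" in English.
$issuerThumb = $null
if ($chain.ChainElements.Count -gt 1) { $issuerThumb = $chain.ChainElements[1].Certificate.Thumbprint }
$ntauth = @(& certutil.exe -enterprise -store NTAuth 2>$null | ForEach-Object {
    if ($_ -match 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)$') { ($Matches[1] -replace ' ', '').ToUpperInvariant() }
})
$issuerInNtAuth = [bool]($issuerThumb -and ($ntauth -contains $issuerThumb))
if ($issuerThumb -and -not $issuerInNtAuth) { $findings.Add("Issuing CA $issuerThumb is not in the NTAuth store") }

[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    Upn            = $upn
    ChainOk        = $chainOk
    IssuerInNTAuth = $issuerInNtAuth
    Findings       = $findings.ToArray()
}
```

Run it on the machine where the logon fails, because the chain is built from that machine's own intermediate and Trusted Root stores, which is exactly the condition the "Certificate not trusted" message describes. An empty Findings array with ChainOk true and IssuerInNTAuth true means the certificate itself is not the problem, and attention should move to the Kerberos and domain controller logs.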
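The Enable CAPI logging and Kerberos logs sections each describe registry values and an operational log that have to be switched on for a test and removed afterwards. The following added example (not from the original article) does both from one script so that nothing is left enabled on a domain controller after debugging. It assumes an elevated PowerShell session on the machine being instrumented, and applies the Kdc values only when -IsDomainController is passed, since the Kdc key is meaningful only on a domain controller; the parameter names and the DiagLevel default of 4 are this example's own choices.

```powershell
# Added example: enable or remove the CAPI2 and Kerberos diagnostic settings from the
# article in one step. Not from the original article. Run elevated.
param(
    [ValidateSet('Enable', 'Disable')] [string] $Mode = 'Enable',
    [switch] $IsDomainController,          # also set KdcDebugLevel / KdcExtraLogLevel
    [string] $ProcessFilter = 'lsass.exe', # DiagProcessName; pass '' to log every process
    [ValidateRange(0, 5)] [int] $DiagLevel = 4
)

$Crypt32  = 'HKLM:\SYSTEM\CurrentControlSet\Services\crypt32'
$Kerberos = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$Kdc      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$Capi2Log = 'Microsoft-Windows-CAPI2/Operational'

# Values from the article, with the registry type each one needs.
$values = @(
    @{ Path = $Crypt32;  Name = 'DiagLevel';        Type = 'DWord'; Data = $DiagLevel }
    @{ Path = $Crypt32;  Name = 'DiagMatchAnyMask'; Type = 'QWord'; Data = 0xffffff }  # all events
    @{ Path = $Kerberos; Name = 'LogLevel';         Type = 'DWord'; Data = 1 }
    @{ Path = $Kerberos; Name = 'KerbDebugLevel';   Type = 'DWord'; Data = -1 }        # -1 as DWORD is 0xffffffff
)
if ($ProcessFilter) {
    $values += @{ Path = $Crypt32; Name = 'DiagProcessName'; Type = 'MultiString'; Data = @($ProcessFilter) }
}
if ($IsDomainController) {
    $values += @{ Path = $Kdc; Name = 'KdcDebugLevel';    Type = 'DWord'; Data = 1 }
    $values += @{ Path = $Kdc; Name = 'KdcExtraLogLevel'; Type = 'DWord'; Data = 0x1f }
}

switch ($Mode) {
    'Enable' {
        foreach ($v in $values) {
            if (-not (Test-Path $v.Path)) { New-Item -Path $v.Path -Force | Out-Null }
            New-ItemProperty -Path $v.Path -Name $v.Name -PropertyType $v.Type -Value $v.Data -Force | Out-Null
        }
        # Same effect as Event Viewer > CAPI2 > Operational > Enable Log.
        & wevtutil.exe set-log $Capi2Log /enabled:true
        Write-Host "Diagnostics enabled. Kerberos output goes to the System log, CAPI2 to $Capi2Log."
    }
    'Disable' {
        # The article's revert step: deleting the values restores the defaults.
        foreach ($v in $values) {
            Remove-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        }
        & wevtutil.exe set-log $Capi2Log /enabled:false
        Write-Host 'Diagnostics removed.'
    }
}
```

Usage: `.\Set-LogonDiagnostics.ps1 -Mode Enable -IsDomainController` on the domain controller named by %LOGONSERVER%, `.\Set-LogonDiagnostics.ps1 -Mode Enable` on the VDA, reproduce the logon, then run both again with `-Mode Disable`. Disable deletes the values rather than restoring earlier contents, which matches the article's instructions and is correct when the values did not exist before; if a value was already present for another reason, record it before enabling. KerbDebugLevel at 0xffffffff and DiagLevel above 3 are verbose enough to fill the logs quickly, so keep the window short.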
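The Domain controller and workstation logs, Kerberos logs and Security events sections list the entries to look for after a test logon, spread across two or three machines and four logs. The added example below (not from the original article) gathers them into one timeline: the 4768 events on the domain controller that carry certificate data, the winlogon.exe 4648 on the VDA, CAPI2 error-level entries on both, Kerberos entries in the System log with the two ignorable codes filtered out, and the five FAS security events. It assumes an administrator session with remote event log access to the named machines, that the domain controller defaults to %LOGONSERVER%, that the FAS provider name is as given in the article, and that the [Sxxx] codes appear at the start of the FAS message text; matching on that text is this example's own way of identifying the events.

```powershell
# Added example: collect the log entries the article says to check after a test
# certificate logon into a single timeline. Not from the original article.
param(
    [string]   $DomainController = $env:LOGONSERVER.TrimStart('\'),
    [string]   $Vda              = $env:COMPUTERNAME,
    [string]   $FasServer        = '',                      # leave empty if FAS is not involved
    [datetime] $Since            = (Get-Date).AddMinutes(-30)
)

function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord] $Record) {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    $h = @{}
    ([xml] $Record.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

$rows = New-Object System.Collections.Generic.List[object]
function Add-Row($Time, $Source, $Id, $Text) {
    $rows.Add([pscustomobject]@{ Time = $Time; Source = $Source; Id = $Id; Text = $Text })
}

function Get-Events($Machine, $Filter) {
    $Filter['StartTime'] = $Since
    Get-WinEvent -ComputerName $Machine -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

# DC: 4768 is the TGT issue. CertThumbprint is empty for password logons, so it selects
# the certificate (PKINIT) requests the article's "key event" refers to.
Get-Events $DomainController @{ LogName = 'Security'; Id = 4768 } | ForEach-Object {
    $d = Get-EventData $_
    if ($d.CertThumbprint) {
        Add-Row $_.TimeCreated "$DomainController/Security" 4768 `
            ("TGT for {0}\{1} status {2}; cert issuer '{3}' serial {4} thumbprint {5}" -f `
             $d.TargetDomainName, $d.TargetUserName, $d.Status, $d.CertIssuerName, $d.CertSerialNumber, $d.CertThumbprint)
    }
}

# VDA: the article's logon record is 4648 raised by winlogon.exe.
Get-Events $Vda @{ LogName = 'Security'; Id = 4648 } | ForEach-Object {
    $d = Get-EventData $_
    if ($d.ProcessName -like '*\winlogon.exe') {
        Add-Row $_.TimeCreated "$Vda/Security" 4648 `
            ("{0}\{1} logon with explicit credentials to {2}" -f $d.TargetDomainName, $d.TargetUserName, $d.TargetServerName)
    }
}

# Both: CAPI2 failures. TaskDisplayName carries the article's "Build Chain" /
# "Verify Revocation" / "Verify Chain Policy" names.
foreach ($machine in @($DomainController, $Vda) | Select-Object -Unique) {
    Get-Events $machine @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } | ForEach-Object {
        Add-Row $_.TimeCreated "$machine/CAPI2" $_.Id ($_.TaskDisplayName + ': ' + ($_.Message -split "`n")[0].Trim())
    }
    # Kerberos entries land in the System log; drop the two codes the article calls informational.
    Get-Events $machine @{ LogName = 'System' } |
        Where-Object { $_.ProviderName -like '*Kerberos*' -and $_.Message -notmatch 'KDC_ERR_PREAUTH_REQUIRED|0x4b' } |
        ForEach-Object { Add-Row $_.TimeCreated "$machine/System" $_.Id ($_.Message -split "`n")[0].Trim() }
}

# FAS: the five security events from the article, identified by their [Sxxx] code in the message.
if ($FasServer) {
    Get-Events $FasServer @{ LogName = 'Application'; ProviderName = 'Citrix.Authentication.FederatedAuthenticationService' } |
        Where-Object { $_.Message -match '^\[S(001|002|101|104|205)\]' } |
        ForEach-Object { Add-Row $_.TimeCreated "$FasServer/FAS" $Matches[0] ($_.Message -split "`n")[0].Trim() }
}

$rows | Sort-Object Time
```

Read the result from the bottom up: a 4768 with a non-zero Status and a CAPI2 "Verify Revocation" error at the same second is the "Certificate revocation check error" case, a 4768 that never appears while the VDA shows the winlogon 4648 points at the "Invalid username or password" case in the end-user table, and any [S101], [S104] or [S205] from FAS means the rule configuration, not PKI, rejected the request.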