声明提供方信任,通过Haproxy 2.8.5提供https服务,metadata通过url可以正常打开页面
ADFS在配置“声明提供方信任”时,通过URL访问声明提供方的联合元数据,提示“SSL连接通道已关闭”或“基础连接已关闭”,查看haproxy日志发现保存日志““
SSL handshake failure (error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol)
”
The problem turned out to be caused by the fact that Windows Server at least up to 2016 is using TLS 1.0 for .NET framework (in which the ADFS configuration wizard is implemented) while my service hosting the metadata document only allowed TLS 1.2 as the minimum version。
出现该问题的原因是ADFS默认使用TLS1.0,可以选择强制ADFS使用TLS1.2,也可以配置haproxy支持TLS1.0,如下
ssl-default-bind-options ssl-min-ver TLSv1.0 no-sslv3
ADFS禁用TLS1.0,参考如下:
https://learn.microsoft.com/zh-cn/troubleshoot/windows-server/active-directory/disable-and-replace-tls-1dot0
https://learn.microsoft.com/zh-cn/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs?source=recommendations
https://learn.microsoft.com/zh-cn/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs?source=recommendations#enable-strong-authentication-for-net-applications
标签:fs,ad,url,ADFS,server,ssl,报错,https From: https://www.cnblogs.com/dreamer-fish/p/18344843