为什么 AD FS 2016 执行此 SQL 查询？

Question

我们无法弄清楚为什么 AD FS 2016 在 SQL 属性存储上执行某个 SQL 查询。

• 问题首先出现在我们重命名数据库以准备停用该数据库时。我们重命名它以查看是否有任何东西在使用它。
• 重命名后，AD FS 2016 开始抛出无法登录数据库的错误。这并不奇怪，除非它正在执行的 SQL 查询无法在任何依赖方或 OAuth 注册的声明规则中找到。
• 那么，是否有一个位置可以放置一个全局策略，该策略将在每个令牌请求上执行并应用于每个依赖方，因为 SQL 查询不在依赖方上正在请求令牌？

这是 AD FS 2016 在其事件查看器中报告的完整错误。

An Error occurred while executing a query in SQL attribute store.

Additional Data Connection information: POLICY3907: Server=REDACTED;Database=REDACTED. Query: SELECT [REDACTED] FROM [REDACTED].[REDACTED] WHERE [REDACTED]=@PARAMETER0 Parameters: REDACTED,

User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the connection string to the SQL attribute store is valid. Make sure that the SQL attribute store can be reached by the connection string and the SQL attribute store exists. Verify that the SQL query and parameters are valid.

Exception details: Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SqlAttributeStoreQueryExecutionException: POLICY3904: Execution of query:'SELECT [REDACTED] FROM [REDACTED].[REDACTED] WHERE [REDACTED]=@PARAMETER0' with parameters:'REDACTED,' failed. Connection information:'POLICY3907: Server=REDACTED;Database=REDACTED.'. ---> System.Data.SqlClient.SqlException: Cannot open database "REDACTED" requested by the login. The login failed. Login failed for user 'REDACTED'. at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager) at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry) at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry) at System.Data.SqlClient.SqlConnection.Open() at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List1 queryParameters, AsyncCallback callback, Object state)
--- End of inner exception stack trace --- at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List1 queryParameters, AsyncCallback callback, Object state) at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SqlAttributeStore.BeginExecuteQuery(String query, String[] queryParameterValues, AsyncCallback callback, Object state) at Microsoft.IdentityServer.ClaimsPolicy.Language.AttributeLookupIssuanceStatement.BeginEvaluate(IEnumerable1 matchedClaims, PolicyContext policyContext, AsyncCallback callback, Object state)

System.Data.SqlClient.SqlException (0x80131904): Cannot open database "REDACTED" requested by the login. The login failed. Login failed for user 'REDACTED'. at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, DbConnectionPool pool, String accessToken, Boolean applyTransientFaultHandling, SqlAuthenticationProviderManager sqlAuthProviderManager) at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions) at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions) at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection) at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection) at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource1 retry, DbConnectionOptions userOptions) at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource1 retry) at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource1 retry) at System.Data.SqlClient.SqlConnection.Open() at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List1 queryParameters, AsyncCallback callback, Object state) ClientConnectionId:a7e6a99c-b3c5-495d-be39-7d700321a5c3 Error Number:4060,State:1,Class:11

Answer 1

MFA 评估可以在全球范围内进行

https://docs.microsoft.com/en-us/archive/blogs/ramical/under-the-hood-tour-on-multi-factor-authentication-in-adfs-part-1-policy

通过 Get-AdfsAdditionalAuthenticationRule 检查 MFA 设置。他们可能定义了使用该属性存储的规则。

https://docs.microsoft.com/en-us/powershell/module/adfs/get-adfsadditionalauthenticationrule?view=windowsserver2022-ps

Answer 2

问题原来是添加到 Active Directory 声明提供程序信任的自定义规则。因此，每个使用 Active Directory 声明规则的应用程序都会执行该规则，然后查询数据库，即使该应用程序不需要该值。

因此，我从 Active Directory 中删除了该声明规则。这是我找到规则的屏幕截图。