반품
-
제목
Active Roles Web Interface shows "The connection with the remote endpoint was terminated" post Federation Configuration -
설명
After Federating Active Roles Web Interface the following error is thrown.
"Message 5202:
Message 1001: The connection with the remote endpoint was terminated."
.jpg)
-
원인
If the Active Roles Web Interface is hosted on a remote server (separate from the Active Roles Administration Service) and Federated Authentication is being used, then the service account used to run the ARWebAppPool IIS Application Pool is missing the required permission. -
해결 방안
When the Federated Authentication endpoint sends an authorization request with a user name via SAML, IIS on the Active Roles Web Interface host can generate a Windows token by impersonation. However, this token can only be used to access remote resources only if the account running the ARWebAppPool IIS Application Pool has the privilege to Act as part of the operating system (SeTcbPrivilege)
If only one remote Active Roles Web Interface host is needed, the ARWebAppPool can be run as the LocalSystem account, which has SeTcbPrivilege by default. If more than one remote Active Roles Web Interface host is needed, then Kerberos SPN requirements mean that the ARWebAppPool must be run as an Active Directory service account that has the SeTcbPrivilege explicitly granted.
- Select Control Panel | Administrative Tools | Local Security Settings
- In the left panel, select Security Settings | Local Policies | User Rights Assignment
- Open Act as part of operating system
- In the Act as part of the operating system properties dialog box, click Add User or Group
- In the Add User or Group dialog box, enter the desired Active Directory service account and click OK.
- Click OK to close the properties dialog box
NOTE: If the Add button is greyed out, then there is a Group Policy which is preventing local changes. Instead, add the desired Active Directory service account into the Group Policy for this privilege on the Active Roles Web Interface host(s).