Channel: Claims based access platform (CBA), code-named Geneva forum

AD FS 2.0 RU3 - Multiple RPs sharing signing certificates


Hi all,

I'm testing AD FS 2.0 RU3, in particular one issue that is flagged as fixed:

http://support.microsoft.com/?id=2790338

Some relying parties require that signature certificates are applied to the relying party for SAML requests, as signature certificates provide a critical security validation function and are defined in the SAML 2.0 specification. AD FS 2.0 is capable of allowing unique signature certificates to be applied to a relying party trust, but it only allows the same certificate to be applied to one relying party trust per AD FS 2.0 farm. This restriction may allow multiple relying parties to use the same signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction and allows multiple relying parties to use the same signing certificate for SAML request.

I've tested this with two RPs (app1 and app2) sharing the same signing certificate via online metadata exchange. When I attempt to register the second RP, I get the following error:

MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration

I was under the impression that Issue 4 as defined in the Release Notes now allows shared certificates across multiple RPs. Has anyone else tested this successfully?

Regards,

Mylo


AD FS 2.0 + Unable to read Winhttp configuration


We are in the process of completing the AD FS 2.0 configuration. The AD FS infrastructure includes two federation server proxies in a farm, two federation servers in a farm, and a clustered SQL Server 2008 back end.

With that said, when we restart the AD FS 2.0 Windows service on both federation servers, we see the following event in the AD FS debug log. The AD FS 2.0 Windows service does start, so I am curious whether this error can be ignored or whether there are any modifications that can be made to resolve it.

AD FS 2.0 Admin Log
-------------------
No specific warning or error related to WinHTTP Proxy.


AD FS 2.0 Debug Log
-------------------
CreateFromCurrentConfiguration: Unable to read Winhttp configuration. Using direct connection. Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.IdentityServer.WinhttpProxyConfigurationReader.Read(Uri& httpProxy, Uri& httpsProxy, Boolean& byPassLocalAddresses, List`1& byPassList)
   at Microsoft.IdentityServer.ADFSWebProxy.CreateFromCurrentConfiguration(IProxyConfigurationReader reader)

 

Cross posted: http://social.microsoft.com/Forums/en-US/partnerwinserver/thread/fa0c9105-d8d7-483c-8355-08ff814c7e8d

ADFS 2.0 fails to start on SQL Server, succeeds on WID


I have a fully operational ADFS server running on a WID database. To make backup centralization easier, I'd like to move the databases to a SQL Server database.

I followed the steps described in this article, but when the service tries to start, the following errors are trapped in the ADFS 2.0 admin log:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Event ID:      102
Description:   There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details: System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault] : ADMIN0012 : OperationFault (the error detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).

Then :

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Event ID:      220
Task Category: None
Level:         Error
Keywords:      AD FS
Description:   The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
Additional Data Error: ADMIN0012 : OperationFault

Enabling the ADFS debug logs shows these events:

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Event ID:      37
Task Category: None
Level:         Error
Keywords:      ADFSPolicyServerService
Description:
An error occurred while trying to search in the policy store:
Message: Exception has been thrown by the target of an invocation.

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Event ID:      53
Task Category: None
Level:         Warning
Keywords:      ADFSSTS
Description: Got exception: ADMIN0012 : OperationFault with stacktrace:
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Sql.SqlStore.Search(Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.<>c__DisplayClass4.<SearchCore>b__3()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.AttemptDeadlockSusceptibleOperation(DeadlockSusceptibleOperation operation)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchCore(IPolicyStoreService store, Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchDirect(Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Configuration.SqlServiceConfigurationReader.LoadData()
   at Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData()
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.FetchAdministrationServiceConfiguration()
while fetching configuration. Will retry in 2000 ms.

These 2 events are repeated 9 times, then this error is raised:

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Event ID:      67
Task Category: None
Level:         Error
Keywords:      ADFSProtocol
Description: CreateFromCurrentConfiguration: Unable to read Winhttp configuration. Using direct connection.
Exception: System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.IdentityServer.WinhttpProxyConfigurationReader.Read(Uri& httpProxy, Uri& httpsProxy, Boolean& byPassLocalAddresses, List`1& byPassList)
   at Microsoft.IdentityServer.ADFSWebProxy.CreateFromCurrentConfiguration(IProxyConfigurationReader reader)

I checked the SQL server: when the service tries to start, I see some requests on the AdfsConfiguration database (the stored procedure GetServiceSettings is called), so it seems that it's not related to a misconfiguration of the SQL connection.
  • Opening Internet access did not solve the problem.
  • As suggested here, I tried to update the Trust Providers registry settings for account S-1-5-20, but no success (I tried the values 23c00, 200 and 23e00).
  • .NET Framework 4 was deployed on the server; I removed it as suggested here, but no success.
  • If I revert the configuration to use the WID database again (Data Source=\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True), then the service starts fine.

How can I make this ADFS configuration work? The funny thing is that having the artifact DB on SQL Server and using the WID database works very well. The issues came when moving the AdfsConfiguration database to SQL.

Thanks in advance.

Romain K







Saml 2 Sender Vouches with WIF


Hi,

I am trying to implement the Saml sender-vouches scenario as explained here:

http://weblogs.asp.net/gsusx/archive/2009/12/18/implementing-a-saml-sender-vouches-scenario-with-wif.aspx

This example is implemented with the WIF SAML 1.1 classes. I am trying to use the SAML 2 classes with the Saml2SecurityTokenHandler's CreateAuthenticationStatement implementation in my derived class. The way this method is implemented in the SAML 1.1 version of the classes does not work for the SAML 2 versions. Does anyone have sample code for this method using the WIF SAML 2 classes (i.e. Saml2AuthenticationStatement, Saml2AuthenticationContext, etc.)? BTW, if I just short-circuit to the base class's CreateAuthenticationStatement, the Saml2AuthenticationStatement comes back null.

Thanks.
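As an added example (not code from the original post or from WIF, and not a verified answer to it), here is a handler derived from the WIF 3.5 Saml2SecurityTokenHandler in Microsoft.IdentityModel.Tokens.Saml2 that overrides CreateAuthenticationStatement so that the returned statement is never null. The base implementation builds the statement from the AuthenticationInformation it is given and returns null when none is supplied, which is the behaviour described above. The PasswordProtectedTransport context class, the 8-hour session bound and the class name are assumptions made for the example.

```csharp
using System;
using Microsoft.IdentityModel.Tokens;
using Microsoft.IdentityModel.Tokens.Saml2;

// Added example, not WIF code: a SAML 2.0 token handler that always emits a
// <saml:AuthnStatement>, for a sender-vouches flow where the intermediary has
// already authenticated the user and forwards the assertion on their behalf.
public class SenderVouchesSaml2TokenHandler : Saml2SecurityTokenHandler
{
    // Assumed authentication context: password sent over a TLS-protected channel.
    // Replace with the class reference that matches how the user really authenticated.
    private static readonly Uri PasswordProtectedTransport =
        new Uri("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

    // Assumed policy value: how long a session started by this assertion may live.
    private static readonly TimeSpan SessionLifetime = TimeSpan.FromHours(8);

    protected override Saml2AuthenticationStatement CreateAuthenticationStatement(
        AuthenticationInformation authInfo, SecurityTokenDescriptor tokenDescriptor)
    {
        // If the caller supplied authentication details, let the base class build
        // the statement from them (method, instant, session index, locality).
        if (authInfo != null)
        {
            Saml2AuthenticationStatement fromBase = base.CreateAuthenticationStatement(authInfo, tokenDescriptor);
            if (fromBase != null)
            {
                return fromBase;
            }
        }

        // Otherwise synthesise one. The instant is "now" because the vouching
        // party is asserting the authentication it performed; the context class
        // describes that authentication, not the token exchange itself.
        DateTime now = DateTime.UtcNow;
        var context = new Saml2AuthenticationContext(PasswordProtectedTransport);
        var statement = new Saml2AuthenticationStatement(context, now);

        // Bound the statement so a captured assertion cannot keep a session open
        // indefinitely at the relying party.
        statement.SessionNotOnOrAfter = now.Add(SessionLifetime);
        return statement;
    }
}
```

Register the handler in the SecurityTokenHandlerCollection in place of the stock Saml2SecurityTokenHandler so that CreateToken uses it; the statement is only as trustworthy as the intermediary's own authentication of the user, which is the whole point of the sender-vouches confirmation method.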

 

 

How to configure Sharepoint with Trusted Provider


Hi,

We have 4 front ends (WFEs) in our SharePoint farm. I would like to configure a trusted provider (STS) in SharePoint, and it must be possible to access this trusted provider from each of the front ends.

I know that the realm address should be something like "http://sp/_trust/" to authenticate the user, but if I want to log in to the STS provider from one of the other existing front ends, should I also configure it in some way, like adding a new realm address "http://fwe1/_trust/" for that front end, or should only one "_trust" realm address be added?

Thanks for any info.



ADFS 2.0 - Service cannot start


Hi everyone,

This is the first time that I have not been able to install ADFS 2.0 correctly. I suspect the server, but I have no idea where I need to get some information to fix that.

I used my own deployment plan, which I had already installed successfully before on my virtual machine. The target is one ADFS 2.0 server that uses a remote SQL Server. I generated the scripts correctly with fsconfig, created the SPN, created the user on SQL and ran my 2 scripts.

Then I tried to create the ADFS SQL farm with fsconfig; all steps complete successfully except the last one, starting the ADFS service. The event ID errors 102 and 220 are logged in my event viewer.

If I enable tracing on ADFS I have these errors:

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          14/02/2011 17:37:31
Event ID:      37
Task Category: None
Level:         Error
Keywords:      ADFSPolicyServerService
User:          IRCPROTO\SVC-ADFS
Computer:      CINCA.ircproto.mpw.fra
Description:
An error occurred while trying to search in the policy store:
Message: Exception has been thrown by the target of an invocation.

Event XML: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" /><EventID>37</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000080</Keywords><TimeCreated SystemTime="2011-02-14T16:37:31.594724800Z" /><EventRecordID>1</EventRecordID><Correlation /><Execution ProcessID="3092" ThreadID="556" ProcessorID="1" KernelTime="15" UserTime="28" /><Channel>AD FS 2.0 Tracing/Debug</Channel><Computer>CINCA.ircproto.mpw.fra</Computer><Security UserID="S-1-5-21-1556569207-3421234143-1596450342-86374" /></System><UserData><Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData>An error occurred while trying to search in the policy store:
Message: Exception has been thrown by the target of an invocation.</EventData></Event></UserData></Event>

and

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          14/02/2011 17:37:31
Event ID:      53
Task Category: None
Level:         Warning
Keywords:      ADFSSTS
User:          IRCPROTO\SVC-ADFS
Computer:      CINCA.ircproto.mpw.fra
Description:
Got exception: ADMIN0012 : OperationFault with stacktrace:
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Sql.SqlStore.Search(Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.<>c__DisplayClass4.<SearchCore>b__3()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.AttemptDeadlockSusceptibleOperation(DeadlockSusceptibleOperation operation)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchCore(IPolicyStoreService store, Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchDirect(Filter filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.Service.Configuration.SqlServiceConfigurationReader.LoadData()
   at Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData()
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.FetchAdministrationServiceConfiguration()
while fetching configuration. Will retry in 2000 ms.
Event XML: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" /><EventID>53</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000400</Keywords><TimeCreated SystemTime="2011-02-14T16:37:31.610349600Z" /><EventRecordID>2</EventRecordID><Correlation /><Execution ProcessID="3092" ThreadID="556" ProcessorID="1" KernelTime="16" UserTime="28" /><Channel>AD FS 2.0 Tracing/Debug</Channel><Computer>CINCA.ircproto.mpw.fra</Computer><Security UserID="S-1-5-21-1556569207-3421234143-1596450342-86374" /></System><UserData><Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData>Got exception: ADMIN0012 : OperationFault with stacktrace: at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Sql.SqlStore.Search(Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.&lt;&gt;c__DisplayClass4.&lt;SearchCore&gt;b__3() at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.AttemptDeadlockSusceptibleOperation(DeadlockSusceptibleOperation operation) at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchCore(IPolicyStoreService store, Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchDirect(Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.Configuration.SqlServiceConfigurationReader.LoadData() at Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData() at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.FetchAdministrationServiceConfiguration() while fetching configuration. Will retry in 2000 ms.</EventData></Event></UserData></Event>

Can someone help me interpret these errors, please?

Thank you so much,
Alex



GIRAUD Alexandre - MVP Forefront France http://www.alexgiraud.net/blog

ADFS 2.0 PrimaryComputer with an SQL configuration database?


I think I messed up my original install. When I run Get-ADFSSyncProperties on either of the servers in my farm, they both come back with:

Role
----
PrimaryComputer

Does anybody know if this means my second server in the farm isn't set up correctly, or is it supposed to be that way since they both use the same SQL server for the AdfsConfiguration database?

Thanks to anybody that can help me.

ID6013: The signature verification failed in Saml2SecurityTokenHandler

Hi

I have a problem with the Saml2 token handler. I've created a custom handler that inherits from Saml2SecurityTokenHandler. I'm getting an exception:

System.Security.Cryptography.CryptographicException: ID6013: The signature verification failed.
   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.VerifySignature(HashAlgorithm hash, AsymmetricSignatureDeformatter deformatter, String signatureMethod)
   at Microsoft.IdentityModel.Protocols.XmlSignature.SignedXml.StartSignatureVerification(SecurityKey verificationKey)
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at CustomSaml2SecurityTokenHandler.ReadAssertion(XmlReader reader) in C:\IdentityTrainingKit\Labs\WebServicesAndIdentity\Ex1-SecuringWebService\Begin\WeatcherStationServiceEx01_2\CustomSaml2SecurityTokenHandler.cs:line 69
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Tokens.SecurityTokenSerializerAdapter.ReadTokenCore(XmlReader reader, SecurityTokenResolver tokenResolver)
   at System.IdentityModel.Selectors.SecurityTokenSerializer.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator& usedTokenAuthenticator)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.StrictModeSecurityHeaderElementInferenceEngine.ExecuteProcessingPasses(ReceiveSecurityHeader securityHeader, XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)

In response to a SOAP message like this:

<soap:Envelope xmlns:soap="...." xmlns:tem="http://tempuri.org/">
   <soap:Header>
      <wsse:Security soap:mustUnderstand="true" xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="...">
         <saml:Assertion Version="2.0" ID="_620eb6ad-258b-4fc2-893c-d8358f269553" IssueInstant="2010-01-22T10:41:18Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:Issuer>...</saml:Issuer>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
               <SignedInfo>
                  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                  <Reference URI="#_620eb6ad-258b-4fc2-893c-d8358f269553">
                     <Transforms>
                        <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                        <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                           <InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </Transform>
                     </Transforms>
                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                     <DigestValue>K0rmjYlOt+TfNgChz1vdZeOjxGQ=</DigestValue>
                  </Reference>
               </SignedInfo>
               <SignatureValue>...</SignatureValue>
               <KeyInfo>
                  <X509Data>
                     <X509Certificate>...</X509Certificate>
                  </X509Data>
               </KeyInfo>
            </Signature>
....
            </saml:AttributeStatement>
</saml:Assertion>
      </wsse:Security>
   </soap:Header>
   <soap:Body>
...
   </soap:Body>
</soap:Envelope>

After spending some time with Reflector and the debugger, here is what I found.
The last bit in the stack trace is SignedXml.VerifySignature(), which (from Reflector) looks like this:

    private void VerifySignature(HashAlgorithm hash, AsymmetricSignatureDeformatter deformatter, string signatureMethod)
    {
      this.Signature.SignedInfo.ComputeHash(hash);
      if (StringComparer.Ordinal.Equals(signatureMethod, "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"))
      {
        if (!CryptoUtil.VerifySignatureForSha256(deformatter, hash, this.GetSignatureValue()))
        {
          throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(new CryptographicException(Microsoft.IdentityModel.SR.GetString("ID6013", new object[0])));
        }
      }
      else if (!deformatter.VerifySignature(hash, this.GetSignatureValue()))
      {
        throw DiagnosticUtil.ExceptionUtil.ThrowHelperError(new CryptographicException(Microsoft.IdentityModel.SR.GetString("ID6013", new object[0])));
      }
    }

The error happens in the bolded section, when deformatter.VerifySignature() returns false. In my case the deformatter is an instance of RSAPKCS1SignatureDeformatter. Going down to that method we have:
    public override bool VerifySignature(byte[] rgbHash, byte[] rgbSignature)
    {
      if (this._strOID == null)
      {
        throw new CryptographicUnexpectedOperationException(Environment.GetResourceString("Cryptography_MissingOID"));
      }
    .....
    }
When I managed to debug to this point, the _strOID field is null. The only place I found where this is set is the method SetHashAlgorithm(), which looks like it's not called before VerifySignature().

I'm not sure if I'm doing something wrong or there is an error in WIF, but I would appreciate any help. Also, if anyone has an idea about a workaround I will be more than grateful.

Regards,
Jimmy
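As an added example (not code from the original post or from WIF), the following reproduces the contract Jimmy found in the debugger using only System.Security.Cryptography: RSAPKCS1SignatureDeformatter keeps the digest OID in a private field that only SetHashAlgorithm() fills in, so VerifySignature() on a fresh deformatter fails, while the same hash and signature verify once the algorithm is set, and a tampered input still fails. The key, the stand-in for the canonicalised SignedInfo and the method names are constructed here; nothing is read from a real SAML assertion, and the example does not say why WIF's SignedXml left the OID unset in the posted scenario.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not WIF code: the RSAPKCS1SignatureDeformatter contract that
// sits underneath WIF's SignedXml.VerifySignature() for rsa-sha1 signatures.
public static class DeformatterDemo
{
    // Mirrors the failing path: no SetHashAlgorithm() before VerifySignature().
    public static bool VerifyWithoutSetHashAlgorithm(RSA key, byte[] hash, byte[] signature, out string failure)
    {
        failure = null;
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        try
        {
            // The deformatter does not know which DigestInfo OID to expect inside
            // the PKCS#1 v1.5 padding, so it cannot verify anything.
            return deformatter.VerifySignature(hash, signature);
        }
        catch (CryptographicUnexpectedOperationException e)
        {
            failure = e.Message;   // the "missing OID" condition from the decompiled code above
            return false;
        }
    }

    // The correct path: the hash algorithm must match the SignatureMethod
    // (http://www.w3.org/2000/09/xmldsig#rsa-sha1 in the posted assertion).
    public static bool VerifyWithSetHashAlgorithm(RSA key, byte[] hash, byte[] signature)
    {
        var deformatter = new RSAPKCS1SignatureDeformatter(key);
        deformatter.SetHashAlgorithm("SHA1");
        return deformatter.VerifySignature(hash, signature);
    }

    public static void Main()
    {
        using (var rsa = new RSACryptoServiceProvider(2048))
        using (var sha1 = SHA1.Create())
        {
            // Constructed sample standing in for the canonicalised <SignedInfo>.
            byte[] signedInfo = Encoding.UTF8.GetBytes("<SignedInfo>constructed sample</SignedInfo>");
            byte[] hash = sha1.ComputeHash(signedInfo);

            // Sign the way a SAML issuer would: SHA-1 digest, PKCS#1 v1.5 padding.
            var formatter = new RSAPKCS1SignatureFormatter(rsa);
            formatter.SetHashAlgorithm("SHA1");
            byte[] signature = formatter.CreateSignature(hash);

            string why;
            bool withoutOid = VerifyWithoutSetHashAlgorithm(rsa, hash, signature, out why);
            Console.WriteLine("without SetHashAlgorithm: " + withoutOid + " (" + why + ")");
            Console.WriteLine("with SetHashAlgorithm:    " + VerifyWithSetHashAlgorithm(rsa, hash, signature));

            // A modified SignedInfo changes the digest, so verification must fail
            // even though the signature bytes are untouched.
            byte[] tamperedHash = sha1.ComputeHash(Encoding.UTF8.GetBytes("<SignedInfo>tampered</SignedInfo>"));
            Console.WriteLine("tampered content:         " + VerifyWithSetHashAlgorithm(rsa, tamperedHash, signature));
        }
    }
}
```

The deformatter has no way to infer the digest algorithm from the signature bytes, because PKCS#1 v1.5 verification re-encodes the expected DigestInfo (OID plus hash) and compares it to the decrypted signature; if a caller such as a custom token handler constructs the deformatter itself, SetHashAlgorithm must be called with the algorithm named in the SignatureMethod before VerifySignature.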

RP with only a claims aware app


Hi,

We have an environment with ADFS set up. Now a third party has a web-based application dedicated for our use. But that third party does not have any ADFS server in its own environment, only the web-based application, which will soon be a claims-aware application.

My question: is it possible to set up a sort of trust between us and that third party's claims-aware app?

I only clicked through some screens in ADFS and was wondering what I should enter in the relying party trust metadata field, for example. You have to enter a URL. But aside from that, I am wondering what the answer is to my first question. Can somebody tell?

Thanks!

ADFS single sign on


Hi,

We have two separate CRM 2011 servers (not working together) with IFD and ADFS. They are both connected to the same ADFS server. Still, when logging in to an organization URL of one CRM server and then, in the same browser, to an organization URL of the other server, there is no SSO and an error is presented: "Key not valid for use in specified state". I've read about a similar issue in an NLB CRM 2011 environment where they said maybe the CRM servers encrypt their cookie with a different key.

* How is this possible? Isn't ADFS supposed to provide SSO between different servers?

* I want to set up ADFS for Reporting Services; will SSO between CRM and SQL Reporting Services then work, or will there also be another cookie encryption key used?

Federation trust between Private ADFS Servers through VPN


We have a requirement to set up a VPN for ADFS, so that the HTTPS traffic flows through the VPN (and not over the Internet) between the account partner and the relying partner, and so that any communication between ADFS servers goes through their respective ADFS proxies. So,

  1. We have an ADFS proxy in the DMZ and an ADFS server in the internal network on both sides.
  2. We have a firewall rule between the respective organizations' ADFS proxy and ADFS server to allow 443 traffic.
  3. We have a VPN set up with a firewall rule to allow 443 between the 2 ADFS proxies.

With the above setup, the following is working: Account Partner ADFS Proxy -> Relying Party ADFS Proxy -> Relying Party ADFS Server, and the reverse.

But the following IS NOT WORKING and we need help to make it work:

  1. Calls from the Account Partner ADFS SERVER to the Relying Party ADFS Proxy should go through the Account Partner ADFS Proxy.
  2. EXAMPLE: Account ADFS Server -> should always go through Account ADFS Proxy -> Relying Party ADFS Proxy.
  3. Currently the Account ADFS Server is trying to talk directly to the Relying Party ADFS Proxy, and as there is NO firewall rule in the VPN for that, it is failing.

Is there something on the ADFS server that we need to configure to route all the traffic through the ADFS proxy, something like setting a web proxy in Internet Explorer? Please help.

Thank you

WIF 4.5: How to express this WIF 3.5 code using WIF 4.5?


Hello!

In WIF 3.5 you could write like:

SendMessageContext context = this.sendMessageContext;
string requestType;

switch(context.TrustVersion)
{
    case WSTrustVersion.WSTrustFeb2005:
        requestType = WSTrustFeb2005Constants.RequestTypes.Issue;
        break;
    case WSTrustVersion.WSTrust13:
        requestType = WSTrust13Constants.RequestTypes.Issue;
        break;
    default:
        throw new NotSupportedException();
}

RequestSecurityToken rst = new RequestSecurityToken(requestType);

How to write the same using WIF 4.5, as neither WSTrustFeb2005Constants nor WSTrust13Constants is defined there?

In WIF 3.5 you could write like:

new BinarySecretSecurityToken(KeyGenerator.ComputeCombinedKey(request.Entropy.GetKeyBytes(), response.Entropy.GetKeyBytes(), num));

How to write the same using WIF 4.5 as KeyGenerator.ComputeCombinedKey does not exist in WIF 4.5?

Best regards,

Henrik Dahl
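As an added example (not code from the post, from WIF 3.5 or from .NET 4.5), here is the derivation that KeyGenerator.ComputeCombinedKey performed, written against System.Security.Cryptography only so it works on either WIF version: the WS-Trust "PSHA1" computed key is P_SHA1 from RFC 2246 section 5 with the requestor's entropy as the HMAC secret and the issuer's entropy as the seed, truncated to the requested key size in bits (the `num` argument in the WIF 3.5 call). The class and method names, the 32-byte entropies and the 256-bit key size are assumptions; the first question about the request-type constants is not addressed here.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not WIF code: the WS-Trust computed-key (PSHA1) derivation
// that WIF 3.5 exposed as KeyGenerator.ComputeCombinedKey.
public static class WsTrustComputedKey
{
    // P_SHA1(secret, seed) from RFC 2246 section 5, truncated to keySizeInBits.
    public static byte[] PSha1(byte[] secret, byte[] seed, int keySizeInBits)
    {
        if (secret == null) throw new ArgumentNullException("secret");
        if (seed == null) throw new ArgumentNullException("seed");
        if (keySizeInBits <= 0 || keySizeInBits % 8 != 0)
            throw new ArgumentOutOfRangeException("keySizeInBits", "must be a positive multiple of 8");

        int keyBytes = keySizeInBits / 8;
        byte[] output = new byte[keyBytes];
        int written = 0;

        using (var hmac = new HMACSHA1(secret))
        {
            byte[] a = seed;                                    // A(0) = seed
            while (written < keyBytes)
            {
                a = hmac.ComputeHash(a);                        // A(i) = HMAC(secret, A(i-1))
                byte[] aPlusSeed = new byte[a.Length + seed.Length];
                Buffer.BlockCopy(a, 0, aPlusSeed, 0, a.Length);
                Buffer.BlockCopy(seed, 0, aPlusSeed, a.Length, seed.Length);
                byte[] block = hmac.ComputeHash(aPlusSeed);     // HMAC(secret, A(i) + seed)
                int take = Math.Min(block.Length, keyBytes - written);
                Buffer.BlockCopy(block, 0, output, written, take);
                written += take;
            }
        }
        return output;
    }

    // Same argument order as the WIF 3.5 call in the post: requestor entropy
    // is the secret, issuer entropy is the seed. Both sides must agree on this
    // order or they derive different keys.
    public static byte[] ComputeCombinedKey(byte[] requestorEntropy, byte[] issuerEntropy, int keySizeInBits)
    {
        return PSha1(requestorEntropy, issuerEntropy, keySizeInBits);
    }

    public static void Main()
    {
        // Constructed sample entropies; in a real exchange they come from the
        // <wst:Entropy> elements of the RST (requestor) and RSTR (issuer).
        byte[] requestorEntropy = new byte[32];
        byte[] issuerEntropy = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(requestorEntropy);
            rng.GetBytes(issuerEntropy);
        }

        byte[] clientSide = ComputeCombinedKey(requestorEntropy, issuerEntropy, 256);
        byte[] issuerSide = ComputeCombinedKey(requestorEntropy, issuerEntropy, 256);
        byte[] rolesSwapped = ComputeCombinedKey(issuerEntropy, requestorEntropy, 256);

        Console.WriteLine("proof key:           " + Convert.ToBase64String(clientSide));
        Console.WriteLine("both sides agree:    " + FixedTimeEquals(clientSide, issuerSide));
        Console.WriteLine("swapped roles agree: " + FixedTimeEquals(clientSide, rolesSwapped));
    }

    // Constant-time comparison so a key check cannot leak where the bytes differ.
    private static bool FixedTimeEquals(byte[] x, byte[] y)
    {
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

The returned bytes are the proof key that WIF 3.5 wrapped in a BinarySecretSecurityToken; because the issuer never sends the combined key on the wire, only its own entropy, an eavesdropper on the RST/RSTR exchange who does not also know the requestor entropy cannot reconstruct it.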

Using WIF In an existing site with FormsAuthentication


We have a request to allow SSO using AD FS. I have gone through all of the SDK samples and have the RP working in a standalone site, pointing at an AD FS in our domain. I can get the claims to display on the default.aspx page.

Here is what I wanted to do next. I would like that WIF page to be hosted in our site as a sub-application, have that site write the forms auth ticket, then redirect to our main site. I am assuming that since I am inheriting the forms auth and machineKey settings from my main site, I don't have a conflict there. Here is what I have.

In the Application_PostAuthenticateRequest event in the global.asax of my WIF site (called WSFedAuthGate), accessible via https://fqdn.com/WSFedAuthGate/Default.aspx:

protected void Application_PostAuthenticateRequest(object sender, EventArgs e) {
    System.Web.HttpApplication app = sender as System.Web.HttpApplication;

    if (app.Request.IsAuthenticated && app.User != null && app.User.Identity != null) {
        string name = app.User.Identity.Name;
        if (FormsAuthentication.GetAuthCookie(name, false) != null) {
            FormsAuthentication.SetAuthCookie(name, false);
            // hard code for now..
            app.Response.Redirect("https://fqdn.com/home/asp_main.aspx");
        }
    }

}

The forms auth ticket is written and I am being redirected to the main site, but the main site is not recognizing the forms auth ticket, i.e. Request.IsAuthenticated is false.

Here is the section from the web.config of the main site:

<authentication mode="Forms">
  <forms loginUrl="/home/asp_main.aspx" name=".myauth" protection="All" timeout="120" enableCrossAppRedirects="true"/>
</authentication>

and here is the authentication from the WIF sub-application:

<authorization><deny users="?" /></authorization>

and later

<system.webServer>
  <validation validateIntegratedModeConfiguration="false" />
  <modules>
    <remove name="RefreshController" />
    <add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
    <add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" />
  </modules>
  <defaultDocument>
    <files>
      <add value="Default.aspx" />
    </files>
  </defaultDocument>
</system.webServer>

There is something simple I'm missing here, I just know it.

ADFS, Sharepoint 2013, Shibboleth and SAML 2.0


Scenario

It seems that a SharePoint 2013 web application with claims-based authentication activated can't connect directly to a Shibboleth environment, because SharePoint does not yet implement or support SAML 2.0.

We have an environment with a Federation Server (ADFS 2.0) and a Federation Server Proxy, with a SharePoint 2013 web application defined and configured as a Service Provider that must connect with a Shibboleth environment configured as an Identity Provider.

In such a scenario, Shibboleth locates the ADFS environment by an entity ID (the Federation Service identifier, e.g. http://sts.contoso.com/adfs/services/trust) that it links as a Service Provider.

At the same time we'd like to connect the same ADFS to the same Shibboleth environment as an Identity Provider.

Unfortunately it seems not possible, because Shibboleth locates and identifies the ADFS environment by the same entity ID and doesn't permit connecting ADFS as IdP and also as SP at the same time.

So our questions are:

Is it possible to change the entity ID (Federation Service identifier) on ADFS so that Shibboleth can talk to it at the same time as IdP and as SP?

Could it be an option (or a workaround) to install two different instances of ADFS in our domain environment with two different URLs and two different entity IDs?

Will SharePoint 2013 ever implement SAML 2.0?

Franct


AD FS 2.0 Enabling endpoint on Proxy


This is what I get running the example for Set-ADFSEndpoint.  I'm actually interested in enabling the windowstransport endpoint, but I get the same error.

Anyone know why this is?

logo display bug ADFS 2.0


When I login on my ADFS 2.0 server (Update 3) in /adfs/ls/IdpInitiatedSignOn.aspx. After choosing a federation connection to which I am not authorised, I receive the webpage "access denied" with the URL /adfs/ls/auth/integrated/?SAMLRequest=<something>

The logo-picture is not displayed correctly, because the URL in de page source assumes it is located in the current directory. In the dir /adfs/ls/auth/intergrated/ is no logo.png located.

You can configure the logo in the file /adfs/ls/web.config, containing the following lines:
    <!-- To display a corporate logo, uncomment the following setting.
         For best results, ensure that the filename is a file in the same directory as
         this file and is 600 pixels wide by 100 pixels tall.
    -->

    <add key="logo" value="logo.png" />

This is not correct. You must change the line to:
<add key="logo" value="/adfs/ls/logo.png" />
The logo will now be displayed correctly. The comment in the file is not correct, and should state: enter the full path from the root of the web server.
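To show why the relative value fails from the auth/integrated page, here is an added check (not code from the post or from AD FS) that reads the logo key out of a web.config fragment and resolves it against both sign-in URLs; the host sts.contoso.com and the file location /adfs/ls/logo.png are assumptions taken from this thread.

```python
"""Check that the AD FS 2.0 sign-in page logo setting resolves from every
sign-in URL.  Added example, not part of the forum post or of AD FS itself;
the web.config fragment and the two page paths follow the post."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

# Constructed web.config fragment; only the "logo" appSettings key matters.
WEB_CONFIG_TEMPLATE = """<configuration>
  <appSettings>
    <add key="logo" value="{logo}" />
  </appSettings>
</configuration>"""

# Pages under /adfs/ls/ from which the sign-in page can be served
# (host name assumed from this thread).
SIGN_IN_PAGES = [
    "https://sts.contoso.com/adfs/ls/IdpInitiatedSignOn.aspx",
    "https://sts.contoso.com/adfs/ls/auth/integrated/",
]

# Where logo.png actually lives: the directory that holds web.config.
LOGO_LOCATION = "https://sts.contoso.com/adfs/ls/logo.png"


def logo_setting(web_config_xml):
    """Return the value of the appSettings key "logo", or None if absent."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("key") == "logo":
            return add.get("value")
    return None


def resolve_logo(logo_value, page_url):
    """URL the browser requests for the logo when the page is served from
    page_url: a relative value resolves against the page's directory, an
    absolute path against the site root."""
    return urljoin(page_url, logo_value)


def broken_pages(web_config_xml):
    """Sign-in URLs from which the configured logo does not resolve to the
    file's real location (an empty list means the setting is correct)."""
    value = logo_setting(web_config_xml)
    return [p for p in SIGN_IN_PAGES if resolve_logo(value, p) != LOGO_LOCATION]


if __name__ == "__main__":
    for logo in ("logo.png", "/adfs/ls/logo.png"):
        cfg = WEB_CONFIG_TEMPLATE.format(logo=logo)
        print(f'logo="{logo}": broken from {broken_pages(cfg)}')
```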

Strange Errors after unexpected reboot


We have a very, very strange situation that I've been trying to resolve for two days now with no success, after an unexpected set of reboots of VMs in Azure.

We have an on-premises network and an Azure network that are set up for a site-to-site VPN. There is an AD controller, an ADFS server and an ADFS Proxy in the Azure network.

After the reboot only computers outside of the on-premises network work. When I browse to my application and it redirects to the federation page I get the prompt for the username and password, and if I sign in I am in the product. If I do these exact same steps from the on-premises network, instead of being prompted for the username and password I get an error. I have confirmed that DNS is not an issue: both externally and internally the location of the federation provider is resolved to the external IP of the proxy address. This is the first big mystery: why does it work for users outside the network but not inside?

This is the error I get every time I try to access federation from the on-premises network:

There was an error during retrieving the configuration data for the secondary federation server.

Additional Data

Exception details:

ADMIN0023: Incorrect value for property LastPublishedPolicyCheckTime: 1/1/1900 12:00:00 AM.

When I researched this error, the only thing people have reported is that it comes from the proxy and has to do with the proxy and the actual ADFS server being in different time zones. For me this error is occurring on the ADFS server itself. The other weird thing is that this is the primary server in a farm (that only has one node). There used to be another primary, but I migrated the server by creating this one, adding it to the farm, changing roles and then decommissioning the other server. Either way this isn't the secondary server, so why does it matter? This error happens every time I try to access federation from within the on-premises network. Does the machine that's running the web browser play any part in this?

The next problem that started to occur has to do with the ADFS configuration manager ui.

When I open the configuration manager it successfully connects to the ADFS configuration database which is WID.

Clicking on Endpoints, Certificates, Claims Descriptions and Attribute Stores all work.

When I click on Claims Provider Trusts I get this error.

I cannot find any information on this error nor why it happens with Claims Provider trusts.

Clicking on Relying Parties is even weirder. I know I have 3 relying parties. When I click on Relying Parties it shows the first of the 3 and then shows the error above. So it's as if it was able to retrieve the first one but then errored out retrieving the others.

I get no events in the ADFS event viewer when these errors occur through the configuration manager.

I turned on verbose tracing in the ADFS Windows service and ran the steps above.

The errors that I saw were all similar to this:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>131075</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2013-03-16T17:07:50.2243764Z" /><Source Name="System.ServiceModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="Microsoft.IdentityServer.ServiceHost" ProcessID="1956" ThreadID="10" /><Channel /><Computer>CLOUDADFS01</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing an exception.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Exception><ExceptionType>System.ServiceModel.CommunicationException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:10'.</Message><StackTrace>   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnection.WriteNow(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, BufferManager bufferManager)
   at System.ServiceModel.Channels.BufferedConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionStream.Write(Byte[] buffer, Int32 offset, Int32 count)
   at System.Net.Security.NegotiateStream.StartWriting(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.NegotiateStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.NegotiateStream.Write(Byte[] buffer, Int32 offset, Int32 count)
   at System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.CloseOutputSession(TimeSpan timeout)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.OnClose(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnClose(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.MessageRpc.CloseChannel()
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessageCleanup(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.ProcessError(Exception e)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)
   at System.ServiceModel.Dispatcher.ChannelHandler.DispatchAndReleasePump(RequestContext request, Boolean cleanThread, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.HandleRequest(RequestContext request, OperationContext currentOperationContext)
   at System.ServiceModel.Dispatcher.ChannelHandler.AsyncMessagePump(IAsyncResult result)
   at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
   at System.ServiceModel.Channels.FramingDuplexSessionChannel.TryReceiveAsyncResult.OnReceive(IAsyncResult result)
   at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
   at System.ServiceModel.Channels.SynchronizedMessageSource.SynchronizedAsyncResult`1.CompleteWithUnlock(Boolean synchronous, Exception exception)
   at System.ServiceModel.Channels.SynchronizedMessageSource.ReceiveAsyncResult.OnReceiveComplete(Object state)
   at System.ServiceModel.Channels.SessionConnectionReader.OnAsyncReadComplete(Object state)
   at System.ServiceModel.Channels.StreamConnection.OnRead(IAsyncResult result)
   at System.ServiceModel.Diagnostics.Utility.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Net.LazyAsyncResult.Complete(IntPtr userToken)
   at System.Net.LazyAsyncResult.ProtectedInvokeCallback(Object result, IntPtr userToken)
   at System.Net.Security.NegotiateStream.ProcessFrameBody(Int32 readBytes, Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.NegotiateStream.ReadCallback(AsyncProtocolRequest asyncRequest)
   at System.Net.FixedSizeReader.CheckCompletionBeforeNextRead(Int32 bytes)
   at System.Net.FixedSizeReader.ReadCallback(IAsyncResult transportResult)
   at System.ServiceModel.AsyncResult.Complete(Boolean completedSynchronously)
   at System.ServiceModel.Channels.ConnectionStream.ReadAsyncResult.OnAsyncReadComplete(Object state)
   at System.ServiceModel.Channels.SocketConnection.FinishRead()
   at System.ServiceModel.Channels.SocketConnection.AsyncReadCallback(Boolean haveResult, Int32 error, Int32 bytesRead)
   at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace><ExceptionString>System.ServiceModel.CommunicationException: The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:00:10'. ---&gt; System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)
   --- End of inner exception stack trace ---</ExceptionString><InnerException><ExceptionType>System.Net.Sockets.SocketException, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>An existing connection was forcibly closed by the remote host</Message><StackTrace>   at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)</StackTrace><ExceptionString>System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
   at System.Net.Sockets.Socket.Send(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
   at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout)</ExceptionString><NativeErrorCode>2746</NativeErrorCode></InnerException></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>

I also found the error above, which occurs when someone on the on-premises network attempts to connect:

<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>131076</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2013-03-16T17:07:50.2077742Z" /><Source Name="System.ServiceModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution ProcessName="Microsoft.IdentityServer.ServiceHost" ProcessID="1956" ThreadID="10" /><Channel /><Computer>CLOUDADFS01</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.TraceHandledException.aspx</TraceIdentifier><Description>Handling an exception.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Exception><ExceptionType>System.IO.InvalidDataException, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>ADMIN0023: Incorrect value for property LastPublishedPolicyCheckTime: 1/1/1900 12:00:00 AM.</Message><StackTrace>   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.DateTimeProperty.Validate(Object context)
   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.PropertySet.ValidateProperties(Object context)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Authority.ValidateProperties()
   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.PropertySet.GetData()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SearchResult.GetData()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.Search(FilterData filterData, Int32 maxObjects, String[] propertyNames)
   at SyncInvokeSearch(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</StackTrace><ExceptionString>System.IO.InvalidDataException: ADMIN0023: Incorrect value for property LastPublishedPolicyCheckTime: 1/1/1900 12:00:00 AM.
   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.DateTimeProperty.Validate(Object context)
   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.PropertySet.ValidateProperties(Object context)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Authority.ValidateProperties()
   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.PropertySet.GetData()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SearchResult.GetData()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.Search(FilterData filterData, Int32 maxObjects, String[] propertyNames)
   at SyncInvokeSearch(Object , Object[] , Object[] )
   at System.ServiceModel.Dispatcher.SyncMethodInvoker.Invoke(Object instance, Object[] inputs, Object[]&amp; outputs)
   at System.ServiceModel.Dispatcher.DispatchOperationRuntime.InvokeBegin(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage5(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.ImmutableDispatchRuntime.ProcessMessage4(MessageRpc&amp; rpc)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent>

Is there anyone who has any idea what is going on and how to fix it? Everything works great for users who are external; internal users don't work, and these issues are occurring when trying to manage the ADFS server. I have confirmed that I can connect to the WID database.
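Added example, not from the post or from AD FS: a small parser for E2ETraceEvent records like the ones above that pulls out the event id, the exception and the AD FS frames of the stack, and flags the ADMIN0023 failure; the sample event is constructed and shortened from the second trace.

```python
"""Extract the fields that matter from AD FS 2.0 service trace events
(E2ETraceEvent XML) and flag the ADMIN0023 policy-store failure.
Added example, not part of the forum post or of AD FS; the sample event
below is constructed and shortened from the post's second trace."""
import xml.etree.ElementTree as ET

NS_E2E = "http://schemas.microsoft.com/2004/06/E2ETraceEvent"
NS_SYS = "http://schemas.microsoft.com/2004/06/windows/eventlog/system"
NS_REC = "http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"

# Constructed sample event (values mirror the trace quoted in the post).
SAMPLE_EVENT = f"""<E2ETraceEvent xmlns="{NS_E2E}">
  <System xmlns="{NS_SYS}">
    <EventID>131076</EventID><Type>3</Type><SubType Name="Error">0</SubType>
    <Level>2</Level><TimeCreated SystemTime="2013-03-16T17:07:50.2077742Z" />
    <Computer>CLOUDADFS01</Computer>
  </System>
  <ApplicationData><TraceData><DataItem>
    <TraceRecord xmlns="{NS_REC}" Severity="Error">
      <Exception>
        <ExceptionType>System.IO.InvalidDataException, System, Version=2.0.0.0</ExceptionType>
        <Message>ADMIN0023: Incorrect value for property LastPublishedPolicyCheckTime: 1/1/1900 12:00:00 AM.</Message>
        <StackTrace>   at Microsoft.IdentityServer.PolicyModel.PropertyTypes.DateTimeProperty.Validate(Object context)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.Search(FilterData filterData, Int32 maxObjects, String[] propertyNames)
   at System.ServiceModel.Dispatcher.MessageRpc.Process(Boolean isOperationContextSet)</StackTrace>
      </Exception>
    </TraceRecord>
  </DataItem></TraceData></ApplicationData>
</E2ETraceEvent>"""


def parse_trace_event(xml_text):
    """Return event id, time, computer, exception type, message and the
    outermost AD FS frame of the stack, or None for a non-exception event."""
    root = ET.fromstring(xml_text)
    exc = root.find(f".//{{{NS_REC}}}Exception")
    if exc is None:
        return None
    sysel = root.find(f"{{{NS_SYS}}}System")
    frames = (exc.findtext(f"{{{NS_REC}}}StackTrace") or "").splitlines()
    adfs_frames = [f.strip() for f in frames if "Microsoft.IdentityServer" in f]
    return {
        "event_id": int(sysel.findtext(f"{{{NS_SYS}}}EventID")),
        "time": sysel.find(f"{{{NS_SYS}}}TimeCreated").get("SystemTime"),
        "computer": sysel.findtext(f"{{{NS_SYS}}}Computer"),
        "exception": exc.findtext(f"{{{NS_REC}}}ExceptionType").split(",")[0],
        "message": exc.findtext(f"{{{NS_REC}}}Message"),
        # Last AD FS frame = the service call in which the failure surfaced.
        "adfs_entry": adfs_frames[-1] if adfs_frames else None,
    }


def is_policy_store_failure(event):
    """True when the event is the ADMIN0023 timestamp validation failure."""
    return event is not None and event["message"].startswith("ADMIN0023:")
```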


Is the Federation proxy role necessary?

SSO with ADFS and Windows 2012


I am on a large project that requires providing SSO capability using ADFS with mostly web applications (e.g. Tivoli, Domino, WebSphere, Java etc.).

1) With budget constraints, would you recommend MS Windows 2012 SP1 ADFS to implement such a solution? 2) Do you see any caveats with using ADFS? We plan on using Kerberos, NTLM2 or forms-based authentication. SAML is a few years down the road.

3) Our current samAccountName contains a space between the first and last name (e.g. John Smith); many LDAP systems use samAccountName for logins. Do you envision any challenges during federation, or in the future with other integrated MS/Unix/iOS systems?

thanks,
