Advice renewing ADFS token signing certificate

May 21, 2015, 6:14 am

≫ Next: how to implement Idp initiated SSO using SAML2.0?

≪ Previous: ADFS 3.0 and workplace join issue

We are using SSL cert from public CA for token signing certificate in ADFS2.0 farm. The token signing certificate in our ADFS farm is expiring. We use ADFS for both IDP initiated and SP initiated SSO applications. To minimize the impact to SSO applications, what's the best way to renew the token signing certificate? Thanks in advance !

This posting is provided AS-IS with no warranties/guarantees and confers no rights.

↧

how to implement Idp initiated SSO using SAML2.0?

May 21, 2015, 8:11 am

≫ Next: ADFS SSO in two way forest trust

≪ Previous: Advice renewing ADFS token signing certificate

I want to implement SAML 2.0 Idp initiated SSO in asp.net.

regards,

Pankaj

↧

ADFS SSO in two way forest trust

October 18, 2012, 10:24 am

≫ Next: Loadbalancing an ADFS 2.2 Farm

≪ Previous: how to implement Idp initiated SSO using SAML2.0?

Hi all,

We have an issue with SSO across forests. But first some background.

DOMAIN A hosts a web application that requires the use of ADFS for SSO. We have built the ADFS in DOMAIN A and got it all working nicely. The clients in DOMAIN A can successfully SSO to the web application. We have set *.ourdomainname in the Local Intranet Zone using group policy.

There is a two-way forest trust using selective authentication between DOMAIN A and DOMAIN B. The service account that ADFS runs under has been granted Allowed to Authenticate against all the DCs in DOMAIN B. Also, DOMAIN B users have been granted the Allowed to Authenticate against the ADFS server

When a client from DOMAIN B connects to the web application it attempts to redirect to the ADFS server for authentication but then Internet Explorer displays a "Cannot Display Webpage" error. However the interesting bit is when *.ourdomainname or the adfs fqdn are removed from the Local Intranet Zone, the client is prompted for a user name and password as you would expect, and when entered the credentials are accepted and we are redirected back to the web app authenticated.

I cannot fathom why the SSO would not work in DOMAIN B but manually logging using the ADFS prompt does.

Is there some extra configuration required to get SSO working in DOMAIN B?

Cheers

↧

Loadbalancing an ADFS 2.2 Farm

December 12, 2013, 2:42 pm

≫ Next: ADFS 3.0 Home Realm Discovery page does not display

≪ Previous: ADFS SSO in two way forest trust

Is anyone aware of any documentation on how to setup ADFS on Windows Server 2012 R2 behind a load balancer?

I have an existing ADFS 2.0 farm on Windows Server 2008 R2, and am setting up a new ADFS farm on Windows Server 2012 R2. The load balancer configuration for my 2.0 farm works fine, but when I try to use the same simple load balancing settings for the 2.2 farm, I am unable to get it to work. With the changes in ADFS with Server 2012 R2, are there changes to how load balancing is performed?

↧

ADFS 3.0 Home Realm Discovery page does not display

May 27, 2015, 6:16 am

≫ Next: ADFS Setup:I cant authenticate using IWA but it works fine when Fiddler is running

≪ Previous: Loadbalancing an ADFS 2.2 Farm

Hi,

I'm having an issue with a new ADFS 3.0 and WAP infrastructure. Here's a bit of background on my set up...

I've installed ADFS 3.0 on Server 2012 R2 and 2 x WAP servers in an NLB cluster on Server 2012 R2.

I've added a new "non claims aware" relying party trust in ADFS for a web application running on IIS 8.5 on Server 2012 R2.

I've configured a pass through rule in WAP for the ADFS Service.

I've configured an ADFS Preauthentication rule in WAP for the "non claims aware" application.

I can access the Non Claims Aware web application via WAP, I get presented with the windows login page and can successfully login and access the backend application.

Next, I've added a new "Claims Provider Trust" in ADFS, using some imported metadata from a Tivoli Federated Identity Manager environment.

Now, when I try to access the non claims aware web application via WAP, I expect to be presented with the "Home Realm Discovery" screen, where I should be able to choose to sign in with the TFIM IdP, however no "Home Realm Discovery" page is presented, and instead I just get the same old ADFS sign in page.

I have cleared all my cookies, and have tried using a private browser session but with no success.

I can't understand why the Home Realm Discovery page does not display. I've also got a seperate ADFS/WAP environment that I built previously as a proof of concept, it's pretty much identical in configuration with the following exceptions :

1 - There is only a single WAP server

2- The Token Signing and Decrypting certifcates are self generated

This proof of concept environment works ok, I've configured a similar non claims aware relying party and a claims provider trust with TFIM and the Home Realm Discovery page displays correctly.

I would appreciate any help or advice that anyone can offer,

Thanks in advance,

Jason

↧

ADFS Setup:I cant authenticate using IWA but it works fine when Fiddler is running

May 26, 2015, 7:19 am

≫ Next: The Integrated Windows authentication endpoint is missing on the internal metadata document.

≪ Previous: ADFS 3.0 Home Realm Discovery page does not display

I have configure ADFS on windows server 2012R2 but i cant authenticate using windows authentication. It prompts me for the password twice and then its gives a http 400 bad request. There is no error in the event-logs

This works perfectly fine if i am running Fiddler in the background.

I would be grateful if anyone can shed a light on this as i am so confused. i have reconfigured ADFS about 6 times now and its the same error.

↧

The Integrated Windows authentication endpoint is missing on the internal metadata document.

May 28, 2015, 1:26 am

≫ Next: Implementing 2 Way SSL in ADFS 3.0

≪ Previous: ADFS Setup:I cant authenticate using IWA but it works fine when Fiddler is running

Hi,

Using the Remote Connectivity Analyzer, I'm getting the following error when testing SSO:

Analyzing the ADFS metadata document for configuration problems.
    Errors were found while analyzing the ADFS metadata document.
         Additional Details
             The Integrated Windows authentication endpoint is missing on the internal metadata document.

I have followed the kb articles related to this:

https://support.microsoft.com/en-us/kb/2712957

https://support.microsoft.com/en-us/kb/2647048

I checked all the AD FS endpoints, and I "repaired" the domain. Any idea what else it could be?

Here's the part of the /adfs/services/trust/mex document that describes windowstransport:

        <wsdl:port name="CustomBinding_IWSTrustFeb2005Async" binding="tns:CustomBinding_IWSTrustFeb2005Async">
           <soap12:address location="https://infosys-c1-dc.performisonline.ch/adfs/services/trust/2005/windowstransport"/>
           <wsa10:EndpointReference>
               <wsa10:Address>https://infosys-c1-dc.performisonline.ch/adfs/services/trust/2005/windowstransport</wsa10:Address>
               <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
                   <Upn>infosystem@performisonline.ch</Upn>
               </Identity>
           </wsa10:EndpointReference>
       </wsdl:port>

What I don't understand is the part where it says <Upn>infosystem@performisonline.ch</Upn>. I compared this to the/adfs/services/trust/mex document of a working installation. There I don't have the <Upn> element, instead I have a <Spn> Element containing the host name of the ADFS server.

Thanks, Chris

↧

Implementing 2 Way SSL in ADFS 3.0

May 28, 2015, 12:15 am

≫ Next: ADFS 3.0 Login Page on Mobile Devices

≪ Previous: The Integrated Windows authentication endpoint is missing on the internal metadata document.

Hi,

I am trying to setup ADFS with 2 way SSL. We are using ADFS and a Service Provider. Requirement is to pass the client certificate to SOAP EndPoint of the IdP.

Appreciate any help.

Thanks

Salim

↧

ADFS 3.0 Login Page on Mobile Devices

May 29, 2015, 5:52 am

≫ Next: Problem Connecting to Server

≪ Previous: Implementing 2 Way SSL in ADFS 3.0

using microsoft size recommendations for ADFS login page we have put in custom .png. all of the mobile devices render differently and many show the login box we have with page title cut off drastically while others show a corner of the large box and you need to scroll to the right to see the login page. what are we doing wrong? i thought ADFS 3.0 is able know it is rendering the page to a mobile device

↧

Problem Connecting to Server

May 29, 2015, 8:38 am

≫ Next: SharePoint 2010 ADFS Password Expired

≪ Previous: ADFS 3.0 Login Page on Mobile Devices

I just installed Microsoft SQL Server 2014. I open the management studios and the connect to server pops up. I click connect and it failed with a 18456 error. What do I do?

↧

SharePoint 2010 ADFS Password Expired

October 8, 2013, 8:50 am

≫ Next: Active Federation for ADFS Proxy 2.0

≪ Previous: Problem Connecting to Server

In my SharePoint 2010 ADFS environment, if a user's account has an expired password or they have been set to change password at next login, they get the same message as someone that typed the wrong username/password combination.

How can I redirect the user to a site I have created to change the password and still redirect the user to the original URL they were trying to access?

If I'm not able to do this, is there a way to modify the formssignin.aspx page that will redirect the user to my password change site?

↧

Active Federation for ADFS Proxy 2.0

June 1, 2015, 6:40 am

≫ Next: adfs token-signing rollover question.

≪ Previous: SharePoint 2010 ADFS Password Expired

I'm trying to setup active federation for ADFS Proxy 2.0. Passive federation works fine (and therefore I expect that I have configured ADFS proxy correctly), but when I use active federation, I get the following exception: "The HTTP request was forbidden with client authentication scheme 'Anonymous'".

I'm using the following code:

var factory = new WSTrustChannelFactory(new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential, HttpClientCredentialType.Digest), "https://adfs-proxy/adfs/services/trust/13/usernamemixed");

    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;
    factory.Credentials.HttpDigest.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
    factory.TrustVersion = TrustVersion.WSTrust13;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointAddress(relyingPartyIdentifier),
        KeyType = KeyTypes.Bearer
    };

var channel = factory.CreateChannel();
return channel.Issue(rst);

Fiddler displays the following response:

    HTTP/1.1 403 Forbidden
    Transfer-Encoding: chunked
    Server: Microsoft-HTTPAPI/2.0
    Date: Mon, 01 Jun 2015 13:06:16 GMT

There is the following message in ADFS trace log: "WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource 'https://adfs-proxy:443/adfs/services/trust/13/usernamemixed/'". If I change the url to point to the original ADFS server, not proxy, the code above works fine (sending the same request to ADFS).

/adfs/services/trust/13/usernamemixed endpoint is allowed in the ADFS server for the proxy.

I have also found out that when I access the following link pointing to ADFS proxy server:

'https://adfs-proxy/federationmetadata/2007-06/federationmetadata.xml

I get 403 Forbidden response as well. I see the same message in ADFS trace log: WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource 'https://adfs-proxy:443/FEDERATIONMETADATA/2007-06/FEDERATIONMETADATA.XML'.

If I specify original ADFS server (not proxy) for this link, everything is fine, the correct xml is returned. Actually, for ADFS proxy I get 403 Forbidden for any request to the following listeners (if I hit them in IE) regardless of whether they are allowed for ADFS proxy or not:

'https://+:443/FederationMetadata/2007-06/
'http://+:80/adfs/services/trust/
'https://+:443/adfs/services/trust/

How can I configure and use active federation for ADFS proxy?

↧

adfs token-signing rollover question.

May 31, 2015, 6:22 pm

≫ Next: What approach to take for first setting up ADFS SSO

≪ Previous: Active Federation for ADFS Proxy 2.0

Since none of my relying parties support this feature I want to turn auto-rollover off (yes slightly less secure), can this be done live without causing issues with my current relying parties? Would think not, it should not be changing certs but I just want to verify.

thanks

↧

What approach to take for first setting up ADFS SSO

October 19, 2014, 7:02 pm

≫ Next: ADFS Federation Trust between two forests with One-Way trust

≪ Previous: adfs token-signing rollover question.

I am new to ADFS and am looking for some general direction:

For implementing SSO, I am considering one of two approaches:

1. set up a claims aware web application as a landing page to link to other web applications. Draw from the authenticated user's roles, and only display the web apps that are applicable to him, then pass the specific claims aware web app that they choose from this landing page

...or...

2. set up a claims aware web service, that each web application will have to call

Any benefits to one over the other?

↧

ADFS Federation Trust between two forests with One-Way trust

June 2, 2015, 6:39 pm

≫ Next: Integration scenarios for ADFS

≪ Previous: What approach to take for first setting up ADFS SSO

I have two forests abc.com and xyz.com. There is one-way outgoing trust from abc.com to xyz.com i.e. users from xyz.com can login to abc.com. I have a non-claims aware application configured in abc.com and users from xyz.com should be able to access it over public internet. There is one ADFS 3.0 farm installed in abc.com network with Service Account created in abc.com and users who have accounts in abc.com can login to the application using ADFS login page. But users from xyz.com cannot login even though they have access. This is because ADFS service Acount cannot query the xyz.com forest.

My question is if we install an ADFS farm in xyz.com and then create a Federation Trust between ADFS farms (in abc.com and xyz.com), whether users from xyz.com can access the application?

Regards, Sarath

↧

Integration scenarios for ADFS

June 3, 2015, 3:09 am

≫ Next: Active Directory Provider and Email Suffix Home Realm Discovery in ADFS 3.0

≪ Previous: ADFS Federation Trust between two forests with One-Way trust

Hello,

I am new to ADFS and I need help.

A- I have some applications (in Java or php) that support natively SAML2.0 standard.

I want to have a federation between these applications and ADFS (ADFS will act as Identity Provider). My questions:

- will a model where my applications are Service Provider (presenting a SAML2 assertion Consumer service) and ADFS as Identity Provider will work without issues in an IdP-Initiated mode ?

- In my case where the applications support SAML2.0, do I have to have ADFS also acting as Service Provider in front of the applications or they can interact directly with the ADFS IdP without issues ?

B- I have also some applications (written in JAVA or PhP) which are not SAML 2.0 compliant. I still have ADFS as Identity Provider.

In this case, which are the pre-requisites that these applications should have in order to be part of a federation ? if I want to add ADFS as Service Provider in front of these applications, what should be modified on the application level so that they can support this integration to ADFS (as Service Provider)?

thank you for your responses or any documentation that I can use to resolve my different use cases.

Regards,

↧

Active Directory Provider and Email Suffix Home Realm Discovery in ADFS 3.0

June 3, 2015, 3:51 pm

≫ Next: Event ID 364 and Event ID 111

≪ Previous: Integration scenarios for ADFS

We are in the process of implementing a new ADFS 3.0 setup within our company. The ADFS server is setup and configured with multiple Claim Provider Trusts and a Relying Party Trust. We are able to connect via the Relying Party and authenticate via ADFS. We have also configured the email suffix for the Claim Providers and get the expect result that the Home Realm Discovery page displays two options.

Active Directory
Other Organization

When "Other Organization" is clicked, a prompt for an email address is displayed and if an email suffix from one of the Claim Providers is entered, it forwards appropriately. If an Active Directory email address is entered it fails.

What we want to do is to always have the prompt for an email address and have it forward to the Active Directory Login when a local email address is entered as if it was a third Party Claim Provider.

Is this possible?

↧

Event ID 364 and Event ID 111

June 4, 2015, 4:03 am

≫ Next: Remote Desktop with WAP on 2012 R2

≪ Previous: Active Directory Provider and Email Suffix Home Realm Discovery in ADFS 3.0

Scenario: There is a SharePoint portal, which has SSRS reports located in a library. Users from a Oracle LDAP repository are trying to access the reports.

Issue: When a user (from an Oracle LDAP repository) is trying to connect SharePoint portal. The user get an error as shown below. Errors from the EventViewer can be found in the attached document.

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 856067a8-e1dd-4fb9-8e65-45169d88c14a

Need help in the overall configuration of ADFS with Oracle LDAP

↧

Remote Desktop with WAP on 2012 R2

October 20, 2014, 7:57 am

≫ Next: ADFS login page for external users

≪ Previous: Event ID 364 and Event ID 111

I'm trying to setup RD Web with or without RD Gateway with AD FS and WAP. All on 2012 R2.

I have all the RD Roles on the same server inside the firewall and I would like to use the WAP server we are using for OWA for the same purpose for RD.

I have seen some bits of info that tells me it's possible but nothing more.

So any info would be greatly appreciated

↧

ADFS login page for external users

June 4, 2015, 3:51 pm

≫ Next: Authenticate ADFS with LDAP

≪ Previous: Remote Desktop with WAP on 2012 R2

Hi All,

I built an ADFS lab on Windows 2008 servers recently, and during this process configured a stand alone WAP server for testing external authentication. At the time I was unsure if this was the correct way to do it and I couldn't find any specific doco that suggested the authentication page could sit on the ADFS proxy server. I am about to move into a pre-production environment and this question is still puzzling me. Is it okay to configure the IIS app on the proxy server or should I keep this separate?

The app will initially be for connecting users with our Office 365 tenancy.

Cheers

Andy

↧

Latest Images