
Authenticate ADFS with LDAP


Hi,

Please help me on this.

I have setup and configured ADFS in Windows Server 2012 R2.

I want to authenticate an active directory with ADFS through LDAP.

Please provide a step-by-step description.

Regards

krrish



Unable to add second AD FS Proxy server.


We have a configuration with ADFS (3.0) setup across two Datacenters.  We have two NLB clusters, each containing 2 ADFS servers, in each datacenter.  We have one Proxy server operating in the DMZ at one datacenter, and are attempting to get a second Proxy server running at the second datacenter. 

We have tried using a different local user account on the second Proxy server, no luck.

We have tried installing the Token-signing certificate from the ADFS farm, on the second Proxy server, no luck.

We just get an error message that says the account used does not have permissions.

The error message is: "An error occurred when attempting to establish a trust relationship with the federation service.  Error: Unauthorized.  Verify that the service account has administrative access on the target federation server."

We have attempted with an Enterprise Admin account, a Domain Admin account, and an account specifically placed in the local administrator group on the Master ADFS server. 

We can see the request in the event log on the Master ADFS server, and it is listed as a successful login.

What is the proper configuration to log ADFS events to the EventLog?


Given an ADFS setup with 2 Windows 2012 R2 AD FS servers and 2 Windows Server 2012 R2 WAP servers, what is the proper configuration to allow AD FS to log security events?  I have followed the following instructions:

https://jorgequestforknowledge.wordpress.com/2013/07/08/enabling-auditing-of-issued-claims-in-adfs-v2-x-and-adfs-v3-x/

After following the instructions from the URL above I do see security events being logged, but there is a lot of incomplete information in the event body.  An example being:

Event ID: 410

Following request context headers present :

Activity ID: 00000000-0000-0000-d800-0080000000f5  

X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: -
X-MS-Endpoint-Absolute-Path: /adfs/Proxy/webapplicationproxy/store
X-MS-Forwarded-Client-IP: -
X-MS-Proxy: -

Another Example:

Event ID: 403

An HTTP request was received.

Activity ID: 00000000-0000-0000-d800-0080000000f5

Request Details:
    Date And Time: 2015-06-04 15:59:50
    Client IP: ###.###.###.###
    HTTP Method: GET
    Url Absolute Path: /adfs/Proxy/webapplicationproxy/store
    Query string: ?api-version=1
    Local Port: 443
    Local IP: ###.###.###.###
    User Agent: -
    Content Length: 0
    Caller Identity: -
    Certificate Identity (if any): -
    Targeted relying party: -
    Through proxy: False
    Proxy DNS name: -

Most of the important information is missing, like Targeted relying party and so on. How can I make sure all the necessary information is being resolved and populated properly?

The end game here is to forward the relevant events to a log monitoring service to make sense of them.

Thanks in Advance for any Help Given!
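An added example, not part of the post above: the two events quoted are for the path /adfs/Proxy/webapplicationproxy/store, which is the Web Application Proxy polling its configuration from the farm, so they legitimately carry no caller or relying party. Sign-in traffic arrives under /adfs/ls/ and does carry those fields. The script below shows the two switches AD FS 2012 R2 auditing depends on and then groups the Security-log audit events by Activity ID so the 403 (request received), 410 (request headers), 299 (token issued) and 500/501 (issued claims) events for one sign-in line up; it assumes it is run elevated on a federation server and that the service account already holds the "Generate security audits" right.

```powershell
# Added example (not from the original post): enable AD FS 2012 R2 security auditing on a
# federation server and correlate the resulting Security-log events by Activity ID.
# Assumptions: run elevated on the federation server; the AD FS service account already has
# the "Generate security audits" (SeAuditPrivilege) user right via local/group policy.

# 1. Windows must audit the "Application Generated" subcategory, or AD FS writes nothing.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null

# 2. Ask AD FS itself to emit success and failure audits (keep the normal log levels too).
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')

# 3. Read the audit events and group them by Activity ID. Every AD FS audit message carries
#    "Activity ID: <guid>" on its second line; 403 also carries the URL path and, for
#    sign-in requests, "Targeted relying party: <identifier>".
function Get-AdfsAuditByActivity {
    param([int]$Hours = 1)

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        $text = $_.Message
        [pscustomobject]@{
            Time         = $_.TimeCreated
            Id           = $_.Id
            ActivityId   = if ($text -match 'Activity ID:\s*([0-9a-fA-F\-]{36})') { $Matches[1] } else { 'unknown' }
            RelyingParty = if ($text -match 'Targeted relying party:\s*(\S+)') { $Matches[1] } else { '-' }
            Path         = if ($text -match 'Url Absolute Path:\s*(\S+)') { $Matches[1] } else { '-' }
        }
    } | Group-Object ActivityId
}

# One line per request: which event IDs were produced and which relying party (if any) it hit.
Get-AdfsAuditByActivity -Hours 2 | ForEach-Object {
    $ids = ($_.Group.Id | Sort-Object -Unique) -join ','
    $rp  = ($_.Group.RelyingParty | Where-Object { $_ -ne '-' } | Select-Object -First 1)
    "{0}  events=[{1}]  path={2}  rp={3}" -f $_.Name, $ids, $_.Group[0].Path, ($rp, '-')[-not $rp]
}
```

When forwarding to a log monitoring service, ship the whole group for an Activity ID rather than single events: the relying party, caller identity and claims are spread over 403/299/500/501, so a single 403 or 410 for the proxy store endpoint will always look "incomplete".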

Web Application Proxy for ADFS: An error occurred when attempting to establish a trust relationship with the federation service. Error: Invalid Request


I've set up an ADFS server and I'm in the process of adding a WAP server as ADFS Proxy. When I try to configure the WAP server I get the following error message:

An error occurred when attempting to establish a trust relationship with the federation service. Error: Invalid Request

Both with the wizard and with PowerShell. DNS for the ADFS fqdn resolves to the internal ADFS server and port 443 has been opened in the firewall. An AD user account was used which is local administrator on the ADFS server. I can navigate to https://login.<domain>.com/adfs/ls/idpinitiatedsignon from the WAP server and successfully authenticate. No certificate errors.
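An added example, not the configuration of either poster above (this post and the earlier "Unable to add second AD FS Proxy server" one): the pre-flight checks that most often explain "Unauthorized" or "Invalid Request" when a Web Application Proxy tries to establish trust, followed by the install cmdlet itself. The federation service name and certificate thumbprint are hypothetical values; the trust is established over TCP 443 only, with an account that is a local administrator on the federation server the proxy actually reaches, and the proxy needs the service communication certificate (with private key), not the token-signing certificate.

```powershell
# Added example (not from the original posts): WAP trust pre-flight checks, then the install.
# Hypothetical values: $fsName and $thumbprint.
$fsName     = 'sso.example.com'
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'

function Test-WapPrerequisites {
    param([string]$FederationServiceName, [string]$Thumbprint)
    $ok = $true

    # 1. From the DMZ the service name must resolve to a federation server (or its NLB VIP),
    #    not to this proxy host and not to the public address that points back at the proxy.
    $ips = (Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop).IPAddress
    "{0} -> {1}" -f $FederationServiceName, ($ips -join ',')

    # 2. TCP 443 to that address must be open; trust establishment uses nothing else.
    if (-not (Test-NetConnection -ComputerName $FederationServiceName -Port 443 -InformationLevel Quiet)) {
        Write-Warning "TCP 443 to $FederationServiceName is blocked"; $ok = $false
    }

    # 3. The service communication certificate must be in LocalMachine\My with a private key
    #    and cover the service name (wildcard certificates need a looser check than this one).
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { Write-Warning 'certificate not found in LocalMachine\My'; $ok = $false }
    elseif (-not $cert.HasPrivateKey) { Write-Warning 'certificate has no private key'; $ok = $false }
    elseif (-not ($cert.DnsNameList.Unicode -contains $FederationServiceName)) {
        Write-Warning "certificate SANs do not include $FederationServiceName"; $ok = $false
    }

    # 4. Fetching metadata from this host exercises name resolution, the chain and the SNI binding.
    try {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
        if ($r.StatusCode -ne 200) { Write-Warning "metadata returned $($r.StatusCode)"; $ok = $false }
    } catch { Write-Warning "metadata fetch failed: $($_.Exception.Message)"; $ok = $false }

    return $ok
}

if (Test-WapPrerequisites -FederationServiceName $fsName -Thumbprint $thumbprint) {
    # Used once to register the proxy; must be a local Administrator on the target federation
    # server (DOMAIN\user form). It is not stored on the proxy afterwards.
    $cred = Get-Credential -Message 'Account that is local admin on the AD FS server'
    Install-WebApplicationProxy -FederationServiceName $fsName `
                                -FederationServiceTrustCredential $cred `
                                -CertificateThumbprint $thumbprint
}
```

If the proxy resolves the service name to a load balancer in front of several federation servers, the credential has to be a local administrator on whichever node answers; a NLB VIP that sometimes lands on a node where the account is not an administrator produces exactly the intermittent "Unauthorized" pattern.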

I did see other people with similar issues, however their error messages were not 'Invalid Request' like I see.



ADFS 3.0 MFA will not work because IE will not prompt for Certificate


Hello

I have the following problem. ADFS 3.0 is working pretty well in my environment.
But when I enable MFA with certificates, the login accepts the first factor and prompts me to select a cert. Here is the problem: IE does not show any dialog to select the user certificate.

Can't find anything in the logs.

The site is in the Trusted zone and the pop-up blocker is disabled.

Thx for your help

Daniel

setting up ADFS without having to setup a relying party trust for each web application


I am new to ADFS and am looking for some general direction: 

For implementing SSO, I have been able to accomplish the following:

set up a claims-aware web application as a landing page to link to other web applications. It draws from the authenticated user's roles, only displays the web apps that are applicable to him, and then passes the user to the specific claims-aware web app that is chosen from this landing page.

But I am looking to accomplish the ADFS SSO without having to set up a relying party trust for each web application that needs to be added. One recommendation was to delegate a token via a web app to a web service via ActAs, but I haven't been able to find any samples on how to accomplish this.

any help?

Disconnection of users every hour (13h, 14h, 15h...) on ASP.NET web app on IIS


Hi,

I have a web app in ASP.NET Framework 4.5 on Windows Server 2008 R2 with IIS 7.5.

I use forms authentication.

Every hour, all my users are disconnected from the app (at 12h, 13h, 14h...).

I don't see why...

Someone can help me on this ?

Thanks

Sylo

ADFS/Web Application Proxy configuration - hostname entry for port 443 missing


We've had Windows Server 2012 R2 setup with ADFS 3.0 and a Server 2012 R2 WAP for a couple months now, all working fine for single sign-on to on-premises CRM and federation with our Office 365 tenancy.  We recently updated the certificate on the ADFS 3.0 server and WAP server but have run into an interesting problem.

When I first used the Get-WebApplicationProxySSLCertificate command to check the current certificate thumbprint, there were two hostname entries for our ADFS service (sso.domainname.com) - one for port 443 and the other for port 49443.  However, after I updated the certificate with the Set-WebApplicationProxySSLCertificate newcertthumbprinthere command and verified the new cert was applied with the get command again, the hostname entry for port 443 is gone.  Only the hostname entry for port 49443 remains.  Now when Office 365 tries to redirect to sso.domainname.com we get "Page cannot be displayed".  Single sign-on for CRM and Office 365 works just fine internally.

No firewall changes on either ADFS server or our perimeter Cisco ASA have been made and I can verify this by a telnet session to port 443 for the service url IP address externally.

So little ADFS troubleshooting information... Any help is appreciated!
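An added example, not from this post or the earlier certificate-MFA one: AD FS 2012 R2 and the Web Application Proxy both register two HTTP.sys SSL bindings for the service name, port 443 for normal traffic and port 49443 for client-certificate (MFA) negotiation. If the 443 binding disappears, external users get "Page cannot be displayed"; if the 49443 binding lacks client-certificate negotiation or is not reachable, the browser never shows a certificate picker. The script parses `netsh http show sslcert` and checks both; the service name and expected thumbprint are hypothetical.

```powershell
# Added example (not from the original posts): verify the 443 and 49443 SSL bindings for the
# federation service name after a certificate change. Hypothetical values: $fsName, $expectedThumb.
$fsName        = 'sso.domainname.com'
$expectedThumb = '0123456789ABCDEF0123456789ABCDEF01234567'

function Get-HttpSslBinding {
    # Turn "netsh http show sslcert" into objects. Each binding block starts with either
    # "Hostname:port : name:port" (SNI binding, what AD FS/WAP create) or "IP:port : a.b.c.d:port".
    $bindings = @(); $cur = $null
    netsh http show sslcert | ForEach-Object {
        $line = $_.Trim()
        if ($line -match '^(Hostname:port|IP:port)\s*:\s*(\S+)$') {
            if ($cur) { $bindings += [pscustomobject]$cur }
            $cur = [ordered]@{ Binding = $Matches[2]; Thumbprint = $null; ClientCertNegotiation = $false }
        } elseif ($cur -and $line -match '^Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $cur.Thumbprint = $Matches[1].ToUpper()
        } elseif ($cur -and $line -match '^Negotiate Client Certificate\s*:\s*(\w+)') {
            $cur.ClientCertNegotiation = ($Matches[1] -eq 'Enabled')
        }
    }
    if ($cur) { $bindings += [pscustomobject]$cur }
    $bindings
}

$all = Get-HttpSslBinding
foreach ($port in 443, 49443) {
    $b = $all | Where-Object Binding -eq "${fsName}:$port"
    if (-not $b) { Write-Warning "no SSL binding for ${fsName}:$port"; continue }
    if ($b.Thumbprint -ne $expectedThumb) {
        Write-Warning "${fsName}:$port uses thumbprint $($b.Thumbprint), expected $expectedThumb"
    }
    if ($port -eq 49443 -and -not $b.ClientCertNegotiation) {
        Write-Warning "${fsName}:49443 does not negotiate client certificates; certificate MFA will not prompt"
    }
    "{0}  thumbprint={1}  clientCertNegotiation={2}" -f $b.Binding, $b.Thumbprint, $b.ClientCertNegotiation
}

# Re-applying the certificate through the role's own cmdlet recreates both bindings.
# Run the one matching this host:
#   Set-AdfsSslCertificate -Thumbprint $expectedThumb                  # federation server
#   Set-WebApplicationProxySslCertificate -Thumbprint $expectedThumb   # Web Application Proxy
```

For the certificate-MFA case, also confirm from a client that TCP 49443 to the external name is open; a perimeter rule that only permits 443 lets the first factor succeed and silently blocks the certificate prompt.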


ADFS3 Shibboleth MSIS0038 SAML Message has wrong signature


We are migrating from ADFS2 to ADFS3. I have setup ADFS3 successfully and migrated the relying parties from ADFS2 to 3. When testing all the WS-Federation sites work fine, also one to Jive which uses SAML is OK. I am having problems with Shibboleth. The error logs are reporting

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data

Exception details:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://URL/shibboleth'.

   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)

   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

On looking through the forums it looks like previous Windows updates have caused this. However, I have not been able to find the updates in question on the server. This is a fresh install of Server 2012 R2, fully updated by Windows Update. This all works with ADFS 2, just not with ADFS 3.

Does anybody have any ideas or pointers on how to solve this?
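An added example, not from the post: MSIS0038 is AD FS rejecting the signature on the SAML AuthnRequest, which comes down to two settings on the relying party trust, the signature algorithm AD FS expects (rsa-sha1 versus rsa-sha256) and the request-signing certificate it verifies against. The script reads both from the trust, compares the registered certificate with the one exported from the SP's metadata, and shows the corrections. The trust identifier is taken from the error text; the certificate file path is hypothetical.

```powershell
# Added example (not from the original post): compare what AD FS expects for a SAML relying
# party's request signature with what the SP actually signs with. Hypothetical: $spCertFile,
# the SP signing certificate exported from its metadata (<md:KeyDescriptor use="signing">).
$rpId       = 'https://URL/shibboleth'
$spCertFile = 'C:\temp\shibboleth-signing.cer'

$rp = Get-AdfsRelyingPartyTrust -Identifier $rpId
[pscustomobject]@{
    SignatureAlgorithm         = $rp.SignatureAlgorithm            # must match the SP's signing algorithm
    SignedSamlRequestsRequired = $rp.SignedSamlRequestsRequired
    RequestSigningCerts        = ($rp.RequestSigningCertificate | ForEach-Object Thumbprint) -join ','
    EncryptionCertPresent      = [bool]$rp.EncryptionCertificate
}

$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $spCertFile
"SP signs with {0}, algorithm {1}, valid until {2}" -f $spCert.Thumbprint, $spCert.SignatureAlgorithm.FriendlyName, $spCert.NotAfter

if ($rp.RequestSigningCertificate.Thumbprint -notcontains $spCert.Thumbprint) {
    Write-Warning "SP signing certificate $($spCert.Thumbprint) is not registered on the trust; every signed request will fail"
}

# Corrections: register the SP's current signing certificate and pin the signature algorithm to
# the one the SP uses. Prefer rsa-sha256; fall back to rsa-sha1 only if the SP cannot do better.
Set-AdfsRelyingPartyTrust -TargetIdentifier $rpId `
    -RequestSigningCertificate $spCert `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# SHA-1 variant, if the SP is stuck on it:
#   -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

# If the trust was created from a metadata URL, refreshing it pulls certificates and endpoints in one go.
# Update-AdfsRelyingPartyTrust -TargetIdentifier $rpId
```

A migration from AD FS 2.0 is a common way to end up here: the 2.0 default was SHA-1 and a trust exported and re-imported into 3.0 can come up with SHA-256 while the Shibboleth SP still signs with SHA-1, or with a stale signing certificate that the SP rotated in the meantime.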

OWIN migration documentation?


Our current software uses MVC4 and traditional FAM/SAM http modules for SAML over WS-Fed support.  It might be nice to upgrade to MVC5 with the new OWIN architecture and keep WS-Fed over SAML support.  Is there any good documentation for describing this process?

thanks

scott

AD FS 2.0 with PingFederate - name-id in subject missing in SAML 2.0 token


Hi,

We have configured ADFS 2.0 (IdP) with PingFederate (SP), where sign-in does not happen and the feedback provided by the SP (PingFederate) is that name-id is missing in the Subject of the SAML token being received.

The IdP is configured with the metadata XML received from the SP, and an IdP metadata XML is sent to the SP.

The secure hash algorithm has been configured to SHA-1.

We did try configuring Send LDAP Attributes as Claims rules and Transform rules to convert the email address to name-id; so far no luck.

No errors found in Event Viewer on the ADFS console.

Could someone guide me on what I must have missed in my configuration that is not sending out name-id in the subject of the SAML 2.0 token?
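An added example, not the poster's configuration: the SAML Subject/NameID is whatever claim of type `.../claims/nameidentifier` the issuance transform rules produce, and it is only written into the Subject when that claim also carries a `format` property the SP accepts. The rule set below pulls `mail` from AD and re-issues it as a NameID with the emailAddress format, then applies it to a relying party trust with a hypothetical identifier; the last block reads the rules back for verification.

```powershell
# Added example (not from the original post): issuance transform rules that produce a SAML
# NameID with an explicit format. Hypothetical value: $rpId.
$rpId = 'https://sp.example.com/pingfederate'

$rules = @'
@RuleName = "Pull mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email as NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-AdfsRelyingPartyTrust -TargetIdentifier $rpId -IssuanceTransformRules $rules

# Read back what the trust now holds; the format URI must be one the SP lists in its
# metadata (<md:NameIDFormat>), otherwise the SP treats the Subject as missing.
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpId
$rp.IssuanceTransformRules
if ($rp.IssuanceTransformRules -notmatch 'claims/nameidentifier') {
    Write-Warning 'no rule issues a nameidentifier claim; the SAML Subject will be empty'
}
```

Two things silently produce an empty Subject even with correct rules: a test user whose `mail` attribute is blank (the first rule then issues nothing, and the second has nothing to transform), and a NameID format the SP did not ask for, which some SPs discard rather than reject.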

ADFS WIA issues, FBA works fine, Troubleshooting help please.


Hi,

I'm working through an "urgent" issue where ADFS is being used to authenticate users to an externally hosted intranet.
I've been introduced to it without much of a back story and have been unravelling the beast, but have gotten to the point where a point in the right direction could save me a ton of time/effort.

The form based authentication (FBA) works fine, however when users click "Log in with my operating system account" they're prompted to authenticate both using the https://[ADFS server]/adfs/ls/IdpInitiatedSignon.aspx and the website login button. To me, that means that I can concentrate on getting it going internally, before worrying about the external site.

My main lead so far is that the issue is repeatable internally and that SSO seems to work directly on the ADFS server.
I suspect its a certificate issue or the claim rule has been set up incorrectly, but am still learning so don't know how to confirm if so.

  • Admin users on the ADFS server can click "Log in with my operating system account" to log in, but they need to click it twice
  • Admin users on the ADFS server can sign into the local or external site using single sign-on from the following address: https://[ADFS server]/adfs/ls/IdpInitiatedSignon.aspx
  • End users can log in using the form or by clicking "Log in with my operating system account" and manually entering their credentials.
  • I've set up SPNs for HTTP/[ADFS FQDN] and HTTP/[ADFS hostname]; some people have said that having HOST/[ADFS hostname] stopped their implementation from working. There are a bunch of SPNs for this host and I'm not sure of the reasoning behind them all:
HTTP/[adfs_host].[domain]
HTTP/[adfs_host]
TERMSRV/[adfs_host]
TERMSRV/[adfs_host].[domain]
WSMAN/[adfs_host]
WSMAN/[adfs_host].[domain]
RestrictedKrbHost/[adfs_host]
HOST/[adfs_host]
RestrictedKrbHost/[adfs_host].[domain]
HOST/[adfs_host].[domain]
  • Users' IE browsers are configured with "Enable Integrated Windows Authentication" and "Automatic logon only in Intranet zone", and have the ADFS and external web server addresses specified in the Intranet zone
  • Users have several certificates installed
  • Since we can test using the /adfs/ls endpoint, I'm assuming that it's the only endpoint I need to confirm is enabled?
  • Windows Authentication is enabled for the intranet
  • I can see information in "/FederationMetadata/2007-06/FederationMetadata.xml" and "/adfs/fs/federationserverservice.asmx", including the certificates used with the /adfs/ls endpoint, but unfortunately am not quite sure how to use the information to progress troubleshooting.
  • If it helps, the "test URL" button on the properties of the relying party trust for http://[externally hosted intranet]//saml/metadata works fine.
  • People have mentioned that DNS issues have caused pain in this area, which could explain why the issue only exists on client workstations and not on the ADFS server directly; however, since it's internal and resolves the correct name/IP, I don't think this is the case?
  • The three claim rules set up are below, and the metadata suggests that all of the entries are "optional". But I suspect this needs to be set to something specific?

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = ";mail,givenName,sn,objectGuid;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

I'd appreciate if someone could give me a few pointers to help me pull together all the strands of information I have into something a bit more tangible and guide me on the next step to check so i can work through this issue.

Kind regards,

S
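An added example, not the poster's environment, assuming AD FS 2012 R2: the symptoms above (works on the federation server itself, prompts on workstations) are what Kerberos failing and Negotiate falling back to a prompt looks like, and the two usual causes are an `HTTP/<service FQDN>` SPN that is missing, or registered on more than one account, and a browser user agent that AD FS does not treat as an intranet browser. Steps 1 and 2 run on a federation server; step 3 runs from a domain-joined client and first checks that AD FS answers an IE user agent with a Negotiate challenge, then that a Kerberos service ticket for the SPN can be obtained. The service name is a hypothetical value.

```powershell
# Added example (not from the original post): Windows Integrated Authentication checks for
# AD FS 2012 R2. Hypothetical value: $fsName.
$fsName = 'adfs.corp.example.com'

# 1. HTTP/<service FQDN> must be registered on the AD FS service account and on nothing else.
#    A duplicate (e.g. also on the host's computer object) makes the KDC issue a ticket for the
#    wrong key; the browser's Negotiate attempt fails and AD FS falls back to a credential prompt.
setspn.exe -Q "HTTP/$fsName"     # which account holds the SPN?
setspn.exe -X                    # any duplicate SPNs anywhere in the forest?
(Get-AdfsProperties).HostName    # the name AD FS expects clients to use (the SPN must match it)

# 2. AD FS offers Negotiate only to user agents matching this list; everything else gets the form.
(Get-AdfsProperties).WIASupportedUserAgents

# 3. From a domain-joined client in the Intranet zone.
function Test-AdfsNegotiateChallenge {
    param(
        [string]$Fqdn,
        # IE 11 user agent; "Trident/7.0" is in the default WIASupportedUserAgents list.
        [string]$UserAgent = 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko'
    )
    try {
        Invoke-WebRequest -UseBasicParsing -UserAgent $UserAgent -MaximumRedirection 0 `
            -Uri "https://$Fqdn/adfs/ls/idpinitiatedsignon.htm" -ErrorAction Stop | Out-Null
        return 'no challenge: AD FS served the forms page (or a redirect) to this user agent'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            # Expect "Negotiate" (and "NTLM") here; if absent, WIA is off for the intranet policy.
            return '401 challenge: ' + $resp.Headers['WWW-Authenticate']
        }
        throw
    }
}

Test-AdfsNegotiateChallenge -Fqdn $fsName
klist.exe purge | Out-Null
klist.exe get "HTTP/$fsName"     # prints the service ticket, or KDC_ERR_S_PRINCIPAL_UNKNOWN if no SPN exists
```

If step 3 returns a Negotiate challenge but `klist get` fails, the SPN is the problem; if the ticket is issued but the browser still prompts, check the name the browser uses is the one in the Intranet zone and that the service account, not the computer account, holds the SPN.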

ADFS service communication certifcate renewal issue in ADFS 3.0


Hi All,

We have 2 ADFS servers in a farm with a SQL backend and 2 ADFS proxy servers. For service communication we are using a DigiCert certificate, and the token certificates are self-signed.

Currently we had a SHA-1 DigiCert certificate; we planned to replace the SHA-1 certificates with SHA-2 certificates and renewed the certificates on both the ADFS and ADFS proxy servers.

Post renewal, ADFS relying party applications like CRM, SharePoint etc. are working from the internal network, but when we try to access them from the external network we get a "server hangup" error while accessing the CRM and SharePoint websites.

No ADFS-related errors were found, except the "Schannel" errors below after certificate renewal. Has anyone seen the same error in their environment?

Note: we found more events after certificate renewal; after rolling the certificates back to the old ones these errors are gone from the server.

Log Name: System
Source: Schannel
Event ID: 36888
Time: 6/15/2015 10:01 AM
Level: Error
User: System
Computer: abc
Description: A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

==============

Log Name: System
Source: Schannel
Event ID: 36874
Time: 6/15/2015 10:01 AM
Level: Error
User: System
Computer: abc
Description: A TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

Releasing claims to a specific Relying Party if the user is off-network


Hi all,

Thanks for your time in advance. I am on the SAML SP side working with a client using ADFS 3.0 as their IdP.

Authentication to the client's ADFS 3.0 is only available while on-network and on VPN. Is there a way to configure ADFS such that when we trigger a Service Provider-initiated SAML request (SAML AuthN), ADFS can see that the AuthN request is coming from a specific relying party trust and allow authentication to ADFS? E.g.:

IF off-network {
   IF AuthN request from THIS RELYING PARTY {
      ALLOW ACCESS
   } ELSE {
      DENY ACCESS
   }
}

I should note that externally, we're communicating with an ADFS reverse proxy - I'm not sure if that affects anything.

I'm not a Microsoft / ADFS stack expert by any means, just know enough to be dangerous. Thanks for your time and help!
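An added example, not the poster's configuration: AD FS 2012 R2 already knows whether a request came through the Web Application Proxy and exposes it as the claim `http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork` (`true` for requests that hit a federation server directly, which includes VPN users, `false` for proxied ones). Issuance authorization rules are evaluated per relying party trust, so the pseudo-code above maps directly onto them: one trust gets "permit all", every other trust gets "deny when not inside". The relying party identifier is hypothetical.

```powershell
# Added example (not from the original post): per-relying-party authorization based on
# whether the request arrived through the proxy. Hypothetical value: $externalRp.
$externalRp = 'https://sp.example.com/saml'   # the one partner allowed from outside the network

# Rules for the partner that may be used off-network: permit everyone who authenticated.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Rules for every other relying party: deny when the request did not come from inside.
# The deny claim wins over any permit claim issued alongside it.
$internalOnly = @'
@RuleName = "Deny external (proxied) access"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");

@RuleName = "Permit internal access"
c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Set-AdfsRelyingPartyTrust -TargetIdentifier $externalRp -IssuanceAuthorizationRules $permitAll

Get-AdfsRelyingPartyTrust |
    Where-Object { $_.Identifier -notcontains $externalRp } |
    ForEach-Object {
        Set-AdfsRelyingPartyTrust -TargetIdentifier $_.Identifier[0] -IssuanceAuthorizationRules $internalOnly
    }

# Review the result: every trust and a one-line summary of its authorization policy.
Get-AdfsRelyingPartyTrust | ForEach-Object {
    $policy = if ($_.IssuanceAuthorizationRules -match 'insidecorporatenetwork') { 'internal-only' } else { 'any network' }
    "{0,-40} {1}" -f $_.Identifier[0], $policy
}
```

Note that this gates only token issuance per relying party; the proxy still has to publish the federation service externally, and the user still authenticates (including any MFA policy) before the authorization rules run.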

Cannot install federation services, Help. ADFS 1.0 (Win server 2003 r2)

I am trying to install ADFS 1.0 on a Windows 2003 server. However, when I get to the installation components, it does not display Federation Service, only the ADFS web agents. Am I missing any prerequisites?

Any info will help

ADFS 3.0 and non-claims aware application, authentication issues


Hi everyone!

We are trying to federate our application, so that our customers can gain access to our application using their respective corporate identities (Ping Identity or their ADFS server).

The web application is non-claims-aware and we are trying to find a solution to federate it without changing the code.

I built an ADFS 3.0 environment with Windows Server 2012 R2 simulating a future scenario; following is my lab environment:

Our side:

-     1 Active Directory server (domainB)

-     1 IIS 7 web server with our non-claims-aware application (Windows Integrated Authentication supported by the Kerberos mechanism) joined to domainB

-     1 ADFS 3.0 server (service provider) joined on domainB

-     1 WAP server joined on domainB

Customer side:

-     1 Active Directory (domainA)

-     1 ADFS 3.0 server (identity provider) joined on domainA

Application users:

-     domainB\user1

-     domainA\user2

I followed these steps to build my lab environment:

  1. Installation and configuration of ADFS 3.0 on domainB
  2. Installation and configuration of WAP server on domainB
  3. Publish ADFS 3.0 on WAP server on domainB
  4. Create a non-claims-aware relying party trust pointing to the application on ADFS 3.0 on domainB
  5. Publish the non-claims-aware application to WAP on domainB
  6. Installation and configuration of ADFS 3.0 on domainA
  7. Trust ADFS 3.0 on domainB with ADFS 3.0 on domainB
  8. Edit claim rules on each federate server

The “domainB\user1” has no problem accessing the application; on my WAP server there are the following events:

Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.

Web Application Proxy received an HTTP request with a valid edge token.

The “domainA\user2” cannot access it, a server error appears on the screen, and in the WAP Event Viewer there are the following errors:

Warning: EventID 13019

Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: The user name or password is incorrect.

 (0x8007052e).

Error: EventID 12027

Web Application Proxy encountered an unexpected error while processing the request.

Error: The user name or password is incorrect.

 (0x8007052e).

Seems to be an issue with Kerberos authentication, but domainB\user1 has no problem accessing the application.

Need to understand:

- Where is the issue?

- Is accessing non-claims-aware applications supported only for users who are members of the same domain as the web application server?

I've spent many days trying to find the cause.

Appreciate any direction here.

Thanks
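An added example, not the poster's lab: the proxy turns the edge token into a Kerberos ticket by Kerberos constrained delegation with protocol transition (S4U2Self followed by S4U2Proxy), and the DC it asks is one of its own domain, domainB. That DC can only issue a ticket for a principal it knows, so the UPN in the token has to resolve to an account in domainB; a user who exists only in domainA produces the 0x8007052e "user name or password is incorrect" seen in event 13019 even though the federation step succeeded. The script checks the three pieces that have to line up; host, SPN and UPN are hypothetical values and it assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): checks behind WAP event 13019 (cannot retrieve a
# Kerberos ticket on behalf of the user). Hypothetical values: $wapHost, $appSpn, $upnFromToken.
Import-Module ActiveDirectory
$wapHost      = 'WAP01'                    # the proxy's computer account
$appSpn       = 'HTTP/app.domainb.local'   # SPN of the published non-claims-aware app
$upnFromToken = 'user2@domaina.local'      # the UPN claim the IdP placed in the edge token

# 1. The proxy's computer object must be trusted for protocol transition and allowed to
#    delegate to the application's SPN (what the "Use any authentication protocol" KCD UI sets).
$wap = Get-ADComputer $wapHost -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
[pscustomobject]@{
    ProtocolTransition = $wap.TrustedToAuthForDelegation                        # must be True for S4U2Self
    DelegateTo         = ($wap.'msDS-AllowedToDelegateTo' -join ',')
    HasAppSpn          = ($wap.'msDS-AllowedToDelegateTo' -contains $appSpn)
}

# 2. Can domainB resolve the UPN the proxy will ask a ticket for? S4U2Self runs against a domainB DC,
#    which only knows UPNs it holds (its own suffix or alternative UPN suffixes configured in the forest).
$user = Get-ADUser -Filter { UserPrincipalName -eq $upnFromToken } -ErrorAction SilentlyContinue
if ($user) { "UPN $upnFromToken maps to $($user.DistinguishedName)" }
else       { Write-Warning "No domainB account has UPN $upnFromToken; KCD cannot obtain a ticket for it" }

# 3. The application SPN must be registered exactly once (app-pool identity or the IIS host).
setspn.exe -Q $appSpn
```

The practical consequence for a federated (domainA) user is that step 2 fails unless domainB holds an account, a shadow account or a trust-resolvable identity with that UPN; the claim rules on the domainB side can only decide which UPN value is passed to the proxy, not make the domainB KDC recognise a principal it has never heard of.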

ADFS 2.0-Using proxy settings on FederationProxy servers to obtain CRLs


I have a 2008r2 domain with 2008r2 Federation and Federation Proxy servers. The Proxy servers reside in our DMZ and are not allowed access to the CRLs through the firewall. They currently work fine, but getting tons of 364 errors every hour because no access to CRLs.  To gain access to CRLs, I have to go through a proxy server to gain access to the CRLs. Normally, I would not think this server traffic would impact any ADFS traffic, but because it is a proxy server and that setting is getting applied to the proxy account I thought I should double check before making the change. 

If I add a proxy setting in for my service account on the proxy servers, will it route any ADFS traffic through the proxy server?  Just want to make sure that if the proxy goes down, it will not impact production.

Thanks,


Dave
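An added example, not the poster's change: services such as the federation proxy use the machine-wide WinHTTP proxy rather than the per-user Internet Options settings, and that setting carries a bypass list. Putting the federation service name and internal domain in the bypass list keeps proxy-to-farm traffic direct while CRL and AIA downloads go via the outbound proxy, and `certutil -urlfetch` then shows whether revocation checking for the service certificate succeeds. Proxy address, service name, domain suffix and thumbprint are hypothetical values.

```powershell
# Added example (not from the original post): WinHTTP proxy with a bypass list for the
# federation service, then a CRL/AIA reachability test for the service communication certificate.
# Hypothetical values: $proxy, $fsName, the *.example.com suffix and $thumb.
$proxy  = 'proxy.corp.example.com:8080'
$fsName = 'fs.example.com'
$thumb  = '0123456789ABCDEF0123456789ABCDEF01234567'

# Everything in bypass-list goes direct (federation service, internal names); everything else,
# including Internet-hosted CRL and OCSP URLs, goes through the proxy.
netsh winhttp set proxy proxy-server="$proxy" bypass-list="<local>;$fsName;*.example.com"
netsh winhttp show proxy

# Export the certificate and let certutil walk the chain, fetching every CRL/AIA/OCSP URL it lists.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
if (-not $cert) { throw "certificate $thumb not found in LocalMachine\My" }
$tmp = Join-Path $env:TEMP "$thumb.cer"
[IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))

$report = certutil.exe -urlfetch -verify $tmp
Remove-Item $tmp

# Summarise: every URL line followed by its result, plus the final verdict.
$report | Select-String -Pattern 'Verified|Failed|Error retrieving|Expired|Revocation|\s+http' |
    ForEach-Object { $_.Line.Trim() }

# To undo if the proxy is not wanted system-wide:
#   netsh winhttp reset proxy
```

With the bypass list in place, an outage of the outbound proxy affects only revocation fetches; whether AD FS then fails the request or logs and continues depends on its revocation settings, which this change does not touch.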


Changing the ADFS authentication token timeout / MS-Organization-Access certificate


Hi,

I posted this in the Windows Server forum but was told to ask the question here as they did not know the answer. I'd greatly appreciate it if someone could assist/ advise.

Background:

I have set up a test 2012R2 environment which is as follows:

DC1.example.local: 192.168.2.90  (2012R2)

xyz-adfs.example.local: 192.168.2.150 (2012R2)

proxy.example.local : 192.168.2.160 (2012R2)

fileserver.example.local 192.168.2.114 (2012R2)

The AD domain is example.local and the external domain is example.net. I have a wildcard cert for *.example.net that I am using.

The ADFS service name is exampleadfs.

I've set this up using the guide at https://technet.microsoft.com/en-us/library/dn747208.aspx 

My DNS entries are:

Internal DNS: 

example.net (Forward Zone)> workfolders.example.net pointing to 192.168.2.114, exampleadfs.example.net pointing to 192.168.2.150, enterpriseregistration.example.net pointing to 192.168.2.150.

External DNS: workfolders.example.net, exampleadfs.example.net and enterpriseregistration.example.net  all point to the WAN IP.

The intent was to get work folders working for domain and non domain joined devices, inside and outside the LAN.

This works fine internally and externally. The only issue is that as the authentication token expires after 8 hours, users have to re-enter their passwords, which is not ideal. According to this: http://blogs.technet.com/b/filecab/archive/2014/07/07/using-adfs-authentication-for-work-folders.aspx, if I Workplace Join the devices in question, the token expiration period becomes 7 days by default and can be adjusted. Originally, Workplace Join did not work correctly and I got (on the client) event ID 102, source Workplace Join: Error code 0x80072EFD. A connection to the server could not be established. Could not connect to https://EnterpriseRegistration.example.local:443/Enrollmentserver/Contract. This issue was resolved by adding a UPN for the external domain example.net and reinstalling ADFS and the Web Application Proxy.

However, I now have the following issues:

1) When I access https://exampleadfs.example.net/adfs/ls/idpinitiatedsignon.htm

from the ADFS server itself, I get a windows security prompt asking me to confirm a certificate for MS-Organization-Access. Clicking ok takes me to the ADFS sign in page. This only happens on the ADFS server and not the clients where I do not get this prompt.  Is this normal behavior?

2) How would I change the default authentication token timeout period from 7 days, and what is the maximum this period can be set to? The blog (http://blogs.technet.com/b/filecab/archive/2014/07/07/using-adfs-authentication-for-work-folders.aspx) mentions you can do it but not how.

Thanks,

HA
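An added example, not the poster's commands: the lifetimes involved live in two places on AD FS 2012 R2. The persistent single sign-on window for registered (Workplace Joined) devices, the "keep me signed in" window and the ordinary session lifetime are farm-wide properties read and set with `Get-AdfsProperties`/`Set-AdfsProperties`; the lifetime of the token issued to one relying party is set on that trust. The script reads the current values first and then changes them; the 14-day value and the Work Folders relying party identifier are assumptions for illustration, and the maximum the cmdlet accepts is not stated here because it is not something the post documents.

```powershell
# Added example (not from the original post): AD FS 2012 R2 SSO and token lifetimes.
# Hypothetical values: the 14-day window and the relying party identifier.
$p = Get-AdfsProperties
[pscustomobject]@{
    PersistentSsoEnabled      = $p.PersistentSsoEnabled       # persistent SSO for registered devices
    PersistentSsoLifetimeMins = $p.PersistentSsoLifetimeMins  # 10080 = 7 days by default
    DeviceUsageWindowInDays   = $p.DeviceUsageWindowInDays    # device must be seen within this window
    KmsiEnabled               = $p.KmsiEnabled                # "keep me signed in" for any device
    KmsiLifetimeMins          = $p.KmsiLifetimeMins
    SsoLifetime               = $p.SsoLifetime                # plain session cookie lifetime, minutes
}

# Extend the persistent SSO window for registered devices to 14 days and require the device
# to have been used within those 14 days.
$days = 14
Set-AdfsProperties -PersistentSsoLifetimeMins ($days * 24 * 60) -DeviceUsageWindowInDays $days

# Confirm the change took effect on the farm.
$p = Get-AdfsProperties
if ($p.PersistentSsoLifetimeMins -ne $days * 24 * 60) { Write-Warning 'PersistentSsoLifetimeMins did not change' }

# Per relying party: lifetime in minutes of the token AD FS issues (0 means the default).
Set-AdfsRelyingPartyTrust -TargetIdentifier 'https://workfolders.example.net/' -TokenLifetime 480
(Get-AdfsRelyingPartyTrust -Identifier 'https://workfolders.example.net/').TokenLifetime
```

The longer persistent-SSO window only applies on devices that completed Workplace Join, which is what the MS-Organization-Access certificate is: the device certificate issued by that enrolment. A device without it falls back to the ordinary session lifetime regardless of `PersistentSsoLifetimeMins`.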

How to Monitor ADFS 3.0 Web Service URL


hi Experts,

We are planning to deploy an ADFS 3.0 setup in our environment. We have an ADFS service as https://adfs.domain.com (example). If this URL's service functionality is not working, it should inform the IT admins. My query is:

1. How do I monitor the ADFS service URL externally from the internet and also from the internal LAN?

2. We have an F5 GTM product which hits a URL and checks the input from the web server (like any string). In our case, we are using ADFS proxy 2012 R2 (Remote Access feature). What can I do on the URL web page so it gives a string/any output to the monitoring tool (F5 GTM)?

Please suggest on the above, or you can also provide any other better solution for this.
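An added example, not the poster's setup: AD FS 2012 R2 and the Web Application Proxy answer `GET /adfs/probe` over plain HTTP on port 80 with an empty 200 response, which is the endpoint intended for load-balancer health checks; it proves the host answering is up, not that the whole chain works. A second probe fetching the sign-in page over 443 proves that the proxy can reach a federation server and that the certificate chain is valid, and the certificate expiry is worth checking while the connection is open. The function below returns those three results for a hypothetical service name, and the closing comment gives the equivalent GTM monitor strings.

```powershell
# Added example (not from the original post): external health checks for AD FS 2012 R2 / WAP.
# Hypothetical value: $fsName.
$fsName = 'adfs.domain.com'

function Test-AdfsEndpoint {
    param([string]$Fqdn)
    $result = [ordered]@{ Probe = $false; SignInPage = $false; CertDaysLeft = $null }

    # 1. Load-balancer probe endpoint: HTTP, port 80, expects 200 with an empty body.
    try {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "http://$Fqdn/adfs/probe" -TimeoutSec 10
        $result.Probe = ($r.StatusCode -eq 200)
    } catch { }

    # 2. Sign-in page through the proxy over TLS; the default 2012 R2 page contains the loginForm form.
    try {
        $r = Invoke-WebRequest -UseBasicParsing -Uri "https://$Fqdn/adfs/ls/idpinitiatedsignon.htm" -TimeoutSec 10
        $result.SignInPage = ($r.StatusCode -eq 200 -and $r.Content -match 'loginForm')
    } catch { }

    # 3. Days left on the certificate presented for the service name (SNI).
    try {
        $tcp = New-Object Net.Sockets.TcpClient($Fqdn, 443)
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $result.CertDaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $ssl.Dispose(); $tcp.Close()
    } catch { }

    [pscustomobject]$result
}

$status = Test-AdfsEndpoint -Fqdn $fsName
$status
if (-not $status.Probe)            { Write-Warning 'probe endpoint down: proxy/federation host not answering' }
if (-not $status.SignInPage)       { Write-Warning 'sign-in page failed: proxy cannot reach the farm or TLS problem' }
if ($status.CertDaysLeft -lt 30)   { Write-Warning "service certificate expires in $($status.CertDaysLeft) days" }

# F5 GTM monitor equivalents (send string / receive string):
#   port 80 : "GET /adfs/probe HTTP/1.1\r\nHost: adfs.domain.com\r\n\r\n"            -> "200 OK"
#   port 443: "GET /adfs/ls/idpinitiatedsignon.htm HTTP/1.1\r\nHost: adfs.domain.com\r\n\r\n" -> "loginForm"
```

Run the same function from inside the LAN against the internal name and from outside against the public name; the internal run bypasses the proxy, so a pair of results (internal OK, external failing on SignInPage) points straight at the proxy-to-farm path.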

OAuth in the ADFS - What for? Is it to be considered wanting to achieve web SSO?


Hello,

I'm struggling to understand the use of OAuth2 in ADFS. From what I understood, OAuth/OAuth2 are mostly authorization protocols, such as to allow an application to act on your behalf and/or access information/data from another application that you use.

What I'd like to understand is if OAuth might play a role (and why) in wanting to achieve web SSO in traditional web applications (e.g. aspx, jsp, etc.).

From what I read, OAuth is suggested as an authorization mechanism for modern apps (including mobile apps running on other platforms such as iOS/Android) but not for traditional web applications.

I suppose that what might motivate adopting OAuth also in traditional web applications to achieve web SSO is easier implementation than WS-Fed and SAML-P.

I'd appreciate contributions to the discussion.

Bob
