I have four ADFS servers in a cluster running on Windows Server 2008. They are virtual ( running on vmware). We are planning to perform a V2V of these ADFS servers and in the process the ip address of the ADFS servers is going to change.
What are things I need to keep in mind for a successful migration.
I'm new to ADFS and trying to figure a few things out. I have everything setup and working with a WAP in the DMZ. Our goal is to have all our apps in one locations. One of our vendors uses SAML Assertion and another is WS-Fed under endpoints.
When i go to this page i ONLY see the SAML apps, and they are also in a drop-down menu. https://sitename/adfs/ls/idpinitiatedsignon
Is there anyway to add the WS-FED apps to the drop down or are users going to have to visit the applicaiton vendors page and be redirected to access this app?
Can we also change the drop down to buttons? (similar to how azure does it)
Bonus question: using 2012 R2 with no built in IIS is there anyway to re-write the URL to something shorter (just https://sitename) without building out or installing IIS?
Thanks!
Having trouble with Single Sign out. Have got single sign in working, but can't logout from all Rps.
The signout page appears and places the iframes in it for all the rps with the correct wsignoutcleanup1.0 source, but no green ticks.
Whats going on.
Thanks Jamster
Hello,
we are running an Server 2012 R2 ADFS-Farm with WAP.
What is the recommended option to redirect http requests to https, so a user can use the urlhttp://app.domain.com and automatically gets redirected tohttps://app.domain.com?
IIS is no longer required for ADFS and starting with the August 2014 Windows Update rollup, the Application Proxy listens for health probes also on http, which may interfere with any software running on port 80 for https-redirection?
Thanks in advance,
Thomas
Hello Microsoft Team,
We recently deployed ADFS 3.0 in house to allow SSO with a service provider called Service Now. We do have multiple ADFS internal servers in a farm and db hosting on a SQL shared cluster and multiple WAP servers in the DMZ zones
So far, everything works well, my AD users can access the cloud application using IE with SSO, however using chrome system prompts for enter credentials.
After further investigation, I found that we may need to disable extended protection in ADFS as per links below
The issue is not unique to Service-Now but actually a known issue with ADFS disabling Extended Protection should allow for authentication.
Disable Extended Protection in ADFS
Details pertaining to extended protection
https://msdn.microsoft.com/en-us/library/dd639324(v=vs.90).aspx
Proof that the product supports this feature:
https://community.servicenow.com/thread/158681
Can you please validate if the steps on the links are accurate? Any service impact to existing ADFS?
Can you please elaborate why we need to disable Extendend protection in ADFS to allow SSO for Chrome?
Any gotchas, concerns, about following this?
Franki
I am new to Windows Identity Framework. My organization has multiple environments that make use of different 'authority' and 'endpoint' names. My application can detect the environment at runtime. I've looked through the WIF documentation and unable to find anything that I can use to help me with this problem.
The example below works in my localhost environment:
In my development environment the same section needs to be:
<add key="ida:FederationMetadataLocation" value="https://test.login.mycompany.com/FederationMetadata/2007- 06/FederationMetadata1.xml" />
<add key="ida:Realm" value="https://localhost/webapp" />
<add key="ida:AudienceUri" value="https://localhost/webapp/" />
I also need to make similar changes to the AudienceURIs and the federationConfiguration.
<add key="ida:FederationMetadataLocation" value="https://dev.login.mycompany.com/FederationMetadata/2007-06/FederationMetadata1.xml" />
<add key="ida:Realm" value="https://dev.mycompany.com/webapp" />
<add key="ida:AudienceUri" value="https://dev.mycompany.com/webapp/" />
Here is the full localhost web.config:
Does the WIF provide methods to do this? I've looked through the documents and can't figure out how to make these changes.
Thanks,
Matt
I posted my question earlier in this forum, but it was suggested to ask my question here.
I'm in the process of configuring automatic device registration in Azure AD. The steps are described in https://msdn.microsoft.com/en-us/library/azure/dn935033.aspx
One of the steps is to configure an additional Azure Active Directory relying party trust Authentication Class Reference with the PowerShell command:
Set-AdfsRelyingPartyTrust-TargetName'Microsoft Office 365 Identity Platform'-AllowedAuthenticationClassReferences wiaormultiauthn
With this command I receive the following error:
Set-ADFSRelyingPartyTrust : A parameter cannot be found that matches parameter name 'AllowedAuthenticationClassReferences'.
At line:1 char:80
+ Set-AdfsRelyingPartyTrust -TargetName 'Microsoft Office 365 Identity Platform' - ...
+
~
+ CategoryInfo : InvalidArgument: (:) [Set-ADFSRelyingPartyTrust]
, ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Microsoft.IdentityServer.
PowerShell.Commands.SetRelyingPartyTrustCommand
We are running ADFS 2.0 on Windows 2008 R2.
Anyone has a clue of what is causing this?
I am working on a task to use LDAP attribute store in ADFS 3.0. It needs a custom attribute.
I created an AD LDS instance, which is my LDAP attribute store.
I want use 'Send LDAP Attributes as Claims' template to create a rule.
How to add the custom attribute and make it available in the claim rule?
Thanks for reading and anwsering my question.
Runner288
Hello
i'm trying to deny some users access to a federated application based on custom attributes on their user account and i seem to be stuck.
on the claim descriptions (ADFS)while trying to create a claim name,I don't know where to retrieve the information of the claim identifier. I have created a custom attribute on AD schema and mapped it to user account. Can anyone help with the steps?
I am using server 2012r2
Hello all,
I have a 2012 R2 ADFS server farm consisting of 2 servers using WID. When I added the second server to the existing server, it completed the tasks just fine without any errors and shows in the ADFS management console as a secondary server to the primary.
My issue is that I cannot validate the functionality of the secondary server without taking the primary offline, which would cause an outage for my SSO users. When I try and perform the basic URL tests against the secondary server (the idpinitiatedsignon.aspx, etc.) , I get the "website not found" messages back from the browser with no events in the Event Logs. I cannot verify it's operation via PowerShell, as that generates the message that the commands cannot be executed on a secondary server. I see nothing but the usual messages in both the primary and secondary event logs so maybe this is "normal" or "as designed" behavior for v3.0?
Also, I noticed that contrary to what you would normally see in a ADFS 2.1 farm deployment in the management console, with v3.0 you do not see any configuration items in the secondary server's console. Just the message that it is a secondary server and that all changes must be made on the primary.
How do I know this farm is working? How do I test the secondary without incurring an outage?
Thanks for the help.
Hi,
I'm new to ADFS 3.0, but we've just started to implement it internally for access to 3rd party Software as a Service platforms and now I'm getting very popular at work! I'm learning this as I go, so forgive me if I'm not making my situation clear. One of our partners allows dynamic provisioning of accounts, but has a strict user limit, so we want to limit logins to users who are a member of an AD group, so users of other services don't inadvertently log in and get an account created.
My problem is that, after someone fails the AD group check they're brought to the "An error occurred" page, which I've customized to explain how to request access and a link to the Service request page, etc. The trouble is that there's no way to leave that page. I added a 'Sign-Out' link in the error message (using the WS-Fed signout, which I understand is wrong in a SAML setting) and one to 'Return to Sign-in Page' using the 'Helpdesk Link' customization in the WebTheme. The 'sign out' link works to sign the user out, and the .../idpinitiatedsignon.aspx link takes them back to the credentials page but signing in again just redirects them back through the same relying party claims path.
I'm sure this is due to a misconfiguration on my part at some point in my learning process. I'm hoping someone can get me pointed in the right direction.
Thanks,
Dirk
UPDATE: Closing the browser entirely resets things allowing the user to see the RP selection dropdown again, so it's clearly caching something which causes the redirect. Is there any way to resolve this, or is this a security feature? Is there some way to redirect the user or prevent this loop?
Hello,
I've already set up a federation server for SSO and I wanted to get some redundancy with it so I'm making a second server. I created another 2008 R2 server to host the service and installed it with the current hot fix. I imported the certificate from the ADFS01 server and installed it on this server as well as binded that certificate to the Default Web Site (on the 443 port).
I start the wizard and get up to the certificate page. When I get here it doesn't let me do anything. I cannot choose the certificate or anything. It just tells me I need to have the same certificate binded to the DWS. I should mention that it is a SAN certificate that is being used with our Exchange server(Not for long though). But MS has said that SAN and wildcard certificates work with ADFS.
Any help or ideas?
Thanks
Hi,
is there any clear instruction on how to disconnect ADFS from our network without affecting any other service?
I have office 365 hybrid environment, exchange 2010.
I have ADFS and DirSync, I want to remove the ADFS and keep the DirSync
please advise
thank you
Firas
Hi,
We have a configuration with 2 ADFS 3.0 servers configured in NLB + 2 external ADFS Proxies (WAP) also in NLB.
When we try to configure the second ADFS Proxy using PowerShell we receive the folioing error:
"
Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation
service. Error: Unauthorized. Verify that the service account has administrative access on the target Federation
Server.
At line:1 char:1
+ Install-WebApplicationProxy -CertificateThumbprint xxxxxxxxxxxxxxxxxx ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand
"
The powershell command is:
Install-WebApplicationProxy -CertificateThumbprint xxxxxxxxxx -FederationServiceName sts.xxxxxxx.com
The credentials that we enter are 100% valid, domain admin account.
Also the certificate thumbprint is valid, the certificate itself is also compliant, generated using Verisign services.
Everytime we enter the command specified above, ADFS Proxy generates a self signed certificate, using SubjectName = <computername>.
We found that a workaround will be to add in hosts file the FederationServiceName sts.xxxxxxx.com to point to ADFS1 server IP.
After couple of days of investigating, we did't find any solution for our problem.
We tried:
Checking the certificates on ADFS and ADFS proxies (nets http show sslcert) and matching the results with: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx
Everything looks perfect.
Reinstalling ADFS, WAP.
Please help.
Regards,
Andrei
I am planning to use ADLDS as identity store for outside users. I heard that ADFS 3.0 does not support ADLDS as identity store. Besides Azure AD, is there a workaround to use AD LDS?
My work environment: Windows Server 2012 R2 with ADFS 3.0
Thanks for reading and sharing your knowledge.
Runner288
I'm trying to configure the ADFS role on a new 2012 R2 domain controller following these steps:
http://technet.microsoft.com/en-us/library/dn303424.aspx
However, if I try to create a new service account using the GUI I get the following error:
The specified service account 'CN=adfstest' did not exist. Attempt to create the group Managed Service Account failed. Error: There is no such object on the server.
I added the KDS root key yesterday.
If I add the service account manually:
New-ADServiceAccount adfstest -DNSHostName fs.contoso.ie -ServicePrincipalNames http/fs.contoso.ie -Path "OU=Managed Service Accounts,DC=contoso,DC=ie"
This works fine, but configuring the ADFS farm with this service account I get a similar error:
PS C:\Windows\system32> Install-AdfsFarm -CertificateThumbprint xxxxxxxxxxxxxxx -FederationServ iceName fs.contoso.ie -GroupServiceAccountIdentifier contoso\adfstest$ | fl Install-AdfsFarm : The system cannot find the file specified At line:1 char:1+ Install-AdfsFarm -CertificateThumbprint xxxxxxxxxxxxxxxxxxxxxxxxxx...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ CategoryInfo : NotSpecified: (:) [Install-AdfsFarm], DisplayableArgumentException+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.InstallFarmCommand Message : Unable to retrieve group Managed Service Account information. The system cannot find the file specified Context : DeploymentTask Status : Error
What am I missing?
Hi,
I have an existing ADFS farm on Server 2012 but I'm replacing it with a new farm with the same name on Server 2012 R2. There will be an ADFS server and a Web Application Proxy.
I've installed the first Federation server and can open https://localhost/adfs/ls/IdpInitiatedSignon.aspx so all seems well.
I have exported the existing 3rd party certificate *.mydomain.com onto the ADFS server and the proxy and installed it in Personal container under computer certificates. I also exported/imported the Token-decrypting and Token-signing certificates onto the ADFS server (though not onto the proxy as I don't see how to do this - can't see it in certmgr only in ADFS snapin which doesn't seem to allow export)
I can ping both ways and I can telnet from the proxy to the ADFS server on 443 (though not the reverse direction) Windows firewalls are off and there is an any/any rule between the servers.
I am trying to run the proxy wizard but it fails with a couple of errors depending on what I use for the Federation Server Name (I've created the name as adfs.mydomain.com but TechNet says use the FQDN of the ADFS server, so I'm trying both)
An error occurred when attempting to establish a trust relationship with the federation service. Error: Forbidden (if I use adfs.mydomain.com as the Federation Server Name)
An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: An unexpected error occurred on a send. (if I use the hostname of the ADFS server)
I think the adfs.mydomain.com is the right one - can you confirm this and advise how I can fix this issue. The account I am using in the proxy wizard is the local admin password though have tried my own admin account too.
Have tried the links in http://social.technet.microsoft.com/Forums/windowsserver/en-US/e04fe6fe-3415-45c2-a1ec-0c76be8ae3a5/web-application-proxy-configuration-error?forum=winserver8gen with no success
I've been following the main install link on TechNet - not sure what I've done wrong.
Any assistance very welcome.
I have ADFS 2.0 running on Windows 2008R2. A scan is showing me those federated and federatedproxy servers have SSLv2, SSLv3, and RC4 enabled, and all of those protocols have known exploits. I do have TLS 1.0 enabled, but it also recommends to enable TLS 1.2. Does anyone know if I will have any issues from a ADFS perspective if I disable SSLv2, SSLv3, RC4, and enable TLS 1.2? I will leave TLS 1.0 enabled, so hopefully that would cover me for browsers that are a few years older like IE9, etc. but just trying to figure out any impact these changes will have in the way ADFS handles authentication.
Thanks,
Dave
If as a member of domain admins, I access https://adfs.domain.tld/adfs/ls/IdpInitiatedSignon.aspx and "Sign On" I am presented with a client certificate prompt, select the appropriate cert, hit ok, and boom success. If I go to the same URL as a user that is not a domain admin, I am presented with the client cert prompt, select the appropriate cert, hit ok, and boom !success...
In the Event Viewer I get a couple of errors that seem relevant, the most interesting being an AD FS 2.0 111 event that starts with:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
System.ComponentModel.Win32Exception: Logon failure: the user has not been granted the requested logon type at this computer
I found an article that suggests putting the ADFS service account into the "Windows Authorization Access Group", but that didn't have any effect for me. (Additionally, it didn't really make sense that the permissions of the service account would make it able to to things on admin accounts that couldn't be done on user accounts...). Seems more likely that my user accounts don't have a permission needed to make this work, perhaps something removed by one of the bazillionty GPOs being used here... Help is greatly appreciated.