Channel: Claims based access platform (CBA), code-named Geneva forum

regular expression validation for telephone number like 1 800 ###-#### or 800 ###-####


I have a telephone textbox which can support the 1 800 ###-####

or 800 ###-#### format, meaning the telephone number can support both formats. How do I validate this using regular expressions?

please help me... 
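An added example (not from the original post) of a validator for exactly the two formats asked about, written in Python so it can be run stand-alone; the sample inputs are constructed. It uses `fullmatch()` and an ASCII digit class, because the two most common mistakes in this kind of check are a `$` anchor that still accepts a trailing newline and a `\d` that accepts non-ASCII digits.

```python
import re

# Exactly the two shapes the post asks for: an optional "1 " country code,
# then "800", a space, three digits, a hyphen and four digits.
# [0-9] rather than \d: in Python 3 (and in .NET) \d also matches non-ASCII
# digits such as U+0663, which a phone field should not accept.
PHONE_RE = re.compile(r"(?:1 )?800 [0-9]{3}-[0-9]{4}")


def is_valid_phone(value: str) -> bool:
    """True only if the entire string is one of the two accepted formats.

    fullmatch() anchors both ends. re.match() with a trailing '$' would
    still accept a value ending in a newline, which is a classic way for
    extra content to ride past a "validated" field.
    """
    return PHONE_RE.fullmatch(value) is not None


# Constructed sample inputs (not from the original post) with the expected verdicts.
SAMPLES = {
    "1 800 555-1234": True,
    "800 555-1234": True,
    "1800 555-1234": False,      # no space after the country code
    "800 5551234": False,        # missing hyphen
    "800 555-12345": False,      # one digit too many
    "1 800 555-1234\n": False,   # trailing newline: a '$' anchor would have let this through
    " 800 555-1234": False,      # leading whitespace
    "900 555-1234": False,       # only the 800 prefix is allowed
}


def check_samples() -> dict:
    """Run every sample through the validator; equals SAMPLES when all verdicts agree."""
    return {sample: is_valid_phone(sample) for sample in SAMPLES}


if __name__ == "__main__":
    for sample, expected in SAMPLES.items():
        print(f"{sample!r:20} -> {is_valid_phone(sample)} (expected {expected})")
```

The same anchoring caveat applies to any engine with Perl-style `$` semantics, .NET included; there, `\z` (absolute end of string) is the safer anchor. Whatever the engine, keep the server-side check: a client-side validator only improves the user experience.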

 


ADFS + MFA error


Hello, I tried to implement an ADFS+MFA solution, so I am able to log in to the Azure Portal with my on-prem users.

I got ADFS working alright, but whenever I enable Multi-factor authentication (MS PhoneFactor) on ADFS I get the following error. Where should I look to troubleshoot?

--------------------------------------------------------------

Encountered error during federation passive request.

Additional Data

Protocol Name:

Saml

Relying Party:

******

Exception details:

System.NullReferenceException: Object reference not set to an instance of an object.

   at pfadfs.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)

   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)

   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)

   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

--------------------------------------------------------------

Setup:

2 DC (ADFS)
2 MFA (Proxy + MFA Server)
1 DirSync server

Convert UPN to all lower case via Claim Rule (ADFS 3.0)


Hi.  We have a relying party that expects the UPN to be case sensitive. In AD, we do not currently have a standard for UPN, so some users are First.Last@company.com, and others are first.last@company.com. For simplicity with this relying party, I would like to convert the outgoing UPN to be all lower case regardless of what case the UPN is in AD. Preferably without installing anything in ADFS or making any global changes. Is there any custom claim language or RegEx expressions that can be used to accomplish this? Thanks!

Generating auto-updated reports from a ASP.NET web application


Hello,

At our company we have a web application based on ASP.NET; our data is saved in a SQL database. Through this application a user can take actions like adding a new payment, scheduling a future payment, adding new clients, editing client information, etc. I want to develop a tool to generate reports based on the daily activity of each user and the total number of payments per month/day/hour, and for them to even be auto-updated. My question is where I can start with creating this, and what tools and resources do I need? I have never created an application that generates reports before.

PS: Sorry if I have posted at the incorrect forum.


Admir

ADFS though TMG - connection reset


Hi All,

I'm trying to publish ADFS through TMG and am running into a weird problem. Everything works internally and even when VPN'ed in, but no connection through TMG is possible.

TMG logs show connection resets (Error 64 - Network Name no longer available). I did a NetMon trace on the ADFS server and can see that the traffic from the external client (or from TMG when doing a "Test Rule") hits the ADFS server, but the server immediately sends a connection reset back (Frame 73).

I can only guess that it's the application (i.e. ADFS), that's terminating the connection, but why?

Anyone seen this before?
Thx in advance for help and/or pointers!
M.

Note: the blacked out stuff is just "noise" (=other connections)


Using WIF to read a message whose signature doesn't have KeyInfo


Hi,

I'm using WIF to read a message whose signature doesn't have a KeyInfo element:

 

<Response ID="idc640375b45ac4293ae9a70bab7991991" Version="2.0" IssueInstant="2016-01-11T09:40:28.6192428Z" Destination="https://idp.example.local/..." InResponseTo="idd14f45aa327748269e2d4adba05e52cd" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">

 <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://samples.example.local/.../</Issuer>

 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">

  <SignedInfo>

   <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

   <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />

   <Reference URI="#idc640375b45ac4293ae9a70bab7991991">

    <Transforms>

     <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />

     <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

    </Transforms>

    <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />

    <DigestValue>BvSo2SLM+rL+FCx9UwiWApIbT12/9ffKZbN9Iuc1O54=</DigestValue>

   </Reference>

  </SignedInfo>

  <SignatureValue>IkQ7iPrTPzmc+DWJ4J9AfBmZm1cOLrVQu2o6Dd0/jKvWp3xb8D1gNqrShHo57qx8t0cLatW2ZJvC/YtGCuXNUlm8VM7OTakn3rSBUJmY+5yWyhkD+EOPkBOZFoXYjQCtfLXaZhM8sYYeJnPEEpRF9Nl/Mop/15aQjbRczmiPiy0lgohMjF/TIQp401CUNbXcHsvUf+DDcTqNmUoyXE0cbrKr351bIqXsPLagQ7OW0nVDwD0B2s4uYkPR8ZJegaSma9keGI4fqRTteubRTznrxFdbi4yWof9McdlsYpzvaqIJsoQHSEpiKXeg1sK83KxLgMfHyRofznD7BW6iFhHAlA==</SignatureValue>

 </Signature>

 <Status>

  <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />

 </Status>

WIF refuses to process the message and throws an exception:

[InvalidOperationException: ID3276: The signing credentials cannot be resolved because signed XML does not contain a SecurityKeyIdentifier.]
   System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials() +527
   System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement() +55
   System.IdentityModel.EnvelopedSignatureReader.Read() +90
   System.Xml.XmlReader.ReadEndElement() +54
But according to https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf, section 5.4.5, such a signature is valid: "XML Signature defines usage of the <ds:KeyInfo> element. SAML does not require the use of <ds:KeyInfo>, nor does it impose any restrictions on its use. Therefore, <ds:KeyInfo> MAY be absent."

Could anyone please show me if there is a workaround for this issue? Why does WIF enforce such a rule? To make the situation more frustrating, all the relevant classes are marked as internal which makes extending them impossible.

Thank you in advance,

Thuan.
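An added example, not part of the original post or of WIF, that reports the structure of the ds:Signature on a SAML Response like the one above: whether KeyInfo is present, which element the Reference covers, and which algorithms are declared. It does not verify the signature; it is the pre-check a relying party can log before handing the message to its SAML library. The two Response documents are constructed to mirror the post's message (same element layout, placeholder digest and signature values), so they would not verify cryptographically.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"


def inspect_signature(xml_text: str) -> dict:
    """Describe the ds:Signature on a SAML Response without verifying it.

    Reports whether KeyInfo is present (absent in the post's message), which
    element the Reference points at, whether that is the Response root, and
    which algorithms are declared. Key resolution and the cryptographic check
    are left to the SAML library.
    """
    root = ET.fromstring(xml_text)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return {"signed": False}
    signed_info = sig.find(f"{{{DS}}}SignedInfo")
    ref = signed_info.find(f"{{{DS}}}Reference") if signed_info is not None else None
    ref_uri = ref.get("URI", "") if ref is not None else ""
    sig_method = signed_info.find(f"{{{DS}}}SignatureMethod") if signed_info is not None else None
    transforms = [t.get("Algorithm") for t in sig.iter(f"{{{DS}}}Transform")]
    return {
        "signed": True,
        "has_keyinfo": sig.find(f"{{{DS}}}KeyInfo") is not None,
        "reference_uri": ref_uri,
        # The Reference must point at the root's own ID; otherwise the
        # signature covers some element other than the one being trusted.
        "covers_root": ref_uri == "#" + root.get("ID", ""),
        "enveloped": ENVELOPED in transforms,
        "signature_method": sig_method.get("Algorithm") if sig_method is not None else None,
    }


# Constructed Response mirroring the structure in the post; the placeholder
# digest/signature values are not real, so this message would not verify.
RESPONSE_NO_KEYINFO = f"""<Response ID="_constructed-id-1" Version="2.0"
  IssueInstant="2016-01-11T09:40:28Z" Destination="https://idp.example.local/acs"
  xmlns="{SAMLP}">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://samples.example.local/</Issuer>
  <Signature xmlns="{DS}">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="#_constructed-id-1">
        <Transforms>
          <Transform Algorithm="{ENVELOPED}" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue>PLACEHOLDER-DIGEST=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>PLACEHOLDER-SIGNATURE=</SignatureValue>
  </Signature>
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></Status>
</Response>"""

# The same message with a KeyInfo carrying a placeholder X509Data block,
# i.e. the shape WIF's ID3276 error is asking for.
RESPONSE_WITH_KEYINFO = RESPONSE_NO_KEYINFO.replace(
    "</Signature>",
    "<KeyInfo><X509Data><X509Certificate>PLACEHOLDER-CERT=</X509Certificate>"
    "</X509Data></KeyInfo></Signature>")

if __name__ == "__main__":
    for label, doc in (("without KeyInfo", RESPONSE_NO_KEYINFO),
                       ("with KeyInfo", RESPONSE_WITH_KEYINFO)):
        print(label, inspect_signature(doc))
```

Two points the report makes visible: `covers_root` is the check that the signed Reference really targets the Response being trusted rather than some other element, and `has_keyinfo` tells you which key-resolution path applies. When KeyInfo is absent, the verifying side must take the signing certificate from the partner's trusted metadata; when it is present, the embedded certificate must still be matched against that trusted set rather than trusted because it arrived inside the message.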


WS-Trust namespace problem - WSTrustSerializationException: ID3007: The element 'AppliesTo' with namespace 'http://www.w3.org/ns/ws-policy' is unrecognized.


I need to request a security token from an ADFS service deployed in Microsoft ADFS 2.0 server.

The service is https://yourcompany.com/adfs/services/trust/13/UsernameMixed

I have the below Soap envelope (generated from ADFS 2.0 Server's WSDL) that I post to the server,

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action><MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:e49f823f-938c-4891-af7a-50785daa341d</MessageID><To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-1280721692">https://yourcompany.com/adfs/services/trust/13/usernamemixed</To><ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true"><wsu:Timestamp wsu:Id="TS-95D9398249ED135AE8138537380334211"><wsu:Created>2013-11-25T10:03:23.342Z</wsu:Created><wsu:Expires>2013-11-25T10:08:23.342Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id="UsernameToken-95D9398249ED135AE8138537380334212"><wsse:Username>NA</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">NA</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>http://my.endpoint</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType><wst:Lifetime 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2013-11-25T10:03:23.340Z</wsu:Created><wsu:Expires>2013-11-25T10:03:31.340Z</wsu:Expires></wst:Lifetime><wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType></wst:RequestSecurityToken></soap:Body></soap:Envelope>


However I keep getting the below error in the ADFS server,

The Federation Service encountered an error while processing the WS-Trust request. 
Request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue 

Additional Data 
Exception details: 
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationException: ID3007: The element 'AppliesTo' with namespace 'http://www.w3.org/ns/ws-policy' is unrecognized.
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.ReadRSTXml(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context, WSTrustConstantsAdapter trustConstants)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrust13RequestSerializer.ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
   at Microsoft.IdentityServer.Protocols.WSTrust.MSISWSTrust13RequestSerializer.ReadXmlElement(XmlReader reader, RequestSecurityToken rst, WSTrustSerializationContext context)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustSerializationHelper.CreateRequest(XmlReader reader, WSTrustSerializationContext context, WSTrustRequestSerializer requestSerializer, WSTrustConstantsAdapter trustConstants)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.CreateDispatchContext(Message requestMessage, String requestAction, String responseAction, String trustNamespace, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

Can someone please help to understand what is going wrong here...
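An added example, not from the original post, that checks a WS-Trust 1.3 Issue request for the mismatch the ID3007 error describes. WS-Trust 1.3 binds the `wsp` prefix to `http://schemas.xmlsoap.org/ws/2004/09/policy`, which is the namespace in the posted envelope, while the error names `http://www.w3.org/ns/ws-policy`, so the envelope that actually reached ADFS differs from the one shown. The function below reports the namespace of the `AppliesTo` element (plus the Action and RequestType) so the request can be inspected before it is sent; `make_envelope` builds a constructed minimal RST with the security header omitted, and `http://my.endpoint` is the placeholder address from the post.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
# WS-Trust 1.3 binds the wsp prefix to WS-Policy 1.2; this is the namespace
# used in the posted envelope.
WSP_EXPECTED = "http://schemas.xmlsoap.org/ws/2004/09/policy"
# WS-Policy 1.5, the namespace named in the ID3007 error on the page.
WSP_15 = "http://www.w3.org/ns/ws-policy"
ISSUE_ACTION = WST13 + "/RST/Issue"
ISSUE_REQUEST_TYPE = WST13 + "/Issue"


def namespace_of(tag: str) -> str:
    """ElementTree spells a qualified tag as '{namespace}local'."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def check_rst(envelope_xml: str) -> list:
    """Return findings for a WS-Trust 1.3 Issue request; an empty list means no mismatch found."""
    findings = []
    root = ET.fromstring(envelope_xml)
    action = root.findtext(f"{{{SOAP}}}Header/{{{WSA}}}Action")
    if action != ISSUE_ACTION:
        findings.append(f"wsa:Action is {action!r}, expected {ISSUE_ACTION!r}")
    rst = root.find(f"{{{SOAP}}}Body/{{{WST13}}}RequestSecurityToken")
    if rst is None:
        findings.append("no RequestSecurityToken element in the WS-Trust 1.3 namespace")
        return findings
    request_type = rst.findtext(f"{{{WST13}}}RequestType")
    if request_type != ISSUE_REQUEST_TYPE:
        findings.append(f"RequestType is {request_type!r}, expected {ISSUE_REQUEST_TYPE!r}")
    applies_to = [el for el in rst if el.tag.endswith("}AppliesTo")]
    if not applies_to:
        findings.append("AppliesTo is missing, so ADFS cannot pick a relying party")
    for el in applies_to:
        ns = namespace_of(el.tag)
        if ns != WSP_EXPECTED:
            findings.append(f"AppliesTo is in namespace {ns!r}; "
                            f"the WS-Trust 1.3 serializer expects {WSP_EXPECTED!r}")
    return findings


def make_envelope(wsp_ns: str, endpoint: str = "http://my.endpoint") -> str:
    """Constructed minimal RST (security header omitted) with a chosen AppliesTo namespace."""
    return f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <Action xmlns="{WSA}">{ISSUE_ACTION}</Action>
    <To xmlns="{WSA}">https://yourcompany.com/adfs/services/trust/13/usernamemixed</To>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="{WST13}">
      <wst:RequestType>{ISSUE_REQUEST_TYPE}</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="{wsp_ns}">
        <wsa:EndpointReference xmlns:wsa="{WSA}"><wsa:Address>{endpoint}</wsa:Address></wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:KeyType>{WST13}/Bearer</wst:KeyType>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    print("WS-Policy 1.2:", check_rst(make_envelope(WSP_EXPECTED)) or "no findings")
    print("WS-Policy 1.5:", check_rst(make_envelope(WSP_15)))
```

Run it against the bytes actually put on the wire (a proxy capture rather than the template), since a SOAP library or a WSDL-generated client may rewrite namespace declarations between the template and the request.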

ADFS metadata URL not loading


Hi All,

I have one ADFS server and one ADFS proxy with IIS. When I try to hit the ADFS metadata URL https://abc.xyz.com/FederationMetadata/2007-06/FederationMetadata.xml

from a browser, I am not able to get the ADFS 2.0 metadata and get an XML error in the browser:

XML Parsing Error: no element found

Location: https://abc.xyz.com/FederationMetadata/2007-06/FederationMetadata.xml

Line Number 1, Column 1:

Can anybody tell me why I am not able to get the metadata from this URL? Earlier it was working fine. Is this related to some certificate issue?

Thanks in advance



ADFS and ADFS Proxy configuration Issues when adding second ADFS Proxy server


Hi,

We have a configuration with 2 ADFS 3.0 servers configured in NLB + 2 external ADFS Proxies (WAP) also in NLB.

When we try to configure the second ADFS Proxy using PowerShell we receive the following error:

"

Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation
service. Error: Unauthorized. Verify that the service account has administrative access on the target Federation
Server.
At line:1 char:1
+ Install-WebApplicationProxy -CertificateThumbprint xxxxxxxxxxxxxxxxxx ...+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyTrustException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand

"

The powershell command is:

 Install-WebApplicationProxy -CertificateThumbprint xxxxxxxxxx -FederationServiceName sts.xxxxxxx.com

The credentials that we enter are 100% valid, domain admin account.

Also the certificate thumbprint is valid, the certificate itself is also compliant, generated using Verisign services.

Every time we enter the command specified above, the ADFS Proxy generates a self-signed certificate, using SubjectName = <computername>.

We found that a workaround would be to add in the hosts file the FederationServiceName sts.xxxxxxx.com pointing to the ADFS1 server IP.

After a couple of days of investigating, we didn't find any solution for our problem.

We tried:

Checking the certificates on ADFS and ADFS proxies (netsh http show sslcert) and matching the results with: http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx

Everything looks perfect.

Reinstalling ADFS, WAP.

Please help.

Regards,

Andrei

WIF: Connecting/authenticating to STS server


Our application uses WIF 3.5 to authenticate against an STS server. The first time it works as it should, but when the session expires and the user goes back to the login page and tries to log in again, it stops at the issuer URL and gives us a blank screen. This problem started to happen after we migrated from Windows Server 2003 to Windows Server 2012.

What we already tried:

  • Investigating IIS and FREB logs on both servers (our application and STS) didn't show any error
  • When we use tools like Fiddler or iDNA and try to reproduce the problem, strangely it does not occur

ADFS Multiple Federated Domains Error AADSTS50107


Hello Everyone,

I am trying to setup ADFS for an organization with 4 Office 365 domains.

AD FS works fine if I enable one domain as federated without the parameter "-SupportMultipleDomain".

When I enable multiple domains using the command

Convert-MsolDomainToFederated -DomainName domain2.qld.edu.au -SupportMultipleDomain

I receive the following error after entering username/password on the ADFS page:

Additional technical information:
Correlation ID: 17e57dac-31bc-4863-946c-d145740092d2
Timestamp: 2016-01-13 12:02:33Z
AADSTS50107: Requested federation realm object 'http://college.domain1.qld.edu.au/adfs/services/trust/' does not exist.

I am enabling ADFS for following sample domains:

Domain1.qld.edu.au
Domain2.qld.edu.au
Domain3.qld.edu.au
Domain4.qld.edu.au

My ADFS server is published on adfs.domain1.qld.edu.au

On-premise environment consists of a single AD domain/forest and AD domain name is "college.domain1.qld.edu.au" and there is no UPN configured for users. 

Any idea why I am facing this error?

Thanks in advance for help and support.

Mubbashir


Mubbashir Ahmad

Asp.Net site not returning FedAuth Cookies or performing 302 Redirect


Hi

Got a strange issue on a couple of servers with an ASP.NET site receiving the SAML token from the ADFS server. Normally FedAuth cookies are returned and the page is redirected based on what's encoded in the wctx ru querystring parameter, but on a development site the response is the result of the default page, no cookies are returned and the redirection isn't performed. We've tried this on several different servers with the same outcome.

The STS is just the basic test one created by Visual Studio. I've compared the web.config and federationmetadata for both the STS and site against several copies of both sites that work, and except for the URLs there are no differences.

This is running against Microsoft.IdentityModel 3.5 (we've not gone through and upgraded to 4.0). Any ideas on the cause or what else to check?

Thanks

AD FS - Extranet Protection - Unlock or reset account or observation window?


Hello!

We are looking to implement ADFS extranet protection. A point was made that our helpdesk would have issues diagnosing an account locked out at the ADFS extranet level. Internally, the AD account would look fine, but from the external Office 365 side, once the threshold was met, the observation window would be set at 61 minutes (1 minute above our domain policy). They would then have to pass this on to another group to troubleshoot.

Is there an easy powershell command that can be run or an easy way for a normal user to determine if the account was "locked" by ADFS or a way to easily reset the observation window temporarily? This seems to be the only stopping point with proceeding for our organization.

Thanks!

Michael

Claim and cookie madness


Hello everyone!

First, I want to say thank you to everyone who takes time out of their busy days to answer questions and point all of us in the correct direction.  Thank you especially to nzpcmad1, for helping me out in getting over the hump of getting an ADFS -> ADFS solution to work.

I have another problem with this same setup, but I think it is all on my side but as I'm confused a little on cookie vs. tokens, I want to ask one more time for some guidance.

I have an ADFS - ADFS setup.  We are the RP on their side.  They are the Claims Provider on our side.  Further, I have an ASP.NET MVC app using OWIN WS Federation for authentication.

This app receives a set of claims and uses those claims to spin up a valid "user" (read FormsAuthentication) for our ASP.NET web form applications. 

When a user comes in for the first time, everything works beautifully.  They get redirected properly to the correct STS for authentication, claims get passed back to us, I spin up a "user" and redirect to our web forms application.  Wonderful.

The problem comes in if the user closes their browser and then tries the same path again.  They could wait 2 minutes, an hour, whatever.  However, this time, their STS is remembered (no HRD), so they get silently authenticated then redirected back to us. 

However, no claims come across.  My app dies.

Does this have to do with a session security token lifetime?  One of these? Coordinating AD FS 2012 R2 token lifetimes to reduce logon prompts, enforce revocation and limit session duration over public networks.  I also decided to try to help myself out and stash the claims I need in a cookie local to my RP app.

If I instruct the user to clear their cookies, results are unpredictable.  Sometimes after doing that, things work great.  Other times, no joy.

Thank you for your time and attention.

--Brian

ADFS 3.0 Client certificate authentication not working


Hi All

I’ve just rolled out ADFS 3.0 within my company and everything is working great but now I would like to enable Client certificate authentication and this is where the fun has started.

My environment is the following:

Windows 2012 r2 Domain controller with domain/forest functional level at windows 2012 r2

One domain controller installed as a certificate authority and currently giving out client certificate which is used for client authentication through TMG

ADFS server running windows 2012 r2 which is joined to our domain

ADFS server in the DMZ which is the ADFS proxy server and is in a "WORKGROUP"

Firewall ports which have been opened are HTTP, HTTPS and tcp/49443

When I enable cert auth and try to sign in on the following URL (https://sts.my domain.com/adfs/ls/IdpInitiatedSignon.aspx) I get the following error:

An error occurred

Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information.

Sign in with other options

Error details

  • Activity ID: 00000000-0000-0000-1601-0080000000f2
  • Error time: Wed, 10 Dec 2014 13:03:26 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36

I’ve tried running this internally (Using chrome as my browser to ensure I get prompted for my users cert) to avoid firewall issues with the above result.

When I have a look at the event viewer on the ADFS server the following is logged:

Level: Error

Source:  AD FS

Event ID: 364

Task Category: None

General:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Saml

Relying Party:

http://sts.<my domain>.com/adfs/services/trust

Exception details:

Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146885613

  at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)

  at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

  at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

I’m now at a loss as what else I should try to get this working. Can anyone advise how I should proceed or how I should be troubleshooting this problem?

Many thanks in advance


Re-order the display of Relying Party trusts on the web


I am configuring a series of ADFS 3.0 independent servers in a hierarchical layout.  The relying party trusts are being added when the partner entity is ready, which is not in alphabetical order.  Short of removing the relying party trust and adding it back in the proper order, is there any way to re-order the relying party trusts once configured?  See below for a visual example of what I am looking for.  I'm fine with having the local option being at the top (in this case the one labeled NNNC), but I would like to reorder the configured ones.

And while 4 items may seem like a minor issue, my entire layout involves up to 100 individual servers and I really don't want to have to remove and re-add those.



ADFS 3.0 errors: 511 and 364


I've got a WAP and an ADFS farm with a single server using WID.

Users can log into Office 365 successfully, but SSO is not working, so they need to log in to the ADFS login page as well as the Office 365 page.

Errors are 364 and 511 as per below. I've read some articles but found no concrete solutions for 3.0.

How can I troubleshoot this? I did find one mistake in my setup (the hosts file on the ADFS server was pointing adfs.mydomain.com to the WAP). Could this be the cause? I am unable to test this right now as I can't bring down production. Any other solutions? I need to stop these errors occurring and ensure SSO works.

364:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:

Microsoft.IdentityServer.Web.InvalidScopeException: 06a7aa66-3aad-e311-80c1-005056983900

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

---------------------

511 :

The incoming sign-in request is not allowed due to an invalid Federation Service configuration. 

Request url:

/adfs/ls?version=1.0&action=signin&realm=urn'%'3AAppProxy'%'3Acom&appRealm=06a7aa66-3aad-e311-80c1-005056983900&returnUrl=https'%'3A'%'2F'%'2Fadfs.mydomain.net'%'2Ffavicon.ico&client-request-id=DEC78966-4DEB-0000-918A-C7DEEB4DCF01

User Action:

Examine the Federation Service configuration and take the following actions:

  Verify that the sign-in request has all the required parameters and is formatted correctly.

  Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters.

  Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.

Office 365 MFA and ADFS Claims Rules - enforce MFA for all external connections except ActiveSync


We are trying to enforce MFA for all connections to Office 365 except those not supported - specifically ActiveSync.

Currently, our rule allows for no MFA when connecting from the corporate network and only requires it for browser based requests when not on the corporate network. This works for web based access but allows apps with Modern Auth (ADAL) enabled to access with no MFA when connecting from outside. What we want is for ADAL enabled applications to enforce MFA. Here is our current claim rule:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

What we have tried:

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork",Value == "false"]
 && c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value != "Microsoft.Exchange.ActiveSync"]
 => issue(Type ="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",Value = "http://schemas.microsoft.com/claims/multipleauthn");

 

- and - 

c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 && [Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.Autodiscover"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value=="Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");

Nothing seems to work and the examples all talk about deny when external vs. enforce MFA when external.

Thanks

Relay State URL Security

Is it good security practice to send Relay State and other ADFS parameters in the URL line? Can this information be leveraged by an attacker to gain access to servers?

Multiple Identity Providers


Microsoft.IdentityServer.Protocols.Saml.NoPassiveException: MSIS7088: There are multiple identity providers found for SAML request with IsPassive set to true. Unable to complete home realm discovery.

Not sure where to start looking on this....  Any ideas what to look for?

Thanks

Mike
