Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 3 Use Case - OAuth Claims Provider - Can I do this?


Hello.

I want to use my application's credentials (it supports OAuth2; the credentials are not Active Directory ones) to log in to Office 365 from the browser.

Can ADFS serve as a middle man, not authenticating Active Directory users, but rather federating authentication to that application? I read that AD FS supports OAuth relying party trusts, but I'm interested in an OAuth2 Claims Provider. I thought AD FS could be a middle man here, because it supports SAML2 (O365 talks SAML2 only), but the app only supports OAuth2.

Something like extending this scenario, where tenant is not AD FS (Which I suppose talk over WS-Federation) but OAuth2: http://www.tech-coffee.net/windows-azure-pack-authenticate-tenants-ad-fs/


250 Artifact errors 2012R2


Getting errors such as these in the logs:

Log Name:      AD FS/Admin
Source:        AD FS
Date:          1/21/2016 11:52:04 AM
Event ID:      250
Task Category: None
Level:         Error
Keywords:      AD FS
User:          Company\SA_sts
Computer:      Server.company.local
Description:
Expiration of the artifact failed.

Additional Data
Exception message:
MSIS3115: Cannot connect to ArtifactStorage in the configuration database.

Get-ADFSProperties shows me this:

ArtifactDbConnection : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsArtifactStore;Integrated Security=True

How can I fix this??

Changing ADFS 2.0 SSL certificate with new chain - Do clients need intermediate?


I have ADFS 2.0 running on Windows 2008 R2. I am changing my SSL certificate with a new Verisign certificate chain. The servers are 100% ready for the change. I have done this before and looked through several of the documents, but still have 2 questions:

1. My clients do not have the intermediate Verisign certificates, but they do have the root Verisign cert for the SSL certificate. Do the clients need the intermediate certificates? Should I get the intermediate certificates delivered through group policy to all the clients?

2. Do I need to inform all my relying partners of the SSL certificate change? I did not think I have done that in the past, but if I should send them the SSL cert (without the private key), let me know.

Thanks,


Dave



Device Registration and Custom Token Providers


I have configured ADFS 3.0 Device Registration and registered my iPad.

When logging in using the ADFS default provider I can now see a claim

http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser set to true

being sent to my relying party.

However, I am using a custom WS-FED Token Provider and I would like to know in the custom token provider whether the user logging in is using a registered device.

Is that possible in any way?

Regards/Peter

Is there information on configuring IDP initiated SSO on ADFS 3.0 ?


Hi,

I have Windows 2012 R2 -- ADFS 3.0 installed. I was wondering if there is any documentation concerning configuring IDP-initiated SSO.

The ADFS 2.0 article discusses changing the web.config file after applying ADFS Rollup 2, according to the link below:

http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

But ADFS 3.0 no longer installs IIS. So do I just need to make the changes at the login page?

Thanks,

Mark

ADFS 3.0 SSO idp initiated


I would like our business partner to be able to do IdP-initiated single sign-on using SAML-P to access a claims-aware application on my company's side. So basically on my side we have:

1. ADFS 3.0 (https://adfs.mycompany.com)

2. Business Partner IDP server added as Claims Provider Trust in our ADFS (https://idp.partnercompany.com/idp/SSO.saml2)

3. ASP.NET MVC application that is set up as a Relying Party Trust in ADFS (through the WS-FED endpoint) (https://portal.mycompany.com)

I have read the following article:

http://technet.microsoft.com/en-us/library/jj127245%28WS.10%29.aspx

And came up with this url:

https://idp.partnercompany.com/idp/SSO.saml2?RelayState=RPID%3Dhttp%253A%252F%252Fadfs.mycompany.com%252Fadfs%252Fservices%252Ftrust%26RelayState%3DRPID%253Dhttps%253A%252F%252Fportal.mycompany.com

So what I basically have right now is a URL comprised of 3 parts:

part 1: partner's idp url from claims provider trust https://idp.partnercompany.com

part 2: RelayState=encoded[RPID=http://adfs.mycompany.com/adfs/services/trust]

part 3: RelayState=encoded[RPID=https://portal.mycompany.com]

The questions I have are:

1. In part 2 of the URL I use the SAML endpoint for my ADFS; is this correct? Should this instead be the identifier that the partner assigned to my ADFS on their side?

2. In part 3 I use "RelayState=RPID=..." Do I need the RPID or should it be RelayState=encoded[https://portal.mycompany.com]?


I also wanted to add that I modified the config to include: <useRelayStateForIdpInitiatedSignOn enabled="true" />
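The nested RelayState described in this post, as an added example that is not part of the original post: the encoding rule assumed here is the one the cited RelayState documentation describes, URL-encode each identifier and then URL-encode the assembled value once more because it travels as a query-string parameter, applied at both levels. The sample identifiers are the ones from the post; the function names are my own. The builder encodes the inner RP identifier one level more than the posted URL does; the peel function decodes one layer per hop and returns the same pair for either form, so the extra layer only matters when an identifier contains reserved characters such as `&` or `=`.

```python
# Added example (not from the forum post): build and peel apart the two-level
# RelayState used for IdP-initiated sign-on through a federation provider (FP).
# Assumed rule at every level: URL-encode each identifier, then URL-encode the
# assembled value once more because it is carried as a query-string parameter.
from urllib.parse import parse_qs, quote, urlsplit

# Sample values constructed from the scenario in the post.
IDP_SIGNON_URL = "https://idp.partnercompany.com/idp/SSO.saml2"
FP_IDENTIFIER = "http://adfs.mycompany.com/adfs/services/trust"  # our AD FS (the FP)
RP_IDENTIFIER = "https://portal.mycompany.com"                   # the final relying party


def build_idp_initiated_url(idp_signon_url, fp_identifier, rp_identifier):
    """Return the IdP-initiated sign-on URL carrying a two-level RelayState."""
    # Level 2: what our AD FS hands on to the relying party.
    inner = "RPID=" + quote(rp_identifier, safe="")
    # Level 1: what the partner IdP hands to our AD FS; the inner value is itself encoded.
    outer = "RPID=" + quote(fp_identifier, safe="") + "&RelayState=" + quote(inner, safe="")
    # The whole value is one query-string parameter, so it is encoded once more.
    return idp_signon_url + "?RelayState=" + quote(outer, safe="")


def peel_relay_state(url):
    """Decode one layer per hop and return (fp_identifier, rp_identifier).

    parse_qs percent-decodes the values it returns, so each call models the
    decoding one hop performs.  Raises ValueError when a level is malformed.
    """
    hop0 = parse_qs(urlsplit(url).query, strict_parsing=True)   # what the partner IdP sees
    if "RelayState" not in hop0:
        raise ValueError("no RelayState parameter on the sign-on URL")
    hop1 = parse_qs(hop0["RelayState"][0], strict_parsing=True)  # what our AD FS (FP) sees
    if "RPID" not in hop1 or "RelayState" not in hop1:
        raise ValueError("outer RelayState must carry RPID and a nested RelayState")
    hop2 = parse_qs(hop1["RelayState"][0], strict_parsing=True)  # what the RP-bound hop sees
    if "RPID" not in hop2:
        raise ValueError("inner RelayState must carry RPID")
    return hop1["RPID"][0], hop2["RPID"][0]


if __name__ == "__main__":
    url = build_idp_initiated_url(IDP_SIGNON_URL, FP_IDENTIFIER, RP_IDENTIFIER)
    print(url)
    print(peel_relay_state(url))
```

Run the module directly to print the assembled URL and the pair of identifiers recovered from it; feed `peel_relay_state` a URL you are about to hand to a partner to confirm that each hop will see the identifier you intend.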





ADFS + WIF + IdP-Initiated a dealbreaker?

We were hoping to use ADFS with our WIF-based web application but there appears to be a serious deficiency.

Our configuration is the highly recommended:

IdP's <-> FP (ADFS) <-> RP

where the RP is our application (WIF/WS-Federation) and we have many IdP's (our customers) using various SAML products.

ADFS works marvelously in the RP-initiated Web SSO protocol.

However, if I understand the dozen or so postings in this forum, ADFS does not work at all in this configuration with the IdP-initiated protocol.

So, ADFS is a total non-starter for us unless we are able to insist ALL of our customers use RP-initiated.

Is this correct?

Bill

AD FS 2.0 Installation SPN registration warning with error: The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again.


Hello,

I don't have much hands-on experience with AD FS 2.0 but I need to set one up for a dev team. I tried to use the WIF documentation.

I've got a newly installed member server, serverA (a VM on Hyper-V), on which I installed AD FS 2.0.

For this purpose I have an account DOMAIN\adfsservice

All seems to go very well except for the following warning:

---------------------------

AD FS 2.0 Federation Server Configuration Wizard

---------------------------

An error occurred during an attempt to set the SPN for the specified service account. Set the SPN for the service account manually.  For more information about setting the SPN of the service account manually, see the AD FS 2.0 Deployment Guide. 

 

Error message: The SPN required for this Federation Service is already set on another Active Directory account.  Choose a different Federation Service name and try again.

---------------------------

OK  

---------------------------

I can indeed see host/serverA.domain.com that is already registered to the serverA object. Registering manually leads to trust errors until you clear it. Some posts claim you need to put another A record in DNS and register that (see the community remarks below http://64.4.11.252/en-us/library/dd807078(WS.10).aspx). Some say you need an HTTP/ SPN, and then MS states clearly that you need Host/ (see http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-configure-the-spn-serviceprincipalname-for-the-service-account.aspx).

I'm a bit confused here. Do I ignore the warning? Do I remove host/ from serverA and add it to the adfsservice account? Do I use HTTP/?


ADFS 3.0 MFA will not work because IE will not prompt for Certificate


Hello

I have the following problem. ADFS 3.0 is working pretty well in my environment.
But when I enable "MFA" with certificates, the login accepts the first factor and prompts me to select a cert. Here is the problem: IE does not show any dialog to select the user certificate.

Can't find anything in the logs.

The site is in the Trusted Zone & PopUpBlocker is disabled

Thx for your help

Daniel

ADFS 2.0 - Error sync'ing from Primary ADFS to Secondaries


Hi,

First of all, thanks for reading this; English is not my mother tongue, so don't hit me hard if I write something incorrect.

After navigating so much, and without finding any useful info or solution that works in my environment, I'm kindly asking for help. Hope you can help me with this issue on the ADFS!!

By the way, the primary ADFS is working and is authenticating from Office 365 without problems so far.

The environment :

* 3 ADFS Backend 2.0 servers - All in Server 2012

* 3 ADFS proxies 

* Windows Internal Database in ADFS Backends.

The problem is that on the secondary servers I'm getting events 345 and 344 in the ADFS event logs:

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. 

Additional Data 

Master Name : ADFS1.contoso.com 
Endpoint Uri : http://adfs1.contoso.com/adfs/services/policystoretransfer 
Exception details: 
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://adfs1.contoso.com/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: The remote server returned an error: (404) Not Found.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace: 
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]: 
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()

I have checked :

* Date and time on the servers - All OK

* Ports opened between them: 80, 443, 1500 and 1501 seem to be open. I can connect with telnet from the secondary to the primary.

* The ADFSsrv account is a local administrator on the 3 servers. It is the account with which I start all the ADFS services on all the servers. The WID service account is a generated one with "MSSQL" something in there.

* The three WIDs can be accessed and I can see the pipe data source using a get-wmi command (I don't remember which one).

* Updated the accepted protocols on the three servers to be http,net.tcp.

* Same patch level on all the nodes. I know this is not the best scenario, but due to a problem with the WSUS, these servers have never been updated (so, no patches for the three of them).

* I can't see any endpoints for the policystoretransfer; I guess it is something internal that is always approved.

* The DNS resolution seems OK. There are 2 networks (management and service), but from nslookup I can get names with the correct IPs and I can ping them from the secondaries to the primary.

By the way, something curious: if I try to access the URL in the error description, http://adfs1.contoso.com/adfs/services/policystoretransfer, I can't access it from any of the hosts (even the primary). And I can't see this in IIS (in IIS I have only the ADFS and LS virtual directories). I have both virtual directories in IIS, "adfs" and "ls", but don't know if I am missing some content on the server.

Thanks in advance to all!

Cheers,


Asp.Net site not returning FedAuth Cookies or performing 302 Redirect


Hi

Got a strange issue on a couple of servers with an ASP.NET site receiving the SAML token from the ADFS server. Normally FedAuth cookies are returned and the page is redirected based on what's encoded in the wctx ru querystring parameter, but on a development site the response is the result of the default page, no cookies are returned and the redirection isn't performed. We've tried this on several different servers with the same outcome.

The STS is just the basic test one created by Visual Studio. I've compared the web.config and federation metadata for both the STS and the site against several copies of both sites that work, and except for the URLs there are no differences.

This is running against Microsoft.IdentityModel 3.5 (we've not gone through and upgraded to 4.0). Any ideas on the cause or what else to check?

Thanks

ADFS 3 and multiple MFA providers


Hi all,

I have a question regarding ADFS 3 and multiple configured MFA providers. Let's say I have an ADFS 3 server configured with the Microsoft MFA plugin and the SupplierX MFA plugin, both enabled in the Global Authentication Rules for users who want to authenticate to ADFS from the internet (WAP).

I have 2 user groups (also represented by 2 groups in AD): one group of users who have a Microsoft MFA token assigned and a group who have a token from SupplierX.

How does ADFS 3 work in this scenario? Does it show end users a selection screen upon authentication in which the user has to tell ADFS whether he wants to use MS MFA or SupplierX MFA? Or will ADFS require the user to enter both MFA tokens?

Robin


Find me on linkedin: http://nl.linkedin.com/in/tranet

ADFS Design


Hi,

I have a number of web-based applications that are currently available to internal users using their domain credentials; I want to make these web applications available to external users. My thinking was to create a new external forest and use ADFS, including a proxy, to authenticate the external users, but what is my best option for authenticating internal users? I could create a trust, but I want to avoid this if possible...


Sharing ADFS Relying Party with a Development Team


I can't seem to find an answer on this matter.

Here is the situation.

A Development Team wants to develop an application. This means source controlling code including web.config.

Normally every developer works in his own environment and that means different host names.

Based on the WS-Federation protocol you should be able to set up one relying party on ADFS with multiple identifiers reflecting the variety of host names in the Development Team. Then when WIF redirects to the ADFS, it could use the wreply parameter to instruct ADFS to redirect to the developer's environment.

But it seems ADFS doesn't respect this parameter and you are always redirected to the endpoint defined in the Endpoints list configured in the Relying Party configuration. But there you can only specify one WS-Federation configuration endpoint.

The only available solution is to create different Relying Parties per Developer. But this case is hard to maintain and synchronize. Our scenario is even more complex because we have a backend WCF service with identity delegation.

Is there a workaround around WIF for this matter? Maybe I'm missing something really obvious.

AD FS 3.0 Firefox and Chrome no integrated Windows authentication


I have a Windows Server 2012 R2 server with ADFS 3.0 in my environment.

My question is whether there is a chance to use Firefox or Chrome with Integrated Windows Authentication. At the moment these browsers always use forms-based authentication.

With Internet Explorer all works fine.

I have already set the property "ExtendedProtectionTokenCheck" to NONE on the ADFS server, but this didn't solve the problem.

ADFS WAP frustrated with NLB


Current setup

ADFS Server joined to domain school.edu

Added a WAP for outside users to authenticate to 365 address school.net

Worked fine

Added second WAP for NLB and now external access unavailable.

Changed original WAP ip address to .10

New WAP address .11

NLB address is the original ip address of the original WAP .9 (before NLB)

Not even sure where to start troubleshooting. Not getting any errors. Both WAPs are on physical servers.

Followed the guide here (only difference is he has the WAP's joined to domain)

http://blogs.technet.com/b/platformspfe/archive/2015/02/16/part-6-windows-server-2012-r2-ad-fs-federated-web-sso.aspx

Is it acceptable to do initial IDP initiated sign on testing from the ADFS server?


Hi everyone.

I have an ADFS server installed on server A, and the federation proxy installed on server B. Requests in our internal network to the ADFS server point directly to server A. To test the IDP-initiated sign-on from our internal side, I was planning on testing directly from our ADFS server box (i.e. server A).

Is there any problem in doing this for initial testing?

port between web application proxy and ADFS 3.0


Hello,

In my environment, there are two AD FS 3.0 servers and two Web Application Proxy servers. There are 2 Windows NLBs, one for the ADFS servers, the other for the Web Application Proxy servers.

Recently, on the ADFS proxy server, I get the following error:

Event ID 222:

The federation server proxy was unable to complete a request to the Federation Service at address 'https://xxxxxxxxxxxxxxxxxxx' because of a time-out. This might mean that the Federation Service is currently unavailable. 

User Action 
Verify that the Federation Service is running.

Users sometimes need to wait 1~2 seconds to get the AD FS login page. After the page is displayed, they can log in.

I think it may be due to the connection between ADFS and WAP. I only open port 443 between ADFS and WAP. Is it enough? (Or is it related to Windows NLB?)

Thank you very much.

Winter
