ADFS 3.0 Forms based not working in Firefox and Chrome

February 3, 2016, 3:25 am

≫ Next: ADFS/WAP - redirect http to https

≪ Previous: port between web application proxy and ADFS 3.0

Hi,

We have an ADFS 3.0 environment and have configured 2 SAML based trusts with Citrix Sharefile and another 3rd party room booking software. When I go to the sharefile and room booking login page, I am redirected to my ADFS form login page (we don't have WIA enabled at all).

If I login with my correct details, in Internet Explorer and Edge, it works, and I can access the third party systems. However Chrome and Firefox it doesn't, the connection times out and I get the relevant browser error page saying that the third party site took too long to respond.

Any ideas what is causing this? I am not using WIA but the Mozilla/5.0 user string is already added and I have turned off the Extended Protection.

Many thanks.

↧

ADFS/WAP - redirect http to https

September 14, 2015, 11:18 pm

≫ Next: Disable signing requirement for LogoutResponse SAML message

≪ Previous: ADFS 3.0 Forms based not working in Firefox and Chrome

Hello,

we are running an Server 2012 R2 ADFS-Farm with WAP.

What is the recommended option to redirect http requests to https, so a user can use the urlhttp://app.domain.com and automatically gets redirected tohttps://app.domain.com?

IIS is no longer required for ADFS and starting with the August 2014 Windows Update rollup, the Application Proxy listens for health probes also on http, which may interfere with any software running on port 80 for https-redirection?

Thanks in advance,
Thomas

↧

Disable signing requirement for LogoutResponse SAML message

February 4, 2016, 6:56 am

≫ Next: The signature verification failed

≪ Previous: ADFS/WAP - redirect http to https

With our ADFS 2.0 server acting as an IP, I am getting error events for one of our SAML RPs with the following message:

Error message: MSIS1014: SAML LogoutRequest and LogoutResponse messages must be signed when using SAML HTTP Redirect or HTTP POST binding.

Sure enough, the LogoutResponse message being sent from the RP is not being signed. Is there any setting within ADFS to turn off this requirement?

↧

The signature verification failed

February 5, 2016, 6:26 am

≫ Next: AD FS 2.0 + Federation Proxy + Unsecured or incorrectly secured fault errors

≪ Previous: Disable signing requirement for LogoutResponse SAML message

Hello everyone,

I'm working on getting a Claims Provider trust setup for an IdP that is NOT MS' ADFS.

I keep getting this error in the event log:

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityServer.Protocols.Saml.SamlProtocolException: MSIS1022: Cannot process SAML Response from ''.
Inner exception: ID6013: The signature verification failed.
at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)

------

This is a SAML-only IdP.

Any ideas on what I should look at? I'm looking at the <Response/> SAML document and can see the SignatureValue and the X509 certificate.

When the Claims Party does a Fiddler trace, they get back an HTTP 200 OK response from me but this event (ID 300) and event ID 364 with basically the same message gets generated.

At this point there is no app involved. This is just the CP going to my InitiateSignon.aspx on our ADFS server. Their metadata file is very short and I set up their Claims Party trust manually from the file they sent me.

Thank you for your time and attention,

Brian

↧

AD FS 2.0 + Federation Proxy + Unsecured or incorrectly secured fault errors

September 9, 2010, 7:02 am

≫ Next: ADFS + OpenID Connect email claim and external ADFS

≪ Previous: The signature verification failed

We are in the process of completing of AD FS 2.0 configuration. The AD FS Infrastructure includes (2) federation server proxies in a farm, (2) federation servers in a farm, and a cluster SQL Server 2008 backend.

With that said, we see a handful of unsecured or incorrectly secured fault errors in the AD FS 2.0 Admin log on the federation proxy. The AD FS 2.0 Windows Service does start, so I am curious if these errors can be ignored or if there is any modifications that can be done to resolve these errors. Connectivity on port 80 & 443 has been allowed between the federation server farm and federation proxy farm.

AD FS 2.0 Admin Log
-------------------

-------------------
Event ID: 248 - appears after the AD FS 2.0 Windows Service on the Proxy is restarted
-------------------
Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/8/2010 3:40:34 PM
Event ID:      248
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      Prxy1
Description:
The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at sts.domain.com. The error message is 'An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.'.

User Action
Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.

Related unsecured or incorrectly secured fault errors:

-------------------
Event ID: 394
-------------------
Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/9/2010 7:41:54 AM
Event ID:      394
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      Prxy1
Description:
The federation server proxy could not renew its trust with the Federation Service.

Additional Data
Exception details:
An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.

User Action
Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer.

-------------------
Event ID: 364
-------------------
Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/8/2010 3:55:08 PM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      Prxy1
Description:
Encountered error during federation passive request.

Additional Data

Exception details:
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
--- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()
   at Microsoft.IdentityServer.Web.PassivePolicyManager.GetPassiveEndpointAbsolutePath()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

System.ServiceModel.FaultException: An error occurred when verifying security for the message.

AD FS 2.0 Debug Log
-------------------
No warnings or errors in the AD FS 2.0 Debug log related to the errors above

Cross posted from: http://social.microsoft.com/Forums/en-US/partnerwinserver/thread/f9f11fac-abf2-4046-89fa-9054b6474f68

↧

ADFS + OpenID Connect email claim and external ADFS

February 9, 2016, 7:25 am

≫ Next: Remote Desktop with WAP on 2012 R2

≪ Previous: AD FS 2.0 + Federation Proxy + Unsecured or incorrectly secured fault errors

I'm having difficulties setting up ADFS with OpenID Connect on Windows Server 2016.

I've setup AD for testing and I can successfully authenticate, however the email claim is not in the id token.

Additionally I've setup an external ADFS in the Claims Provider trust. It is displayed as an option, however upon logging in I get the error:

MSIS9642: The request cannot be completed because an id token is required but the server was unable to construct an id token for the current user.

Anybody have suggestions on how to fix this?

↧

Remote Desktop with WAP on 2012 R2

October 20, 2014, 7:57 am

≫ Next: ADFS 3.0 Proxy Server Configuration

≪ Previous: ADFS + OpenID Connect email claim and external ADFS

I'm trying to setup RD Web with or without RD Gateway with AD FS and WAP. All on 2012 R2.

I have all the RD Roles on the same server inside the firewall and I would like to use the WAP server we are using for OWA for the same purpose for RD.

I have seen some bits of info that tells me it's possible but nothing more.

So any info would be greatly appreciated

↧

ADFS 3.0 Proxy Server Configuration

February 10, 2016, 6:09 am

≫ Next: ADFS and Azure AD Self-Service Password Reset Portal (SSPRP)

≪ Previous: Remote Desktop with WAP on 2012 R2

We are deploying ADFS 3.0 in our environment and have few questions

1) What should be the primary DNS suffix of ADFS WAP servers on DMZ set to: Internal Domain or External Domain?

2) What should be the host file entries on WAP servers? Someone told me to make host entry to point primary ADFS proxy to primary ADFS sevrer and secondary proxy to secondary ADFS server. I doubt this and feel that the host entry should just be ADFS farm service name pointing to the IP of internal load balancer or NLB cluster

3) To load balance ADFS servers over intranet can I just use DNS round robin using an A record or do I have to use NLB cluster?

↧

ADFS and Azure AD Self-Service Password Reset Portal (SSPRP)

February 11, 2016, 12:24 am

≫ Next: ADFS 3.0 Proxy Server Configuration

≪ Previous: ADFS 3.0 Proxy Server Configuration

We have ADFS 3.0 on premises and would like to integrate this with AzureAD Self-Service Password Reset Portal. The Idea is to display a to the SSPRP in ADFS the same way Microsoft does when hitting their login page (https://login.microsoftonline.com) - Link "Can't acces your account?" .Currently the only option I see to redirect use a static Sign-in Page Description Text with no username redirection to SSPRP and just a static localization.

Set-AdfsGlobalWebContent -SignInPageDescriptionText "<A href='https://passwordreset.microsoftonline.com/?mkt=en-US'>Unable to access your account?</A>"

Is there an easy way to achieve the same UX with ADFS 3.0 as when using office365 Portal to reset .onmicrosoft.com Accounts?

thanks & best regards

Pirmin

↧

ADFS 3.0 Proxy Server Configuration

February 11, 2016, 12:58 am

≫ Next: ADFS Oauth2.0 authorization endpoint in win 2012 r2 preview

≪ Previous: ADFS and Azure AD Self-Service Password Reset Portal (SSPRP)

I am deploying ADFS 3.0 in our environment and have few questions

1) What should be the primary DNS suffix of ADFS WAP servers on DMZ set to: Internal Domain or External Domain?

3) To load balance ADFS servers over intranet can I just use DNS round robin using an A record or do I have to use NLB cluster?

↧

ADFS Oauth2.0 authorization endpoint in win 2012 r2 preview

August 28, 2013, 9:42 am

≫ Next: Authentication problems with Azure AD

≪ Previous: ADFS 3.0 Proxy Server Configuration

Hi,

I installed ADFS services and configured it successfully as a federation server. I intend to use it for Oauth2 flows as announced recently by Vittorio and Caleb Baker in recent blogs and videos. The service is running - however when I try to access the oauth2 endpoint I get a error message as shown below. I can access some other endpoints listed by Get-ADFSEndpoint cmd run in powershell. This command lists the Oauth2 endpoint as https:<FQDN of server>/adfs/oauth2 and I tried accessing the authorization endpoint as - https:<FQDN of server>/adfs/oauth2/authorize?client_id=<registered_client_id>?redirect_uri=<registered uri>.... The detailed error message from eventViewer is:

Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/authorize to process the incoming request.

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So my question is - what is the correct Oauth2 authorization endpoint to use?

thanks,

Shanthi

↧

Authentication problems with Azure AD

February 10, 2016, 9:32 am

≫ Next: Process to migrate Azure/365 to new onsite ADFS infrastructure

≪ Previous: ADFS Oauth2.0 authorization endpoint in win 2012 r2 preview

I’m trying to convert a basic MVC 4.6 SharePoint Add in to an Office 365 Azure AD app. I started the app from a fresh template with organisational accounts connected to our Azure AD. We have an on premises ADFS server setup.

Using just the Visual studio 2015 generated code I get:-

“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity.”

On any POST action whenever “@Html.AntiForgeryToken()” is called.

As suggested online, making changes in “AntiForgeryConfig.UniqueClaimTypeIdentifier in global.aspx.cs” fixes this but produces

HTTP error 400 – request too long errors on most browsers. Oddly Microsoft Edge works.

Any thoughts, as this is driving me nuts?

↧

Process to migrate Azure/365 to new onsite ADFS infrastructure

February 12, 2016, 2:27 am

≫ Next: Send Custom SAML Response to RP using ADFS 2.0

≪ Previous: Authentication problems with Azure AD

I have 2x ADFS infrastructures on different external DNS, One is live but I need to migrate to the new one. How to I move Azure/365 from looking at ADFS.domain.com to ADFSv3.Domain.com infrastructure?

Would it be along these lines?

Run cmdlet below to set imported SSL certificate to AD FS 3 server:Set-AdfsSSLcertificate -Thumbprint “xxxxxxxxxx” Check whether the certificate is successfully updatedGet-AdfsSSLcertificate

4. Install Azure AD Module. Follow TechNetlink for step by step Connect to MS Online services on new AD FS 3 server. 5. Connect AD FS 3 server with Office365 tenant by using MSOL PS command: Connect-MSOLservice . Use Office365 global admin account and password

6. Run cmdlet : Set-MsolADFSContext -computer ADFS3.wasita.net *ADFS3.wasita.netis AD FS 3 server FQDN

7. Run cmdlet below to update the Office365Update-MsolFederatedDomain-DomainName adfs.wasita.net–SupportMultipleDomain

↧

Send Custom SAML Response to RP using ADFS 2.0

February 12, 2016, 6:11 am

≫ Next: How to build a custom claim rule to manipulate two string get fist character from one string and last two characters of second sting in ADFS 3.0

≪ Previous: Process to migrate Azure/365 to new onsite ADFS infrastructure

Hello,

I've worked with ADFS a fair amount and have created a few custom claim attributes before. However I'm being asked to send some data I've never sent before in a format I've never used before.

Background: A RP we use wants us to start sending a standardized "Authentication Level" URN to them to show if we used 2 factor or regular windows auth(high vs low). In the document provided to us they said they needed this information in the SAML response "urn:Custom:saml:auth-level:1.0:High/Low". We only use integrated windows auth so our default authentication level is "low".

I took that requirement to mean they needed an attribute with the name of "urn:Custom:saml:auth-level:1.0" and then a subsequent value of "low" so I came up with this claim:

<--

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(Type = "urn:Custom:saml:auth-level:1.0", Value = "Low", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:Custom:saml:auth-level:1.0");

-->

That claim language in turn sent the following claim:<Attribute Name="urn:Custom:saml:auth-level:1.0"><AttributeValue>Low</AttributeValue>

The RP then told me what I sent them wasn't going to work and instead they need this:

<saml:AuthnStatement AuthnInstant=""SessionIndex=""><saml:AuthnContext><saml:AuthnContextClassRef>urn:Custom:saml:auth-level:1.0:low</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>

I have no idea how to put straight <saml:> items into my claim language. I'm a normal AD/Windows guy and just dabble with ADFS so my customization skills with it are less than stellar.

We are using ADFS 2.0 on win 2008 R2 servers. No Proxy, just internal access to the ADFS servers. I'll keep on the bing machine looking for answers too, but any help provided here is greatly appreciated.

Thanks,

Adam

↧

How to build a custom claim rule to manipulate two string get fist character from one string and last two characters of second sting in ADFS 3.0

February 10, 2016, 11:04 am

≫ Next: Signed XML signature verification for SSO SAML (Using sha256)

≪ Previous: Send Custom SAML Response to RP using ADFS 2.0

I would like to build a custom rule in ADFS 3.0. Situation:

would like join the first character of the FirsrName and last two character of the EmployeeID to issue it as EmpCode.

Help,

↧

Signed XML signature verification for SSO SAML (Using sha256)

May 22, 2013, 5:20 am

≫ Next: ADFS3.0 Single Sign on to Power BI

≪ Previous: How to build a custom claim rule to manipulate two string get fist character from one string and last two characters of second sting in ADFS 3.0

Hello,

Using VS 2008 with .Net Framework 3.5 on windows 2003 server.

We have implemented SSO with SAML for security. We work at service provider end where we validate the Signed XML SAML Assertuib token generated from client's system.
As of now whatever signed documents we came across were using the Signature Algorithm "rsa-sha1", but now we have new customer who sends a file with the signature algorithm as "rsa-sha256" and here is the problem started.

I am not having any background on either on web security or on SSO SAML :( but I have a look at the current implementation and it is as below -

public static string VerifySignature()
        {
            if (m_xmlDoc == null)
                return "Could not load XMLDocument ";

            try
            {
                XmlNamespaceManager nsm = new XmlNamespaceManager(new NameTable());
                nsm.AddNamespace("dsig", SignedXml.XmlDsigNamespaceUrl);
                XmlElement sigElt = (XmlElement)m_xmlDoc.SelectSingleNode(
                    "//dsig:Signature", nsm);

                // Load the signature for verification
                SignedXml sig = new SignedXml(m_xmlDoc);
                sig.LoadXml(sigElt);

                if (!sig.CheckSignature())
                    return "Invalid Signature";
            }
            catch (Exception ex)
            {
                return ex.Message;
            }
            return string.Empty;
        }

Please note: NO CERTIFICATE USED IN THIS CODE.

Now, when I try the same code for this new customer (with signature algorithmrsa-sha256h) - this is not working and I am getting the error "SignatureDescription could not be created for the signature algorithm supplied."

Going through many blogs and articles in last 2-3 days, I came to know that SignedXml does not support sha256. Fine. But what next. There are different solutions provided but nothing is straight forward and on top of it "AS A NOVICE" I am not able to understand much out of it. Somewhere its mentioned that use the WIF, I have also checked & tried http://clrsecurity.codeplex.com/wikipage?title=Security.Cryptography.RSAPKCS1SHA256SignatureDescription&referringTitle=Home&ProjectName=clrsecurity

Can anyone help with kind of simple solution :) ? Thanks in advance for any help.

"An investment in knowledge pays the best interest." - Ben Franklin

↧

ADFS3.0 Single Sign on to Power BI

February 17, 2016, 3:11 pm

≫ Next: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint

≪ Previous: Signed XML signature verification for SSO SAML (Using sha256)

I am successfully can do SSO to O365 with ADFS3.0 and Azure AD connect. Once landing in O365, user click on button to go to Power BI and see Power BI Dashboard. From here I have option to share Dashboard URL with other user by enter Corporate user email address.

All is good till user who received the shared URL Dashboard. Opened this URL user has to enter his/her Corporate email address at O365 login prompt before cane be redirected to my ADFS.

This defeat purpose of doing SSO with Azure O365. How can I let user opens shared URL to Dashboard having same log in experience like if he/she using this SSO URL from desktop?

From desktop, if user already authenticate to corp. network, open this URL will do SSO to O365 and Power BI

https://adfs.XXX.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline

If open shared Dashboard URL, user get prompt to log in to O365

Thanks

↧

ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint

September 24, 2010, 6:10 am

≫ Next: Custom attribute and Dynamic Access Control: Claim Types

≪ Previous: ADFS3.0 Single Sign on to Power BI

We have a website protected by WIF which all works until i goto a specific subdir. I get the error

ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.


Exception Details: System.IdentityModel.Tokens.SecurityTokenException: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[SecurityTokenException: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.]
 Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ValidateToken(SessionSecurityToken token, String endpointId) +224
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.ValidateSessionToken(SessionSecurityToken sessionSecurityToken) +112
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken) +22
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +17
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +344
 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

The only difference I can see with this subdir is that it is defined as an application within IIS with its own web.config file. In ADFS1 we just defined the SSO settings in the root web.config and this protected all subdirs whether they were apps or not. Is this still the same with ADFS2?

Do i need to treat this subdir as a new relying party in ADFS2?
Could anyone explain what this error means?

Thanks

Have done some more playing...... I created a second relying party for www.test.com/subdir. Now it gets fun.....
If i goto www.test.com/subdir it logs in and we see the page, then i gotowww.test.com and we also see that page too. Coool
But if i goto www.test.com first, it logs in and we see the page, then i gotowww.test.com/subdir and we get the error above. Doh!!!

What should i be doing to get this working?

PS. We are using passive login.

↧

Custom attribute and Dynamic Access Control: Claim Types

February 19, 2016, 3:40 am

≫ Next: ADFS 3.0 Client certificate authentication not working

≪ Previous: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint

Hi,

I would like to create a Dynamic Access Control Claim type using a custom attribute I created in AD Schema, however when I create a new claim type it doesn't appear in the list of source attributes. Is there a way to do this?

↧

ADFS 3.0 Client certificate authentication not working

December 10, 2014, 7:25 am

≫ Next: ADFS and Relying party

≪ Previous: Custom attribute and Dynamic Access Control: Claim Types

Hi All

I’ve just rolled out ADFS 3.0 within my company and everything is working great but now I would like to enable Client certificate authentication and this is where the fun has started.

My environment is the following:

Windows 2012 r2 Domain controller with domain/forest functional level at windows 2012 r2

One domain controller installed as a certificate authority and currently giving out client certificate which is used for client authentication through TMG

ADFS server running windows 2012 r2 which is joined to our domain

ADFS server in the DMZ which is the ADFS proxy server and it in a “WORKGROUP”

Firewall ports which have been opened are HTTP, HTTPS and tcp/49443

When I enable cert auth and try to signin on the following URL (https://sts.my domain.com/adfs/ls/IdpInitiatedSignon.aspx) I get the following error:

An error occurred

Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information.

</form>

Error details

Activity ID: 00000000-0000-0000-1601-0080000000f2
Error time: Wed, 10 Dec 2014 13:03:26 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36

I’ve tried running this internally (Using chrome as my browser to ensure I get prompted for my users cert) to avoid firewall issues with the above result.

When I have a look at the event viewer on the ADFS server the following is logged:

Level: Error

Source: AD FS

Event ID: 364

Task Category: None

Gerneral:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Saml

Relying Party:

http://sts.<my domain>.com/adfs/services/trust

Exception details:

Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146885613

at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)

at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

I’m now at a loss as what else I should try to get this working. Can anyone advise how I should proceed or how I should be troubleshooting this problem?

Many thanks in advance

↧