Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 2.0 as SAML 2.0 IdP

Hi,

I have a very basic question regarding SSO implementation with ADFS 2.0 and SAML 2.0.

As per my limited knowledge on this, I am looking for some documentation on how to configure ADFS 2.0 to act as SAML 2.0 identity provider.

Please help me with this.

Thanks,

Trivedi


ID3242: The security token could not be authenticated or authorized

I'm getting the following error in my web application when it tries to authenticate to my service which uses IssuedTokenForCertificate authentication:

"ID3242: The security token could not be authenticated or authorized"


Here's the service configuration which specifies my Geneva STS as the token issuer:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.serviceModel>
      <services>
        <service name="MathService.MathService"
                 behaviorConfiguration="ServiceBehavior">
          <host>
            <baseAddresses>
              <add baseAddress="net.tcp://localhost:50000"/>
            </baseAddresses>
          </host>
          <endpoint name="MathService"
                    address="MathService.svc"
                    binding="customBinding"
                    bindingConfiguration="FederationTcpIssuedTokenForCertificateBinding"
                    contract="MathService.IMathService"/>

          <endpoint address="net.tcp://localhost:50001/mex"
             binding="mexTcpBinding"
             contract="IMetadataExchange"/>
        </service>
      </services>
      <extensions>
        <behaviorExtensions>
          <add name="federatedServiceHostConfiguration" type="Microsoft.IdentityModel.Configuration.ConfigureServiceHostBehaviorExtensionElement, Microsoft.IdentityModel, Version=0.6.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        </behaviorExtensions>
      </extensions>
      <behaviors>
        <serviceBehaviors>
            <behavior name="ServiceBehavior">
              <serviceCredentials>
                <serviceCertificate findValue="CN={...}"
                                    storeLocation="LocalMachine"
                                    storeName="My"/>
              </serviceCredentials>
              <serviceMetadata/>
              <serviceDebug includeExceptionDetailInFaults="True"/>
           </behavior>
        </serviceBehaviors>
      </behaviors>
      <bindings>
        <customBinding>
          <binding name="FederationTcpIssuedTokenForCertificateBinding">
            <security authenticationMode="SecureConversation"
                      requireSecurityContextCancellation="true">
              <secureConversationBootstrap authenticationMode="IssuedTokenForCertificate"
                      messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10">
              <issuedTokenParameters keyType="SymmetricKey"
                                     tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
                <issuer address="http://{...}/Trust/13/Certificate"
                        binding="ws2007HttpBinding"
                        bindingConfiguration="STS">
                  <identity>
                    <certificateReference findValue="CN={...}"
                                    storeLocation="LocalMachine"
                                    storeName="My"/>
                  </identity>
                </issuer>
                <claimTypeRequirements>
                  <add claimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" isOptional="true" />
                  <add claimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" isOptional="true" />
                </claimTypeRequirements>
                <issuerMetadata address="{...}"/>
              </issuedTokenParameters>
              </secureConversationBootstrap>
            </security>
            <binaryMessageEncoding/>
            <tcpTransport />
          </binding>
        </customBinding>
      </bindings>
    </system.serviceModel>
</configuration>

Here's the web client config:

<system.serviceModel>
  <bindings>
   <customBinding>
    <binding name="MathService">
     <security defaultAlgorithmSuite="Default" authenticationMode="SecureConversation"
      requireDerivedKeys="true" securityHeaderLayout="Strict" includeTimestamp="true"
      keyEntropyMode="CombinedEntropy" messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
      messageSecurityVersion="WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10"
      requireSecurityContextCancellation="true" requireSignatureConfirmation="false">
      <localClientSettings cacheCookies="true" detectReplays="true"
       replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
       replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
       sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
       timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
      <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
       maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
       negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
       sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
       reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
       timestampValidityDuration="00:05:00" />
      <secureConversationBootstrap defaultAlgorithmSuite="Default"
       authenticationMode="IssuedTokenForCertificate" requireDerivedKeys="true"
       securityHeaderLayout="Strict" includeTimestamp="true" keyEntropyMode="CombinedEntropy"
       messageProtectionOrder="SignBeforeEncryptAndEncryptSignature"
       messageSecurityVersion="WSSecurity11WSTrust13WSSecureConversation13WSSecurityPolicy12BasicSecurityProfile10"
       requireSignatureConfirmation="true">
       <issuedTokenParameters keyType="SymmetricKey" tokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
        <additionalRequestParameters>
         <trust:SecondaryParameters xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
          <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
          <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
          <trust:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
           xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
           <wsid:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
           </wsid:ClaimType>
           <wsid:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            Optional="true" xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity">
           </wsid:ClaimType>
          </trust:Claims>
         </trust:SecondaryParameters>
        </additionalRequestParameters>
         <issuer address="http://{...}/Trust/13/Certificate"
                 binding="ws2007HttpBinding"
                 bindingConfiguration="STS">
           <identity>
             <certificate encodedValue="{...}"/>
           </identity>
         </issuer>
        <issuerMetadata address="https://{...}/Trust/Mex" />
       </issuedTokenParameters>
       <localClientSettings cacheCookies="true" detectReplays="true"
        replayCacheSize="900000" maxClockSkew="00:05:00" maxCookieCachingTime="Infinite"
        replayWindow="00:05:00" sessionKeyRenewalInterval="10:00:00"
        sessionKeyRolloverInterval="00:05:00" reconnectTransportOnFailure="true"
        timestampValidityDuration="00:05:00" cookieRenewalThresholdPercentage="60" />
       <localServiceSettings detectReplays="true" issuedCookieLifetime="10:00:00"
        maxStatefulNegotiations="128" replayCacheSize="900000" maxClockSkew="00:05:00"
        negotiationTimeout="00:01:00" replayWindow="00:05:00" inactivityTimeout="00:02:00"
        sessionKeyRenewalInterval="15:00:00" sessionKeyRolloverInterval="00:05:00"
        reconnectTransportOnFailure="true" maxPendingSessions="128" maxCachedCookies="1000"
        timestampValidityDuration="00:05:00" />
      </secureConversationBootstrap>
     </security>
     <binaryMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
      maxSessionSize="2048">
      <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
       maxBytesPerRead="4096" maxNameTableCharCount="16384" />
     </binaryMessageEncoding>
     <tcpTransport manualAddressing="false" maxBufferPoolSize="524288"
      maxReceivedMessageSize="65536" connectionBufferSize="8192" hostNameComparisonMode="StrongWildcard"
      channelInitializationTimeout="00:00:05" maxBufferSize="65536"
      maxPendingConnections="10" maxOutputDelay="00:00:00.2000000"
      maxPendingAccepts="1" transferMode="Buffered" listenBacklog="10"
      portSharingEnabled="false" teredoEnabled="false">
      <connectionPoolSettings groupName="default" leaseTimeout="00:05:00"
       idleTimeout="00:02:00" maxOutboundConnectionsPerEndpoint="10" />
     </tcpTransport>
    </binding>
   </customBinding>
    <ws2007HttpBinding>
      <binding name="STS" closeTimeout="00:01:00"
           openTimeout="00:01:00" receiveTimeout="00:10:00" sendTimeout="00:01:00"
           bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard"
           maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
           messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true"
           allowCookies="false">
        <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
            maxBytesPerRead="4096" maxNameTableCharCount="16384" />
        <reliableSession ordered="true" inactivityTimeout="00:10:00"
            enabled="false" />
        <security mode="Message">
          <message clientCredentialType="Certificate"
                   negotiateServiceCredential="false"
                   algorithmSuite="Default"
                   establishSecurityContext="false"/>
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
   <endpoint address="net.tcp://localhost:50000/MathService.svc"
             binding="customBinding"
             bindingConfiguration="MathService"
             contract="MathService.IMathService"
             name="MathService">
    <identity>
      <certificate encodedValue="{...}"/>
    </identity>
   </endpoint>
  </client>
 </system.serviceModel>

Here's the web client code to setup the service proxy:

// Client certificate presented to the STS (mapped to a domain user in AD)
serviceProxy.ClientCredentials.ClientCertificate.SetCertificate(
    StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint, "{...}");
// MathService's own certificate, used for the IssuedTokenForCertificate bootstrap
serviceProxy.ClientCredentials.ServiceCertificate.SetDefaultCertificate(
    "CN={...}", StoreLocation.LocalMachine, StoreName.My);
// STS certificate, scoped to the issuer endpoint address
serviceProxy.ClientCredentials.ServiceCertificate.SetScopedCertificate(
    StoreLocation.LocalMachine, StoreName.My, X509FindType.FindByThumbprint,
    "{...}", new Uri("http://{...}/Trust/13/Certificate"));

The web client is passing a certificate credential that has been mapped to a domain user in AD. 

Please let me know if anyone has an idea of how to determine why authentication is failing.  I have Geneva STS tracing on verbose, but it's not giving me any messages about why the certificate isn't being authenticated.  Also, the AD PDC's windows security log doesn't show any audit failures.

Thanks in advance.
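
An added diagnostic, not code from the post and not a WIF or Geneva sample: it asks the STS for a token using the same client certificate and the same ws2007HttpBinding shape the web client configures, so the author can see directly whether the STS accepts the certificate before the issued token ever reaches MathService. It assumes the WIF 3.5 RTM Microsoft.IdentityModel API rather than the 0.6.1.0 Geneva beta named in the config; the STS host, thumbprint and certificate subject are placeholders for the values redacted as {...}.

```csharp
// Added diagnostic (not from the original post). Requests a SAML 1.1 token from
// the STS with the web client's certificate, to separate "STS rejects the
// certificate" from "MathService rejects the issued token".
// Assumes WIF 3.5 RTM (Microsoft.IdentityModel), not the 0.6.1.0 Geneva beta.
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;

static class StsProbe
{
    // Placeholders for the values the post redacts as {...}.
    const string StsAddress = "http://STS-HOST-PLACEHOLDER/Trust/13/Certificate";
    const string ClientCertThumbprint = "CLIENT-CERT-THUMBPRINT-PLACEHOLDER";
    const string StsCertSubject = "CN=STS-CERT-SUBJECT-PLACEHOLDER";
    const string AppliesTo = "net.tcp://localhost:50000/MathService.svc";
    const string Saml11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    // Looks a certificate up in LocalMachine\My, the store the post's config uses.
    static X509Certificate2 FindCert(X509FindType findType, string value)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(findType, value, false);
            if (found.Count == 0)
                throw new InvalidOperationException("Certificate not found: " + value);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    static void Main()
    {
        // Same shape as the "STS" ws2007HttpBinding in the client config:
        // message security, certificate credential, no negotiation, no session.
        var binding = new WS2007HttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        binding.Security.Message.NegotiateServiceCredential = false;
        binding.Security.Message.EstablishSecurityContext = false;

        X509Certificate2 stsCert = FindCert(X509FindType.FindBySubjectDistinguishedName, StsCertSubject);
        var address = new EndpointAddress(new Uri(StsAddress),
                                          EndpointIdentity.CreateX509CertificateIdentity(stsCert));

        var factory = new WSTrustChannelFactory(binding, address);
        factory.TrustVersion = TrustVersion.WSTrust13;   // matches the /Trust/13/ endpoint
        factory.Credentials.ClientCertificate.Certificate =
            FindCert(X509FindType.FindByThumbprint, ClientCertThumbprint);
        // Negotiation is off, so the STS certificate has to be supplied up front.
        factory.Credentials.ServiceCertificate.DefaultCertificate = stsCert;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(AppliesTo),
            KeyType = KeyTypes.Symmetric,
            TokenType = Saml11
        };

        try
        {
            var channel = (WSTrustChannel)factory.CreateChannel();
            RequestSecurityTokenResponse rstr;
            SecurityToken token = channel.Issue(rst, out rstr);
            var xmlToken = token as GenericXmlSecurityToken;
            Console.WriteLine("STS accepted the certificate. Issued token:");
            Console.WriteLine(xmlToken != null ? xmlToken.TokenXml.OuterXml : token.GetType().FullName);
        }
        catch (MessageSecurityException ex)
        {
            // The STS (or the message security layer) refused the request.
            Console.WriteLine("STS rejected the request: " + ex.Message);
            if (ex.InnerException != null)
                Console.WriteLine("  inner: " + ex.InnerException.Message);
        }
        catch (CommunicationException ex)
        {
            Console.WriteLine("Could not reach or negotiate with the STS: " + ex.Message);
        }
    }
}
```

If the call succeeds, the certificate leg is working and the next leg to examine is the service's validation of the issued token (the issuer certificate it trusts and the audience it expects); if it faults, the STS's own fault text says why, which is more direct than the STS trace the post mentions.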

Federated Web SSO ASP.NET app on a Cloud-based infrastructure

Hi Guys!

We have a couple of internal asp.net web applications. Intranet users authenticate using AD, and are authorized in the internal apps using the web.config (<authorization> sections), by their AD groups or specific account names. Nothing fancy here. But recently, our organization has decided to move some of these internal apps to a cloud offered by a 3rd party.

The apps are reachable through our internal network using a VPN with the cloud. However, the apps are now in a different AD domain. We do not want to replicate our current directory in that new AD, and users do not want to log into another domain...

I was thinking of using ADFS for this. I found a similar scenario described in http://technet.microsoft.com/en-us/library/cc771308(v=ws.10).aspx. But I feel mine is much simpler.

Thus, the questions:

  • Is ADFS the right solution for this?
  • Do I need a Resource Federation Server installed in the Cloud-based portion of my network?
  • Can I keep authorizing users/groups using the web.config (<authorization> sections) in those web apps?

I would be grateful for any tip, pointers or recommendation on using ADFS in a similar scenario.

Many thanks

Jose Parra

ADFS, ADFS Proxies, DMZ and Load Balancing

Hi Everyone,

We are looking to deploy ADFS servers and ADFS proxy servers in a secure, resilient fashion.

Our hosting company does NOT support Microsoft NLB but does support Cisco ACE kit to perform load balancing (similar to F5's I think?).

Our architecture:

DMZ
====
Cisco ACE module for ADFS proxy load balancing and SSL (not offloading)
Two ADFS proxies with SSL enabled
Configure ADFS proxies to talk to ADFS server load balancer....

Trusted Zone
========
Cisco ACE module for ADFS server load balancing and SSL (not offloading)
Two ADFS servers with SSL enabled using SQL server DB

Questions:

1. Are there specific load balancing cookies set by the ADFS servers for load balancers to use to set up sticky/persistent sessions?

2. Do we need to install TLS/SSL key pairs and certs on the Cisco ACE kit for SSL pass-thru?

3. Do ADFS and ADFS proxies provide dedicated pages to inform load balancers they are "alive"?

4. I have seen a thread with someone getting this working with Big IP F5's (I think)... any gotchas? What was the actual config used?

Many thanks

Tony

Presumably the Cisco F5 (or our ACE kit) has the ADFS proxy or ADFS server SSL key pairs and certs installed, as well as the actual ADFS servers?

Thanks

Tony

Automating home realm discovery failing in ADFS for SAML 2.0 RP?

Hi,

We have a SAML 2.0 relying party configured as a partner to ADFS 2.0. We also have a custom/passive STS, developed using .NET Framework 3.5 / WIF SDK, added as a CP for ADFS. We are trying to automate the home realm discovery page for ADFS to use the custom STS; ADFS is throwing the following error/exception.

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.InvalidOperationException: MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.

The following URL is used to automate the HRD in ADFS

https://<ADFS Host Name>/adfs/ls/?wa=wsignin1.0&wtrealm=<SAML 2.0 RP Identifier>&whr=<Custom STS-CP Identifier>

Can you please assist?


Using objectGUID for a claim what is the best schema to use?

So I can specify an objectGUID attribute as an Active Directory claim and it retrieves it just fine. However it sends it as a Base64 encoded value.

Is there a way to format it like the SID is normally seen so there are no special characters being sent and it then doesn't need to be Base64 encoded?

I was hoping there was a Claim Description name and schema I could use for objectGUID like there is for Primary SID.

Does anyone have one, and how do I add it to ADFS 2.0 Claim Descriptions?
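
An added example, not code from the post: the Base64 value AD FS emits is the raw 16-byte objectGUID, so a relying party (or a custom attribute store) can turn it into the hyphenated GUID string that AD tools display, which contains no Base64 special characters. The sample GUID is constructed; nothing here is an AD FS API.

```csharp
// Added example (not from the original post). Converts the Base64 objectGUID
// claim value to the hyphenated GUID string AD tools show, and back again.
using System;

static class ObjectGuidClaim
{
    // Base64 claim value -> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    public static string ToGuidString(string base64Value)
    {
        byte[] raw = Convert.FromBase64String(base64Value);   // FormatException on bad input
        if (raw.Length != 16)
            throw new FormatException("objectGUID must decode to 16 bytes, got " + raw.Length);
        // Guid(byte[]) expects exactly the layout AD stores for objectGUID (first
        // three fields little-endian), so no byte reordering is needed and the
        // result matches what ADSI Edit or Get-ADUser display.
        return new Guid(raw).ToString("D");
    }

    // GUID -> the Base64 form the claim currently carries (for round-trip checks)
    public static string ToBase64(Guid guid)
    {
        return Convert.ToBase64String(guid.ToByteArray());
    }

    static void Main()
    {
        // Constructed sample GUID, not a real directory object.
        var sample = new Guid("01234567-89ab-cdef-0123-456789abcdef");
        string claimValue = ToBase64(sample);        // what the claim carries today
        string readable = ToGuidString(claimValue);  // what the SP would rather receive
        Console.WriteLine(claimValue + " -> " + readable);
        Console.WriteLine(readable == sample.ToString("D") ? "round-trip ok" : "MISMATCH");
    }
}
```

The 16-byte check matters because a claim value that was truncated or double-encoded in transit would otherwise be silently turned into a wrong but well-formed GUID.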

Help with Educause.edu federation and claims rules.

I've been posting a number of questions and they have all been really helpful at getting me to where I am now, but now I'm finally at the end of the error trail and all I really need is somebody to post to me the claims rules they setup to get federated login with educause.edu. Here is the link to the configuration information they provide on their website:

https://www.educause.edu/idp_setup/info

I have been able to successfully create claims rules that put what I believe to be the correct information into the token ( I can see the info with my test setup of a WIF relying party created from the SDK), but I can't seem to find just the right set of rules. Or maybe there is somebody out there that has set this up and has it working and knows where I went wrong.

I've found that somewhere the SP has made reference to extentionAttribute#5 and I've populated that attribute in AD manually, but nowhere have I found any documentation on what an ADFS customer like me should be doing to get it to work with Educause.edu.

Thank you.

ADFS 2.0 - Service cannot start

Hi everyone,

This is the first time that I have not been able to install ADFS 2.0 correctly. I suspect the server, but I have no idea where I need to get some information to fix that.

I used my own deployment plan, which I had already installed successfully before on my virtual machine. The target is one ADFS 2.0 server that uses a remote SQL Server. I generated the scripts correctly with fsconfig, created the SPN, created the user on SQL and ran my 2 scripts.

Then I tried to create the ADFS SQL farm with fsconfig; all steps completed successfully except the last one, starting the ADFS services. Event ID errors 102 and 220 are logged in my Event Viewer.

If I enable tracing on ADFS I have these errors:

Nom du journal :AD FS 2.0 Tracing/Debug
Source :  AD FS 2.0 Tracing
Date :   14/02/2011 17:37:31
ID de l’événement :37
Catégorie de la tâche :Aucun
Niveau :  Erreur
Mots clés : ADFSPolicyServerService
Utilisateur : IRCPROTO\SVC-ADFS
Ordinateur : CINCA.ircproto.mpw.fra
Description :
An error occurred while trying to search in the policy store:
Message: Une exception a été levée par la cible d'un appel.

XML de l’événement :<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" /><EventID>37</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000080</Keywords><TimeCreated SystemTime="2011-02-14T16:37:31.594724800Z" /><EventRecordID>1</EventRecordID><Correlation /><Execution ProcessID="3092" ThreadID="556" ProcessorID="1" KernelTime="15" UserTime="28" /><Channel>AD FS 2.0 Tracing/Debug</Channel><Computer>CINCA.ircproto.mpw.fra</Computer><Security UserID="S-1-5-21-1556569207-3421234143-1596450342-86374" /></System><UserData><Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData>An error occurred while trying to search in the policy store:
Message: Une exception a été levée par la cible d'un appel.</EventData></Event></UserData></Event>

and

Nom du journal :AD FS 2.0 Tracing/Debug
Source :  AD FS 2.0 Tracing
Date :   14/02/2011 17:37:31
ID de l’événement :53
Catégorie de la tâche :Aucun
Niveau :  Avertissement
Mots clés : ADFSSTS
Utilisateur : IRCPROTO\SVC-ADFS
Ordinateur : CINCA.ircproto.mpw.fra
Description :
Got exception:ADMIN0012 : OperationFault with stacktrace: à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Sql.SqlStore.Search(Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.<>c__DisplayClass4.<SearchCore>b__3()à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.AttemptDeadlockSusceptibleOperation(DeadlockSusceptibleOperation operation)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchCore(IPolicyStoreService store, Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchDirect(Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Configuration.SqlServiceConfigurationReader.LoadData()à Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData()à Microsoft.IdentityServer.Service.SecurityTokenService.STSService.FetchAdministrationServiceConfiguration() while fetching configuration. Will retry in 2000 ms.
XML de l’événement :<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" /><EventID>53</EventID><Version>0</Version><Level>3</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000400</Keywords><TimeCreated SystemTime="2011-02-14T16:37:31.610349600Z" /><EventRecordID>2</EventRecordID><Correlation /><Execution ProcessID="3092" ThreadID="556" ProcessorID="1" KernelTime="16" UserTime="28" /><Channel>AD FS 2.0 Tracing/Debug</Channel><Computer>CINCA.ircproto.mpw.fra</Computer><Security UserID="S-1-5-21-1556569207-3421234143-1596450342-86374" /></System><UserData><Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData>Got exception:ADMIN0012 : OperationFault with stacktrace: à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.Sql.SqlStore.Search(Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.&lt;&gt;c__DisplayClass4.&lt;SearchCore&gt;b__3()à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.AttemptDeadlockSusceptibleOperation(DeadlockSusceptibleOperation operation)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchCore(IPolicyStoreService store, Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.SearchDirect(Filter filter, Int32 maxObjects, String[] propertyNames)à Microsoft.IdentityServer.Service.Configuration.SqlServiceConfigurationReader.LoadData()à Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData()à Microsoft.IdentityServer.Service.SecurityTokenService.STSService.FetchAdministrationServiceConfiguration() while fetching 
configuration. Will retry in 2000 ms.</EventData></Event></UserData></Event>

Can someone help me interpret these errors, please?

Thank you so much,
Alex



GIRAUD Alexandre - MVP Forefront France http://www.alexgiraud.net/blog

making WIF STS produce a response suitable for ADFS 1.0

http://wp.me/p1fcz8-3YF  shows two WS-FEDP responses (in XML).

How do I make an older PRP-era response, using the WIF STS framework?

Is there some "binding" property I can set on the configuration object, perhaps, that changes the way that the outer ws-fedp protocol wrapper gets formatted as it wraps the SAML assertion?

ADFS 2.0 providing an IdP-Initiated SSO for a SAML 2.0 Application

Hi,

I have configured ADFS 2.0 to work with an application vendor that only accepts IdP-Initiated SSO using SAML 2.0; they do not send a SAMLRequest.

When the user goes to the Application page...

  1. they are redirected to https://adfs-server/adfs/ls/IdpInitiatedSignOn.aspx?SAMLRequest=&RelayState=application-url
  2. first thing is they have to choose the application (how can I stop this from happening, and direct them directly to the login screen?)
  3. once logged in, they are redirected correctly to the application page and are logged in to the application
  4. after closing the IE session and going again to the same application page, steps 1 - 3 are repeated (how can I get SSO to work so they don't need to login again?)

The application vendor says they do not provide a SAMLRequest to start and expect the ADFS server to do the IdP-initiated login directly, so ADFS is supposed to understand the SSO cookie and log in the user directly.


Hany Elkady

Infrastructure Consultant
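
An added example, not code from the post and not an AD FS API: it builds the IdP-initiated sign-on URL in which the relying party and the post-login target are carried inside RelayState, so the user is not asked to pick an application first. It assumes AD FS 2.0 with Update Rollup 2 (KB2681584) or later, which added this RelayState handling, and that `<useRelayStateForIdpInitiatedSignOn enabled="true" />` has been set under `<microsoft.identityServer.web>` in the federation service web.config; the host and identifiers are placeholders.

```csharp
// Added example (not from the original post). Builds the AD FS 2.0 IdP-initiated
// sign-on URL with RPID and the target URL nested inside RelayState.
// Assumes AD FS 2.0 Update Rollup 2 or later with useRelayStateForIdpInitiatedSignOn enabled.
using System;

static class IdpInitiatedSignOnUrl
{
    public static string Build(string adfsHost, string rpIdentifier, string targetUrl)
    {
        if (!Uri.IsWellFormedUriString(targetUrl, UriKind.Absolute))
            throw new ArgumentException("targetUrl must be an absolute URL", "targetUrl");

        // The RelayState AD FS parses is itself a query string (RPID=...&RelayState=...).
        // Each inner value is encoded once, then the assembled inner string is encoded
        // again; a single-encoded '&' or '=' in an identifier would split it wrongly.
        string inner = "RPID=" + Uri.EscapeDataString(rpIdentifier)
                     + "&RelayState=" + Uri.EscapeDataString(targetUrl);
        return "https://" + adfsHost + "/adfs/ls/IdpInitiatedSignOn.aspx?RelayState="
             + Uri.EscapeDataString(inner);
    }

    static void Main()
    {
        // Placeholder host and identifiers; the post does not give the real ones.
        Console.WriteLine(Build("adfs-server",
                                "https://app.example.test/saml/metadata",
                                "https://app.example.test/landing"));
    }
}
```

RPID must be the relying party identifier exactly as configured in the AD FS trust; AD FS only forwards the inner RelayState for a relying party it already has a trust for.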

SP-initiated sign-on with SAML 2.0 AuthnContextClassRef and ForceAuthn=True

Hi,

I'm doing an SP-initiated sign-on from a SAML web application to an AD FS 2.0 IdP and specifying an authentication context class URI of urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Logging on to AD FS via the proxy works fine.

Authentication Handler Overview
http://msdn.microsoft.com/en-us/library/ee895365.aspx

I've used the above document as a reference. On the farm side, the Forms handler is listed in my local authentication types within the web.config. Because no comparison attribute is specified in the request, according to SAML specs, this defaults to Exact. Equally, if ForceAuthn=True is set, existing session cookies are ignored, and provided an authentication context class reference is specified, AD FS will serve up the appropriate authentication handler. Given that the URI specified is password, I would expect to see the forms sign-in page; however, it's ignoring the authentication context class and defaulting to the integrated handler (urn:federation:authentication:windows).

Am I missing something here, as the documentation suggests that this is possible? I've done SAML traces and the authentication context class reference is being passed correctly from the SP. As expected, if a user does integrated auth then they're denied at the SP because the class reference doesn't match. I understand that in IdP-initiated sign-on scenarios some customization is required, but in SP-initiated scenarios I would expect this to work. I could always pass the appropriate desired context back via a custom claims rule, but I want to force forms logon, i.e. break SSO for this particular SP.

Regards,
Mylo

customBinding for activeSTS behind load balancer terminating SSL

So what is the form of a customBinding for hosting an activeSTS in IIS, launched by a foo.svc file available on both https and http endpoints?

The answer is... it's the same as the expansion of the ws2007binding.

Let's assume one's ws2007binding is the SIMPLEST possible: no service cert negotiation, no security context token agreement, and it expects the ws-trust (feb05) request whose SOAP header has a username token (with username and password that have nothing to do with windows domains).

Finally, the twist.

Assume your IIS website under which issuer.svc is activated has **BOTH** http and https bindings (with suitable public cert, with CRLDP, OCSP pointers, etc). But your load balancer terminates the SSL.

Now, Microsoft apparently prepares for this, giving a magical flag one can add to a customBinding [service] (allowing for insecure final-leg transport).

Logically, the hop from LB to resource server is now http. Does this mean, FOR THE WSTRUST CASE, one removes the resource server's https binding in IIS, or not?

Now the syntax for custom bindings is NOTHING like the canned bindings. And I, for one, cannot fathom how to make a custom binding that is the same as my ws2007binding (and then add the insecuretransport=true flag).

Try as I may, fiddling with the 150 settable flags in the custom binding, they are not like the wstrust2007 binding (that dumbs it all down, mostly). The dumb version doesn't have the allowinsecuretransport option, though. And the complex form is too hard... (for me).
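
An added example, not code from the post and not a Microsoft sample, covering the two things the post asks for: expanding a canned WS2007HttpBinding into its binding elements, which is the quickest way to see what the equivalent customBinding must contain, and building that same stack as a CustomBinding with AllowInsecureTransport set for the case where the load balancer terminates TLS. It assumes .NET 4.0 or later, where SecurityBindingElement.AllowInsecureTransport exists; the "simplest" binding is taken from the post's description (username token, no service-certificate negotiation, no secure-conversation session).

```csharp
// Added example (not from the original post). Assumes .NET 4.0+.
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels;

static class StsBindings
{
    // The "simplest" ws2007HttpBinding the post describes: username token in the
    // SOAP header, TLS for confidentiality, no service-certificate negotiation,
    // no secure-conversation session.
    public static WS2007HttpBinding Canned()
    {
        var b = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.Security.Message.NegotiateServiceCredential = false;
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }

    // Type names of the binding elements the canned binding expands to, in stack
    // order: these are the child elements an equivalent <customBinding> needs.
    public static List<string> ExpandedElementNames()
    {
        var names = new List<string>();
        foreach (BindingElement element in Canned().CreateBindingElements())
            names.Add(element.GetType().Name);
        return names;
    }

    // The same stack written out as a CustomBinding, with the final hop allowed
    // to be plain http because the TLS endpoint is the load balancer, not IIS.
    public static CustomBinding ForTerminatedTls()
    {
        TransportSecurityBindingElement security =
            SecurityBindingElement.CreateUserNameOverTransportBindingElement();
        // WS2007HttpBinding defaults to the WS-Trust 1.3 versions; the post says the
        // clients send WS-Trust Feb 2005, so that version is set explicitly here.
        security.MessageSecurityVersion = MessageSecurityVersion
            .WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10;
        security.AllowInsecureTransport = true;   // .NET 4.0+: accept http on the final leg

        return new CustomBinding(
            security,
            new TextMessageEncodingBindingElement(),
            new HttpTransportBindingElement());   // http, not https: the LB owns TLS
    }

    static void Main()
    {
        foreach (string name in ExpandedElementNames())
            Console.WriteLine(name);
        Console.WriteLine(ForTerminatedTls().Scheme);   // transport scheme of the custom stack
    }
}
```

In configuration the same stack is a `<security authenticationMode="UserNameOverTransport" allowInsecureTransport="true" messageSecurityVersion="...">` element followed by `<textMessageEncoding/>` and `<httpTransport/>`. With AllowInsecureTransport the username token travels unencrypted between the load balancer and IIS, so that network segment has to be one you trust, and that is the real trade-off behind the question of whether the server's https binding is still needed.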

What are the mandatory features, Custom STS should implement ?

Dears,

I have tried to build a custom STS with a custom SQL Server as an attribute store. I tried to download Thinktecture and customize it with no hope, as it has a lot of complications that I don't need right now.

I'm targeting .NET 4.5 and have no sample template to start with. Any help with the basics and standards that one should start with to build the solution step by step.

Thanks. 

WIF 3.51 nuget package?

It appears that the WIF 3.51 nuget package may not be the latest (6.1.7600.16394 vs 6.2.9200.16384).

WIF 3.51 Nuget Package

Any reason for this?

WIF 3.51 / 4.5 interoperability?

We have a legacy .NET 3.5 asp.net app that uses WIF 3.51. Our other web apps are in .NET / WIF 4.5. However, it is non-trivial to update this one particular web app from 3.51 to .NET 4.5.

This leads to the following two questions:

1. Is it possible for a 3.51 ASP.NET/WIF web app to consume a SAML token generated by a WIF 4.5 token issuer?

2. Is it possible for a 3.51 ASP.NET/WIF web app to consume the WIF cookie generated by a WIF 4.5 relying party?




AD FS 2.0 364, 102 and 381 errors

Hi,

My ADFS 2.0 that I use for CRM2011 worked without problem until a few days ago.

Now I get the following errors:

Event 364:

Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/adfs/services/trusttcp/windows that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

Server stack trace:
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/adfs/services/trusttcp/windows' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/adfs/services/trusttcp/windows that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

Server stack trace:
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.Issue(Message request, WCFResponseData responseData)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, WCFResponseData responseData)
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)

System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/adfs/services/trusttcp/windows that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

Server stack trace:
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityModel.Protocols.WSTrust.IWSTrustContract.Issue(Message message)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(Message message)
   at Microsoft.IdentityServer.Protocols.WSTrust.WSTrustClientManager.IssueWorker(Message request, Boolean firstTry, WCFResponseData responseData)

Event 102:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
   at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
   at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate)
   at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime

Event 381:

An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '135187EB8C087177CEB54B71A5E2BDD1B0995189'. Possible causes are that the certificate has been revoked or certificate is not within its validity period.
The following errors occurred while building the certificate chain:  
MSIS2013: A required certificate is not within its validity period when verifying against the current system clock.

I'm using a wildcard certificate and this is a single server AD FS 2.0 and CRM 2011 deployment.

WCF + AD FS Active Federation Question


Hi, I'm having some trouble trying to configure active federation on a WCF service. I will explain my environment configuration:

WINSERVER2012 (VM) Windows Server 2012 + AD + AD FS 2.0

WIN-DEV1 (VM) (WCF Host + WCF Consumer)

WIN-DEV1 has joined the domain hosted by WINSERVER2012 called FMTemporary.fm.

In the following I describe my requirements:

Since the WCF service is hosted by a machine which is in the FMTemporary.fm domain, all clients that belong to the same domain should be allowed to call the service without the need for a username and password (SSO).

I've configured AD FS and everything is working fine using the endpoint /services/trust/13/usernamemixed in conjunction with username + password, but I cannot get the endpoint /services/trust/13/windowsmixed with Windows authentication working.

The error I get on the client is the following:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was host/winserver2012. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (FMTEMPORARY.FM) is different from the client domain (FMTEMPORARY.FM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

WCF Host config:

<system.serviceModel>
  <services>
    <service name="WebApplication.Service">
      <endpoint binding="ws2007FederationHttpBinding" contract="WebApplication.IService" address="" />
    </service>
  </services>
  <serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true">
    <serviceActivations>
      <add service="WebApplication.Service" relativeAddress="~/Service.svc" />
    </serviceActivations>
  </serviceHostingEnvironment>
  <behaviors>
    <serviceBehaviors>
      <behavior name="">
        <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
        <serviceDebug includeExceptionDetailInFaults="true" />
        <serviceAuthorization principalPermissionMode="Always" />
        <serviceCredentials useIdentityConfiguration="true">
          <!--Certificate added by Identity and Access Tool for Visual Studio.-->
          <serviceCertificate findValue="ServicesCert" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectName" />
          <clientCertificate>
            <authentication revocationMode="NoCheck" certificateValidationMode="None"/>
          </clientCertificate>
        </serviceCredentials>
      </behavior>
    </serviceBehaviors>
  </behaviors>
  <protocolMapping>
    <add scheme="http" binding="ws2007FederationHttpBinding" />
  </protocolMapping>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="">
        <security>
          <message>
            <issuer address="https://winserver2012/adfs/services/trust/13/windowsmixed"
                    binding="ws2007HttpBinding"
                    bindingConfiguration="ADFSConfiguration" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    <ws2007HttpBinding>
      <binding name="ADFSConfiguration">
        <security mode="TransportWithMessageCredential">
          <message clientCredentialType="Windows"
                   establishSecurityContext="false" />
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
</system.serviceModel>
<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="http://localhost:33169/Service1.svc" />
    </audienceUris>
    <issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
      <authority name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust">
        <keys>
          <add thumbprint="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" />
        </keys>
        <validIssuers>
          <add name="http://WINSERVER2012.FMTemporary.fm/adfs/services/trust" />
        </validIssuers>
      </authority>
    </issuerNameRegistry>
    <certificateValidation certificateValidationMode="None" revocationMode="NoCheck" />
    <!--certificationValidationMode set to "None" by the Identity and Access Tool for Visual Studio. For development purposes.-->
  </identityConfiguration>
</system.identityModel>

WCF Consumer config:

<system.serviceModel>
  <bindings>
    <ws2007FederationHttpBinding>
      <binding name="ServiceConfiguration">
        <security>
          <message>
            <issuer binding="ws2007HttpBinding"
                    bindingConfiguration="ADFSConfiguration"
                    address="https://winserver2012/adfs/services/trust/13/windowsmixed" />
          </message>
        </security>
      </binding>
    </ws2007FederationHttpBinding>
    <ws2007HttpBinding>
      <binding name="ADFSConfiguration">
        <security mode="TransportWithMessageCredential">
          <message establishSecurityContext="false"
                   clientCredentialType="Windows"/>
        </security>
      </binding>
    </ws2007HttpBinding>
  </bindings>
  <client>
    <endpoint address="http://localhost:33169/Service.svc" binding="ws2007FederationHttpBinding"
              bindingConfiguration="ServiceConfiguration"
              contract="ServiceReference1.IService" name="WS2007FederationHttpBinding_IService">
      <identity>
        <certificateReference storeLocation="LocalMachine"
                              storeName="My"
                              x509FindType="FindBySubjectName"
                              findValue="ServicesCert"/>
      </identity>
    </endpoint>
  </client>
</system.serviceModel>

P.S. The AD FS endpoint (/services/trust/13/windowsmixed) is enabled and I've added the Relying Party to AD FS. I'm pretty sure AD FS is configured fine because switching to the /services/trust/13/usernamemixed endpoint gives no error.

Any help is greatly appreciated.

Massimiliano.
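The KRB_AP_ERR_MODIFIED text quoted in the post above points at the usual root cause: the SPN the client asks for (host/winserver2012) resolves to a different account than the one the AD FS service actually runs as, or it is registered on more than one account. The script below is an added diagnostic for this thread, not the poster's code and not part of AD FS; it looks the SPN up in Active Directory and reports whether it is missing, duplicated, or held by an unexpected account. It assumes it is run by a domain user on a domain-joined machine, and the expected service account name is a placeholder to replace.

```powershell
# Added example (not the poster's code): check which AD account(s) hold a given SPN.
# Assumptions: run on a domain-joined machine as a domain user; $ExpectedAccount is a
# placeholder for the account the AD FS service runs as.

param(
    [string]$Spn = 'host/winserver2012',
    [string]$ExpectedAccount = 'ADFS-SERVICE-ACCOUNT-PLACEHOLDER'
)

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$ServicePrincipalName)

    # LDAP search rooted at the current domain for any object carrying this SPN.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$ServicePrincipalName)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    [void]$searcher.PropertiesToLoad.Add('objectClass')

    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account     = [string]$result.Properties['samaccountname'][0]
            # objectClass is multi-valued; the last entry is the most specific one:
            # 'computer' for a machine account (e.g. WINSERVER2012$), 'user' for a service account.
            ObjectClass = [string](@($result.Properties['objectclass'])[-1])
        }
    }
}

function Test-SpnRegistration {
    param(
        [Parameter(Mandatory)][string]$ServicePrincipalName,
        [Parameter(Mandatory)][string]$ExpectedAccount
    )
    $owners = @(Get-SpnOwner -ServicePrincipalName $ServicePrincipalName)

    if ($owners.Count -eq 0) {
        return "MISSING: no account holds '$ServicePrincipalName'; the KDC cannot issue a ticket for it."
    }
    if ($owners.Count -gt 1) {
        $names = ($owners | ForEach-Object { $_.Account }) -join ', '
        return "DUPLICATE: '$ServicePrincipalName' is registered on $names; Kerberos requires exactly one owner."
    }
    $owner = $owners[0]
    if ($owner.Account -ne $ExpectedAccount) {
        # The ticket is encrypted with the owner's key, so a service running under a
        # different account cannot decrypt it: exactly the KRB_AP_ERR_MODIFIED symptom.
        return "MISMATCH: '$ServicePrincipalName' is held by $($owner.Account) ($($owner.ObjectClass)), but the service runs as $ExpectedAccount."
    }
    return "OK: '$ServicePrincipalName' is registered only on $ExpectedAccount."
}

Test-SpnRegistration -ServicePrincipalName $Spn -ExpectedAccount $ExpectedAccount
```

If the report says the SPN is held by the computer account while AD FS runs under a domain service account, the two usual remedies are to register the federation service name (as host/FQDN) on the service account, or to tell the WCF client explicitly which SPN to request by adding an identity element with a servicePrincipalName value under the issuer element, so the client and the service agree on one name and one key.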

ADFS and WebSphere Web Apps


We have implemented ADFS 2.0 to provide SSO to Office 365 and our HR system (SaaS).

We would like to know how to configure/implement with ADFS to provide SSO with an internal Web Application that we purchased and installed on our local AIX/WebSphere server...

What would be the steps to accomplish this?  We are able to work with the vendor of the web app as well if some configuration on their web app is required.

Thanks. 

AD FS Relying Party Certificate Configuration


I am configuring an environment where a custom MVC app is using ADFS to authenticate. I have the Relying Party trust configured and working in our development environment, but I am trying to understand what changes I need to make in order to make the configuration Production ready. Here are the following questions I have:

  1. Each relying party has a tab for "Encryption" and "Signature" in its properties. Certificates can be entered to each section. Since the configuration is already working without anything entered, what am I gaining by entering certificates? Does the relying party have to account for changes to properly decrypt & sign? I have a decent understanding of PKI in general, but don't know how these are used in ADFS. It appears the cookies are already Base64 encoded and then the actual cookie portion is encrypted. Therefore I am wondering how those certificates would be used, and what I gain by using them.
  2. Second, I am wondering about replacing the Token-signing certificate for ADFS. If using a self-signed certificate as generated by ADFS, I need to set <certificateValidation certificateValidationMode="None" /> to prevent the application from throwing an error. I went through the effort of generating a cert from our internal CA and configuring the servers in our TEST domain. I am looking to implement this in our production environment, but we already have Office365 configured with a self-signed cert. I'm getting push back that we don't need to go through the effort of generating a certificate. Is the thumbprint matching in the web.config of the Relying Party application enough to secure the communications? It seems like most of the tutorials say set certificateValidationMode="None" for development, but that it should be fixed for production without going into details.

In general, I've found the documentation for ADFS configuration lacking on the why and what for. Most of the steps are documented on how to do a given task, but not why and what it will be used for within a given scenario. If anybody knows of a resource that goes into more of those details, I would be interested in reading that as well as I feel like I don't have enough information to make an intelligent decision.

-Brian
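Two things on this page hinge on the same check: Event 381 earlier in the thread (a configuration certificate whose chain could not be built because it was outside its validity period) and Brian's question about what certificateValidationMode="None" actually gives up. The script below is an added example for this thread, not code from either poster and not part of AD FS or WIF; it runs the same validity and chain checks on a certificate, by thumbprint, that a ChainTrust validator performs, so that an expired, revoked or untrusted token-signing certificate shows up before a sign-in fails. It assumes the certificate is in LocalMachine\My on the machine it runs on, and the thumbprint at the bottom is a placeholder.

```powershell
# Added example (not from the posts): reproduce the chain and validity checks that
# certificateValidationMode="ChainTrust" would perform on a token-signing certificate.
# Assumptions: certificate installed in LocalMachine\My; thumbprint below is a placeholder.

function Test-SigningCertificateChain {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online',
        [string]$StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.StoreLocation]$StoreLocation = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $found = $store.Certificates.Find(
            [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
            ($Thumbprint -replace '\s', ''), $false)
        if ($found.Count -eq 0) {
            return [pscustomobject]@{ Thumbprint = $Thumbprint; Found = $false }
        }
        $cert = $found[0]
        $now  = Get-Date

        # Build the chain the way a ChainTrust validator does: walk up to a trusted root
        # and check revocation for every link, evaluated at the current time.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode   = $RevocationMode
        $chain.ChainPolicy.VerificationTime = $now
        $chainOk = $chain.Build($cert)
        $status  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Found            = $true
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)
            NotBefore        = $cert.NotBefore
            NotAfter         = $cert.NotAfter
            InValidityPeriod = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainTrusted     = $chainOk
            # Typical failure reasons: NotTimeValid (Event 381), UntrustedRoot (self-signed
            # AD FS certificate under ChainTrust), RevocationStatusUnknown (CRL unreachable).
            ChainStatus      = $status
        }
    }
    finally {
        $store.Close()
    }
}

# Placeholder thumbprint: replace with the value from the event log entry or from the
# relying party's <issuerNameRegistry> <keys> entry.
Test-SigningCertificateChain -Thumbprint '0000000000000000000000000000000000000000'
```

Read against Brian's question: with certificateValidationMode="None" plus a thumbprint in the issuerNameRegistry, the relying party still verifies the token signature against the pinned key, so a token signed with any other key is rejected; what "None" skips is exactly the output above (validity period, revocation, trusted root). For production the usual choices are ChainTrust with a CA-issued token-signing certificate, or PeerTrust with the self-signed AD FS certificate placed in the relying party's Trusted People store; with either mode, keep in mind that AD FS auto-rollover of a self-signed token-signing certificate changes the thumbprint, so any pinned value must be updated at the same time. The Encryption and Signature tabs on the relying party serve a different purpose from the token-signing certificate: the encryption certificate is the relying party's own public key, with which AD FS encrypts the tokens it issues to that party, and the signature certificate is the one AD FS uses to verify requests (such as SAML sign-out requests) that the relying party signs.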

ADFS SSO with Office365


Hi,

I have successfully done the SSO for Office 365 using ADFS and it works fine. But when users try to access OWA (Office 365) directly instead of the Office 365 portal, SSO doesn't work. So for that I need to add some metadata and a relying party trust relation. Help me if we have any script for that. I got a PowerShell script for the Office 365 metadata update, but I need one for the OWA which we use in Office 365.

Regards,

Sridhar R
