Hi

I am using a ADFS 2.0 Server with Rollup 3.

I have added a SAML 2 based claims provider and a Relying Party to the A FS config. The SAML 2 based claims provider has it's own logon application, where users are redirect when a SSO is initiated. The great thing is that all of this works fine. Meaning users wanting to access the Relaying Party site will get a Federated identity from the Claims Provider as intended.

The problem is that this works as long has users has not logged been logged on for more than 5 minutes on Claims Provider. If a user has been logged on for more then 5 minutes ADFS will rejects it with this error:

Microsoft.IdentityModel.SecurityTokenService.NeedFresherCredentialsException: MSIS3070: The credentials provided do not meet the freshness requirement of '0' minute(s) for scope ...

After digging a little I have found the following problem. The Claims provider is using the SAML 2 Web Browser SSO profile with a HTTP-POST binding, and sending the ADFS server a SAML Response messing with the following interesting data:

<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="....." 
  ID="_e1721458-ecc2-4ca8-991c-1109a10adbe7" 
  InResponseTo="id-e78d84df-3224-4533-955e-d41fcfbce5d8" 
  IssueInstant="2013-08-23T12:51:59.737Z" Version="2.0" 
  xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">.....</saml2:Issuer>
...<saml2:AuthnStatement AuthnInstant="2013-08-23T11:41:22.776Z" SessionIndex="2148"> 
<saml2:AuthnContext> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef> 
</saml2:AuthnContext> </saml2:AuthnStatement>
...

The import things to look at here is the IssueInstant in the first block, and AuthnInstant in the second block. They have more 5 minutes difference. This is caused by the user actually being logged in at an earlier time then when the fedration on the ADFS server occurred. This then causes an error message in the server. If the gap is less then 5 minutes everything works fine.

According to the SAML 2 specification AuthnInstant is required and should be the time when a user actually logged in.  This particular problem is discussed in https://lists.oasis-open.org/archives/saml-dev/200802/msg00003.html

I have tried to tweak every timeout property for both claims provider and relay trust, but to no end. All suggestions found in http://stackoverflow.com/questions/9130999/how-to-set-the-timeout-properly-when-federating-with-the-adfs-2-0 has been attempted, but always the same error.

Might this be a bug in ADFS, or have I just not set it up correctly, or is there a way to tweak this 5 minute timeout in another way

I am currently configuring ADFS to provide our staff SAML authentication to a partner web application. All is going well enough so far and we've established internal and external access to the partner site via the idpInitiateadSigon.aspx page. Internally, SSO is working nicely and externally access is being granted through our TMG server.

It is only at this point, when I'm beginning to look at page customization and such that I realize most of that documentation refers to customizing the user web experience of an ADFS proxy server. So now I'm wondering about my "shortcut".

I understand the optimal security of the proxy configuration, but I am also comfortable with the level of security provided by TMG. Is there any reason I shouldn't be?

My other concern was whether there might be fewer/different options for default page configurations and other customizations if not using the proxy. I am hopeful not, but don't want to find out at the last minute.

Finally, this not being a huge implementation by IT standards ( 3-4K users accessing a partner site over the course of a month), I'm thinking that simplicity is always a nice thing when you can get it. I've even seen a thread here where the post marked as the answer referred to advising clients to think carefully about whether or not they chosoe to deploy a proxy. I gather from that that it is not a given everyone will deploy a proxy for internet access.

I guess you can tell, I'm trying to talk myself into not having to use a proxy. Am I making a mistake?

Hi,

Abhijith here, i am new to this forum, actually i got struck in following scenario, need your help to resolve this

Here i am trying to encrypt my removable media(F:) using python but getting the error, my script is

from win32com.client import Dispatch

strComputer="."
objwmiservices=Dispatch("WbemScripting.SWbemLocator")
objSwbemservices=objwmiservices.ConnectServer(strComputer,"\\ROOT\\CIMV2\\Security\\MicrosoftVolumeEncryption")
colitem=objSwbemservices.ExecQuery("SELECT * FROM Win32_EncryptableVolume")
for objitem in colitem:
    if Driveletter=="F:"
       objItem.Encrypt()
       print objItem.GetConversionStatus



its showing following error

'int' object is not callable

please help to solve this

thanks

Hi

I read Vittorio Bertocci posts about ADAL and ADFS 2.0 for Windows Server 2012 here and here. I also follows ADAL samples here. 

In all the above ADFS acts at an OAuth authorization server and provides the client application with a JWT token after the client authenticates using username and password credentials.

I would like to test a federation scenario. There are two ADFS servers with mutual trust. The client authenticates against one ADFS and receives a SAML token, then it request an OAuth token from the second ADFS server and authenticates using the SAML token it has.

In the OAuth specification there is no definition how users should authenticate before they can get the OAuth token, yet I have not seen any reference for different types of user credentials in ADAL API, I could find find any clue about a federation scenario in which client wish to authenticate using a SAML token.

Can anyone refer me to a sample or the relevant area in ADAL API that supports federation?

Thanks

Manu 

Manu

Hi

As discussed in length in the "ADFS 2.0 Web SSO not working in current versions of Safari for Windows or iOS", the pre-Windows Server 2012 R2 ADFS creates cookie data to track single-sign-on (e.g the MSISAuth* cookies), which exceeds the limitations of the Safari browser.

Has there been any changes made to the Windows Server 2012 R2 ADFS cookie handling to limit the amount of data stored, as to allow SSO to work on Safari (e.g on iPads and iPhones)?

Regards
Michael

I have a SSO setup with Google Apps.  When I go to gmail.com and enter my email address and a password, I am redirected to my federation login (https://federation.domain.com:443) page as I should be.  I then enter my Active Directory credentials. After entering my AD credentials, I am sent to a page with the following error: Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.

The page itself has the following test on it: The webpage at https://federation.domain.com/adfs/ls/auth/integrated/?SAMLRequest=fVLJTsMwEL0j8Q%2bR71kRCFlNUAEhKrFEbeDAzXUmiVXHEzxOC3%2bPm4KAA1yf38xbPLOLt14HW7Ck0OQsjRIWgJFYK9Pm7Km6Cc%2fZRXF8NCPR64HPR9eZJbyOQC7wk4b49JCz0RqOghRxI3og7iRfze%2fveBYlfLDoUKJmweI6Z7LusN0MSop23a571WyE7NZSqBprxGYQypjOdJ79%2fGUr29taEI2wMOSEcR5K0pMwOQ%2bzsypLeZbw05MXFpSfSpfKHBL8Z2t9IBG%2fraoyLB9X1bRgq2qwD56dsxax1RBJ7PfypSBSWw83QhOwYE4E1nmDV2ho7MGuwG6VhKflXc465wbicbzb7aLvNbGIW%2be7i0jQxoE%2bYJJYMRXMp4z2R7P%2fJxBfDljxrTGLf6wqPj9un2dxXaJW8j2Ya427KwvC%2bTDOjj7LDdpeuL%2fV0iidEFWHzUTlo6EBpGoU1CyIi4Pq7wvxd%2fMB&RelayState=https%3a%2f%2faccounts.google.com%2fCheckCookie%3fcontinue%3dhttp%253A%252F%252Fmail.google.com%252Fmail%252F%26service%3dmail%26ltmpl%3ddefault has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.

When I check the security log on my ADFS server it shows an audit success event ID 4624 for the user I am attempting to logon.  However, the details of this event show it as a NTLM logon.  Additionally, my PDC does not show the user in the security log, so it does not look like the authentication is reaching the PDC like it should.  

I am also getting an event ID 303 in the AD FS 2.0 event log, stating: The Federation Service encountered an error while processing the SAML authentication request.  Additional Data Exception details: Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'google.com' could not be located.  This error appears each time that I attempt a login.  I get the error 9 times for each login attempt. Additionally, I have a trust setup with an identifier name of google.com/a/ourdomain.com, which is how to setup the trust according to Google.

Any ideas on this one?

Hi,

I had listened to Vitorrio and Caleb's video on the new ADFS support for Oauth2.0 in Win 2012 r2 preview.

Accordingly, I did the following:

We installed windows server 2012 R2 and then setup a DNS server and AD DS services.

Also installed IIS ( looks like it may not be needed).

Anyway, then went ahead and installed ADFS Server role and configured it as a federation server.  We only required oauth2 – so SAML and WS-Trust were not configured.

There is no federation proxy either or multi-factor authentication.  

the ADFS service is running and there are  no errors in the logs.  Self-signed cert for the domain was used while configuring ADFS. After ADFS installation, this cert along with two other certs for token decryption and token-signing can be seen under ADFS->Service->Certificates.

ADFS Relying Party trust was configured to identify our resource app. Oauth2 clients were registered via the powershell cmdlets.

Setspn cmd was run on the  Administrator account associated with managing ADFS.

On running Get-ADFSEndpoint in the powershell, it lists https:<FQDN of my server>/adfs/oauth2.  

However, on trying to access the authorization endpoint from IE (javascript and cookies are enabled on the browser) by extending the above endpoint URL I get a “http 503 no service available” error.

There is no node or site under IIS associated with ADFS – as seen with ADFS on win server 2008 R2.

We also tried accessing the ADFS endpoint after stopping IIS service.

What is wrong or missing from the above steps? What are the exact Oauth2 authorization and token endpoints to use?

Let me know if any specific screen shot or output will help.

Thanks,

Shanthi

Hi guys,

We are allowing users in our corporate environment to sign-up for a cloud service that automatically provisions an account for them, if they are a new user and coming from our domain.  We like that method as we are trying to not have to manually setup new users in this cloud service.  We are using ADFS 2.0, but we are having too many employees sign-up for this cloud service and management does want to control that.  Basically, we want to try and keep it simple and let our helpdesk control ActiveDirectory membership to a security group, and then only allow members of that security group to be issued claims for that site.  We do not care about trying to add security groups as a claim, etc. and letting the vendor control access based on that claim, etc. unless we have to.

So I am trying to create a custom issuance rule and trying to use something similar to the rule below.  Trying to set it up to check AD and see if users are a member of a security group, before allowing them permissions to be issued a claim. Can anyone tell me if this will work?  I am basing this from the following website - http://blogs.technet.com/b/askds/archive/2012/06/26/an-adfs-claims-rules-adventure.aspx

exists([Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "S-1-5-24-836767959-1620075141-410060929-74931"])

=> issue(Type = http://schemas.microsoft.com/authorization/claims/permit, Value = "true");

Dan Heim

I am having difficulty correctly setting up an ADFS test environment. There are three parts to my configuration.

1. A portal website that posts a SAML2 response to ADFS.

2. ADFS configured with a SAML2 claims provider trust with the portal website.

3. A WIF claims aware website configured as a relying party with ADFS.

My understanding was that since Rollup 2, this is a valid scenario for ADFS. Is that incorrect? I am using SAML Tracer in Firefox, so I can see that the SAML response contains all of the correct assertion, and the parameters in the post to the WIF application contains the translated claims. I even set up custom claims rules in ADFS to make sure they were in the correct namespace (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/) Is there something I'm doing wrong?

Thanks

UPDATE:

Yes, it might be a good idea to include the problem. The problem is that the WIF application doesn't recognize the user as having authenticated. They are instead redirected back to the ADFS home realm discovery page. If I point to a SAML2 ready application by changing the RelayState, everything works fine. It also works fine if I do SP-initiated SSO with a custom STS.

Hi

I want get active directory user password to plaint text or give it to some script using password filter dll.

If any one implement acctync tool. Please tell me the setup how to enable this tool.

As per instruction given in acctsync installation.

(a) Copy "passwdhk.dll" to C:\Windows\system32

(b) Edit the "HKLM->SYSTEM->CurrentControlSet->Control->Lsa->Notification Packages" registry value and add "passwdhk" (without the quotes) to the list of names there (on a new line).

(c) Edit the file "passwdhk.reg" to suit your environment and then import it into the registry by double-clicking that file or use passwdhk_config.exe to configure settings.

(d) Set "Domain Security Policy\Windows Settings\Security Settings\Account Policies\Password Policy\Passwords must meet complexity requirements" to enabled to enable both complexity checking and the password filter.

(e) Reboot.

Please tell me any other to get active directory user password in plaint text format.

Regards,

Nilesh Bhanage

I have configured SSO for Google Apps.  I am able to log into the Google SSO fine from our internal networks.  However, when I try and access it from an internet network (external to our corporate LAN) I get a "401 - unauthorized page". I am getting the Google SSO "splash page" stating that I am being redirected to my federation server as expected, but then I do not get prompted for my Active Directory (AD) credentials.  The 401 page comes up without asking for any AD credentials. 

I can do a nslookup for our federation.ourdomain.com and it brings back the correct IP address for the hardware balancer sitting in front of our paired ADFS proxy servers.  A nslookup from within our LAN brings back the hardware balancer in front of our internal ADFS server pair as expected as well. 

When I check the security and ADFS event logs, there are no events on either the internal ADFS pair nor the proxy ADFS pair when I attempt a log in.  

Any ideas?

I am converting Forms Authentication applications that are for internal use only to use Claims Authentication using ADFS 2.0 with wia. We are doing this to give our clients a SSO environment. However there are cases where our clients will need to sign in as a different user. What is the best way to achieve this? As the users already have usernames and passwords for the app one approach might be to have fba side-by-side with wia. Is this possible? If so how can this be achieved? Can this be done using a single AFDS server? We do not need a proxy server as the application is only for use on the domain. I realize that users logging in as other users is not a great practice, but I do not see that practice changing in the near future.

Any advice on the best method to achieve this would be very appreciated.

Thank you.

Joseph

Hi

We would like to use the OAuth2 Endpoint and JWT Tokens Features from the Windows 2012 R2 Server in MVC 4 and Web API Services.

But all Examples related to this Topics are leading to Win Apps and the ADAL Library (which is only usable in Client Software).

Did anyone make a successful Example in getting JWT Tokens from the new ADFS Version?

Kind Regards
André

I'm setting/adding claim rules to ADFS using PowerShell, using the following commands:

Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSRelyingPartyTrust –TargetName "MyApplication" -IssuanceTranformRulesFile "C:\Temp\Claims.txt"

The file claims.txt contains the following rules:

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass Through - Name"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"]
=> issue(claim = c);

@RuleTemplate = "MapClaims"
@RuleName = "Transform - WinGroup"
c:[Type == "http://schemas.xmlsoap.org/claims/Group", Value == "TestGroup"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = "TestRole", ValueType = "string");

Both rules work fine, but when looking in ADFS, the second one has no name and is a custom rule, as shown in the dialog below:

This is very annoying for our administrators, because they can't see what the rule does from this dialog. They have to look at the rule itself. It would be nice if the name would be there at least, and preferably the destination claim type as well, as is the case when we manually enter them by clicking Add Rule... You would think PowerShell would pickup the name and destination claim type, because the @RuleName and @RuleTemplate parameters are set.

Thanks for any insight into why this is happening (and what we can do about it).

Hi,

   I installed ADFS services and configured it successfully as a federation server. I intend to use it for Oauth2 flows as announced recently by Vittorio and Caleb Baker in recent blogs and videos. The service is running - however when I try to access the oauth2 endpoint I get a error message as shown below.  I can access some other endpoints listed by Get-ADFSEndpoint cmd run in powershell.  This command lists the Oauth2 endpoint as https:<FQDN of server>/adfs/oauth2 and I tried accessing the authorization endpoint as - https:<FQDN of server>/adfs/oauth2/authorize?client_id=<registered_client_id>?redirect_uri=<registered uri>....  The detailed error message from eventViewer is:

We are creating a new SSO environment but, would like to migrate our existing Claims Provider Trust. 

I have tried export a trust a trust named "test" as so 

Get-ADFSClaimsProviderTrust -name Test -MetadataFile | Export-Clixml "c:\temp\Test-CPT.xml"

than import on the new SSO environment using

 Add-ADFSClaimsProviderTrust -Name TestIDP -Metadatafile "c:\temp\Test-CPT.xml" and I the error below. I am not sure how to get the trust migrated without configuring each trust manually and we have over 100 to migrate. 

Add-ADFSClaimsProviderTrust : ID3260: The root element of a metadata document must be either an EntityDescriptor or an
EntitiesDescriptor.
At line:1 char:1
+ Add-ADFSClaimsProviderTrust -Name TestIDP -Metadatafile "c:\temp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (:) [Add-ADFSClaimsProviderTrust], MetadataSerializationException
    + FullyQualifiedErrorId : ID3260: The root element of a metadata document must be either an EntityDescriptor or an
    EntitiesDescriptor.,Microsoft.IdentityServer.PowerShell.Commands.AddClaimsProviderTrustCommand

Can anyone assist?

I am having some problems that I think are related to the token being past back to my Google service.  I see lots of places on the net where people are saying "check the token".  I do not know how to turn on this token tracking.  

What do I do on my ADFS servers so that I can see the tokens as they are passed between Google and my ADFS servers?

Hi All,

I am trying to integrate the Saleforce with ADFS 2.0.

I am using the IDP URL to access the Salesforce Link and I am also able to land to the Salesforce page by the below link.

 https://xyz.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://xxx.salesforce.com/

But I am getting  the Identity Provider Dropdown and forced to select the IDP and only then I can land into Salesforce application.

Can anyone tell me what should be the exact URL or any other way so that I can bypass this Identity Provider Dropdown selection.

Thanks in Advance