Channel: Claims based access platform (CBA), code-named Geneva forum

Auto-Logout / AD FS / IIS7 / Claims Based Authentication - Cookies not expiring


All,

Good day.  I am currently on a project that is creating a web application that uses AD FS for authentication.  We are using claims based authentication and it's an ASP.NET application.  The relying party trust in AD FS is set to 90 minutes and the SSO token is set to 1 day.

The app pool in IIS is set to 90 minutes and the cookie timeout is also set to 90.  

Problem: If we log in to the web application and leave the page idle for 90 minutes, we are not getting logged off.  After 90 minutes, we should be redirected to the log in page, assuming that our timers are correct.  However this is not what is happening.  Additionally, after 90 minutes, clicking on a link within the page doesn't force the user to re-authenticate and it just goes on functioning without a problem.  It appears the session/cookie is not expiring.

Any help the community can give would be excellent.  I am more of a liaison (systems engineer) so I will get answers to any questions that you all ask.  I have been assured by our web developers that this is something wrong on the server side because their code hasn't changed and apparently this used to function.  

Hence, while I wait for Microsoft to call us page, I thought turning to the forum of experts might yield some valuable information.  I am looking forward to your help.

ASP.NET - Session State = InProc

Terry



Empty actor and claims in WS-Trust delegation token


So, I'm working on implementing a .NET 4.5 version of the explicitly-managed ActAs token scenario as described on pp. 181-182 of Vittorio's Programming WIF book, and as demonstrated here by Thinktecture, to access a test WCF service from a WS-Fed-secured MVC application.  The STS is plain vanilla ADFS2.0 and I'm retrieving the ActAs token from ADFS's "/adfs/services/trust/13/usernamemixed" endpoint.

Unfortunately, the issued token, while signed and well-formed, and properly decrypted and accepted by the WCF service, is pretty much blank: looking at the WCF message captures, it contains no claims other than authenticationinstant and authenticationmethod; even the actor and subject names are blank.  It doesn't seem to make any difference if I specify required RequestClaims on the RequestSecurityToken or not, nor does the WCF service's RP claims issuance policy make any difference.

The bootstrap token at the MVC application contains nameidentifier, upn, name, authenticationmethod, and authenticationinstant claims.  Is there something else I'm missing here that would help ADFS to issue a meaningful ActAs token via the WSTrustChannelFactory?

I'm happy to post code excerpts if helpful, although it will take a little retooling to make it coherent in a single page.

Thanks,

Steve


Steve Kradel, Zetetic LLC

Default token lifetime for relying party trusts?


I have found conflicting information on the net about what the default value is for TokenLifetime for a relying party trust in ADFS 2.0.  This (http://technet.microsoft.com/en-us/library/cc782865(v=ws.10).aspx) says 480 minutes, but looks like it might apply to ADFS 1.0.  This (http://technet.microsoft.com/en-us/library/gg188586.aspx) says 60 minutes and the information looks more recent. I've seen other sites that claim the value is 600 minutes (http://stackoverflow.com/questions/14867613/adfs-2-0-time-out-and-relation-between-freshness-value-tokenlifetime-and-webssol). All very confusing. 

All my relying party trusts have the TokenLifetime set to 0 (so default settings) and I need to know how long this token is set for.  Thanks.

Additionally, I would like to know how the WebSSOLifetime token plays into this scenario.

Integrating ADFS with ACS


Hi,

I'm using Windows Server 2012 R2, to host my ADFS platform.  I have configured Azure ACS to interact w/ ADFS, and am in the process of working the SSO Windows Integrated Authentication in the mix.

I read at http://technet.microsoft.com/en-us/library/dn280949.aspx

"Windows authentication is not supported on all browsers. The authentication mechanism detects the user's browser user agent and uses a customizable setting to determine whether the user agent supports Windows Authentication".

It says you can use the powershell command "Set-AdfsProperties -WIASupportedUserAgents" to set the strings.

When I execute "Get-AdfsProperties", I get back a list, which contains:

WIASupportedUserAgents => {MSIE 6.0, MSIE 7.0, MSIE 8.0, MSIE 9.0...}

How can I retrieve the full list?  I'd like to see what is behind the "..."

I tried to execute "Get-AdfsProperties -WIASupportedUserAgents", but that does not work.

Any ideas?



How to decode the SAML request


Hi All,

I am trying to integrate Salesforce.com with AD FS 2.0.

Both AD FS IdP and Salesforce SP links are working fine.

I need to do a few customizations on the ADFS login page to display the client company logo.

For this I want to read the "Audience" value from the incoming SAMLRequest.

I have tried the piece of code below:

    String mySAMLRequest = "xxxxyyyyzzzz";
    MemoryStream memStream = new MemoryStream(Convert.FromBase64String(mySAMLRequest));
    // skip the first two bytes of the decoded data before inflating
    memStream.ReadByte();
    memStream.ReadByte();
    DeflateStream deflate = new DeflateStream(memStream, CompressionMode.Decompress);
    string myDoc = new StreamReader(deflate, System.Text.Encoding.UTF8).ReadToEnd();

but I am getting the error below with my SAMLRequest:

"Unknown block type. Stream might be corrupted."

Can anybody tell me how I can decode this SAMLRequest and read the "Audience" attribute value?

<Audience>https://xxx.abc.salesforce.com</Audience>

Or is there any other way to read this "Audience" value from the SAMLRequest?

My link is as below:

https://xxx.xxx.com/adfs/ls/?SAMLRequest=xxxxxx&Signature=xxxxxx&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256
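Added example, not from this thread: a Python decoder for the SAMLRequest value of the SAML 2.0 HTTP-Redirect binding. That binding sends raw DEFLATE (RFC 1951) with no 2-byte zlib header, so the two ReadByte() calls in the C# above discard real compressed data, which is the likely source of the "Unknown block type" error; the sample AuthnRequest, its ID and the ACS path are constructed placeholders that reuse the host names from the question.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 AuthnRequest.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample request; host names reuse the placeholders from the question.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z" '
    'Destination="https://xxx.xxx.com/adfs/ls/" '
    'AssertionConsumerServiceURL="https://xxx.abc.salesforce.com/acs">'
    '<saml:Issuer>https://xxx.abc.salesforce.com</saml:Issuer>'
    '<saml:Conditions><saml:AudienceRestriction>'
    '<saml:Audience>https://xxx.abc.salesforce.com</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions>'
    '</samlp:AuthnRequest>'
)


def build_redirect_query(xml_text: str) -> str:
    """Encode an AuthnRequest the way an SP does for the HTTP-Redirect binding:
    raw DEFLATE (RFC 1951, no zlib header), then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    })


def _query_params(query_or_url: str) -> dict:
    """Accept either a full /adfs/ls/ URL or its bare query string."""
    if "://" in query_or_url:
        query_or_url = urllib.parse.urlparse(query_or_url).query
    return urllib.parse.parse_qs(query_or_url)   # also URL-decodes the values


def inflate_saml_request(b64_value: str) -> bytes:
    """Reverse the Redirect-binding encoding of one URL-decoded SAMLRequest value.
    Nothing is skipped before inflating: a raw DEFLATE stream has no 2-byte header."""
    data = base64.b64decode(b64_value)
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        # The HTTP-POST binding carries the XML base64-encoded but uncompressed;
        # accept that form too so one function serves both bindings.
        return data


def skip_two_bytes_then_inflate(query_or_url: str):
    """Mimic the question's C#: drop two bytes, then raw-inflate the rest.
    Returns the inflated bytes, or None when zlib rejects the damaged stream."""
    data = base64.b64decode(_query_params(query_or_url)["SAMLRequest"][0])[2:]
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return None


def read_authn_request(query_or_url: str) -> dict:
    """Decode the SAMLRequest and return the fields useful for picking a logo."""
    params = _query_params(query_or_url)
    root = ET.fromstring(inflate_saml_request(params["SAMLRequest"][0]))
    if root.tag != "{%s}AuthnRequest" % NS["samlp"]:
        raise ValueError("not a samlp:AuthnRequest: " + root.tag)
    issuer = root.find("saml:Issuer", NS)
    audience = root.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "audience": audience.text if audience is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "sig_alg": params.get("SigAlg", [None])[0],
    }


if __name__ == "__main__":
    query = build_redirect_query(SAMPLE_AUTHN_REQUEST)
    print(read_authn_request("https://xxx.xxx.com/adfs/ls/?" + query))
```

Note that Audience is optional in an AuthnRequest (the function returns None when absent), while saml:Issuer is always present and is the identifier ADFS matches against the relying party trust.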


Event ID 133: During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data.


ADFS 2.0 installed on server 2008 R2. I configured ADFS with a wildcard certificate and if I remember correctly I was able to test the url in a browser and got an XML response. Now I wanted to continue to work on this project and noticed that ADFS was not working. The event log shows event id 133:

  • During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:
  • Element: serviceIdentityToken
    Subject: CN=*.org.nl, OU=Comodo PremiumSSL Legacy Wildcard, OU=org, O=org, STREET=Org 7, L=Org, S=Org, PostalCode=Org, C=NL
    Thumbprint: EE55C0AE7AF33A1FA6C3CA78DEFAEDB4C12AFAE3
    storeName: My
    storeLocation: 0
    Federation Service identity: ORG\svc_adfs
  • The Federation Service will not be able to start until this configuration element is corrected.
  • This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
    (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
    (2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above.
    (3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
    (4) The Federation Service identity 'org\svc_adfs' has not been granted read access to the certificate's private key.
  • User Action
    If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).
    If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into.
    If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option.
    If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.

I checked the certificate with the Digicert certificate tool and everything seems all right. Checked access of the service accounts to the private keys of the certificate; the account has read access. I tried to reimport from the PFX file and even exported and imported the certificate and private key.

Any ideas how to troubleshoot next?


With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/

Claim Rule Language Syntax - Query sAMAccountName,userPrincipalName by objectGuid?


Hi,

I am having trouble getting the syntax right to query the samAccountName and userPrincipalName. I have the objectGUID provided as a string from an external database, but the samAccountName & userPrincipalName are stored in the Active Directory.

I tried several things such as ";sAMAccountName,userPrincipalName;objectGUID={0}"

Result:

Query ';sAMAccountName,userPrincipalName;objectGUID={0}' to attribute store 'Active Directory' failed: 'POLICY3826: User name 'objectGUID=E74920C4-5821-4284-B660-D4C2173EBCB9' in LDAP query ';sAMAccountName,userPrincipalName;objectGUID=E74920C4-5821-4284-B660-D4C2173EBCB9' is not in the required 'domain\user' format. The LDAP query to the Active Directory attribute store must have three parts separated by semicolons. The first part is the LDAP query filter, the second part is a comma-separated list of LDAP attribute names, and the third part is the user name in 'domain\user' format.'. 

Or I tried: "objectGUID;sAMAccountName,userPrincipalName;{0}'"

Result:

User name 'E74920C4-5821-4284-B660-D4C2173EBCB9' in LDAP query 'objectGUID;sAMAccountName,userPrincipalName;E74920C4-5821-4284-B660-D4C2173EBCB9' is not in the required 'domain\user' format. The LDAP query to the Active Directory attribute store must have three parts separated by semicolons. The first part is the LDAP query filter, the second part is a comma-separated list of LDAP attribute names, and the third part is the user name in 'domain\user' format.'. 

Any ideas how to get this right?

Thank you,
Dominik
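Added example, not from this thread: a Python helper that turns the GUID string into the escaped-bytes LDAP filter Active Directory needs for objectGUID (the dashed text form never matches the binary attribute), and checks the three-part query shape the POLICY3826 message demands before a rule is deployed. Which domain\user value belongs in the third part once the filter already selects the object is not settled in this thread; EXAMPLEDOMAIN\svc_placeholder is a constructed placeholder.

```python
import re
import uuid

# Shape demanded by the POLICY3826 error quoted in the question:
# <LDAP filter>;<comma-separated attribute names>;<domain\user>
DOMAIN_USER = re.compile(r"^[^\\;]+\\[^\\;]+$")


def guid_to_ldap_filter(guid_text: str) -> str:
    """Build an LDAP filter on objectGUID from a GUID string.

    AD stores objectGUID as 16 raw bytes in GUID (mixed-endian) order, so the
    filter must carry those bytes as backslash-escaped hex (RFC 4515)."""
    raw = uuid.UUID(guid_text).bytes_le   # byte order as stored by AD
    return "(objectGUID=" + "".join("\\%02x" % b for b in raw) + ")"


def check_ad_query(query: str) -> tuple:
    """Split an already-substituted query into its three parts, raising on the
    mistakes seen in the question (GUID landing in the user-name slot)."""
    parts = query.split(";")
    if len(parts) != 3:
        raise ValueError("query must have exactly three ';'-separated parts, got %d" % len(parts))
    ldap_filter, attrs, user = parts
    if not attrs:
        raise ValueError("second part must list at least one attribute")
    if not DOMAIN_USER.match(user):
        raise ValueError("User name '%s' is not in the required 'domain\\user' format" % user)
    return ldap_filter, attrs.split(","), user


def is_valid_ad_query(query: str) -> bool:
    """Boolean wrapper around check_ad_query for quick pre-deployment checks."""
    try:
        check_ad_query(query)
        return True
    except ValueError:
        return False


def build_ad_query(ldap_filter: str, attributes: list, domain_user: str) -> str:
    """Compose the three-part Active Directory attribute store query and validate it."""
    query = ";".join([ldap_filter, ",".join(attributes), domain_user])
    check_ad_query(query)
    return query


if __name__ == "__main__":
    guid = "E74920C4-5821-4284-B660-D4C2173EBCB9"   # GUID from the question
    # As the question tried it: the GUID occupies the user-name slot and is rejected.
    print(is_valid_ad_query(";sAMAccountName,userPrincipalName;objectGUID=" + guid))
    # GUID moved into the filter slot; third part is a placeholder account (assumption).
    print(build_ad_query(guid_to_ldap_filter(guid),
                         ["sAMAccountName", "userPrincipalName"],
                         "EXAMPLEDOMAIN\\svc_placeholder"))
```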

Safari cookie size limitation update in Windows Server 2012 R2 ADFS?


Hi

As discussed in length in the "ADFS 2.0 Web SSO not working in current versions of Safari for Windows or iOS" thread, the pre-Windows Server 2012 R2 ADFS sometimes creates cookie data to track single-sign-on (e.g the MSISAuth* cookies), which exceeds the size limitations of the Safari browser.

Have there been any changes made to the Windows Server 2012 R2 ADFS cookie handling to limit the amount of data stored, so as to allow SSO to work on Safari (e.g. on iPads and iPhones)?

Regards
Michael


Getting the User Object with Identity Model


So, I've been pulling my hair out trying to get the user id out of my application. I'm using the Visual Studio 2013 Preview for Web. I know back in the day, you'd call the Membership object and get the Username or ID out of that. I'm trying to get the User ID so I can add a user to a role calling IdentityConfig.Roles.AddUserToRole. I came close when I tried instantiating a new <ProjectName>.Models.IdentityModels.User user = new Models.IdentityModels.User(); using the blank constructor, but it didn't give me the current user, just a random id. It's a webform project, if that helps (it's not supposed to make a difference now, is it?).

PS, the Context.Current.User and Page.User give me the UserName, but not the ID.

Thanks for any help you guys can give.


Jack Schaible, Student, DMIT, Northern Alberta Institute of Technology, Edmonton, Alberta, Canada

ADFS 2.0 SQL DB failover - how does it work?


I have configured an ADFS 2.0 farm with three web servers, two in the main site and one in our DR site.  I will be using an f5 to do network load balancing across the three web servers, and for the databases we have two SQL servers that our DBAs set up in a mirror config, and the three web servers have this configured as their connection string for ADFS Configuration:

"Data Source=aADFSDB;Failover Partner=aADFSDBDR;Initial Catalog=AdfsConfiguration;Integrated Security=True"

and the artifact store DB connection string:

"Data Source=aADFSDB;Failover Partner=aADFSDBDR;Initial Catalog=AdfsArtifactStore;Integrated Security=True"

so as you can see SQL Server 1 (aADFSDB) hosts the active Database and SQL server 2 (aADFSDBDR) hosts the failover partner/mirror.

How exactly do I get ADFS to fail over to the second DB server?  I tried blocking one of the web servers' access to the main database server hoping I would see an event confirming it attempting to connect to the failover partner, but all I got were events like the one at the bottom of this page.

So can anyone tell me how exactly this configuration fails over to the failover partner DB, what is required for it to do so and how I can test it?  I have looked for documentation but Microsoft gives precious little info on using SQL, which we needed for security reasons (token replay detection is only available in SQL config, not Windows Internal DB config).

And I found many pages on how to setup the SQL with failover partner config but none with any details on how ADFs actually detects and performs failover and what manual steps may need to be taken in the event that it does.

A SQL operation in the AD FS configuration database with connection string Data Source=aADFSDB;Failover Partner=aADFSDBDR;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.

Additional Data

Exception details:

Login failed for user 'AUSTRALIANUNITY\svcADFSacc'.

WIF - RSAEncryptionCookieTransform.Encode throws InvalidOperationException on FIPS mode enabled


I am using Thinktecture Identity provider for Claims Based Identity Validation. Thinktecture in turn uses Identity Model to issue tokens.

When I enable FIPS mode through GPO, I get the error message below:

[InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.] System.Security.Cryptography.SHA256Manageg..cctor() +14289230

We're in critical implementation and require urgent support to resolve this problem.

The stack trace is below:

FIPS Error

What happens when a user does not meet requirements of an Issuance Authorization Rule?


Hi guys,

We have ADFS 2.0 running on 2008r2.  We are about to change an ADFS-SAML connection with one of our relying partners so that only users from a specific internal AD group will be allowed to authenticate to the relying partner.  We have the Issuance Authorization rule ready to apply, but does anyone know what happens to our users that do not meet the criteria in the rule? I know they are denied access, but where? I was guessing our users would start off getting bounced back to us for authentication; they can still authenticate with us, but they are not given a token and are thus denied access by the relying party?  If someone could let me know how that works, I would appreciate it.

Thanks,

Dan 


Dan Heim

ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint


We have a website protected by WIF which all works until I go to a specific subdir. I get the error

ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 


Exception Details: System.IdentityModel.Tokens.SecurityTokenException: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.

Source Error: 
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 
[SecurityTokenException: ID4291: The security token 'Microsoft.IdentityModel.Tokens.SessionSecurityToken' is not scoped to the current endpoint.]
 Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ValidateToken(SessionSecurityToken token, String endpointId) +224
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.ValidateSessionToken(SessionSecurityToken sessionSecurityToken) +112
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.SetPrincipalFromSessionToken(SessionSecurityToken sessionSecurityToken) +22
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.AuthenticateSessionSecurityToken(SessionSecurityToken sessionToken, Boolean writeCookie) +17
 Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +344
 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

The only difference I can see with this subdir is that it is defined as an application within IIS with its own web.config file. In ADFS1 we just defined the SSO settings in the root web.config and this protected all subdirs whether they were apps or not. Is this still the same with ADFS2?

Do I need to treat this subdir as a new relying party in ADFS2?
Could anyone explain what this error means?

Thanks

Have done some more playing...... I created a second relying party for www.test.com/subdir. Now it gets fun.....
If I go to www.test.com/subdir it logs in and we see the page, then I go to www.test.com and we also see that page too. Coool
But if I go to www.test.com first, it logs in and we see the page, then I go to www.test.com/subdir and we get the error above. Doh!!!

What should i be doing to get this working?

PS. We are using passive login.

ADFS 2.0 Sign Out Problem


I am working on a demo which uses ADFS 2.0 as identity provider. All is working fine except for log out functionality.

The following is the code I am using to log out the user:

Dim url As String = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl("https://winstd.development.com/adfs/ls/", "https://coldfusioniis.winstd.development.com/WebAppsUserManagement/default.aspx", Nothing)

WSFederationAuthenticationModule.FederatedSignOut(New Uri(url), New Uri("https://coldfusioniis.winstd.development.com/WebAppsUserManagement/default.aspx"))

My expectations are that the user, after being signed out at ADFS 2.0, would return to the home page, at which point WIF would return to the login page: https://winstd.development.com/adfs/ls/. And as a matter of fact the user is being returned to the home page after sign out and then redirected to the ADFS login page. But ADFS is not displaying the log in page at all. Instead, it logs the user in automatically and redirects to the home page.

What am I missing here?

For your convenience I compiled a list of the requests and corresponding results once the sign out process is initiated by navigating to https://coldfusioniis.winstd.development.com/WebAppsUserManagement/logoff.ashx:

Request: GET https://coldfusioniis.winstd.development.com/WebAppsUserManagement/logoff.ashx <<<< this is where the log out process starts
Result: 302 Redirect to: https://winstd.development.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2fdefault.aspx

Request: GET https://winstd.development.com/adfs/ls/?wa=wsignout1.0&wreply=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2fdefault.aspx
Result: 200 text/html

Request: GET https://coldfusioniis.winstd.development.com/WebAppsUserManagement/default.aspx
Result: 302 Redirect to: https://winstd.development.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebAppsUserManagement%252fdefault.aspx&wct=2010-06-25T19%3a44%3a32Z

Request: GET https://winstd.development.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebAppsUserManagement%252fdefault.aspx&wct=2010-06-25T19%3a44%3a32Z
Result: 302 Redirect to: /adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebAppsUserManagement%252fdefault.aspx&wct=2010-06-25T19%3a44%3a32Z <<<<<<<< This is where the user is being signed in automatically instead of being prompted to enter the user name and password.

Request: GET https://winstd.development.com/adfs/ls/auth/integrated/?wa=wsignin1.0&wtrealm=https%3a%2f%2fcoldfusioniis.winstd.development.com%2fWebAppsUserManagement%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fWebAppsUserManagement%252fdefault.aspx&wct=2010-06-25T19%3a44%3a32Z
Result: 200 text/html

Request: POST https://coldfusioniis.winstd.development.com/WebAppsUserManagement/
Result: 302 Redirect to: /WebAppsUserManagement/default.aspx

Request: GET https://coldfusioniis.winstd.development.com/WebAppsUserManagement/default.aspx
Result: 200 text/html

Any help would be greatly appreciated.

 

Thanks!

Zen

Using Code-Signing Cert with SHA256 Signature and Signature Hash Algorithms in ADFS 1.x?


I have a client who implemented an ADFS 2.0 farm, initially for use with O365.  The third-party code-signing certificate uses SHA256 for the Signature Algorithm and SHA256rsa for the Signature Hash Algorithm.  My client now wants to federate with a relying party who still uses ADFS 1.x, which doesn't support SHA256 and SHA256rsa algorithms.  Has anyone else dealt with this situation and found a work-around?  Replacing the code-signing certificate with one that uses a different algorithm is not an option.

Thank you.

Ian Kahn
InfraScience, LLC
Alpharetta, GA
ikahn@infrascience.com


IE requires "Down-Level Logon Name" format?


Good day. We have set up a Relying Party Trust and all is working fine for authentication to the partner website. However, I'm getting varying behavior during authentication depending on the browser, specifically IE.

This is our first foray into ADFS so we only have a single claims provider, our Active Directory. So I'm assuming that Home Realm considerations are not a factor in our environment.

Right now, in IE I am currently forced to use the "Down-Level Logon Name" format, that is domain\username. In any other browser, on any platform, I can simply use username. UPN will also work in IE but unfortunately in our environment the UPN is not in a format familiar to the staff (i.e. not the same as the email address) so it is not a good option.

I can see in the web.config for adfs/ls that local authentication types has integrated at the top of a list that also includes forms, tls, and basic. Would adjustment of this order have any effect?

Based on what you can tell from our environment, what might my options be to allow login using only username when browsing using IE? 

lync wstrust behaviour differences


Does lync on windows phone use the same assertion minting design as lync on windows? (Targeting lync online) In both cases, lync pushes bearer tokens from ipsts to an msol rpsts, which delivers encrypted proof tokens (and msol internal names) back to lync that now talks to the api. In the windows case, lync uses an ssp, trying to pick up preminted tokens (preminted by the signin assistant win32 service, issued in combination with "domain logon" rules). In the windows phone case, lync just talks to the ipsts itself. It makes a difference.....

claimTypeRequired in a WIF 4.5 app


I've built an ADFS 2.0 server and used sample code to get a claims aware app using WIF 4.0 in VS 2010.  The Add STS Reference command sorted everything out for me and it worked: I saw a list of claims on the page.

Now I'm trying to do the same thing in VS 2012.  I've added the Identity and Access extension but it doesn't have the same functionality as Add STS Reference.  One of the things Add STS Reference used to do was populate

    <claimTypeRequired></claimTypeRequired>

with the list of claims offered by the STS.  It was then easy to customise which claims were requested and which were required.  Re-running the utility would then populate FederationMetadata.xml for the site with the ClaimTypesRequested:

    <fed:ClaimTypesRequested><auth:ClaimType Uri...</fed:ClaimTypesRequested>

I can't find an easy way of doing this for a WIF 4.5 app in Visual Studio 2012. Is there one?

ADDITIONAL:

Even though claimTypeRequired is part of the schema (see here), I got Parser Error Message: Unrecognized element 'claimTypeRequired'. when I copied them from my Visual Studio 2010 app's web.config to the WIF 4.5 web.config.



Tips on using CertificateWSTrustBinding and /adfs/services/trust/13/certificatetransport endpoint?


Is anyone using CertificateWSTrustBinding with SecurityMode.Transport, and/or SecurityMode.TransportWithMessageCredential, for manually requesting tokens from WSTrustChannelFactory?  I can't seem to get the formula quite right... my client and ADFS host are using certs issued by a common enterprise CA, and access to the private key is well sorted.  The client cert is mapped directly to an AD user via altSecurityIdentities and has both Client Authentication and Server Authentication enhanced usage flags.

CertificateWSTrustBinding(SecurityMode.Transport) pointed to /adfs/services/trust/13/certificatetransport produces:

The HTTP request was forbidden with client authentication scheme 'Anonymous'

CertificateWSTrustBinding(SecurityMode.TransportWithMessageCredential) pointed to /certificatemixed produces good old "An unsecured or incorrectly secured fault was received from the other party" with nothing too helpful in svclog / WCF traces; the reason text is "An error occurred when verifying security for the message."

FWIW here is my basic WSTrustChannelFactory setup:

    var uri = new Uri(stsUrl);
    var ep = new EndpointAddress(uri, DnsEndpointIdentity.CreateDnsIdentity(uri.Host));

    _factory = new WSTrustChannelFactory(binding, ep)
    {
        TrustVersion = TrustVersion.WSTrust13
    };

    bool set = false;

    _factory.Credentials.ServiceCertificate.Authentication.CertificateValidationMode = X509CertificateValidationMode.PeerOrChainTrust;
    _factory.Credentials.ServiceCertificate.Authentication.RevocationMode = X509RevocationMode.NoCheck;   // revocation checking is disabled here
    _factory.Credentials.SupportInteractive = false;

    // Try each lookup method in turn until the client certificate is found in LocalMachine\My.
    foreach (var ft in new[] { X509FindType.FindByThumbprint, X509FindType.FindBySerialNumber, X509FindType.FindBySubjectName })
    {
        try
        {
            _factory.Credentials.ClientCertificate.SetCertificate(
                StoreLocation.LocalMachine,
                StoreName.My,
                ft,
                certIdentifier);

            logger.Debug("Found cert {0} by {1}", certIdentifier, ft);
            logger.Debug("Subject = {0}, validFrom = {1:R}, validTo = {2:R}",
                _factory.Credentials.ClientCertificate.Certificate.Subject,
                _factory.Credentials.ClientCertificate.Certificate.NotBefore,
                _factory.Credentials.ClientCertificate.Certificate.NotAfter);

            set = true;
            break;
        }
        catch (InvalidOperationException) { }   // not found by this method; try the next one
    }

Thanks,

Steve


Steve Kradel, Zetetic LLC

ADFS 2.0 does not redirect back to 'reply' url on signout


I'm having a problem with ADFS 2.0 not redirecting back to the url in the wreply parameter.  I'm using the form login page (authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"), if that matters.

Essentially, I'm calling:

    try
    {
        FormsAuthentication.SignOut();
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(issuer), new Uri(replyUri));
    }
    finally
    {
        FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
    }

Unfortunately, ADFS never redirects me back to the URL that I specified.  Does anyone have any ideas?

Thank you in advance.
