What's the official name of the new version of AD FS in Windows Server 2012 R2?
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier
I am trying to chain two ADFS instances together. We have an application protected by one ADFS, and users that are in another AD that also uses ADFS to protect applications. Now I am trying to give access to an application protected by one ADFS to the users in the other ADFS.
In the ADFS that has the users in AD, I have set up a new RelyingParty that is the other ADFS instance.
In the ADFS that protects the application I have set up a Claims Provider trust, I did this by pointing at the metadata of the ID ADFS instance. This seems to be working.
Now when I try to access my protected application, I get certificate errors for the SSO certs. I click through those, then it bounces me to the RP ADFS and a page displays giving me the choice of authentication, either AD or my ID ADFS instance. I choose the ID ADFS that I have just set up, click continue and it bounces me to the log-in page. After logging in it bounces me back to the RP ADFS server and then I get an error, with a reference number. When I look up the reference number in the event log I see either 2 or 3 errors. Others have posted about this but no one has had an answer.
The first is about a revocation list:
An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://dev-sso.xxxxxxx.com/adfs/services/trust' certificate identified by thumbprint '54xxxxxxxxxxxxxxxxxxxxxxE28C9A57481'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period.
The second is:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)
Thanks Noel
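The two events above point at two different checks on the RP-side AD FS: the chain/revocation check applied to the claims provider trust's signing certificate, and the key lookup that failed with ID4037 (the token was signed with a key that is not among the certificates the trust holds). The following PowerShell is an added example, not part of the original post or Microsoft's documentation, that runs both checks on the RP-side server. It assumes a claims provider trust named 'ID ADFS' and an IdP metadata URL under dev-sso.example.com (both placeholders for the poster's redacted names), PowerShell 2.0 or later, and the AD FS cmdlets (the Windows Server 2012 R2 module, or the AD FS 2.0 snap-in, which exposes the same cmdlet names).

```powershell
# Added example, not from the thread. Run on the RP-side AD FS server (the one holding the
# claims provider trust). On AD FS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell
# 'ID ADFS' and dev-sso.example.com are placeholders for the poster's trust and redacted host.

$cpName  = 'ID ADFS'
$idpMeta = 'https://dev-sso.example.com/FederationMetadata/2007-06/FederationMetadata.xml'

# 1. Signing certificate(s) this server holds for the IdP, and the revocation policy applied to them.
$cp   = Get-AdfsClaimsProviderTrust -Name $cpName
$held = $cp.TokenSigningCertificates | Select-Object -ExpandProperty Thumbprint
$cp | Select-Object Name, SigningCertificateRevocationCheck
$cp.TokenSigningCertificates | Select-Object Subject, Issuer, NotAfter, Thumbprint

# 2. Signing certificate(s) the IdP advertises right now. ID4037 means the token was signed with a
#    key that is not in $held; a mismatch here (e.g. after an IdP certificate rollover) is the
#    usual cause, and Update-AdfsClaimsProviderTrust refreshes the trust from the same metadata.
[xml]$meta = (New-Object System.Net.WebClient).DownloadString($idpMeta)
$ns = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
$advertised = Select-Xml -Xml $meta -Namespace $ns `
    -XPath "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']//ds:X509Certificate" |
  ForEach-Object {
    $der = [Convert]::FromBase64String($_.Node.InnerText.Trim())
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)).Thumbprint
  }
$advertised | Where-Object { $held -notcontains $_ } | ForEach-Object {
  Write-Warning "IdP signs with $_ but the trust does not hold it; run: Update-AdfsClaimsProviderTrust -TargetName '$cpName'"
}

# 3. The first event (chain build failure) is the SigningCertificateRevocationCheck from step 1.
#    Build the chain from this box with revocation online to see whether the issuer is trusted
#    here and its CRL is reachable.
foreach ($c in $cp.TokenSigningCertificates) {
  $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
  $chain.ChainPolicy.RevocationMode = 'Online'
  $ok = $chain.Build($c)
  '{0} chain ok={1} {2}' -f $c.Thumbprint, $ok, (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
}

# Prefer fixing the chain (install the issuing CA in this server's trusted store, make the CRL
# reachable). For a self-signed IdP certificate there is no chain to build; the setting below
# turns revocation checking OFF for this one trust, so use it knowingly:
# Set-AdfsClaimsProviderTrust -TargetName $cpName -SigningCertificateRevocationCheck None
```

Step 2 deliberately reads the IdP's live metadata rather than the copy stored in the trust, because the stored copy is exactly what goes stale when the IdP rolls its token-signing certificate.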
Automatic URL redirection using ADFS 2.0 proxy loginToRP
I have an issue where I am able to utilize Kerberos (WIA) internally with the loginToRP in the URL for automatic redirection to the SP. However, when I try to use automatic redirection externally, using TLS (certificates) for user credential handoff, it fails. This makes the internal user experience seamless, and not so much for the external users. Any suggestions on how to get this to work externally?
I have 2 externally load-balanced proxies in the DMZ. I have two internally load-balanced federation servers. TLS automatically signs them in without user interaction, but it doesn't complete the URL redirect via the loginToRP portion. It requires the user to select the RP from the drop-down and press the GO button. I only have one configured SP, so the forms page is useless.
Help?
ADFS error / MSIS8108: Authentication failed.
Set up ADFS 2012 with an ASP.NET MVC web app as a relying party trust, in hopes of getting relying-party-initiated SSO going so that our internal Active Directory users can use our web app with their Windows account instead of a separate login ID/password.
At the point where the relying party redirects to ADFS, ADFS prompts the user for Active Directory credentials. I enter my AD login and password. I get the following browser/client error:
If I look on the ADFS server, this corresponds to the following event log error:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.AuthenticationFailedException: MSIS8108: Authentication failed.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, MSISSession& session)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)
Note, I did try browsing to https://devproc2.acme.com/adfs/ls/IdpInitiatedSignOn.aspx and successfully authenticated without any error so not sure what is wrong.
ADFS 2012
Internet Explorer 10
How do I troubleshoot this issue?
thanks
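For the "how do I troubleshoot" question, the following PowerShell is an added example (not from the post or from Microsoft) of the collection steps that give the AD FS side of the story: pull every Admin-log event carrying the Activity ID shown on the browser error page, capture a debug trace for one reproduction, and check the relying party trust the RP-initiated flow depends on. It assumes AD FS on Windows Server 2012 or 2012 R2 (log names 'AD FS/Admin' and 'AD FS Tracing/Debug'; on AD FS 2.0 they are 'AD FS 2.0/Admin' and 'AD FS 2.0 Tracing/Debug'), and uses a placeholder Activity ID and trust name.

```powershell
# Added example, not from the thread. Run on the AD FS server as an administrator.
# Log names below are those of AD FS on Windows Server 2012 / 2012 R2. The Activity ID and the
# relying party name are placeholders: take the ID from the browser error page.

$activityId = [guid]'00000000-0000-0000-0000-000000000000'   # placeholder
$rpName     = 'My MVC App'                                    # placeholder

# 1. Everything the Admin log recorded for that request. MSIS8108 (quoted above) is only the
#    last event of the request; read the events carrying the same Activity ID before it.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 1000 |
  Where-Object { $_.ActivityId -eq $activityId } |
  Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List

# 2. If the Admin log is not enough, capture the debug trace for a single reproduction.
#    Enable, reproduce, disable: the trace log is verbose and not meant to stay on.
wevtutil sl 'AD FS Tracing/Debug' /e:true
Read-Host 'Reproduce the failing RP-initiated sign-in now, then press Enter'
wevtutil sl 'AD FS Tracing/Debug' /e:false
Get-WinEvent -LogName 'AD FS Tracing/Debug' -Oldest |
  Where-Object { $_.TimeCreated -gt (Get-Date).AddMinutes(-10) } |
  Select-Object TimeCreated, Id, Message | Format-List

# 3. The RP-initiated path adds one thing over the IdP-initiated test that worked: the realm the
#    app sends in wtrealm. It must match an Identifier of the trust exactly (scheme, host,
#    trailing slash), and the app's return URL must be the WS-Fed endpoint configured here.
Get-AdfsRelyingPartyTrust -Name $rpName |
  Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

Step 1 filters on the event record's ActivityId field rather than on message text, so it also catches the events that do not repeat the ID in their body.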
ADFS queries
1. How do the username and password traverse the internet (HTTP?), and how are the authentication cookies going to be secured?
2. Can we send a Kerberos token over HTTPS?
3. Reliance on SAML alone is not enough.
Things SAML Does not Do:
Determine how secure the IdP webserver is - Server hardening should be done?
Ensure that web forms are secure - Pen testing for web forms?
Standardize authentication mechanisms - Consider 2FA?
Determine where data is extracted from, and what ID is asserted -
Enforce how an event is logged
4. As no public certificate is provided, there will be no "Encryption" or "Signature" certificate in the relying party trust. How is the trust maintained then?
5. How secure is the communication in the architecture?
Can you please help me with these queries.
ADFS 3.0 Migration for Office 365 Federation
I currently have Office 365 federated to our ADFS 2.0 deployment. We have a limited number of federations (but crucial ones) and felt more comfortable standing up a completely separate ADFS 3.0 deployment outside the ADFS 2.0 production environment. What I'm looking for is any guidance on how to move the federation for Office 365 from our ADFS 2.0 implementation over to ADFS 3.0. I've seen several posts about creating a federation to O365 with ADFS 3.0, but I haven't found any guidance on how to move the federation from one environment to the other.
Any help would be appreciated. Thanks in advance.
An error occurred during an attempt to read the federation metadata
Hi,
I installed AD FS 2.0 on Windows Server 2008 R2 following http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(v=ws.10).aspx. However, when trying to add a relying party, an error comes up saying:
An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.
ClaimsAwareWebSite in VB.Net
Hello,
Looking at the ADFS SDK I found ClaimsAwareWebSite in C#. Is there an example in VB.NET as well?
Regards.
cannot open sign-in web site after installing AD FS 2.0
Hi,
I ran into a problem: I cannot open localhost/adfs/ls after setting up AD FS 2.0; it returns Service Unavailable.
Is my existing ADFS a standalone or a single server farm topology?
Hello,
I have ADFS configured for the 365 service, working properly (configured in the past by an ex-employee).
I am planning to add redundancy to ADFS. How can I verify whether my existing setup is a standalone or a single-server farm?
Thanks
Event 111 and 364 when testing ADFS on Server 2012 R2
I have deployed a new Windows Server 2012 R2 Standard server on-premises in anticipation of deploying SSO with Office 365.
I have enabled the AD FS Role on the 2012 R2 server. The installation completed without errors.
The federation server URL for our server is https://sts.mycompany.com/ I have replaced with mycompany.com for purposes of posting.
When I try to test the service in a browser via:
https://sts.mycompany.com/adfs/ls/IdpInitiatedSignon.aspx
I receive an error in the browser and 2 errors in the event log as below. I have seen this article (http://social.technet.microsoft.com/Forums/en-US/cb15677d-a7f5-4b47-84ae-1826252bb4ae/adfs-error-364-111-after-windows-update-kb2843639) but this relates to ADFS 2.1 and the errors are slightly different.
Browser Error:
Error details
Activity ID: 00000000-0000-0000-1f00-0080000000fb
Error time: Tue, 24 Sep 2013 11:11:56 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.76 Safari/537.36
=================== EVENT ID 1 - ID 111 ===================
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue
Additional Data
Exception details:
System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, Object[] args)
at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
=================== EVENT ID 2 - ID 364 ===================
Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: http://sts.mycompany.com/adfs/services/trust
Exception details:
System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---> System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
at System.Activator.CreateInstance(Type type, Object[] args)
at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
ADFS v2 service account is exposed to the internet
Hello,
The ADFS v2 service account is exposed to the internet via the endpoint /adfs/services/trust/mex.
Apparently MS is not admitting that exposing the service account poses a security concern.
(you can see the service account of MS adfs v2 by following this link:
https://corp.sts.microsoft.com/adfs/services/trust/mex)
This service account can be hidden by disabling the endpoint:
https://corp.sts.microsoft.com/adfs/services/trust/2005/windowstransport
However, I was not able to get the list of drawbacks or services affected.
Another option is to force authentication to the MEX endpoint, but is it supported?
So be aware of the potential brute-force attacks or account lockout, which will bring your platform down.
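The disclosure the post describes comes from the WS-Addressing identity block that WCF emits in MEX for endpoints using Windows authentication: it names the account the service runs as, as a UPN (domain account) or SPN (machine account). The following PowerShell is an added example, not from the post or from Microsoft, that shows how to confirm the disclosure on your own STS, lists which endpoints carry it, and contrasts the two mitigations: disabling the Windows-transport endpoints outright (the post's option) versus keeping them for the intranet and only removing them from the proxy. It assumes a placeholder host sts.example.com and the AD FS cmdlets (the 2012 R2 module or the AD FS 2.0 snap-in, same cmdlet names).

```powershell
# Added example, not from the thread. Run on an AD FS server; sts.example.com is a placeholder.
# On AD FS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell

$sts = 'https://sts.example.com'

# 1. See exactly what the anonymous MEX document discloses. For endpoints that use Windows
#    authentication, WCF emits a WS-Addressing <Identity> element holding the service account
#    as <Upn> (domain account) or <Spn> (machine account).
$mex = (New-Object System.Net.WebClient).DownloadString("$sts/adfs/services/trust/mex")
[regex]::Matches($mex, '<(?:\w+:)?(Upn|Spn)>([^<]+)</') |
  ForEach-Object { '{0}: {1}' -f $_.Groups[1].Value, $_.Groups[2].Value } | Sort-Object -Unique

# 2. The endpoints carrying that identity are the Windows-transport WS-Trust ones. Note which are
#    enabled and which are published through the proxy.
Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*windowstransport*' } |
  Select-Object AddressPath, Enabled, Proxy

# 3a. The option the post mentions: disable them. Cost: anything that obtains tokens with a
#     Kerberos ticket over WS-Trust (rich clients on domain-joined machines, other AD FS
#     instances that use a Windows trust) stops working, internally as well as externally.
# Disable-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/windowstransport'
# Disable-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/windowstransport'

# 3b. Narrower option: keep them for the intranet, stop the proxy from forwarding them.
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/2005/windowstransport' -Proxy $false
Set-AdfsEndpoint -TargetAddressPath '/adfs/services/trust/13/windowstransport'   -Proxy $false
Restart-Service adfssrv    # endpoint changes take effect on service restart

# 4. Re-run step 1 from OUTSIDE, through the proxy, to confirm the identity is no longer listed.
#    The endpoints a password-spraying attacker actually hits are the usernamemixed ones, which
#    accept a username and password; pair the change above with the lockout control your release
#    offers. On Windows Server 2012 R2 that is extranet lockout (not available on AD FS 2.0):
# Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 10 `
#     -ExtranetObservationWindow (New-TimeSpan -Minutes 30)
```

Step 4 matters for the post's brute-force concern: hiding the account name reduces what an outsider learns, but the lockout risk comes from the password-accepting endpoints, and a lockout threshold on the proxy path is what keeps a spray from locking the account in AD.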
ADFS 1 has Recipient, ADFS 2 has not - Receiving SAML 2.0 Assertions via WS-Trust
Hi,
I am noticing a strange difference between my ADFS and my customer's. I am receiving a SAML 2.0 bearer assertion via WS-Trust and a .NET client making use of WIF. In my ADFS I get the recipient. My customer is using the same code, but there's no recipient in theirs. The configuration is the same as far as I could see.
When does ADFS put a recipient into the assertion?
Mine:
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Bob</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2014-01-30T16:40:21.776Z"/>
  </SubjectConfirmation>
</Subject>
The customer's subject:
<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">ATES</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData NotOnOrAfter="2014-01-16T14:38:31.650Z" Recipient="https://host/url/url"/>
  </SubjectConfirmation>
</Subject>
Regards,
Mathias
Load balancing with 2nd ADFS server
Hello,
I have a Single server ADFS farm using WID and no proxy / NLB (available to both internal and external users)
I am planning to add another server to the ADFS farm with WID, which would achieve fault tolerance (a 2nd copy of the read-only database).
How can this 2nd server also provide load balancing? I have few users and would like to keep things simple.
Can I achieve this with only DNS load balancing (internal and external) or do I need to install NLB?
Thanks
Cannot log into crm 2013 from inside the domain
Apologies if this is the wrong forum.
CRM 2013 & ADFS are on Windows 2012 Server.
I have configured ADFS following several threads.
Outside of the domain, or when connected using a soft VPN, when accessing https://xxxx.xxxxx.xxx:444 I can see it resolve to the ADFS server on https://MYADFS.xxxxx.xxx, and I can log in using my credentials.
Whilst in the office and inside the domain, I cannot log into the CRM; it will not accept my credentials.
Can anyone suggest where the problem may lie?
Don't ask me... I don't know.
ADFS Certificate related
Hi All
I am going to implement ADFS V2.0 to integrate SSO for SharePoint 2010 and a PeopleSoft application. I would just like to brief you on the environment.
We have parent domain A where SharePoint 2010 and the PeopleSoft application are hosted. This needs to be shared with account partners from other domains. The ADFS servers will be configured with NLB in domain A, with clustered SQL for the database, and the ADFS proxies configured with NLB in the DMZ.
I would like to know the number of SSL certificates required, and also whether each partner ADFS server also requires an SSL certificate or whether we can use the certificate used by domain A on the other partner network.
Any help on this and document on implementation of ADFS would be highly appreciated.
Bharat
Help with replacing the token signing and token decryption certificates
Hello clever ADFS people
Both my token signing and token decryption certificates expire in around a month.
The current certs are self-signed and auto certificate rollover is disabled (I created them manually in IIS a year ago).
The replacement certs are chained SSL certs from our internal CA.
The majority of our RPs cannot consume/update metadata, so I have to send them the new token-signing cert with public keys. I plan to send it in p7b format so that all certs in the chain are provided. Then we have to agree a time to make the change.
I'm curious about the token-decryption cert. I'm certain I don't need to send them that one, right? My understanding is that all certs are in the metadata, so I'm not sure if I need to send my RPs a new metadata file after I add the new token-decrypting one.
I have looked through this article and it's very helpful:
That said, I'd be grateful for any input on how to minimise outages and ensure a smooth change over.
Thanks
Piley
IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
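The low-outage sequence for this change is: add the new certificate as a secondary (AD FS publishes it in metadata at once but keeps signing with the primary), hand the public half to the partners who cannot read metadata, then promote it to primary at the agreed time and retire the old one afterwards. The following PowerShell is an added example, not from the post or from Microsoft, that carries the sequence through and also produces the .cer and .p7b files Piley plans to distribute. It assumes the new certificate is already in the machine store with its private key readable by the AD FS service account, a placeholder thumbprint and STS host, and the AD FS cmdlets (the 2012 R2 module or the AD FS 2.0 snap-in, same cmdlet names). On the token-decrypting side it relies on one fact the post asks about: that certificate's public key appears in the metadata as the encryption KeyDescriptor and is used by partners that encrypt tokens for this AD FS (claims providers), not by relying parties that merely consume its tokens.

```powershell
# Added example, not from the thread. Run on the primary AD FS server as an administrator.
# On AD FS 2.0 load the snap-in first: Add-PSSnapin Microsoft.Adfs.PowerShell
# $newThumb and sts.example.com are placeholders; the new cert must already be in
# Cert:\LocalMachine\My with its private key readable by the AD FS service account.

$newThumb = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$sts      = 'https://sts.example.com'
$outDir   = 'C:\adfs-rollover'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 0. Sanity: manual rollover only makes sense with automatic rollover off, as in the post.
(Get-AdfsProperties).AutoCertificateRollover      # expect False

# 1. Current state, with expiry, so the old thumbprint is on record before anything changes.
Get-AdfsCertificate |
  Select-Object CertificateType, IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }}

# 2. Stage the new signing certificate as SECONDARY. Tokens are still signed with the primary;
#    RPs that read metadata pick the new key up from here with no outage.
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumb

# 3. Public half for RPs that cannot consume metadata: .cer (leaf only) and .p7b (leaf + chain).
$cert = Get-Item "Cert:\LocalMachine\My\$newThumb"
[IO.File]::WriteAllBytes("$outDir\token-signing-new.cer", $cert.Export('Cert'))
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($cert)
$coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($el in $chain.ChainElements) { $null = $coll.Add($el.Certificate) }
[IO.File]::WriteAllBytes("$outDir\token-signing-new.p7b", $coll.Export('Pkcs7'))

# Fresh metadata now lists BOTH signing certificates plus the encryption certificate; RPs that
# can import a file but not poll a URL get this instead of a bare .cer.
(New-Object System.Net.WebClient).DownloadFile(
  "$sts/FederationMetadata/2007-06/FederationMetadata.xml", "$outDir\FederationMetadata.xml")

# 4. At the agreed time: promote the new certificate to PRIMARY (signing switches to it now),
#    then remove the old one only after every RP has confirmed it trusts the new thumbprint.
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumb -IsPrimary
# Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<old thumbprint>'

# 5. Same sequence for the decryption certificate, with -CertificateType Token-Decrypting.
#    Only partners that ENCRYPT tokens for this AD FS (claims providers) need its new public key;
#    relying parties that only consume tokens from this AD FS do not.
```

The .p7b is built from the chain as this server resolves it, so run step 3 on a machine that trusts the internal CA; if the chain stops at the leaf, the partners receive a leaf-only bundle without any warning.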
Active Directory Federation Services 2.0 RTW
Hi,
We are trying to configure the Dynamics AX environment for companion apps.
In the doc it says:
Before you can configure the Microsoft Dynamics AX environment for companion apps, you must complete the following prerequisites:
Set up and configure the Active Directory server:
The Active Directory server and domain controller should have been set up during the installation and configuration of Microsoft Dynamics AX 2012.
My question is: can this be installed on a standalone 2008 R2 server in a domain that is at 2003 functional level? The 2008 server, from my understanding, can just have ADFS 2.0 installed and work on its own, with the AX installation on a different server.
or
do ADFS, AD and AX all need to be on the same box?
thanks
phill
SubjectConfirmationData is missing recipient
I'm writing a .NET client and when I request a SAML token using 'RequestSecurityToken' and applying it to an EndpointAddress realm (that is configured in ADFS in the RelyingPartyTrust area), I get back a SecurityToken but it is missing the Recipient value (SubjectConfirmationData).
I've checked the entry in the RelyingPartyTrust and it does contain an EndPoint Recipient address.
Does anyone know how to get that value?