Channel: Claims based access platform (CBA), code-named Geneva forum

[RESOLVED] .NET 4.5.1 - Custom STS Implementation: Exception: "A SamlAssertion requires at least one statement. Ensure that you have added at least one SamlStatement to the SamlAssertion you are creating."


Hello,

I am using .NET Framework 4.5.1 (so no WIF here) to create a custom STS implementation. This is based loosely on the code from this project:

http://code.msdn.microsoft.com/vstudio/Federation-Metadata-34036040/file/54332/10/Federation%20Metadata.zip

My version of the STS performs standalone authentication using claims pre-stored in a SQL database (this data is a mix of Windows Auth and OAuth information). For now, I haven't plugged it into this SQL database, but am proceeding with dummy claims until I can get this up and working.

When I use the "Issue" endpoint to generate the STS tokens, I get this exception:

------------------ EXCEPTION ---------------------------------

Server Error in '/' Application.

A SamlAssertion requires at least one statement.  Ensure that you have added at least one SamlStatement to the SamlAssertion you are creating.

             Description:An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.            

Exception Details: System.ArgumentException: A SamlAssertion requires at least one statement.  Ensure that you have added at least one SamlStatement to the SamlAssertion you are creating.

Source Error:

    SignInRequestMessage requestMessage = (SignInRequestMessage)WSFederationMessage.CreateFromUri(new Uri(fullRequest));
    SignInResponseMessage responseMessage = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(requestMessage, principal, _serviceInstance);
    responseMessage.Write(writer);

------------------------------------------------------------------

Any pointers?

Regards,

Sujay


----------------------- Sujay Sarma {Unbounded;}



Adjusting token lifetimes at the Web Application Proxy for external access


Does the Web Application Proxy or AD FS have any separate controls for adjusting token lifetimes to a different value via WAP than directly at AD FS? I can see there's a session cookie for EdgeAccessCookie that WAP issues, but this seems to be entirely undocumented at present. I've poked around in C:\Windows\ADFS\Config\microsoft.identityServer.proxyservice.exe.config (also undocumented as far as I can tell) but I'm not finding anything there either. We used to have some of these controls (sort of) with TMG/UAG. Are they totally gone now? With the AD FS Proxy this was less of an issue because it was only publishing AD FS, but this is something that I'd hope to be able to control with a reverse proxy. Any ideas?


http://twitter.com/tristanwatkins http://tristanwatkins.com

Need custom Claim for ADFS 2.0


Hi All,

I need a custom claim for one of my applications, wherein I want to send only the alias from the email ID as a claim. This is required for an existing setup, wherein aliases are set up as UIDs. So my requirement is just to extract and send the alias as a claim.

EG I want to extract xxxxx from xxxxx@yyyyy.com. This need to be transformed so that shibboleth
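One way to do this with an AD FS claim rule, as an added example that is not part of the original post or of any reply to it: RegExReplace() in the claim rule language strips the '@' and everything after it, and the rule is appended to the relying party trust with the ADFS 2.0 snap-in. The incoming claim type is the standard e-mail address type; the relying party name 'Shibboleth SP' and the outgoing claim type (the LDAP "uid" OID) are assumptions to adjust for your environment.

```powershell
# Added example, not code from the original post or a reply to it.
# Assumptions (adjust to your environment): the incoming claim is the standard
# emailaddress type, the relying party trust is named 'Shibboleth SP', and the
# outgoing claim type is the LDAP "uid" OID.

# The claim rule. RegExReplace() is a built-in of the AD FS claim rule language;
# the pattern removes the first '@' and everything after it, so "xxxxx@yyyyy.com"
# becomes "xxxxx". A value with no '@' is issued unchanged.
$rule = @'
@RuleName = "Issue alias from e-mail address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "urn:oid:0.9.2342.19200300.100.1.1", Value = RegExReplace(c.Value, "@.*$", ""));
'@

# Check the pattern locally with the .NET regex engine before touching AD FS.
function Get-AliasFromEmail {
    param([Parameter(Mandatory)][string]$Email)
    return [regex]::Replace($Email, '@.*$', '')
}

# Constructed sample values.
'xxxxx@yyyyy.com', 'first.last@sub.example.org', 'noatsign' | ForEach-Object {
    '{0,-28} -> {1}' -f $_, (Get-AliasFromEmail $_)
}

# Append the rule to the relying party's issuance transform rules (AD FS 2.0 snap-in).
# Only runs where the snap-in is present; the existing rules are kept.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Set-ADFSRelyingPartyTrust -ErrorAction SilentlyContinue) {
    $rp = Get-ADFSRelyingPartyTrust -Name 'Shibboleth SP'
    Set-ADFSRelyingPartyTrust -TargetName $rp.Name `
        -IssuanceTransformRules ($rp.IssuanceTransformRules + "`r`n" + $rule)
}
```

The rule issues a separate claim rather than rewriting the e-mail claim, so the SP still receives the full address if another rule passes it through. For a SAML relying party the outgoing claim type is what appears as the attribute Name in the assertion, so it must match whatever the SP's attribute map expects.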

AD FS Authentication


I have an ADFS 2.1 server live on the internet without a proxy and it has three Relying Party Trusts configured and mostly working. The goal is to provide simple authentication for 3rd party websites without prompting for login when inside and outside of our network. I realize putting the ADFS server live on the internet isn't best practice...

This is working for all but domain joined Windows 8.1 and non-domain joined machines.  The 8.1 machines work fine when they are on the domain but when they aren't and they try to access https://fs.domain.com/adfs/ls/IdpInitiatedSignon.aspx using IE they instantly get "Internet Explorer cannot display the webpage". When they use Chrome or Firefox the sign in page works just fine. 

When I run Fiddler to attempt to see what's going on it simply shows

  • 200 Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. InnerException: System.Net.Sockets.SocketException (0x80004005)

I then installed an ADFS 3.0 server with the same configuration/certificates/etc with the goal of migrating to that server and hopefully resolving the issues. When using a HOSTS file to point my test clients at the new server the same problem happens, even when I point them at another server which has WAP installed and configured.

I'm a bit stumped at this point, how should I go about troubleshooting this issue? 


ADFS 2.0 does not redirect back to 'reply' url on signout


I'm having a problem with ADFS 2.0 not redirecting back to the url in the wreply parameter.  I'm using the form login page (authenticationType="urn:oasis:names:tc:SAML:1.0:am:password"), if that matters.

Essentially, I'm calling:

    try
    {
        FormsAuthentication.SignOut();
        WSFederationAuthenticationModule.FederatedSignOut(new Uri(issuer), new Uri(replyUri));
    }
    finally
    {
        FederatedAuthentication.SessionAuthenticationModule.DeleteSessionTokenCookie();
    }

Unfortunately, ADFS never redirects me back to the URL that I specified.  Does anyone have any ideas?

Thank you in advance.

Enabling logging of extranet lockout events


I've set up extranet lockout in a lab environment and I can see that after five bad logons (my threshold), the badPwdCount attribute on the AD user object stops incrementing, but if I put my IT support hat on for a minute and pretend that I'm troubleshooting this, I don't seem to have any concrete events to alert me that:

  1. Extranet Lockout has been triggered.
  2. Whether or not the logon attempts are still occurring after lockout.
  3. When I can expect the observation window to clear.

In the event that this was a user simply forgetting their password, I could look at the security event logs, see the five bad logons and hopefully piece this together. I could also infer when the observation window should close by adding my observation window setting value to the last bad logon event. However, it would be much more straightforward if there was an AD FS or Web Application Proxy event that clearly states that Lockout has been invoked. Also, I would really want to know if the bad logons are still occurring.

Is this some setting I'm simply overlooking, or do I need to crank up my event logging to verbose? I hope that's not the answer. I do see plenty of evidence of the five bad logons before lockout occurs, but I have no evidence that Lockout has been invoked or whether that condition is persisting once it has been triggered.


http://twitter.com/tristanwatkins http://tristanwatkins.com
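As an added example (not from the original post or any reply to it), the script below reproduces the check AD FS 2012 R2 performs for extranet lockout, so a support engineer can read from the PDC emulator's badPwdCount and badPasswordTime whether a user is currently in the lockout state and when the observation window clears. AD FS rejects the attempt when badPwdCount has reached ExtranetLockoutThreshold and the last bad attempt is still inside ExtranetObservationWindow, without forwarding the password to a domain controller; that is also why badPwdCount stops incrementing and why attempts made during lockout are not visible in AD. The decision logic is a pure function so it can be exercised with constructed values; the user name 'alice' in the live lookup is a placeholder.

```powershell
# Added example, not code from the original post or a reply to it.
# Reproduces the extranet lockout decision AD FS 2012 R2 makes:
#   locked = badPwdCount >= ExtranetLockoutThreshold
#            and (now - badPasswordTime) < ExtranetObservationWindow
# While "locked" is true AD FS refuses the logon before it reaches a DC, so
# badPwdCount stays where it is and the window is measured from the last
# attempt that did reach AD.

function Test-ExtranetLockoutState {
    param(
        [Parameter(Mandatory)][int]$BadPwdCount,
        [Parameter(Mandatory)][datetime]$BadPasswordTimeUtc,   # last bad attempt seen by the PDC, UTC
        [Parameter(Mandatory)][int]$Threshold,                 # ExtranetLockoutThreshold
        [Parameter(Mandatory)][timespan]$ObservationWindow,    # ExtranetObservationWindow
        [datetime]$NowUtc = [datetime]::UtcNow
    )
    $windowEnd = $BadPasswordTimeUtc + $ObservationWindow
    $locked = ($BadPwdCount -ge $Threshold) -and ($NowUtc -lt $windowEnd)
    [pscustomobject]@{
        Locked         = $locked
        BadPwdCount    = $BadPwdCount
        LastBadAttempt = $BadPasswordTimeUtc
        WindowClearsAt = $(if ($locked) { $windowEnd } else { $null })
    }
}

# Constructed sample: threshold 5, 30 minute window, last bad attempt 10 minutes ago.
# Expected: Locked = True, WindowClearsAt = 20 minutes from now.
Test-ExtranetLockoutState -BadPwdCount 5 `
    -BadPasswordTimeUtc ([datetime]::UtcNow.AddMinutes(-10)) `
    -Threshold 5 -ObservationWindow ([timespan]::FromMinutes(30)) | Format-List

# Live lookup, only where the ADFS and ActiveDirectory modules are available.
# AD FS queries the PDC emulator, so the script does too; badPasswordTime is a
# FILETIME in UTC. 'alice' is a placeholder account name.
if ((Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) -and
    (Get-Command Get-ADUser -ErrorAction SilentlyContinue)) {
    $p   = Get-AdfsProperties
    $pdc = (Get-ADDomain).PDCEmulator
    $u   = Get-ADUser -Identity 'alice' -Server $pdc -Properties badPwdCount, badPasswordTime
    Test-ExtranetLockoutState -BadPwdCount $u.badPwdCount `
        -BadPasswordTimeUtc ([datetime]::FromFileTimeUtc($u.badPasswordTime)) `
        -Threshold $p.ExtranetLockoutThreshold `
        -ObservationWindow $p.ExtranetObservationWindow | Format-List
}
```

Because the rejected attempts never reach AD, the only place they can be observed is on the AD FS and WAP side; the AD attributes tell you that lockout is in force and when it ends, not whether someone is still hammering the account.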

Supportability of making NETSH HTTP changes on AD FS and Web Application Proxy servers

Are there any resources that clearly spell out what changes are (and are not) supported through NETSH HTTP on Windows Server 2012 R2 AD FS and Web Application Proxy servers? Or is there a rule of thumb like, "do it through the AD FS cmdlets if you can and use NETSH where you can't"?

http://twitter.com/tristanwatkins http://tristanwatkins.com

Adfs Authentication


I am having a problem with the adfs authentication,

Let's say my domain is "X" and we have another domain called "Y" that we accept clients from.

I want ADFS to try to use integrated authentication and, if it fails, to pop up a TLSClient (PKI) authentication prompt; right now it pops up a username and password box.

I went to the ls web.config and changed the order to Integrated and then TLSClient, but it still doesn't work.

I also went to the ADFS properties in PowerShell and changed the AuthenticationContextOrder.


RP-specific AuthnContextClassRef from ADFS to SAML IdP?


Hi All,

I have ADFS 2 setup as a passive RP-STS and FP-STS. This is federated with various RPs using SAML and WS-Fed. It has one claims provider trust to a SAML 2 IdP. This IdP is the one that authenticates the end user and ADFS simply brokers token. The SAML IdP and ADFS are tightly bound. They share a signing key even and the IdP runs in the same IIS Web server as ADFS. They have different host names though (e.g., fs.contoso.com and login.contoso.com).

The problem is that different RPs require different types of credentials for users to be able to access them. We can't rely on the RP informing ADFS of this using wauth (for WS-Fed) or an authentication class context reference (for SAML 2), so we need to pass along an RP-specific authN context.

Something like this:

We have customized HomeRealmDiscovery.aspx.cs to immediately redirect the user to the SAML IdP. We cannot find any way, however, to inject an AuthnContextClassRef at this point. The only hook where this even seems possible with ADFS is in IdpInitiatedSignOn.aspx.cs, but that's not in play here.

So, is it possible and if so how?

I have only come up w/ two ideas:

1. Rewrite the SAML IdP to use WS-Fed instead. Then, set hidden context to false. That way ADFS will pass the RP ID to the IP-STS and it can do a lookup there.

2. Get the RP ID in the home realm disco page, set it in a cookie, retrieve it in the SAML IdP, and do a lookup.

Both of those options are undesirable. We're doing the 2nd option now and it works, but it is very kludgy. Ideally, we would set the authN context in ADFS per RP, kinda like Milos is doing in this case.

Any thoughts or suggestions?

TIA!



Regards,

Travis Spencer
http://travisspencer.com

What's happened to the Security Configuration Wizard profiles for AD FS 2012 R2?


So you know that Security Configuration Wizard (SCW) in Server Manager that nobody ever uses? I kind of like that thing. It's pretty good, especially for AD FS where it has been a recommended best practice for some time. That Best Practices documentation was updated with Windows Server 2012 to point at the new location of the SCW directory, at C:\Windows\ADFS\Scw. In that directory there have been four profiles for different ADFS topologies, as you will see described in that article.

In Windows Server 2012 R2, that "Scw" directory is gone, but the four XML files that used to be in it appear to have been moved to the root of C:\Windows\ADFS. However, they still have an old OS version in them. Also, the SCW itself has not been updated since Windows Server 2008 R2. I've tried changing the Minor OS Version to 3 (for Windows 6.3) and I do now get a selectable AD FS role in the SCW, but the role itself does not seem to be detected and I'm not clear what the effect of ticking it will be.

Hardening AD FS is pretty important I reckon, since it's a web server that surfaces AD. I'm concerned that the outdated guidance for the SCW is fundamentally inappropriate for the new version of AD FS (and the Web Application Proxy), since they've both changed so much in terms of new capabilities and the under-the-hood architectural changes in HTTP.SYS. Has anyone managed to put together a solid hardening profile for AD FS and the WAP for AD FS 2012 R2? Were there significant changes that need to be made from AD FS 2.0 specifically for HTTP.SYS? Should we throw out the Best Practice guidance for now until we get a clearer steer from Microsoft? Am I the only one who actually uses this?  


http://twitter.com/tristanwatkins http://tristanwatkins.com

What's the official name of the new version of AD FS in Windows Server 2012 R2?

AD FS 2.2, AD FS R2 or AD FS 3.0. Which is it? Does anyone actually know?

http://twitter.com/tristanwatkins http://tristanwatkins.com

When is FillClaimsForEntity Called?


Hi folks.

I've implemented a custom SPClaimProvider and, for the time being, implemented some hard coded claims augmentation logic in FillClaimsForEntity.  I am currently simply testing with FBA.

The problem is that I've only seen it called once and for one user. I was under the impression that it would be called every time a user logged out or logged in. I've checked with a simple claims viewer web part that indeed, for the second user (also an FBA user), the claim is never augmented.

So I'm curious why that's the case.


zaanglabs.com | charliedigital.com | linkedin.com/in/charlescchen

SPN question.. Host/FQDN or HTTP/FQDN for ADFS


Hi all,

I have a question about the SPN for the ADFS service account. Microsoft TechNet advises using HOST/FQDN (they state WS-Trust will not work when HTTP/ is used for ADFS 2.0, but there is no documentation about ADFS 3.0/2.2/2012 R2), but I've seen several examples with HTTP/ SPN names.

What is best practice for the SPN, HOST or HTTP, when we plan to use the WS-Trust profile for ADFS 3.0?

Robin


Find me on linkedin: http://nl.linkedin.com/in/tranet

2012 R2 ADFS WAP proxy problem


I am trying to set up a test ADFS server environment with the goal of using federated Office 365. My test environment has:

  • two domain controllers at 2008 R2 functional level, one Server 2008 R2 and the other 2012, with one local (non-routable) internal domain name and one externally routable name for mail. I have added the externally routable name as an alternate UPN suffix.
  • two Exchange servers, one 2010 and the other 2013.
  • one 2012 R2 ADFS server and one 2012 R2 WAP proxy server.

The two AD FS servers seem to work all right. I can log in (adfsmachinename/adfs/ls/idpinitiatedsignon) and also pull https://mycomp/adfs/fs/federationserverservice.asmx from any of the machines in the domain. All servers are joined to the domain and in the same subnet.

The problem is setting up the Web Application Proxy to establish the trust. When I use the Web Application Proxy Configuration Wizard I put in the wildcard cert that is from Comodo for the routable domain name and is on both the ADFS and WAP servers. I use either a domain admin or local admin of the ADFS server but it always fails with the same message:

"Unable to retrieve proxy configuration data from the Federation Server."

On the AD FS WAP server the event logs event 422:
Trust Certificate Thumbprint: 
6185C255555555544555555555535D06 
Status Code: 
Unauthorized 
Exception details: 
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

note: the process creates a new cert ADFS ProxyTrust-localservername which has the thumbprint in the error listed.

At the same time the event log on the ADFS server it is trying to trust with comes up with event ID 276:

The federation server proxy was not able to authenticate to the Federation Service.

User Action
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.
Additional Data 
Certificate details: 
Subject Name: 
<null> 
Thumbprint: 
<null> 
NotBefore Time: 
<null> 
NotAfter Time: 
<null>

No matter what I seem to try with the local admin account it has the same error. I verified the passwords and tried domain admin, local admin, the ADFS domain service admin, etc.

Android 4.3 (Samsung Galaxy Note) does not connect Lync to O365 via ADFS 3.0


Customer cannot connect Lync to O365 via ADFS 3.0 on Samsung Galaxy Note 4.3 (Jelly Bean).  We can connect to a non-ADFS account.  We can connect iPhone to an ADFS account.  Is there a setting on the ADFS server to allow Lync 2013 to connect via Android?  Or, is it an Android issue, and need Kit Kat? 

Thanks in advance.


SQL ADFS 2.0 Claim Connection and Query


Hello,

I have been trying to set up a custom claim with a SQL Attribute store. I've followed numerous posts about how exactly to do this and I think I have everything set up correctly, however I am encountering a strange error that I will include below. The goal of this setup is to pull DOB information from an HR database and send it to our relying party for identity verification. The DBA team has created a stored procedure that takes sAMAccountName as an input and then returns DOB.

First here is everything that I have configured:

SQL Attribute Store: PSLocal - connection string:

    Data Source=DB-PSLD-P;Initial Catalog=PSData;Integrated Security=True

Custom Claim Descriptions: sAMAccountName - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname and DOB - http://schemas.xmlsoap.org/ws/2005/05/identity/claims/DOB

Custom claim rule language to get sAMAccountName so it can be used in the SQL statement below:

    c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => add(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname"), query = ";sAMAccountName;{0}", param = c.Value);

Custom claim rule language to use the sAMAccountName claim to get DOB info using SQL:

    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/samaccountname"]
     => issue(store = "PSLocal", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/DOB"), query = "EXEC [app].procGetDOBFromLogin {0}", param = c.Value);

From what I know this should work.  I have the SQL attribute store defined, I get samaccountname in the claim rule language, then use samaccountname in the SQL query claim rule.

I can launch SQL management studio as my ADFS service user and connect and get the proper result using the stored procedure in the SQL claims rule.  If I substitute my username in the SQL statement I get my birthday.

When I attempt to generate the claim by initiating a sign-on I see 3 errors in the ADFS 2.0 admin event log.  The first of the errors is event ID 376 and I believe is the cause of the other two errors so I haven't included those in this:

An Error occurred while executing a query in SQL attribute store.

Additional Data
 Connection information: POLICY3907: Server=DB-PSLD-P;Database=PSData.
 Query: EXEC [App].procGetDOBFromLogin @PARAMETER0
 Parameters: UserName,

User Action
Please examine the exception details to take one or more of the following actions if applicable.
  Verify that the connection string to the SQL attribute store is valid.
  Make sure that the SQL attribute store can be reached by the connection string and the SQL attribute store exists.
  Verify that the SQL query and parameters are valid.

Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SqlAttributeStoreQueryExecutionException: POLICY3904: Execution of query:'EXEC [app].procGetDOBFromLogin @PARAMETER0' with parameters:'UserName,' failed. Connection information:'POLICY3907: Server=DB-PSLD-P;Database=PSData.'. ---> System.Data.SqlClient.SqlException: Incorrect syntax near ' '.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List`1 queryParameters, AsyncCallback callback, Object state)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List`1 queryParameters, AsyncCallback callback, Object state)
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SqlAttributeStore.BeginExecuteQuery(String query, String[] queryParameterValues, AsyncCallback callback, Object state)
   at Microsoft.IdentityServer.ClaimsPolicy.Language.AttributeLookupIssuanceStatement.BeginEvaluate(IEnumerable`1 matchedClaims, PolicyContext policyContext, AsyncCallback callback, Object state)

System.Data.SqlClient.SqlException: Incorrect syntax near ' '.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)
   at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
   at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
   at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()
   at System.Data.SqlClient.SqlDataReader.get_MetaData()
   at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)
   at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)
   at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)
   at System.Data.SqlClient.SqlCommand.ExecuteReader()
   at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Sql.SyncQueryExecutor.BeginExecuteQuery(String query, List`1 queryParameters, AsyncCallback callback, Object state)

 

I guess my question is does everything look correct?  The error deals with the connection string after the initial catalog statement but I don't know of any other way to write the connection string and I have verified that the ADFS service account has the proper SQL permissions. Is there anything I am missing?

As always, thanks for any help and have a good day!

Adam
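As an added example (not from the original post or any reply to it), the script below executes the attribute store query the same way AD FS does: {0} in the rule's query text is rewritten to @PARAMETER0 and the claim value is bound as a SqlParameter, which is what the event text shows ("Query: EXEC [App].procGetDOBFromLogin @PARAMETER0", "Parameters: UserName,"). Pasting a literal user name into Management Studio does not exercise that path. The script also lists any non-ASCII characters in the rule's query text, since a no-break space pasted from a web page looks like a space but is not treated as one by the T-SQL parser, which is one thing worth ruling out when SQL Server reports "Incorrect syntax near ' '". The connection string and procedure name are those in the post; the account name 'jdoe' is a placeholder. Run it on the AD FS server as the AD FS service account so the integrated-security connection matches what the service uses.

```powershell
# Added example, not code from the original post or a reply to it.
# Runs a SQL attribute store query the way the AD FS SQL store does: {n} -> @PARAMETERn,
# values bound as SqlParameters, one claim per result row, columns mapped positionally
# to the claim types listed in the rule (one type here, so column 0).
# Connection string and procedure name are from the post; 'jdoe' is a placeholder.

Add-Type -AssemblyName System.Data

$connectionString = 'Data Source=DB-PSLD-P;Initial Catalog=PSData;Integrated Security=True'
$queryFromRule    = 'EXEC [app].procGetDOBFromLogin {0}'   # query = "..." as written in the claim rule

function Find-NonAsciiChars {
    param([Parameter(Mandatory)][string]$Text)
    # Reports every character outside printable ASCII with its index and code point.
    # A U+00A0 no-break space pasted from a browser is the usual offender; it renders
    # as a blank but the T-SQL parser does not treat it as a token separator.
    for ($i = 0; $i -lt $Text.Length; $i++) {
        $c = [int][char]$Text[$i]
        if ($c -lt 0x20 -or $c -gt 0x7E) {
            [pscustomobject]@{ Index = $i; CodePoint = ('U+{0:X4}' -f $c); Context = $Text.Substring([Math]::Max(0, $i - 5), [Math]::Min(11, $Text.Length - [Math]::Max(0, $i - 5))) }
        }
    }
}

function Invoke-AdfsStyleSqlQuery {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$QueryTemplate,    # claim rule query text containing {0}, {1}, ...
        [Parameter(Mandatory)][string[]]$ParameterValues # claim values, in order
    )
    # Same rewrite the attribute store performs before sending the batch.
    $query = $QueryTemplate
    for ($i = 0; $i -lt $ParameterValues.Count; $i++) {
        $query = $query.Replace("{$i}", "@PARAMETER$i")
    }
    Write-Verbose "Executing: $query"

    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $query
    $cmd.CommandType = [System.Data.CommandType]::Text
    for ($i = 0; $i -lt $ParameterValues.Count; $i++) {
        [void]$cmd.Parameters.AddWithValue("@PARAMETER$i", $ParameterValues[$i])
    }
    try {
        $conn.Open()
        $reader = $cmd.ExecuteReader()
        $values = @()
        while ($reader.Read()) {
            $values += $reader.GetValue(0)   # first column = first claim type in the rule
        }
        return $values
    }
    finally {
        $conn.Dispose()   # also closes the reader
    }
}

# 1. Rule out hidden characters in the query text (expect no output).
Find-NonAsciiChars -Text $queryFromRule

# 2. Execute as AD FS would; a syntax error here reproduces what the service sees.
Invoke-AdfsStyleSqlQuery -ConnectionString $connectionString `
    -QueryTemplate $queryFromRule -ParameterValues @('jdoe') -Verbose
```

If step 2 succeeds under the service account but the AD FS event still appears, the difference is in what reaches the rule engine rather than in SQL Server, so re-enter the rule text by hand in the claim rule editor rather than pasting it.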

Is my existing ADFS a standalone or a single server farm topology?


Hello,

I do have ADFS configured for 365 service, working properly (configured in the past by ex employee).

I am planning to add redundancy to ADFS, how can I verify if my existing setup is a standalone or a single server farm?

Thanks 

Dynamic Access Control / Device claims - how can I get Device Claims passed through to my RP?


I'm using an ADFS 2.1 (2012 R2) server to pass AD DS Claims (computed from a Kerberos Compound auth ticket - e.g. it has device claims inside of the presented user token) to an RP, as described below:

http://technet.microsoft.com/en-us/library/hh831504.aspx

This is a supported scenario, according to what little documentation I can find - unfortunately, the transform rules are hard to determine - the only guidance I've been able to find is this one paragraph from the below link (Using AD DS Claims with AD FS): http://technet.microsoft.com/en-us/library/dd807068.aspx

If you are setting up the Dynamic Access Control scenario that uses AD DS-issued claims, first create a transform rule on the claims provider trust and in Incoming claim type, type the name for the incoming claim or if a claim description was previously created select it from the list. Second, in Outgoing claim type, select the desired claim URL, and then create a transform rule on the relying party trust to issue the device claim.

I have not been able to get the magic rules on the provider trust and RP trust to make this work. Does anyone know of better documentation, or examples which may be able to help?



Thanks!

ADFS3: Change service account


Is an updated version of this script: http://gallery.technet.microsoft.com/scriptcenter/Active-Directory-381aa93c going to be coming out for Windows Server 2012 R2? We would like to change the service account being used by ADFS 3 without having to re-install it.

Thanks!

ADFS farm - single farm vs multiple farms


I was looking to configure a single ADFS farm with 3 servers located in different parts of the world allowing authentication to Office 365.  Our datacentre management tool (Akamai) will be used to direct users to the appropriate server based on Geolocation of IPs.

It's been suggested that instead of a single farm, I create 3 separate farms with a single server in each.  This means we wouldn't need NLB and there would be less replication traffic between datacentres.

Is this the best solution?  Any things I should be aware of?  Would the farm names all have to be different?
