Channel: Claims based access platform (CBA), code-named Geneva forum

RelayState Support in ADFS 3.0?

According to this: http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

The RelayState parameter was supported as of ADFS 2.0 Update 2 with an edit to web.config. There is no information on RelayState support with ADFS 3.0 in WS 2012 R2, so I assume that RelayState is supported without any additional configuration. Is this correct?

We are having trouble passing a RelayState URL created with the URL generator to a third party STS. We are trying to figure out if the issue is with ADFS passing the URL or on the 3rd party STS. Can someone confirm if there is any additional configuration required on ADFS 3.0 to pass RelayState (like it was in ADFS 2.0)? Or is this supported right out of the box?

thanks,

Dustin
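Added example, not part of Dustin's post: the RelayState value the URL generator produces is itself a query string, RPID=<relying party identifier>&RelayState=<target>, which is then encoded a second time as the value of the outer RelayState parameter. That double encoding is where hand-built or re-encoded URLs usually break, so the Python below builds the form, decodes it again so both sides of a failing hand-off can compare what they receive, and shows the check the relying party should apply before following the inner RelayState, since AD FS forwards it verbatim. fs.example.com, the RPID https://app.example.com/ (it must be the identifier configured on the trust, not the display name) and the target path are placeholders. Two caveats for the 2012 R2 question: AD FS on Windows Server 2012 R2 also ships with this off, and it is switched on with `<useRelayStateForIdpInitiatedSignOn enabled="true" />` inside the `<microsoft.identityServer.web>` section of %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config followed by a restart of the AD FS service (there is no web.config, because that version no longer runs on IIS); on Windows Server 2016 and later the same switch is Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true.

```python
"""Build and parse the RelayState form used by AD FS IdP-initiated sign-on.

Added example, not from the original post. The federation service host
fs.example.com, the relying party identifier https://app.example.com/ and
the target path are placeholders chosen for the example.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_INITIATED_PATH = "/adfs/ls/IdpInitiatedSignon.aspx"


def build_idp_initiated_url(fs_host: str, rpid: str, target: str) -> str:
    """IdP-initiated sign-on URL whose RelayState carries both the RPID and
    the inner RelayState handed to that relying party after sign-in."""
    # Inner query string: RPID=<rp identifier>&RelayState=<target>, each value
    # percent-encoded once by urlencode.
    inner = urlencode({"RPID": rpid, "RelayState": target})
    # The inner string becomes the single value of the outer RelayState
    # parameter, so its '=', '&' and '%' characters are encoded a second time.
    outer = urlencode({"RelayState": inner})
    return f"https://{fs_host}{IDP_INITIATED_PATH}?{outer}"


def parse_idp_initiated_url(url: str) -> dict:
    """Undo both layers of encoding; raises ValueError on a malformed query."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    inner = parse_qs(query["RelayState"][0], strict_parsing=True)
    return {"RPID": inner["RPID"][0], "RelayState": inner["RelayState"][0]}


def is_safe_redirect_target(target: str, app_host: str) -> bool:
    """Relying-party side: AD FS forwards the inner RelayState verbatim, so the
    application decides whether to follow it. Accept only a local path or an
    https URL on the application's own host; reject scheme-relative //host
    forms, foreign hosts and non-https schemes, because an unchecked RelayState
    is an open redirect."""
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme == "https" and parts.netloc.lower() == app_host.lower()


if __name__ == "__main__":
    url = build_idp_initiated_url("fs.example.com", "https://app.example.com/", "/secure/landing?x=1")
    print(url)
    print(parse_idp_initiated_url(url))
    print(is_safe_redirect_target("//evil.example/x", "app.example.com"))
```

If the third-party STS decodes the value only once it will see the still-encoded inner string, which is the symptom to look for in its logs when the hand-off fails.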


Windows Server 2012 R2 ADFS proxy error Enter your user ID in the format domain\user

We installed Web Application Proxy on Windows Server 2012 R2. We added a relying party, and authentication and claims are working fine. The only thing is that on the sign-in page the username needs to have the domain name prefix, which was not the case in the previous version of ADFS. Simply entering the username gives the error "Enter your user ID in the format domain\user".

View sourcing the rendered sign-in page shows JavaScript which is validating the syntax of the username field. My first thought was to modify that JavaScript but I could not find any JavaScript code in any of the .aspx or .aspx.cs pages including Master pages. So where is it hiding? Or is there a cmdlet to override *just* this behavior? We would rather not have users re-learn how to log in.

Setup ADFS For External Access

Hi all, I would like to setup ADFS for the following scenario below:

Internal intranet:

URL: https://intranet.acme.com

domain: ACME

ACME domain users: Acme\johndoe

External Vendor:

domain: ABC

ABC domain users: ABC\lucysmith

Goals: allow external vendor users in the ABC domain to access the internal intranet https://intranet.acme.com via SharePoint-ADFS

Questions:

1. Do I need to setup ADFS on both ACME & ABC domain or just one side? If it is one side, then which one - ACME or ABC?

2. When I set up the SharePoint web application for https://intranet.acme.com, will this URL be served for both internal and external users, or do I have to extend it as a different URL for external users?

         a. If https://intranet.acme.com is served for both internal and external vendor users, will internal users get the normal NT prompt for authentication, or will they be redirected to the ADFS login page just like external users?

         b. If we need to extend the web application for external vendor users, let's say https://abcexternal.acme.com, will we only need to configure ADFS for this extended web application, so that external vendor users get the ADFS redirect login while internal users get the NT prompt for authentication?

Thanks

Exchange 2010 OWA SSO between 2 separate forests

Hi,

I'm currently in the process of trying to configure OWA SSO between 2 different forests using ADFS 2 - guide at: http://allmsft.blogspot.co.uk/2012/02/owa-sp2-and-adfs.html

I'm running into some big issues, similar to the last posts on the thread. I don't have any ADFS or certificate errors in the event logs.

I repeatedly receive an error "Outlook Web App didn't initialize" with error 29 in the event log showing

The authentication type specified in the C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\web.config file is incorrect. The correct authentication type is "Windows".

The web.config above has the authentication type set to Windows. The actual web app I'm using is a new OWA site, with a separate web.config and the authentication type set to "None". It's almost as if the wrong web.config file is being read.

If anyone has an idea on how to resolve this I'd love to hear it.

On a separate note, am I going about this the right way?

I have 2 different AD forests org A and org B. I want to give org A users Exchange mailboxes in orgB and I want orgA users to be able access these mailboxes without additional authentication.

What's the best way to achieve this? Is it possible?

Thanks

 

IT Support/Everything

New ADFS Server installation

Hi All

I'm planning to install a new ADFS server in my environment for 3000 users to access a 3rd party application (the 3rd party company needs the ADFS XML file).

For this I'm planning to do a two-server installation: ADFS Proxy (in the DMZ) and ADFS Server.

For this requirement I'm not able to find a good guide to follow; all the guides use a lab environment.

Please point me to the best guide and best practices for doing this.

Hardware and software are all OK, and I can also get a 3rd party certificate.

I'm using an in-house Enterprise CA and AD.

Thanks

Srilal


ITS@JKH

ADFS 2.0- Invalid Name ID policy

Hi,

I am configuring SP-initiated SAML SSO with a third party vendor application. But my ADFS 2.0 server is not generating any response to the request received from the vendor server. I am getting event 364 (Microsoft.IdentityServer.Protocols.Saml.InvalidNameIdPolicyException). The following is the NameID policy from the vendor.

<saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" SPNameQualifier="Vendor SAML Identifier"/>

Can anyone help in setting up the appropriate Name ID policy on ADFS 2.0 at my end to resolve this issue ?

Thank you in advance.

Regards,

Jnana R dash

 

Using two User Stores for one relying party trust

Hi all,

We got a request to implement a trust with an external party. 
Internal users should be able to make use of that application. But also external users, who have their accounts stored in a different user store (the question has been asked whether it's a SQL or LDAP kind of store).

Is it possible to have an SSO effect for both internal and external users? 
Somehow ADFS has to know if the user is internal or external. I can imagine an internal user in the office will get a nice SSO feeling. From what I think this is not possible for external users. External users should still authenticate once on our STS (ADFS). Let's say this is true; is it possible for ADFS to see if a user is external, and then use the user store that belongs to that external user?
You also must bear in mind that an internal user could also be in an internet cafe, so SSO is not possible. Also in this case the user should authenticate to the STS. But this time it has to use Active Directory as the user store.

I know internal users have a username in a different format than external users. 
Is it possible for ADFS to know which user store to pick based on the format of the username?

Thanks in advance for the reaction.

AD FS Authentication

I have a ADFS 2.1 server live on the internet without a proxy and it has three Relying Party Trusts configured and mostly working. The goal is to provide simple authentication for 3rd party websites without prompting for login when inside and outside of our network. I realize putting the ADFS server live on the internet isn't best practices...  

This is working for all but domain joined Windows 8.1 and non-domain joined machines.  The 8.1 machines work fine when they are on the domain but when they aren't and they try to access https://fs.domain.com/adfs/ls/IdpInitiatedSignon.aspx using IE they instantly get "Internet Explorer cannot display the webpage". When they use Chrome or Firefox the sign in page works just fine. 

When I run Fiddler to attempt to see what's going on it simply shows

  • 200 Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. InnerException: System.Net.Sockets.SocketException (0x80004005)

I then installed an ADFS 3.0 server with the same configuration/certificates/etc with the goal of migrating to that server and hopefully resolving the issues. When using a HOSTS file to point my test clients at the new server the same problem happens, even when I point them at another server which has WAP installed and configured.

I'm a bit stumped at this point, how should I go about troubleshooting this issue? 



Active Directory Federation Services 3.0 won't open

I was directed here from the Server 2012 > Active Directory forums.  

I am having a problem with ADFS 3.0. I have configured it according to http://goodworkaround.com/node/53 so far, but am not able to log into the ADFS website. I just get "this page can't be displayed" when I try from a remote computer. The local firewall is disabled and there is no other firewall in the way. When I try the ADFS webpage locally on the server then the page pulls up, but then gives me "An error occurred. Contact your administrator for more information". The error details are:

Error details
  • Activity ID: 00000000-0000-0000-1900-00800c0000fe
  • Error time: Mon, 24 Feb 2014 21:26:28 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)


We are running Server 2012 R2 hence there is no IIS involved, so I'm not even sure where to start troubleshooting this. Our server name is zzzadfs1; our federation service name is fs.ad.zzz.edu. Our cert is a star cert set to *.ad.zzz.edu and has an intermediate cert as well. Our domain has no Server 2012 R2 DC's yet so we couldn't use a group managed service account; we just used a normal service account. Any help is appreciated. Thank you.


Über Random

Web Application Proxy with ADFS 2.0

I've currently got ADFS 2.0 installed on two Windows Server 2008 R2 machines and am looking to publish them through WAP. However, the documentation isn't clear on whether or not WAP on 2012 R2 can be used as a federation proxy for ADFS 2.0. Can someone shed some light on this?

Thanks!


G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin

Blog:gsamuelhays.blogspot.com

twitter:twitter.com/gsamuelhays

Retrieving SAML token from ADFS programmatically

Hi guys,

We have ADFS installed in our domain; one of our WCF services (within the domain) needs to make a call to ADFS to authenticate a user against AD.

I need to do this programmatically and not using a federation binding. I would appreciate it if someone could give me a code sample to make a call to ADFS and retrieve the SAML token.

Regards,

Nairooz Nilafdeen
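An added example, not the poster's WCF service and not an AD FS API: without a federation binding, the way to obtain a token is to send a WS-Trust 1.3 RequestSecurityToken to the service's /adfs/services/trust/13/usernamemixed endpoint (it must be enabled; Get-AdfsEndpoint lists it), with the credentials in a WS-Security UsernameToken header and the relying party in AppliesTo. The Python below builds that envelope, posts it, and pulls the issued assertion out of the RequestSecurityTokenResponse, treating a SOAP fault as an error; the .NET equivalent is a WSTrustChannelFactory. fs.example.com, svc@example.com, https://rp.example.com/ and the sample responses are constructed.

```python
"""Obtain a SAML token from AD FS over WS-Trust 1.3 (the usernamemixed
endpoint) without a WCF federation binding.

Added example in Python rather than the poster's C#; it is not AD FS's own
API and not the poster's service. fs.example.com, svc@example.com,
https://rp.example.com/ and the sample RSTR / fault below are constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "trust": WST,
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
TOKEN_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_rst(endpoint, username, password, applies_to, token_type=TOKEN_SAML2):
    """RequestSecurityToken/Issue with a WS-Security UsernameToken in the header.
    The password is clear text inside the SOAP header; that is only acceptable
    because the endpoint is TLS (the 'mixed' in usernamemixed)."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">{WST}/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">{escape(endpoint)}</a:To>
    <o:Security s:mustUnderstand="1"
        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken>
        <o:Username>{escape(username)}</o:Username>
        <o:Password>{escape(password)}</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="{WST}">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference><a:Address>{escape(applies_to)}</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>{WST}/Bearer</trust:KeyType>
      <trust:RequestType>{WST}/Issue</trust:RequestType>
      <trust:TokenType>{escape(token_type)}</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def extract_assertion(rstr_xml: str) -> ET.Element:
    """Return the issued assertion (SAML 2.0 or 1.1) from the RSTR; a SOAP
    fault (bad password, disabled endpoint, unknown AppliesTo) becomes an error."""
    root = ET.fromstring(rstr_xml)
    fault = root.find(".//s:Fault", NS)
    if fault is not None:
        raise RuntimeError("WS-Trust fault: " + " ".join("".join(fault.itertext()).split()))
    for tag in ("saml2:Assertion", "saml1:Assertion"):
        assertion = root.find(f".//trust:RequestedSecurityToken/{tag}", NS)
        if assertion is not None:
            return assertion
    raise ValueError("no SAML assertion in RequestedSecurityToken")


def request_token(fs_host, username, password, applies_to):
    """Live call (not exercised offline). urlopen verifies the server certificate
    by default; leave that on, this request carries a password."""
    endpoint = f"https://{fs_host}/adfs/services/trust/13/usernamemixed"
    body = build_rst(endpoint, username, password, applies_to).encode("utf-8")
    req = urllib.request.Request(endpoint, data=body,
                                 headers={"Content-Type": "application/soap+xml; charset=utf-8"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return extract_assertion(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # AD FS returns faults as HTTP 500 with a SOAP body
        return extract_assertion(err.read().decode("utf-8"))


# Constructed sample responses (shape of an AD FS RSTR, content invented).
SAMPLE_RSTR = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>
<trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestSecurityTokenResponse><trust:RequestedSecurityToken>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2014-03-01T12:00:00Z">
<saml:Issuer>http://fs.example.com/adfs/services/trust</saml:Issuer>
<saml:Subject><saml:NameID>svc@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2014-03-01T12:00:00Z" NotOnOrAfter="2014-03-01T13:00:00Z"/>
</saml:Assertion></trust:RequestedSecurityToken></trust:RequestSecurityTokenResponse>
</trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope>"""

SAMPLE_FAULT = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body><s:Fault>
<s:Reason><s:Text xml:lang="en">constructed fault: the security token could not be authenticated</s:Text></s:Reason>
</s:Fault></s:Body></s:Envelope>"""

if __name__ == "__main__":
    a = extract_assertion(SAMPLE_RSTR)
    print(a.get("ID"), a.find("saml2:Subject/saml2:NameID", NS).text)
```

What comes back is only XML: whoever consumes the assertion still has to verify its signature against the AD FS token-signing certificate and check the Conditions window. Note also that this design leaves the WCF service holding the user's clear-text password; if the caller has already authenticated, a WS-Trust ActAs request carrying the caller's token is the cleaner pattern.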

 

Migrating from WID to SQL2012 error when setting the ArtifactDbConnection

We're deploying an ADFS 2.0 farm on 2008 R2 servers utilizing mirrored SQL 2012 databases and getting an error when attempting to 'migrate' the ADFSArtifactStore database to SQL. Being unable to run the ADFS 2.0 FSConfig scripts to initially configure it for SQL instead of WID (due to an apparent compatibility issue), we had to resort to using the ADFS configuration wizard and then migrating the local WID databases to SQL. I'm following the steps from the "AD FS 2.0: Migrate Your AD FS Configuration Database to SQL Server" TechNet article and cannot get beyond Step 3, task 7:

7.       Change the artifact connection string to point to the new SQL Server-based artifact data location. Open a Windows PowerShell command-line, type the following command-line syntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below, type in the appropriate SQL Server and SQL Server instance name where you are migrating the artifact data to. For example, contososrv01\adfs-artifact.

Add-pssnapin microsoft.adfs.powershell

Set-adfsproperties -artifactdbconnection "data source=<SQLServer\SQLInstance>; initial catalog=adfsartifactstore;integrated security=true"

My syntax (using the default SQL instance):

Set-adfsproperties -ArtifactDbConnection "Data Source=sql1;Failover Partner=sql2;Initial Catalog=AdfsArtifactStore;Integrated Security=True"

Resulting error:

Set-ADFSProperties : Exception of type 'Microsoft.IdentityServer.PolicyModel.Client.StorageOperationException' was thrown.
At line:1 char:19
+ Set-adfsproperties <<<<  -ArtifactDbConnection "Data Source=sql1;Failover Partner=sql2;Initial Catalog=AdfsArtifactStore;Integrated Security=True"
    + CategoryInfo          : InvalidData: (:) [Set-ADFSProperties], StorageOperationException
    + FullyQualifiedErrorId : Exception of type 'Microsoft.IdentityServer.PolicyModel.Client.StorageOperationException' was thrown.,Microsoft.IdentityServer.PowerShell.Commands.SetServicePropertiesCommand

Everything up to this point has been successful, the databases have been migrated/updated and mirrored. The ADFS service starts fine with the migrated ADFSConfiguration SQL 2012 database. I have tried entering this CMDlet six ways from Sunday (including using FQDNs) and nothing works. I have also deleted the databases and started the migration from scratch with the exact same results. What am I missing?

Is ADFS 2.0 actually compatible with SQL 2012/is this configuration supported by Microsoft?

Once I cross this hurdle, I plan to go back to FSConfig to add the other ADFS servers to the farm.

Thanks,

Dave

***UPDATE***

SQL 2012 is not supported for use with ADFS 2.0 per Microsoft support. I don't believe this is actually documented anywhere, but finally, a support rep declared that SQL 2012 is not supported for use with the ADFS Artifact database, in particular.

ADFS 2.0 + SQL 2012

Hello All,

First off can I thank you for taking the time to read this forum post. It should be a quick question to answer.

Does anyone know if SQL 2012 is a supported SQL server for ADFS 2.0?

Regards

Stephen


Stephen Davies

MSIS7001: The passive protocol context was not found or not valid.

I am trying to federate one ADFS server with another ADFS server so that the Identity can be provided with the second ADFS instance. So Relying Party Application  --> RP ADFS 1 --> ID ADFS

  1. I have the RP Application set up with a relying party trust in RP ADFS
  2. I have the ID ADFS set up with a Claims Provider trust in the RP ADFS
  3. I have the RP ADFS set up with a Relying Party Trust in the ID ADFS

When I attempt to go to my relying party I am bounced to the ID ADFS logon page, I can log on, and I am bounced back to the RP ADFS where I receive the error.

MSIS7001: The passive protocol context was not found or not valid.

Encountered error during federation passive request.

Additional Data

Exception details:

Microsoft.IdentityServer.Web.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

   at Microsoft.IdentityServer.Web.EncodedContext..ctor(String encodedValue, Boolean samlEnabled, Boolean wsFederationEnabled)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.ParseRelyingPartyInfoFromWCtx(String wctx, Boolean deleteCookie, String& contextId)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetOriginalRequest(FederationPassiveContext federationPassiveContext, Boolean deleteCookie, String& requestId)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetOriginalRequest(Boolean deleteCookie, String& requestId)

I have seen the question: http://social.msdn.microsoft.com/Forums/vstudio/en-US/33518bc7-fffc-48de-a89a-d234ee598cb1/msis7001-the-passive-protocol-context-was-not-found-or-not-valid?forum=Geneva and I have ensured that the answer has been followed.

I have also seen the question: http://social.msdn.microsoft.com/Forums/vstudio/en-US/47fbd023-7983-412c-82af-2d2de47e3ba8/msis7001-passive-protocol-context-error?forum=Geneva. It's not clear what solution this one proposes.


Thanks Noel

MSIS7001: Passive protocol context error

I'm trying to do a lab exercise to federate authentication between two domains.

The domain hosting the application is yjb.gov.uk:
- yjb-DC (10.0.0.1) is DC with ADDS and ADCS.  It also hosts ADFS on sts1.yjb.gov.uk (10.0.0.20)
- app.yjb.gov.uk (10.0.0.2) hosts the quickstart WFE claims-aware application
- yjb1 is a client

The domain hosting the claims provider is hmp.gov.uk
- hmp-DC (10.0.0.101) is DC with ADDS and ADCS.  It also hosts ADFS on sts2.hmp.gov.uk (10.0.0.120)
- hmp1 is a client

I've done: setspn -a host/sts1.yjb.gov.uk adfssrvc and similar for sts2.hmp.gov.uk
adfssrvc is set up as a domain user in each domain each with Administrator and Domain Admin membership.
The ADFS service is running with adfssrvc as the Logon user on both STSs.
All server certificates are domain certs generated by the respective ADCS.
On yjb-DC IIS uses a wildcard domain cert to cover *.yjb.gov.uk.
On hmp-DC IIS uses a domain cert covering just sts2.hmp.gov.uk.
I've swapped CA root certs between the two DCs and installed them using the Group Policy Editor so they deploy to clients.

On yjb1 I browse to https://app.yjb.gov.uk/WFE. I get prompted by sts1 to authenticate and I get a list of Claim Types and Claim Values from WFE

On hmp1 I browse to https://app.yjb.gov.uk/WFE. I get prompted first to choose my organization. I choose HMP.  I get prompted by sts2 to authenticate. I enter a valid HMP domain user but get the following error message:

An error occurred during processing of the request.

MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

This error is displayed in the browser and appears in the AD FS 2.0 Eventing log for sts1.
I get nothing in the Eventing log for sts2.

I'm stumped...

I've added all referenced websites to the Local Intranet zone for hmp1 and dropped security to permit all cookies.

I've tried with a newly created HMP domain user account to eliminate possibility of cached tokens.

Any suggestions would be gratefully received!

regards
jks


ADFS multiple farms - how many certificates

I have an existing ADFS setup - 1 x ADFS server in a farm using a 3rd party certificate for adfs@mydomain.com

I'm considering creating two additional farms in other sites, each with a single ADFS server (with Web Application Proxy in all sites). 

The new farms will presumably have to have a different name when I run the install wizard - how does this affect the certificate?  Do I need to add the new farm names to the certificate or can I use the same adfs@mydomain.com certificate on all the farms?

Thanks in advance!

Google SSO and Name ID Format

We are currently running ADFS on Windows Server 2012 version 6.2 build 9200 and attempting to configure SSO to our Google Apps for Education domain.

I am currently stuck on a Google error, "This account cannot be accessed because the login credentials could not be verified", which is described by Google here: https://support.google.com/a/answer/2463723?hl=en .

Specifically, the requirement is given that:

  • If you are using a full email address in your NameID element (you must be if you are using SSO with a multidomain Apps environment), ensure that the Format attribute of the NameID element specifies that a full email address is to be used, as in the following example: Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"

In a SAML trace, I show that I am not outputting the NameID in this format, but instead output the following:

<Subject>
  <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user.name@mydomain.net</NameID>
  <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <SubjectConfirmationData InResponseTo="kcdpcdbfpbccffniihhalfchnidmifhpbhjnchkp"
                             NotOnOrAfter="2014-02-26T19:56:29.445Z"
                             Recipient="https://www.google.com/a/mydomain.net/acs" />
  </SubjectConfirmation>
</Subject>

I assume this is the reason for the error I am receiving and I have deleted and recreated the RP to be certain that I did not select SAML 1.0/1.1 anywhere during the setup. I definitely chose SAML 2.0.

Interestingly, I encountered a comment in the following blog discussing ADFS / Google SSO that describes the exact issue I'm encountering. It is the comment by a poster named Lucas LaCroix about 1/3 of the way down the comments, http://www.huggill.com/2012/01/12/setting-up-google-apps-single-sign-on-sso-with-adfs-2-0-and-a-custom-sts-such-as-identityserver/ .

In the blog the poster mentioned "modifying the transform rule" to resolve this issue, but I have been unable to determine how to do this.

I feel I am very close to completing this configuration and this might be the final step. Can anyone advise me how to troubleshoot this, or how to "modify the transform rule"?
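The two SAML threads above (the vendor's persistent NameIDPolicy rejected with InvalidNameIdPolicyException, and the Google trust issuing the SAML 1.1 emailAddress format) are the same problem seen from both ends: what the SP asks for in <NameIDPolicy> versus what the issuance rule on the relying party trust puts into <NameID>. A common trigger for the vendor's case is an SPNameQualifier that is not the identifier the relying party trust was registered with; the "transform rule" in the Google case is a custom issuance transform rule that carries the NameID Format property. The Python below is an added example, not AD FS code and not from either post: it checks an AuthnRequest's policy against the trust identifier, reports the Format an issued Response actually carries, and prints the claim-rule text with the Format property set, which is pasted into "Send Claims Using a Custom Rule" on the trust or applied with Set-AdfsRelyingPartyTrust -IssuanceTransformRules. The XML samples (the NameIDPolicy copies the vendor's attributes, the Response mirrors the Google trace) and https://vendor.example/saml/metadata are constructed.

```python
"""NameID format checks for an SP's request and an IdP's response, plus the
AD FS claim rule that sets an explicit NameID Format.

Added example, not from either post and not AD FS code. The AuthnRequest and
Response below are constructed; https://vendor.example/saml/metadata is a
placeholder relying party identifier.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
KNOWN_FORMATS = {PERSISTENT, TRANSIENT, EMAIL, UNSPECIFIED}
NAMEID_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
FORMAT_PROPERTY = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"

SAMPLE_AUTHN_REQUEST = (  # constructed; NameIDPolicy attributes as in the vendor post
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_req1" Version="2.0" IssueInstant="2014-03-01T10:00:00Z">'
    '<samlp:NameIDPolicy AllowCreate="true" '
    'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" '
    'SPNameQualifier="Vendor SAML Identifier"/>'
    "</samlp:AuthnRequest>"
)

SAMPLE_RESPONSE = (  # constructed; Subject as in the Google trace
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0" '
    'IssueInstant="2014-02-26T19:51:29Z">'
    '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-02-26T19:51:29Z">'
    "<saml:Issuer>http://fs.example.com/adfs/services/trust</saml:Issuer>"
    '<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
    "user.name@mydomain.net</saml:NameID></saml:Subject>"
    "</saml:Assertion></samlp:Response>"
)


def check_nameid_policy(authn_request_xml: str, rp_identifier: str) -> list:
    """Problems an IdP would raise for the <NameIDPolicy> of an SP-initiated
    AuthnRequest: an unknown Format, or an SPNameQualifier that is not the
    identifier the relying party trust was registered with."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    problems = []
    if policy is None:
        return problems
    fmt = policy.get("Format")
    if fmt is not None and fmt not in KNOWN_FORMATS:
        problems.append(f"unknown NameID Format {fmt}")
    spnq = policy.get("SPNameQualifier")
    if spnq is not None and spnq != rp_identifier:
        problems.append(f"SPNameQualifier {spnq!r} does not match relying party identifier {rp_identifier!r}")
    return problems


def assertion_nameid_format(response_xml: str) -> tuple:
    """(Format, value) of the NameID actually issued; a missing Format means unspecified."""
    root = ET.fromstring(response_xml)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("no NameID in Subject")
    return nameid.get("Format", UNSPECIFIED), (nameid.text or "").strip()


def nameid_claim_rule(source_claim_type: str, fmt: str) -> str:
    """AD FS claim-rule language: re-issue an incoming claim as the NameID claim
    carrying the given Format property (a custom issuance transform rule)."""
    return (
        f'c:[Type == "{source_claim_type}"]\n'
        f' => issue(Type = "{NAMEID_CLAIM}", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,'
        f' Value = c.Value, ValueType = c.ValueType, Properties["{FORMAT_PROPERTY}"] = "{fmt}");'
    )


if __name__ == "__main__":
    print(check_nameid_policy(SAMPLE_AUTHN_REQUEST, "https://vendor.example/saml/metadata"))
    print(assertion_nameid_format(SAMPLE_RESPONSE))
    # Email-format NameID from an e-mail address claim (Google-style trust).
    print(nameid_claim_rule("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", EMAIL))
    # Persistent NameID: feed it a stable, opaque claim (e.g. objectGUID issued
    # as a claim), never a reusable account name.
    print(nameid_claim_rule("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier", PERSISTENT))
```

Which URI goes into Format is whatever the SP documents for its side. For a persistent NameID, keep the value behind it opaque and stable: reusing a display name or sAMAccountName lets a recycled account inherit the previous user's identity at the SP.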

Logout the right way, Window Identity Foundation

I'm new to WIF and have some questions to the logout process.

This is what I have:

  • A local STS provider, based on the sample from Steve's Dev Box.
  • A MVC5 client, selected new ASP.Net Web Application, MVC, authentication set to Organizational Accounts, On-Premises.
  • The client is then changed to allow anonymous connections, AuthenticationMode set to Forms, added a login page and the AuthorizeAttribute to some methods in HomeController. And it all works nicely.

To the question - how to logout the right way ?

If I simply call:

            FederatedAuthentication.WSFederationAuthenticationModule.SignOut(true);
            return Redirect(Url.RouteUrl(new { controller = "home", action = "index" }));

-the client seems to have been logged out (Thread.CurrentPrincipal.Identity.IsAuthenticated is false), but the STS service doesn't know about it (the service is not called). I guess the token is still valid since the service hasn't deleted it. So, how should I log out?

Thank you in advance.

/Peter
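Added example, not WIF's implementation and not the poster's sample: SignOut(true) only clears the local session cookie; the STS is never told, so its own session (and the sessions of any other RP it signed the user into) stays alive until it expires. Passive WS-Federation sign-out is a redirect to the STS with wa=wsignout1.0 and an optional wreply, which is what WIF's static WSFederationAuthenticationModule.FederatedSignOut(signOutUrl, replyUrl) sends after clearing the local session. The Python below shows both halves: the redirect the RP builds, and the wreply validation a custom STS like the poster's must do before bouncing the browser back, because an unchecked wreply turns the STS into an open redirector. https://sts.example.com/ and the relying-party table are constructed.

```python
"""WS-Federation passive sign-out, both halves: the relying party builds the
wsignout1.0 redirect to the STS, and the STS checks wreply before sending the
browser back.

Added example, not WIF code and not the poster's MVC sample or STS.
https://sts.example.com/ and the relying-party table are constructed.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# STS side: relying parties and the reply URL prefixes each one registered.
RP_REPLY_URLS = {
    "https://app.example.com/": ["https://app.example.com/"],
    "https://portal.example.com/": ["https://portal.example.com/signed-out"],
}


def build_signout_redirect(issuer: str, wreply: Optional[str] = None) -> str:
    """Where the RP sends the browser after clearing its own session cookie."""
    params = {"wa": "wsignout1.0"}
    if wreply:
        params["wreply"] = wreply
    sep = "&" if urlsplit(issuer).query else "?"
    return f"{issuer}{sep}{urlencode(params)}"


def validate_signout_request(url: str, registry=RP_REPLY_URLS) -> Optional[str]:
    """STS side: the wreply to redirect to after tearing down the STS session,
    or None to show a neutral signed-out page. Only https URLs on a registered
    host and under a registered path are honoured, so a forged sign-out link
    cannot use the STS as an open redirector."""
    query = parse_qs(urlsplit(url).query)
    if query.get("wa") != ["wsignout1.0"]:
        raise ValueError("not a WS-Federation sign-out request")
    wreply = query.get("wreply", [None])[0]
    if wreply is None:
        return None
    target = urlsplit(wreply)
    if target.scheme != "https":
        return None
    for prefixes in registry.values():
        for allowed in prefixes:
            a = urlsplit(allowed)
            # Compare the full netloc, not just hostname, so user@host tricks fail.
            if target.netloc.lower() == a.netloc.lower() and target.path.startswith(a.path):
                return wreply
    return None


if __name__ == "__main__":
    url = build_signout_redirect("https://sts.example.com/", "https://app.example.com/signout")
    print(url)
    print(validate_signout_request(url))
    print(validate_signout_request(build_signout_redirect("https://sts.example.com/", "https://evil.example/")))
```

A full clean-up on the STS also means notifying the other RPs the session signed into (WIF does this by rendering a sign-out page that loads each RP's wsignoutcleanup1.0 URL), which is why the STS keeps a list of RPs per session rather than relying on cookies alone.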


What's the official name of the new version of AD FS in Windows Server 2012 R2?

AD FS 2.2, AD FS R2 or AD FS 3.0. Which is it? Does anyone actually know?

http://twitter.com/tristanwatkins http://tristanwatkins.com
