I am in the process of implementing AD FS 2012 R2. The problem I'm running into is implementing federated sign-out and redirecting back to the original relying party after the sign-out is completed. Here is the code I am using:

WSFederationAuthenticationModule fedAuthenticationModule = System.IdentityModel.Services.FederatedAuthentication.WSFederationAuthenticationModule;
fedAuthenticationModule.SignOut(false);

SignOutRequestMessage signOutRequestMessage = new SignOutRequestMessage(new Uri(fedAuthenticationModule.Issuer), @"https://app.domain.com/applicationname/");

Response.Redirect(signOutRequestMessage.WriteQueryString());

"https://app.domain.com/applicationname/" is the same uri specified as the WS-Fed Endpoint.

I used Fiddler and it looks like the Signout page is using an IFrame to sign-out the relying parties. However, AD FS is not redirecting back the relying party.

Does this scenario work? If so, what am I missing?

Mark Remkiewicz

I have a Windows Server 2012 R2 server with ADFS 3.0 in my environment.

My Question is if there is a chance to use Firefox or Chrome with the Integrated Windows Authentification? At the moment these browers always use the Form based authentification.

With Internet Explorer all works fine.

I have already set the property "ExtendedProtectionTokenCheck" to NONE on the ADFS-server but this doesn't solved the problem.

Hi

I tried to build the OAuth sample based on URL http://msdn.microsoft.com/en-us/library/dn633593.aspx.

The sample works just fine. I can see Authentication, and Bear token flying around ADFS and ToDoListService when I clicked ADD/GET button on WPF client .... Cool.

I then tried to access ToDoListService using browser REST client ..... What surprised me is that the access is successful. I checked HTTP transactions, and I don't see anything related token, NTLM inside.

What I missed?  Shouldn't I see credential challenge? and then access failure?

Regards

Yanchou Han

I have an application that does active authentication against ADFS using the windowstransport endpoint. This code has and is working perfectly for 90% of our deployments. We have one domain however that it is only working from certain locations. Also note that this was working perfectly up until yesterday afternoon.

The domain being authenticated against is iso.paretoplatform.com
The domain which fails authentication is paretoplatform.com (root domain, separate forest/domain completely)

This code works perfectly fine from my development environment, and 2 other production domains we have against the iso domain. This only seems to fail on iso itself and from the root domain.

My code and the exception are as follows.

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	public static class SAMLToken
	{
		public static string GetSAMLToken(string rpurl, string username, string password, string domain, string adfsServer)
		{
			var baseUri = new Uri(rpurl);
			var baseURL = baseUri.GetComponents(UriComponents.SchemeAndServer, UriFormat.Unescaped);
			baseURL = baseURL.EndsWith("/") ? baseURL : baseURL + "/";

			var stsServer = adfsServer.EndsWith("/") ? adfsServer : adfsServer + "/";
			var stsUrl = stsServer + "adfs/services/trust/13/windowstransport";

			//get token from STS

			return GetResponse(stsUrl, baseURL, username, password, domain);
		}

		private static string GetResponse(string stsUrl, string baseUrl, string username, string password, string domain)
		{
			var rst = new RequestSecurityToken
			{
				RequestType = WSTrust13Constants.RequestTypes.Issue,
				AppliesTo = new EndpointAddress(baseUrl),
				KeyType = WSTrust13Constants.KeyTypes.Bearer
			};


			//bearer token, no encryption
			var trustSerializer = new WSTrust13RequestSerializer();
			var binding = new WSHttpBinding
			{
				Security =
				{
					Mode = SecurityMode.Transport,
					Message =
					{
						ClientCredentialType = MessageCredentialType.None,
						EstablishSecurityContext = false
					}
				}
			};

			binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;
			var address = new EndpointAddress(stsUrl);
			var trustClient = new WSTrust13ContractClient(binding, address);

#pragma warning disable 618
            trustClient.ClientCredentials.Windows.AllowNtlm = true;
#pragma warning restore 618
			trustClient.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
			trustClient.ClientCredentials.Windows.ClientCredential = new NetworkCredential(username, password, domain);
			var response = trustClient.EndIssue(trustClient.BeginIssue(Message.CreateMessage(MessageVersion.Default, WSTrust13Constants.Actions.Issue, new RequestBodyWriter(trustSerializer, rst)), null, null));
			trustClient.Close();

			var reader = response.GetReaderAtBodyContents();
			response.Close();
			return reader.ReadOuterXml();
		}

	}
}

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	[ServiceContract]
	public interface IWSTrust13Contract
	{
		[OperationContract(ProtectionLevel = ProtectionLevel.EncryptAndSign, Action = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue", ReplyAction = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal", AsyncPattern = true)]
		IAsyncResult BeginIssue(Message request, AsyncCallback callback, object state);
		Message EndIssue(IAsyncResult asyncResult);
	}

	public partial class WSTrust13ContractClient : ClientBase<IWSTrust13Contract>, IWSTrust13Contract
	{
		public WSTrust13ContractClient(Binding binding, EndpointAddress remoteAddress)
			: base(binding, remoteAddress)
		{
		}

		public IAsyncResult BeginIssue(Message request, AsyncCallback callback, object state)
		{
			return base.Channel.BeginIssue(request, callback, state);
		}

		public Message EndIssue(IAsyncResult asyncResult)
		{
			return base.Channel.EndIssue(asyncResult);
		}
	}
}

namespace Pareto.Crm2011.Shared.Authentication.ADFS
{
	public class RequestBodyWriter : BodyWriter
	{
		readonly WSTrustRequestSerializer _serializer;
		readonly RequestSecurityToken _rst;

		/// <summary>
		/// Constructs the Body Writer.
		/// </summary>
		/// <param name="serializer">Serializer to use for serializing the rst.</param>
		/// <param name="rst">The RequestSecurityToken object to be serialized to the outgoing Message.</param>
		public RequestBodyWriter(WSTrustRequestSerializer serializer, RequestSecurityToken rst)
			: base(false)
		{
			if (serializer == null)
				throw new ArgumentNullException("serializer");

			_serializer = serializer;
			_rst = rst;
		}


		/// <summary>
		/// Override of the base class method. Serializes the rst to the outgoing stream.
		/// </summary>
		/// <param name="writer">Writer to which the rst should be written.</param>
		protected override void OnWriteBodyContents(XmlDictionaryWriter writer)
		{
			_serializer.WriteXml(_rst, writer, new WSTrustSerializationContext());
		}
	}
}

And my testing app which makes the call that fails

namespace ADFS_Transport_Tester
{
	class Program
	{
		static void Main(string[] args)
		{
			try
			{
				Console.WriteLine("Login Check: " + SAMLToken.GetSAMLToken("https://logincheck.iso.paretoplatform.com", <USER>, <ITS A PASSWORD!>, "iso.paretoplatform.com", "https://adfs.iso.paretoplatform.com"));
				Console.ReadKey();
			}
			catch (Exception ex)
			{
				Console.WriteLine(ex);
			}
		}
	}
}

And the exception

[Win32Exception (0x80004005): The target principal name is incorrect]
   System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) +7833059
   System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) +91
   System.Net.NegotiateClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) +7950568
   System.Net.NegotiateClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) +18
   System.Net.AuthenticationManager.Authenticate(String challenge, WebRequest request, ICredentials credentials) +149
   System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) +7949942
   System.Net.HttpWebRequest.CheckResubmitForAuth() +7953110
   System.Net.HttpWebRequest.CheckResubmit(Exception& e) +126

[WebException: The remote server returned an error: (401) Unauthorized.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +3236153
   System.ServiceModel.Channels.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result) +216

[MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oXQwcqADCgEBomsEaWBnBgkqhkiG9xIBAgIDAH5YMFagAwIBBaEDAgEepBEYDzIwMTMwNTAzMTcxMzQ3WqUFAgMG2vSmAwIBKakYGxZJU08uUEFSRVRPUExBVEZPUk0uQ09NqhEwD6ADAgEBoQgwBhsEZGMxJA=='.]
   System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +4729427
   System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +1725
   Pareto.Crm2011.Shared.Authentication.ADFS.IWSTrust13Contract.EndIssue(IAsyncResult asyncResult) +0
   Pareto.Crm2011.Shared.Authentication.ADFS.WSTrust13ContractClient.EndIssue(IAsyncResult asyncResult) +102
   Pareto.Crm2011.Shared.Authentication.ADFS.SAMLToken.GetResponse(String stsUrl, String baseUrl, String username, String password, String domain) +1488
   Pareto.Crm2011.Shared.Authentication.ADFS.SAMLToken.GetSAMLToken(String rpurl, String username, String password, String domain, String adfsServer) +482

I have seen and dealt with the negotiate exception before (typically due to spn issues) but I've determined the spns are correct. I have never seen the exception accompanied by the "The target principal name is incorrect"

Thank you in advance for your help. If you think you may be able to help with any of my unanswered threads please look at them here

Assuming passive / ws-federation use case, can ADFS service domain and subdomain signin requests?  For example, we have bar.com and foo.bar.com domains each with their own web servers (relying parties).  Would like to be able to set up trust between ADFS and the web servers in foo.bar.com and bar.com.  Can ADFS do this?

I have had a ton of issues with the System.Security.Cryptography.CryptographicException: Key not valid for use in specified state. error. This seems to only occur now when IIS is reset and I try to resume my browsing session. So I am logged into the application, I reset IIS on the server, refresh the page and see the error.

I am building an application in .NET 4.0 MVC with a Secure Token Service that is using WIF 4.0. Everything works as expected, except this case. I even tried to use a custom error page, but the error is happening there as well. Because of that, I can't get the custom page to show either. One thing I noticed is that if I switch my IIS APP Pool user back to Network Service account it doesn't throw the error any more. We have some restrictions (mostly network related) in the application that we need to use an account in our AD for the app pool sections

Anybody have any experience with this issue?

Cross posted from: http://social.technet.microsoft.com/Forums/windowsserver/en-US/f15dff1d-4409-4c35-9e23-b0220f97197e/adfs-30-customize-claims-provider-trust-logo?forum=winserverDS

I have 2 Claims providers setup in ADFS 3.0 (Windows Server 2012 R2) 

On the Home Realm Discovery Page I would like to customize the logo next to each Identity Provider.

Is there a PowerShell command to do this? How does one do this?

Thanks;

Jonathan

To clarify:

Assume that a person has two trusted identity providers setup (so more than just Active Directory to authenticate against; for example Facebook/Google/Twitter/ a partners' Active Directory/ etc / etc.)

The user is then presented with the (in ADFS 2.0 terminology - maybe this has changed on me) Home Realm Discovery Page. Where the user has to select "Active Directory" or "Facbook" or "Google" (for example, we're not actually using Google or Facebook but you get the idea). So which Identity Provider they wish to Authenticate against.

There is a ugly as hell "icon" on the left hand side next to each identity provider - the icon that comes out of the box.

I did not see a PowerShell command to customize it. Nor did I see a way with jQuery since the <img> element in the raw HTML that ADFS 3.0 spits out does not assign the <IMG> tag an ID. (I'm not a jQuery guru so if someone else has an idea on how to navigate the DOM of the HTML to get there I'm all ears...)

I would rather have the "Facbook" or "Google" Logos next to their respective providers than ye old ugly as hell out of the box icon... :)

Hi there,

we are hosting Microsoft Dynamics CRM 2013 for us and a few other companies. The authentication was realized via ADFS, which was working very well since now.

As suggested we used a Self-Signed Cert for Token-decrypting and Token-signing. For service communications we were using our Wildcard-Certificate *.company.biz. Since Yesterday (Thursday) this Cert is outdated, so we replaced it on Wednesday with our new WC-Cert. I got no errors at this point, so it looked very well. But when I came to work this morning and tried to test our services, I became an CertDate-Expiration-Warning when I tried to access our CRM. This Error came when I got redirected to our ADFS-Server.

Since there is no more IIS with ADFS 3.0 I've got no idea, where I have to apply the new Certificate for the Login-Page. I already googled and binged how I have to do this, but it seems like nobody beside us has got this error.

Can you help me please?

Thank you so much,
Carsten

Carsten Brenner IT-Engineer at cloud4you GmbH (Germany)

Currently have a 2012 R2 Proxy Server and a 2012 R2 ADFS AD Server.  Everything works fine if I attempt to access ADFS locally on the Proxy server via the fully qualified domain name of the ADFS website however when I try to access things externally - via hitting the proxy - I will receive a "503 Service Unavailable" error.  Any thoughts?

Thanks!

Has anyone gotten Chrome for Windows / ADFS 2012 to inter-operate for Single Sign-on?  Are there special steps required for ADFS config and Chrome config?  I remeber that in IE you must add the ADFS url to the client's trusted sites list.

ADFS3 rollout has been pretty disastrous so far - lots of errors which neither ourselves nor Microsoft can resolve.

Hoping someone can help on the latest issue though:

When we try to edit documents in Office365 using "Edit in Powerpoint") we get an additional login screen(s) which we can't get past.  Editing in e.g. PowerpointOnline works fine though.  Same for Word, Excel etc.

Pop-up errors are:

"Call us overprotective but we need to verify your account again before opening the document"

When trying to login, we get

"We are unable to connect right now.  Please check your network and try again later."

or sometimes something along the lines of "your account is already signed in to this document"

Tried testing with different windows profiles, running klist purge, rebuilding the farm - unable to determine what is causing it though.

This issue only occurs on ADFS3.  When we rollback to ADFS2.1, this error goes away after waiting 30-60 minutes (I'm really curious about what is changing in this time frame).

Most users are affected, but some are fine.  Sometimes the issue goes away for a user for no apparent reason.  Microsoft already confirmed the setup of ADFS seems to be fine.

Anyone else had this?  We had this issue previously and it turned out to be certificates, but the certificate seems to be fine and is the same one as we use on the old ADFS farm.

Hi,

I am setting up ADFS 2.0 as identity provider and service provider. Does anyone know where I can disable http post and redirect binding as identity provider and enable artifact binding?

Thanks in advance!

Servers

ADFSSERVER
- Windows Server 2008 R2 Standard x64
- ADFS 2 RC

WEBSERVER
- Windows Server 2008 Standard x64
- Windows Identity Foundation
- Trusted for delegation
- Correct SPN configuration
- Delegates fine within ASP.Net (historically and currently)
- Claims to Windows Token Server (started and set to automatic)
- c2wtshost.exe.config: <add value="NT AUTHORITY\Network Service" />
- Local Security Policy: User Rights Assignment: Impersonate a client after auth: NETWORK SERVICE (among others)

Web Application

ClaimsBasedApplication
- Configured as a relying party in ADFS
- Recieves and presents all claims per the claim rules in ADFS (working great)
- App Pool: Integrated, 32bit=false, NetworkService
- Anonymous Auth: App pool identity
- SSL using domain cert (trusted on client but no chain verification)

Code

PublicFunction GetImpersonationText(ByVal claimsIdentity As IClaimsIdentity) AsStringDim builder AsNew StringBuilderDim result As ServiceReferences.ImpersonationTestProxy.SingleObjectResponseOfImpersonationResultBXe52vhv
Dim upn = GetClaim(claimsIdentity, System.IdentityModel.Claims.ClaimTypes.Upn)'Errors here !!!!!!!!!!!!!!!!!!!!!Using ctx = Microsoft.IdentityModel.WindowsTokenService.S4UClient.UpnLogon(upn).Impersonate()
            result = (New ServiceGateways.ImpersonationTestGateway).TestImpersonation()EndUsing

        builder.Append(GetHeaderText("IMPERSONATION RESULT"))
        builder.Append(GetObjectPropertiesText(result.TransferObject))
        builder.Append("<hr>")
        builder.Append(GetHeaderText("CALL INFORMATION"))
        builder.Append(GetObjectPropertiesText(result.CallInformation))Dim text = builder.ToStringReturn textEndFunction

 Error

[Win32Exception (0x80004005): No credentials are available in the security package]
   System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10259418
   System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
   WebApplication1.ServiceReferences.ImpersonationTestProxy.IImpersonationTestService.TestImpersonation() +0
   WebApplication1.ServiceGateways.ImpersonationTestGateway.TestImpersonation() in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\ImpersonationTestGateway.vb:21
   WebApplication1.ObjectDisplayUtility.GetImpersonationText(IClaimsIdentity claimsIdentity) in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\ObjectDisplayUtility.vb:14
   WebApplication1._Default.Page_Load(Object sender, EventArgs e) in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\Default.aspx.vb:11
   System.Web.UI.Control.OnLoad(EventArgs e) +132
   System.Web.UI.Control.LoadRecursive() +66
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428

I am working with a client to establish SAML 2.0 authentication, and specifically pass objectGUID in the SAML assertion for use due to its uniqueness and immutability. However, for some unknown reason, the attribute is not being passed. These claim rules have worked successfully for ADFS 2.0 on Server 2008 R2.

Details: 

AD FS 3.0 running on Server 2012 R2.

We are using the following rules to 1) GET the attributes from AD, and 2) Transform it to the urn:oasis:names:tc:SAML:2.0:attrname-format:uri nameFormat:

c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("urn:oid:0.9.2342.19200300.100.1.1"), query = “;objectGUID;{0}”, param = c.Value);

Any thoughts or suggestions are appreciated - thank you.

I was referred here by someone from the Windows Directory Services forum.  Please advise if I'm posting in the wrong place.

AD FS 3.0 (part of Windows Server 2012 R2) is installed in preparation for deploying an Office 365 hybrid configuration.

The default install of AD FS fails when users authenticate via the pop-up dialog when connecting from the intranet using Windows Authentication. The /adfs/ls/idpInitiatedSignon.aspx URL pops up an authentication dialog, completion of which results in a 400 Bad Request error.  This occurs even when connecting using IE on the server itself. After changing AD FS to use forms authentication for intranet connections, the forms logon screen appears and upon filling in the ID and password, the logon is succesful.

Where do I start diagnosing this?  I have been through the few articles on the Internet about the 400 Bad Request errors but none seem relevant.

Thanks in advance.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

Hi,

New in ADFS configuration. I was trying to build a demo on workplace join of w8.1 client VMs to ADFS firm.

1) I have created a new ADFS with a domain name MytestlabADFS.Mytestlab01.onMicrosoft.com

2) My DNS is configured with 3 forward looking zone, as following, please find the screen short:

mytestlabADC1.Mytestlab.onMicrosoft.com

- Forward looking

--- _MSDCS.Mytestlab.onMicrosoft.com

--- Mytestlab.onMicrosoft.com (AD integrated)

--- Mytestlab01.onMicrosoft.com (public domain - from intune)

~~~~~~~~~~~~~~~~~~~

https://EnterpriseRegistration.Mytestlab01.onmicrosoft.com:443/EnrollmentServer/contract?api-version=1.0 is working fine and I could workplace join using user1@Mytestlab01.onmicrosoft.com.

Problem occurred at Device registration. To generate the DeviceEnrollmentWebService.svc & proxy I am hitting :

https://enterpriseregistration.MyTestlab01.onmicrosoft.com/EnrollmentServer/DeviceEnrollmentWebService.svc?wsdl but the ADFSWCF generating the proxy that points to my AD integrated domain, that is Mytestlab.onMicrosoft.com, where my ADFS do not point to.

Please find the attached proxy XML.

<?xml version="1.0" encoding="utf-8"?><wsdl:definitionsname="WindowsDeviceEnrollmentService"targetNamespace="http://tempuri.org/"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"xmlns:i0="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:wsa10="http://www.w3.org/2005/08/addressing"xmlns:wsp="http://www.w3.org/ns/ws-policy"xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"xmlns:xsd="http://www.w3.org/2001/XMLSchema"xmlns:tns="http://tempuri.org/"xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><wsp:Policywsu:Id="WSHttpBinding_IWindowsDeviceEnrollmentService_policy"><wsp:ExactlyOne><wsp:All><sp:TransportBindingxmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><wsp:Policy><sp:TransportToken><wsp:Policy><sp:HttpsTokenRequireClientCertificate="false"/></wsp:Policy></sp:TransportToken><sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite><sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout></wsp:Policy></sp:TransportBinding><wsam:Addressing><wsp:Policy><wsam:AnonymousResponses/></wsp:Policy></wsam:Addressing></wsp:All></wsp:ExactlyOne></wsp:Policy><wsdl:importnamespace="http://schemas.microsoft.com/windows/pki/2009/01/enrollment"location="https://enterpriseregistration.MyTestlab.onmicrosoft.com/EnrollmentServer/DeviceEnrollmentWebService.svc?wsdl=wsdl0"/><wsdl:types/><wsdl:bindingname="WSHttpBinding_IWindowsDeviceEnrollmentService"type="i0:IWindowsDeviceEnrollmentService"><wsp:PolicyReferenceURI="#WSHttpBinding_IWindowsDeviceEnrollmentService_policy"/><soap12:bindingtransport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operationname="RequestSecurityToken"><soap12:operationsoapAction="http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep"style="document"/><wsdl:input><soap12:bodyuse="literal"/></wsdl:input><wsdl:output><soap12:bodyuse="literal"/></wsdl:output><wsdl:faultname="WindowsDeviceEnrollmentServiceErrorFault"><soap12:faultname="WindowsDeviceEnrollmentServiceErrorFault"use="literal"/></wsdl:fault></wsdl:operation></wsdl:binding><wsdl:servicename="WindowsDeviceEnrollmentService"><wsdl:portname="WSHttpBinding_IWindowsDeviceEnrollmentService"binding="tns:WSHttpBinding_IWindowsDeviceEnrollmentService"><soap12:addresslocation="https://enterpriseregistration.MyTestlab.onmicrosoft.com/EnrollmentServer/DeviceEnrollmentWebService.svc"/><wsa10:EndpointReference><wsa10:Address>https://enterpriseregistration.MyTestlab.onmicrosoft.com/EnrollmentServer/DeviceEnrollmentWebService.svc</wsa10:Address></wsa10:EndpointReference></wsdl:port></wsdl:service></wsdl:definitions>

Need some idea what I am missing. Is there anyway I can ask ADFS to point to another domain, in-place of  AD Integrated domain for WCF service hosting.

indranil

With Azure Active Directory, if you have a native client you can use ADAL and then the Graph API to get information about the user e.g. Groups.

With ADFS 3.0, you can use ADAL / OAuth to get the token. Is there a way to get more information e.g. the information supplied in the form of claims via WIF.

Environment:
-----------
IDP: ADFS 2.0 on Win2008 Server R2
RP: SAML 2.0 based Service Provider that we are developing

Issue:
------
SP initiated SSO works fine once in a while and fails most of the time with the following error message (in the web browser) from IDP (for both signed & un-signed AuthnRequest):

"There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 18c71c1e-f83d-47c0-8fc7-2e61db054dc7 ".

But the IDP initiated SSO is working fine all the times.
SP is sending the AuthnRequest to IDP's HTTP-POST binding endpoint.

Error/Warning in Event Viewer @ AFDS:
-------------------------------------
When SP initiated SSO failed, there is no error or warning in the Event Viewer @ ADFS.

Un-signed AuthnRequest sent by SP to IDP (ADFS 2):
------------------------------------------
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://inw00003973/ma/acs/u0nxkdfs"
Destination="https://psvo28adicst1/adfs/ls/" ID="6cdd848b-ed6e-40f2-ba98-b68437198ac9"
IssueInstant="2014-05-07T15:31:39.689Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://u0nxkdfs.inw00003973:16006
</saml2:Issuer>
<saml2p:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>

Signed AuthnRequest sent by SP to IDP:
--------------------------------------
<saml2p:AuthnRequest AssertionConsumerServiceURL="https://inw00003973/ma/acs/u0nxkdfs"
Destination="https://psvo28adicst1/adfs/ls/" ID="ec13d8d8-2425-40bb-8efa-ad8b9741ff39"
IssueInstant="2014-05-07T15:24:31.536Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://u0nxkdfs.inw00003973:16006
</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#ec13d8d8-2425-40bb-8efa-ad8b9741ff39">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>BwTBTTl/kpmbWW8yCIJAMVLMSVI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>4lzPFGQWezLfYgqVZTl7YD10m8CU5hy0Y3yMjsG/Lskea5O9bNMNZnLbRlx4m9sUMTfFjopj6vcqbDUs3WQB9d295DPlyLhROKsM7olP0KzamqyTbiGj54Q2dgzDjC2UYyAGoA5jiY8cMb8JYxLrW0UvbXUCAfWnbxfcfp2ANYq87a1animn9HFnbladgq4jXI47EqjVeGoEsY67fWe0e4KT3x/PelLtupqtnmdXi94Zu1DglkM1T0V2BYco5KJJG6i2UdzqDy2+gfkp4uCGdNA8MeQjv0DkdIbwEW9Z1gbzo5aq3dX+FqsFRxMmaNjY44OGlcTKeIfPbgrjE90suA==
</ds:SignatureValue>
</ds:Signature>
<saml2p:NameIDPolicy
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>

ADFS Rules:
----------------
Rule 1: Transform an incoming claim
Incoming Claim Type: Email Address
OutGoing claim Type: Name ID
Outgoing name ID format: Email

Rule 2: Send LDAP Attributes as Claims
Attribute Store: LDAP
LDAP Attr: E-Mail-Addresses; Outgoing Claim: E-Mail Address
LDAP Attr: First-Name; Outgoing Claim: Given Name
LDAP Attr: Last-Name; Outgoing Claim: Surname

Rule 3: Send Group Membership as a claim
User's group: Domain Users
Outgoing Claim type: Role
Outgoing Claim Value: Administrator