Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 2012 R2 - Event ID 364 with MFA


I've got a SAML RP configured with a POST binding.

This endpoint is using MFA, which works internally, but when hitting the WAP from the outside network I get an event ID 364 that says:

Exception details: 
Microsoft.IdentityServer.RequestFailedException: No strong authentication method found for the request from https://XXXXXX.[redacted]
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.CheckAuthenticationOptionsForMethods(ProtocolContext context, List`1 authMethods)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Does anyone have any insight into this?

Regards


G. Samuel Hays, MCT, MCSE 2012, MCITP: Enterprise Admin

Blog: gsamuelhays.blogspot.com

Twitter: twitter.com/gsamuelhays


Problem Configuring ADFS 3.0 For Device Registration Service


I receive the error 'Could not determine the SSL port over which the AD FS service is listening on' while trying to set up for Workplace Join.  It recommends I check the configuration of AD FS, but I cannot determine from searching the web what setting it is referring to.  Can someone please point me to an article that details how to resolve this error, or any other insight?

Thank you for any assistance you can offer.

ADFS 3.0 errors: 511 and 364


I've got a WAP and an ADFS farm with a single server using WID.

Users can log into Office 365 successfully, but SSO is not working, so they need to log in on the ADFS login page as well as the Office 365 page.

Errors are 364 and 511 as per below. I've read some articles but found no concrete solutions for 3.0.

How can I troubleshoot this? I did find one mistake in my setup (the hosts file on the ADFS server was pointing adfs.mydomain.com to the WAP). Could this be the cause? I am unable to test this right now as I can't bring down production. Any other solutions? I need to stop these errors occurring and ensure SSO works.

364:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:

Microsoft.IdentityServer.Web.InvalidScopeException: 06a7aa66-3aad-e311-80c1-005056983900

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)

   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

---------------------

511 :

The incoming sign-in request is not allowed due to an invalid Federation Service configuration. 

Request url:

/adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=06a7aa66-3aad-e311-80c1-005056983900&returnUrl=https%3A%2F%2Fadfs.mydomain.net%2Ffavicon.ico&client-request-id=DEC78966-4DEB-0000-918A-C7DEEB4DCF01

User Action:

Examine the Federation Service configuration and take the following actions:

  Verify that the sign-in request has all the required parameters and is formatted correctly.

  Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters.

  Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.

Windows authentication in WIF application


Hi All,

We have a claim aware application created using Windows Identity foundation and working with ADFS.

Now we want to use Windows integrated login (Windows authentication) in this application. We tried to set the authentication type to Windows in web.config, but the application is not using it (ignoring the tag). I believe that is because WSFederationModule bypasses the WindowsAuthentication module.

If I am correct, is there some way by which I can enable Windows authentication in a WIF application, so that the enterprise user can seamlessly log in using Windows Integrated Authentication without any further prompt?

Kindly advise.

TicArch

WSFederation and HTTPContext.Current.User


Hi,

I have a couple of questions regarding WIF:

1) I tried to insert a custom HTTP module before WSFederationModule to get the Windows integrated user from HttpContext, but got it as blank. Can you please guide me on why it happened? What should be the correct way to get the integrated user in a WIF application?

2) Which major modules run before WSFederationModule where I can get the user in HttpContext? Or will the user only come into the picture after the WSFederation module?

3) Can we override WSFederationModule? If yes, would I get the current user in HttpContext when I enter the overridden method or not?

Kindly help me with the above queries.

Cheers
TicArch

ADFS 3.0 WAP Trust to ADFS Farm


I had a working trust relationship between a WAP and an ADFS farm. Nothing in the environment changed but all of a sudden the trust relationship is broken. Numerous 276 errors on the ADFS server and 422 errors on the WAP.

I attempted to rerun the proxy setup again but it keeps failing:

$cred=Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'fs.xxx.com'

Install-WebApplicationProxy : An error occurred when attempting to save the proxy configuration.
At line:1 char:1
+ Install-WebApplicationProxy -FederationServiceTrustCredential $cred -Certificate ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyConfigurationException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand

Can anyone please provide some insight? Thanks.

Update: It does not seem to work through the F5 load balancer. It just hangs at "Waiting for a proxy trust configuration to be synchronized across farm ........"

“Key not valid for use in specified state” after IIS Reset?


I have had a ton of issues with the "System.Security.Cryptography.CryptographicException: Key not valid for use in specified state." error. This seems to only occur now when IIS is reset and I try to resume my browsing session. So I am logged into the application, I reset IIS on the server, refresh the page and see the error.

I am building an application in .NET 4.0 MVC with a Secure Token Service that is using WIF 4.0. Everything works as expected, except this case. I even tried to use a custom error page, but the error is happening there as well. Because of that, I can't get the custom page to show either. One thing I noticed is that if I switch my IIS app pool user back to the Network Service account it doesn't throw the error any more. We have some restrictions (mostly network related) in the application that mean we need to use an account in our AD for the app pool sections.

Anybody have any experience with this issue?

2 Factor Auth (2FA) using cert based auth (CBA) in Office365?


Team,

Looking for a second level of authentication besides SSO by ADFS 2.0 or 3.0 as primary authentication.

Bing gave me the option of MFA by Office 365, but we don't want to go with it.

Looking at the TechNet article: http://technet.microsoft.com/en-us/library/dn554247.aspx

Primary auth can be achieved using:

  • Windows Integrated Authentication using Negotiate for Kerberos & NTLM
    OR
  • Forms Authentication using username/passwords

Secondary auth: can that be achieved using certificate authentication?

  • The certificate must map to the user account in AD DS by either of the following methods:

    • The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.
    • The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS.

I guess the article doesn't clearly state that cert authentication can act as a second level of auth.

Team, if it can, then the question is: what is the procedure to configure it, and is there any architecture-level overview that clarifies the ports and connectivity mechanism?


Regards, Dematri


Response Issuer and Assertion Issuer


Will the values of <Issuer> in Response and <Issuer> in Assertion always be the same and equal to the unique identifier of the issuing identity provider (entity ID)? Or can the two values be different sometimes?

I would like to know if they will be different in any specific scenarios like when using IDP/ADFS Proxy or when the Response passes through some intermediate IDP before reaching the Service Provider.


Login to ADFS without redirect from external app


Is there a way to authenticate with ADFS without being redirected to the ADFS login page? Here is our situation.

We have an AngularJS app that uses ADFS for SSO. The app is a relying party to our AD that is also linked to O365 resources. Currently, it is working to where the user is redirected to the login.windows.net "authorize" endpoint, which redirects to the ADFS login page if not authenticated then redirects back to our app with the proper authorization code, which we then use to access the O365 resources.

We would like to remove the redirection step to ADFS so that the user stays on our app and has a seamless login experience. The ADFS page looks to be using form-based auth. I was wondering if there is a way to perform auth over http requests or some other method.

error 393 WAP configuration fails on 2012R2 / ADFS on Server 2012 R2


I have a non-domain joined 2012 R2 update server in the DMZ and a domain joined ADFS server (same OS) in the LAN.

I can sign in to fs.mydomain.com/adfs/ls/idpinitiatedsignon.aspx (no certificate errors) with any domain account from the WAP server.

However, the ADFS proxy wizard will not complete: An error occurred when attempting to establish a trust relationship... Verify that the service account has administrative access on the target Federation Server.

At each attempt I see an error in the fs security log: event 393, username or password is incorrect.

The fs service is running under a group managed service account (svc-adfs$). The credentials I am trying to use to create the trust are a domain admin which is a local admin on the fs server. I am running the wizard as a local admin on the WAP server, which is in a WORKGROUP.

Can someone confirm if I need another domain, not a workgroup, or if I should domain-join my WAP? (Though that seems a bad idea.)


CarolChi

Windows 2012 R2 + ADFS + High Availability


Hello,

Currently working on an ADFS high availability roll-out and I'm looking for some additional information. In short:

1. We're using Windows 2012 R2 servers on a Hyper-V host.

2. We have two Hyper-V hosts.

3. Neither Hyper-V host is connected to a SAN (they are independent); however, we'd like to have the ADFS implementation use the same SQL database/infrastructure. (I know in 2008 you could set up a virtual cluster.)

Any information would be greatly appreciated.

Thank you.

Enabling Secure SSL on IIS for ADFS causes Citrix VIP and two Server svc Accounts on Citrix NetScaler to fail


I'm hoping that I can provide all the details to the issue I am having with regard to getting AD FS, SSL Certificates to work with our Citrix Netscaler 5500 device. However, before I delve into that I would like to state that I was able to use Windows NLB successfully. NetScaler has proven to be most difficult and I'm not certain why.

I've read a ton of information on setting up AD FS Server, AD FS Proxy and using SSL and feel I have a pretty good handle on it, but, I may be missing some relevant information or just may not know how to troubleshoot it thoroughly enough. In addition, for the sake of keeping this post more brief, I'm only concerned with getting the AD FS Servers, SSL working in the On-Premise environment and not really concerned with the AD FS Proxy setup portion here. Baby steps, right!?

Our environment:

An AD FS farm with two (2) AD FS servers installed on Server 2012 Standard w/ Service Pack updates. AD FS server names are fs1.myco.com and fs2.myco.com. They each have a static IP address and Host (A) record in our DNS server. Also, I've set up a 3rd static IP for the DNS service name of sso.myco.com. It also has a static IP address. It will be the DNS name we will use as our AD FS service name, the subject name in our SSL certificate, and will serve as the virtual IP address I've set up on the NetScaler device for load balancing between the two servers fs1 and fs2.

I set up two test files called test.html. One says "You've connected to Server fs1 successfully" and the other "You've connected to Server fs2 successfully". When I had Windows NLB installed I was using one NIC with Unicast configured on it. I could successfully connect to the two servers using https://fs1.myco.com/test.html, https://fs2.myco.com/test.html, and when I hit https://sso.myco.com/test.html it would balance out between the two servers nicely. I tried this from a number of workstations successfully.

When I go to set it up in NetScaler, the VIP and the two server services, i.e. svc_FS1 and svc_FS2, are both down. The main culprit here seems to be when I enable the "SSL Settings" option called "Enable SSL" and if I use any of the "Ignore", "Accept" or "Require" options. I've bound the IP address on each IIS server to https and have set it to use the SSL certificate w/ subject name of sso.myco.com. I also imported the SSL certificate and its correlating private key onto the NetScaler device successfully and added it to the service server accounts during setup. If I uncheck "require" SSL and re-configure the IP / port bindings to port 80, then the NetScaler VIP and server service accounts come up right away.

So, w/o making this an entire novel on this post, has anyone been down this "endless road" of issues and come across this type of issue that might lead me to some sort of epiphany?

Thank you for taking the time to read this and a little bit of patience to go with it. :)

Wally


Wallace Davis

How to configure ADFS 3.0 for oAuth


Hi Everyone,

I have installed Windows 2012 R2 and ADFS from Roles and Features. My Active Directory is also installed on the same machine. Now I want to develop a web application which will communicate with ADFS to authenticate users for Single Sign On. I need the following information.

1. How to configure ADFS for OAuth to work?

2. How can I get the OAuth client_Id and secret?

3. Which URIs will I hit to get the information? Like http://FQDN/adfs/ls

4. Any example or Microsoft APIs for OAuth?

Please help me sort this out.

Many Thanks

Configuring High Availability for ADFS

I need to configure high availability for ADFS for O365. So is it possible to configure two ADFS servers, one in the Windows Azure cloud and the second on premises (internal network)?


2012 R2 ADFS WAP proxy problem


I am trying to set up a test ADFS server environment with the goal of using federated Office 365.

My test environment has:

two domain controllers at 2008R2 functional level, one Server 2008R2 and the other 2012, with one local (non-routable) internal domain name and one externally routable name for mail. I have added the externally routable name as an alternate UPN suffix.

two Exchange servers, one 2010 and the other 2013.

one 2012R2 ADFS server and one 2012R2 WAP proxy server.

The 2 AD FS servers seem to work alright. I can log in (adfsmachinename/adfs/ls/idpinitiatedsignon) and also pull the https://mycomp/adfs/fs/federationserverservice.asmx from any of the machines in the domain. All servers are joined to the domain and in the same subnet.

The problem is setting up the Web Application Proxies to establish the trust. When I use the Web Application Proxy Configuration Wizard I put in the wildcard cert that is from Comodo for the routable domain name and is on both the ADFS and WAP servers. I use either a domain admin or local admin of the ADFS server but it always fails with the same message:

"Unable to retrieve proxy configuration data from the Federation Server."

On the AD FS WAP server the event logs event 422:
Trust Certificate Thumbprint: 
6185C255555555544555555555535D06 
Status Code: 
Unauthorized 
Exception details: 
System.Net.WebException: The remote server returned an error: (401) Unauthorized.
   at System.Net.HttpWebRequest.GetResponse()
   at Microsoft.IdentityServer.Management.Proxy.StsConfigurationProvider.GetStsProxyConfiguration()

Note: the process creates a new cert, ADFS ProxyTrust-localservername, which has the thumbprint listed in the error.

At the same time, the event log on the ADFS server it is trying to trust with comes up with event ID 276:
The federation server proxy was not able to authenticate to the Federation Service. 

User Action 
Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet.
Additional Data 
Certificate details: 
Subject Name: 
<null> 
Thumbprint: 
<null> 
NotBefore Time: 
<null> 
NotAfter Time: 
<null>

No matter what I seem to try with the local admin account, it has the same error. I verified the passwords and tried domain admin, local admin, ADFS domain service admin, etc.

2012 R2 ADFS - IE Integrated Authentication Not Working


We have an ADFS 2.0 environment based upon Server 2008 R2.  Now, we're building an ADFS 3.0 environment on Server 2012 R2.  Within ADFS 2.0, we could craft an IDP-initiated URL that would, from a user point of view, go directly to the target website.  However, with 3.0, a similarly crafted URL is always showing the user the idpinitiatedsignon.aspx page and forcing the user to select the 'Sign in' button. 

Why does ADFS 3.0 not just do passthrough authentication with the users' logged in credentials and redirect to the target, relying party's website?  Is there a setting to enable this functionality and keep the experience with which our end users are familiar?  (Sometimes training end users to a different experience can be challenging.)


AD FS 2.2 (Windows 2012 R2) Expired Passwords from non Workplace Joined devices


Although AD FS 2.2 will now detect a failed login due to an expired password and provide a change password page, this only works for a Workplace Joined device.

In our environment our users (students) don't workplace join their personal PCs and rely on AD FS for access to online services.  We had previously customized AD FS 2.0 to handle this scenario, but now there doesn't seem to be any customization option since ASP.NET/IIS has been removed from the picture.

Any options for providing this functionality to non-workplace joined devices on Windows 2012 R2?

How credentials of AD auth user through ADFS are passed?


Team,

I am working on a project, wherein I need inputs from the community on the following scenario.

Scenario: How are the credentials of an AD-authenticated user passed through ADFS?

A user logs on to SharePoint Online (O365 services), getting authenticated by ADFS Proxy >> ADFS >> Local Domain Controller.

Once authenticated, the user credentials should be passed internally (datacenter environment) to other servers for accessing the content using the token information.

I am not sure of the procedure, data flow, and protocol used to get this working.

Please help.



Regards, Dematri

Token based auth validity period


Team,

In ADFS 2.0, what is the validity period (time) for the session token when the user is authenticated by ADFS?

I guess it's 60 minutes; if yes, what is the procedure to reduce the timeline, and what is the minimum we can set it to?



Regards, Dematri
