Team,

I am working on a project wherein need Claim Based authentication to work at Citrix Netscaler level.

Scenario:

User authenticates to office 365 using ADFS 2.0 place in our datacenter. Post authentication user is trying to connect to our environment through Office 365 to fetch files.

Therefore we have allowed inbound traffic from Office 365.

What we want is there should be cert based auth or claim based auth to be performed at our firewall level before the user coming through Office 365 is allowed.

Thus need more info on how cert based auth work in such a scenario.

Please help

Regards, Dematri

I have installed AD FS 3.0 (part of Windows Server 2012 R2) is installed.

Form authentication is working fine with URL https://FQDN of ADFS Machine//adfs/ls/idpInitiatedSignon.aspx but When I enable the windows authentication it gives me error HTTP 400 Bad request. This error (HTTP 400 Bad Request) means that this program was able to connect to the web server, but the webpage could not be found because of a problem with the address."

I have also added the SPN but not sure why it is not working and there is no way to identify this related to IIS or AD FS or active directory?

Please help me on this

Regards,

Imtiaz

I am doing ADFS 2.0 integration with SharePoint 2010. I followed couple of blogs and links from Tech-net and MSDN for the same.

I have two domains Domain abc.com and xyz.com. ABC.com is the resource domain where my SharePoint 2010 is hosted and xyz.com is partner domain from were user needs to access some of the SharePoint web-applications in ABC.com

users from xyz.com tries to access the website from his local domain joined machine he is successfully redirected to the ADFS login page after selecting the site it asks for the user name and password, after providing the credentials the user is redirected to the resource domain ADFS Server and gets the following error :-

--------------------------------------------------------------------------------------------------------------

logon.abc.com 

There was a problem accessing the site. Try to browse the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number : fd89d950-c85b-95af-63f4816f79f3

----------------------------------------------------------------------------------------------------------------

Every time i try to login from the domain joined client system of resource-partner domain i get the same error and 3 events are generated in the ADFS logs of the Resource Domain ADFS Server .

Event ID 364 | Event ID 111 | Event ID 315

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance :) 

Your reply will be a great help, also if any one has step by step document of Integration with SharePoint in mixed forest scenario please share.  

On a new ADFS 3.0 farm, is there a way to make some RP's use forms based authentication and others RP's use Windows Integrated?  I have a requirement for some RP's that we have to manually enter a network username/password but other RP's can use SSO (Windows Int). 

Also, we have a root/multi child domain model.  In ADFS 2.0, users using forms based didn't have to enter their FQN, just their username would suffice.  But in ADFS 3.0, I'm seeing that I have to enterxxx@company.com or domain\username or ADFS won't let me in.  Is that a setting a can change somewhere? 

Thanks!

I built a Dynamics CRM 2013 system last November and unfortunately it was just a bit too early to use Server 2012 R2. I setup claims-based auth and internet-facing deployment with adfs 2.0.  We use the same dns name for both internal and external. 

I immediately had a problem where ADFS was prompting for credentials even though I was using IE on a domain joined machine, with a user who had access to dynamics.  My vendor gave me a work around for the prompt, which was to install url re-write on the adfs machine and then configure the web.config to not prompt for any internal ip addresses.

Well, here we are 6 months later and I need to use ADFS 3.0 for Dynamics 2013 in order to use the Windows 8 metro apps.  The problem I have now is ADFS no longer has IIS, which means no url re-write solution.

I have configured claims based auth for dynamics according to all documentation I've been able to find, but ADFS is still not pulling the workstation credentials.  I have to authenticate withuser@domain.com every time I try launch dynmics. 

Does anyone have a suggestion on what I could try to eliminate the ADFS prompt for domain joined, authenticated users?

Thanks

I am trying to change the credentials check message that comes by default in ADFS 3.0 "Incorrect user name or password..." to something more descriptive, since the message is the same when the user's password has expired. I tried to do this using the onLoad.js, but it seems that the changes done reflects only on the first load of the page. Since the error comes after a post back on clicking the submit button, the changes are not persisted.

Would appreciate any pointers in this regard.

Sorry if this has been asked before, but I'm having trouble locating the answer.

We have ADFS configured and working great in our test environment.  At this point we would like to have MFA being used for External Users, and Integrated Windows being used.

The issue at hand is even though I have that configured, unless the user is on the same subnet as the ADFS Server, it thinks it's external because it's on one of our other VLANS.

How can I tell ADFS which subnets or ip ranges should be considered internal?

Hi,

I want to create a system of ID federation to Office365.
In that system, ID that you enter in the login screen is one, but the user to log in to Office365 is multiple.
Depending on the conditions of login, user is switched.
(For example, type of browser you use or login time)
I think that it can not achieve this in the ADFS-SDK. (Because I was not able to find the appropriate API.)
I think that it is necessary to create a custom STS and use of WIF.

Is my assumption right?
And which APIs should I investigate?

When I create an STS, I saw the following pages.
http://msdn.microsoft.com/en-us/library/ee748478.aspx

Best Regards.

P.S.
Previously, I have posted the same question in other forums. I have removed it because it is wrong. sorry.

Hi,

 We have recently set up ADFS 3.0 and we are having a weird issue , where certain users are unable to authenticate with the following error

"

The latest invocation of ADFS and the proxy no longers runs under IIS - no more aspx pages etc.

Any thoughts on customising screens?

Seems somewhat of a regression because most of our customers require branding if nothing else.

Hi All,

I need to know whether we can have different ADFS login pages for different websites(SPs) connected to same ADFS.

We are using ADFS 3.0 on Windows server 2012 R2.

Thanks in advance

TicArch

Hi!

I'm working on an implementation of WIF + ADFS 3.0, am however somewhat surprised by the lack of documentation & customization options. 

What I would need to do is:

1) Disable Home Realm Discovery announcement (the display of "Choose your identity provider"), and only enable whr parameters (in short - transfer the HRD responsibility completely to the application). 

2) Find a way to protect ADFS from brute-force attacks to disclose known home realms. 

I know it's a funky set of requirements, but for this specific situation I would really need to not disclose known federation partners, both directly and indirectly. 

I know ADFS 2.x has more customization options, however I also need to support OAuth 2 at the same time.. 

Any ideas?

Thanks,

Sig

Hi,

I've a Windows 2012 R2 DC virtual machine with ADFS configured using the Windows Internal DB (WID). It has been working for a while allowing us to federate our AD with Office 365. 

Now the service is unable to start. The logon box resulting a manual start is a sad "Windows could not start the Active Directory Federation Services service on Local Computer. Error 1064: An exception occurred in the service when handling the control request."

In Event Viewer, AD FS/Admin, I see

error id 102

"There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault]: ADMIN0012: OperationFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).

error id 220

The Federation Service configuration could not be loaded correctly from the AD FS configuration database.

Additional Data
Error:  
ADMIN0012: OperationFault

I checked the "Windows Internal Database" service was running and it's OK, the net.tcp sharing is disabled, I've no port conflict as in 2012 R2 the adfs is IIS-less

"C:\Windows\ADFS>netstat -ano | find "1500" shows no result.

Th VM has a private address an so I've tried to disable code signing CRL validation with the instruction"generatePublisherEvidence enabled="false" in Microsoft.IdentityServer.Servicehost.exe.config with no success.

Thanks in advance for any hints,

regards

Giosuè Pacifico

Hi,

I am currently working on integrating ADFS 3.o for Single Sign On to some 3rd party services along with PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then federate user credentials to 3rd party trust for single-sign-on.

I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup as ADFS 3.0 client authentication method enabled. When I open browser to logon, the ADFS 3.0 page displays a message as "Select a certificate that you want to use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.

The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?

Thanks!

-Chinmaya Karve

I have just installed ADFS 3.0 on a new 2012 R2 Server.

I see the most weird behaviour.....

https://localhost/adfs/ls/ldpInitiatedSignon.aspx - Give me a page with an SSL error (not unexpected).

https://<ServerIP>/adfs/ls/ldpInitiatedSignon.aspx - Page cannot be displayed

https://Proper ADFS FQDN/adfs/ls/ldpInitiatedSignon.aspx - Page Cannot be displayed

After reading many forum posts, I have used the nets http commands and the SSL certs seem fine, I have checked SPNs and I have checked that I can telnet to my domain controller and GC.

I have removed and re-installed ADFS, I still have the same issue.

Would anybody have any ideas what my issue may be?!!? I'm going mental over here!!

We're having an intermittent issue where the ADFS 2.0 proxy servers top responding.  CPU spikes to 100% and we have to do a hard reboot on the servers.  We have a cluster of 2 proxy servers.  Typically, one of the servers goes down and the other follows shortly after.  Typically, there is nothing in the logs that point to the actual issue.  Our monitoring software checks CPU, memory, AuthN request time, etc. ever 5 minutes.  In a matter of 5 minutes the servers stop responding.  Everything works fine, monitors look fine, and 5 minutes later it's not responding and CPU is maxed out.  The error that starts showing up is

Event 364.

Encountered error during federation passive request.

Additional Data

Exception details:
System.Management.ManagementException: Provider load failure
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObject.Initialize(Boolean getObject)
   at System.Management.ManagementBaseObject.get_Properties()
   at System.Management.ManagementBaseObject.GetPropertyValue(String propertyName)
   at Microsoft.IdentityServer.Web.PassiveWmiUtility.GetServerHostNameForProxy()
   at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

But this happens after the server stops responding.  Last night we finally saw a relevant error message.

Event 230

The federation server proxy has detected congestion, caused by high latency response times, on the Federation Service. The load might be above the Federation Service operating capacity, or there might be network connectivity issues. Request throttling has been enforced to limit the number of concurrent requests to the following size: 16.

User Action
Verify that the Federation Service is operating within its operating capacity.
Verify that the Federation Service is not experiencing network outages.

About 10 minutes after this message things went south.  What's perplexing is this is the 1st time we've seen this error message correlated close to the proxy server going down.  I don't think it's a coincidence but you never know.

Does anyone have experience with this error?  If so, how did you prevent it from happening?  I'm in the process of following these steps but wanted feedback from the community.

http://social.technet.microsoft.com/wiki/contents/articles/19057.ad-fs-2-x-troubleshooting-proxy-server-event-id-230-congestion-avoidance-algorithm.aspx

I have a .NET 4.0 WCF service integrated with WIF.  It works great for the most part. The thread identity is set properly in my WCF service operations.  The one place things get wonky is in my WCF custom error handler.  In my WCF error handler I would like to capture the thread identity to reflect which user experience the error.  Unfortunately, the WIF thread identity is not set in the WCF ErrorHandler.  How do you get at the WIF thread identity from a custom WCF error handler?

Hello, I have a fresh Internet accessible lab 2012 R2 ADFS / WAP setup using the best practices (other than HA) as defined on the TechNet pages and such.   I am having some errors and workplace join failures.  This is being setup to emulate a prod deployment with internet workplace join.

I am using alternative UPN addresses as my local domain is not internet unique/accessible.

I have a 3rd party UCC cert issued on the ADFS and WAP hosts that include fs.<internetdomain>.com and enterpriseregistration.<internetdomain>.com SANs. And the proper internet DNS entries to direct those domains to my WAP server.  The WAP Server and the ADFS have local HOST file entries pointing to the ADFS servers internal IP.

Everything seems to be working correctly for ADFS Pass through, And configuration of the DRS services was successful on the WAP. But when I try workplace join with a Windows 8.1 device I end up getting  the following errors:

On the WAP server (in the ADFS Event Log): (domain name edited)

And

Only Error I see in the ADFS Admin Event Log is below and it happens at boot of the server only:

Which is expected because my SSL cert has the UPN for the alternative UPN I issued in the directory, but not my local UPN.

I am really not sure what to check next... everything else seems to be working right!  Any help would be greatly appreciated! :)

We are facing a problem during ADFS 3.0 (Windows Server 2012 R2), because we do not find a suitable URL for hardware Load Balancer probe to test ADFS nodes.

When tried with IE browser, the URL https://sts.adfs1.ad/adfs/ls/IdpInitiatedSignon.aspx properly results in ADFS login page but, when tried the same URL with HW LB probe, the probe gets no answer from ADFS server at all.

We compared incoming traffic with network monitor in that ADFS server node (https temporary changed to http to see the traffic), a somewhat similar HTTP GET query did exist:

GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1..Accept: image/jpeg, image/gif, image/pjpeg, application/x-ms-application, application/xaml+xml, application/x-ms-xbap, */*..Accept-Language: fi-FI..User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)..Accept-Encoding: gzip, deflate..Host: sts.adfs1.ad

.PV??ìà_¹«.ç..E..ð'@.ÿ.%Ƭ..ü¬..Lî¢.PL?Ëf\Mæ?...?Ä.......f;[.4..GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.1..Connection: Close..Host: sts.adfs1.ad

How to properly monitor the ADFS 3.0 server nodes?

Br, Kari Oikkonen
MCITP/2008
Fujitsu Finland

Hi

I  built an OAuth sample based on MS documentation http://msdn.microsoft.com/en-us/library/dn633593.aspx. (Using Oauth based on ADFS 3 installed on Windows 2012 R2)

The Oauth sample works just fine, until  F5 was configured for ADFS 3. 

We did side by side comparison of  OAuth transactions with/without F5 as following

With/Without F5,

1. Client can send the Oauth Request to ADFS 3 successfully
2. ADFS can authenticate client using Windows Authentication without problem.
3. ADFS can construct Oauth Response successfully.
4. In both cases, we observed log entry "An OAuth Authorization Response with issued Authorization Code is sent to the client"

With F5, the Oauth client threw following error, and then no more transactions observed at server side.

There was an error deserializing the object of type.Microsoft.IdentityModel.Clients.ActiveDirectory.TokenResponse.Encountered unexpected character <Inner Exception:Encountered unexpected characters '<'.

Without F5, The Oauth client worked fine, and we observed addition transactions going on at server side.

We spent many hours at investigating without a clue ..... anyone observed similar behaviors?

Regards

Yanchou Han