Channel: Claims based access platform (CBA), code-named Geneva forum

2 Factor Auth (2FA) using cert based auth (CBA) in Office365?


Team,

Looking for a second level of auth besides SSO by ADFS 2.0 or 3.0 as primary auth.

BING gave me the option of MFA by Office 365, but we don't want to go with it.

Looking at technet article : http://technet.microsoft.com/en-us/library/dn554247.aspx

Primary Auth can be achieved using:

  • Windows Integrated Authentication using Negotiate for Kerberos & NTLM
    OR 
  • Forms Authentication using username/passwords

Secondary auth: can that be achieved using certificate authentication?

  • The certificate must map to the user account in AD DS by either of the following methods:

    • The certificate subject name corresponds to the LDAP distinguished name of a user account in AD DS.
    • The certificate subject altname extension has the user principal name (UPN) of a user account in AD DS

I guess the article doesn't clearly state that cert authentication can act as a second level of auth.

Team, if it can, then the question is: what is the procedure to configure it, and is there an architecture-level overview that clarifies the ports and connectivity mechanism?


Regards, Dematri


Possible additional factor of authentication for Office 365?


Team,

Looking for the possible additional authentication options under Office 365.

Wherein primary set of Authentication will be Single Sign On (SSO) using ADFS.

Additional Authentication options

a) Multi Factor Authentication (MFA) from Office 365

b) Certificate Based Authentication under ADFS - Windows Server 2012

c) Device Registration Service under ADFS - Windows Server 2012 (not sure if it supports all kinds of smartphones, Windows OS)

d) Available Third Party authentication

Kindly correct me if there are any other options; any pointer will be of great help.


Regards, Dematri

ADFS 3.0 Use Forms or Windows Int for Different RP's


On a new ADFS 3.0 farm, is there a way to make some RP's use forms based authentication and others RP's use Windows Integrated?  I have a requirement for some RP's that we have to manually enter a network username/password but other RP's can use SSO (Windows Int). 

Also, we have a root/multi child domain model.  In ADFS 2.0, users using forms based didn't have to enter their FQN, just their username would suffice.  But in ADFS 3.0, I'm seeing that I have to enter xxx@company.com or domain\username or ADFS won't let me in.  Is that a setting I can change somewhere?

Thanks!

ADFS 2012 R2 windows authentication /adfs/ls/IdpInitiatedSignon.aspx login page after enter the credentials give error HTTP 400 means that this program was able to connect to the web server, problem with the address


I have AD FS 3.0 (part of Windows Server 2012 R2) installed.

Forms authentication is working fine with the URL https://FQDN of ADFS Machine//adfs/ls/idpInitiatedSignon.aspx, but when I enable Windows authentication it gives me the error HTTP 400 Bad Request. This error (HTTP 400 Bad Request) means that this program was able to connect to the web server, but the webpage could not be found because of a problem with the address.

I have also added the SPN but am not sure why it is not working, and there is no way to identify whether this is related to IIS, AD FS or Active Directory.

Please help me on this

Regards,

Imtiaz


Anyone that has made a responsive (Form Factor) ADFS 2.0 Proxy web page?


Hello Guys

Has anyone here customized their ADFS 2.0 Proxy Sign In page to make it more responsive/form factor suitable for smaller devices such as Smart Phones, Tablets etc?

ADFS 2.2 Internet explorer login prompt for external users


Hey All,

I am testing a setup with 2 ADFS 2.2 servers on Server 2012 R2:

ADFS1
ADFS2

named adfs.myCompany.com

I have the servers published via a reverse proxy/load balancer (hardware) and the endpoint

https://adfs.myCompany.com/adfs/ls/IdpInitiatedSignon.aspx , is reachable. There is an external DNS entry NAT'd via a firewall rule.

Now, this is strange: when I am outside the network, as in non domain joined, and I use Chrome or Firefox, I get a form to authenticate on. That is great, but Internet Explorer pops up a login dialog box.

This is not an expected behaviour. Is this because I am not using the web proxy role on separate boxes, or have I missed something in my configuration?

Regards,

Rob

Restrict access to relying parties when authenticating via ADFS proxy


Hi we have a bunch of relying parties set up in ADFS, internal users are able to SSO into any of them.

Now I have just created an ADFS Proxy, with the goal that I want users that are not on internal network to be able to remotely log in to one of the relying party applications using the ADFS proxy login form. This is working fine, the issue is that users are able to log in to any of the relying parties using ADFS proxy.

I need to restrict it so only one of the relying party apps works when hit via ADFS proxy.  Can this be done with custom claim rules? I.e. make a rule that says if the request came from ADFS proxy then deny it, and stick that in all but the one relying party trust that I want accessible externally?  I have no experience with these though, if anyone can help I would appreciate it.
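
One way to express the "deny if the request came through the proxy" idea as an issuance authorization rule set, added here as an example that is not part of the original post. It assumes the farm emits the x-ms-proxy request-context claim for requests that arrive through the federation server proxy, and the trust name "Internal Only App" is a placeholder.

```powershell
# Added example, not from the original post. Assumes ADFS adds the
# http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy
# claim to requests that came in via the federation server proxy.
# "Internal Only App" is a placeholder relying party trust display name.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 only; later versions auto-load the module

$rules = @'
@RuleName = "Deny requests that arrived via the federation server proxy"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit everyone else (internal requests)"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Replace the issuance authorization rules on the trust that must stay internal-only.
Set-AdfsRelyingPartyTrust -TargetName "Internal Only App" -IssuanceAuthorizationRules $rules

# Read back what is now applied, to confirm the deny rule is in place.
(Get-AdfsRelyingPartyTrust -TargetName "Internal Only App").IssuanceAuthorizationRules
```

A deny claim takes precedence over a permit claim in ADFS authorization, so the order of the two rules does not matter; apply this rule set only to the trusts that must not be reachable externally and leave the externally published trust with its existing permit rule.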

ADFS design and certificate requirement for SharePoint


Hi Experts,

We have SharePoint servers deployed in our company and we have just acquired another company where SharePoint is not deployed. They have a separate Active Directory with which we do not have any trust, and we do not have any VPN connection between these companies. Our management requires that we provide them access to our SharePoint with their AD users and passwords. We found a way that this could be done through ADFS, but we do not know what kind of setup for ADFS will be deployed.

My Question is

Do I have to deploy ADFS in both environments, or should I only deploy ADFS in the environment where SharePoint is deployed?

In the above environment, should I deploy 4 ADFS servers in the company where SharePoint is deployed, two as ADFS servers and two as ADFS proxy servers?

In the above environment, do I have to deploy 4 ADFS servers in the company where SharePoint is not deployed, two as ADFS servers and two as ADFS proxy servers?

How do I let both of them communicate with each other? Do I have to create external DNS records or something to allow users to access?

Do I require any 3rd party certificate in order to allow users to access, or will an internal PKI certificate do the needful?

Thanks


If answer is helpful, please hit the green arrow on the left, or mark as answer. Salahuddin | Blogs:http://salahuddinkhatri.wordpress.com | MCITP Microsoft Lync


Event 364, AD FS 2.0


I continue to get the following error when testing ADFS via http://servername/adfs/ls/idpinitiatedsignon.aspx

Encountered error during federation passive request.

Additional Data

Exception details:
System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.  For more information about the error, either turn on IncludeExceptionDetailInFaults (either from ServiceBehaviorAttribute or from the <serviceDebug> configuration behavior) on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.SignMessage(HttpSamlMessage httpSamlMessage, PrincipalType principalType, String principalIdentifier)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.BuildSignedSamlRequestMessage(HttpRedirectSamlBindingSerializer httpRedirectSamlBindingSerializer, AuthenticationRequest authenticationRequest)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.SignOn(AuthenticationRequest authenticationRequest)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.LocalIdentityProviderSignOn(Uri returnUrl, SignOnRequestParameters parameters)

I have ADFS 2.0 installed on a single 2008 R2 Enterprise SP1

Any help is greatly appreciated.


ADFS (RP-STS) is not propagating single signout to IDP in case of SAML application


Hi,

I have following setup.

Relying parties (applications) --->(trust)---->Internal ADFS (RP-STS)--->(trust)--->External ADFS (IDP)

We have two types of applications (Relying parties)

1) Java based SAML enabled application
2) .Net based WIF enabled application (WS-Fed)

1) When I log in to both the Java and .Net applications (within the same session using single sign-on) and then try to log out,
I get properly logged out from both applications. The logout request properly gets propagated from Internal ADFS (RP-STS) to External ADFS (IDP)
and at the end of the logout process I land on the External ADFS (IDP) logout page.

2) When I log in only to the .Net application and try to log out, then also I get properly logged out and I can see the External ADFS (IDP) logout page.

3) But when I log in ONLY to the Java application (SAML) and try to log out, the Internal ADFS (RP-STS) does not propagate the logout request to External ADFS (IDP)
and I end up landing on the Internal ADFS (RP-STS) logout page. So without closing my browser, if I again try to access the Java application I do not get prompted to enter
user name and password; instead I directly get access to the application because the session on External ADFS (IDP) never got deleted. So the token gets reissued.

Is this some kind of ADFS bug or am I missing some configuration somewhere?

ADFS Proxy with Client Certificate Authentication


Hello All,

I am testing an infrastructure with an AD FS Proxy in a DMZ, and an internal AD FS Server:

AD--A--FW--AP--FW--I--C

(AD=Active Directory, A=AD FS, FW= Firewall, AP=AD FS Proxy, I=Internet, C=Client)

  • The AD FS Proxy is currently not a member of the domain.
  • All Certificates and DNS are correctly set up.
  • I can, therefore, correctly authenticate to the AD FS proxy and retrieve a Token to send to a relying party on the Internet.

All Fine.

However, authentication to the AD FS Proxy at the moment is done using Forms-based Authentication (FBA).
I want to change this to allow Client Certificate-based Authentication. (CBA)

Is this possible?

More detail (for those that are still reading):

Certificates are mapped to user accounts, and present on the client machine. They should, therefore, be able to be mapped to the correct account by AD FS. However, when I enable CBA on the proxy, I just get an HTTP 403 error.

My current assumption is that this is because AD FS uses the IIS context to perform Client Certificate authentication. IIS requires the server to be part of the domain in order to perform the mapping of cert to account, and so is unable to do this mapping. Is this correct?

In contrast, when performing FBA, the proxy just passes the credentials through to the AD FS server, which does the look up against the AD, and maps the credentials. Does this not work the same way with CBA?

Perhaps I have configured something incorrectly, and there is an easy solution. I certainly hope so. I can find nothing anywhere on this, so any advice would be gratefully received. Even if it's "You're right, the proxy MUST be part of the domain", or "What, are you mad? This can't be done!!"

Thanks in advance,

YoY

Facing Certificate issue while installing ADFS - Windows Server 2012.

Team,

Facing Certificate issue while installing ADFS - Windows Server 2012.

Error:
The certificates with the CNG private key are not supported.

Based on BING, found Article: http://blogs.technet.com/b/mspfe/archive/2013/11/29/adfs-configuration-wizard-fails-with-error-the-certificates-with-the-cng-private-key-are-not-supported.aspx

Which I have tried, but still no good.
It's been 2 days that I have been trying my best, but I can't get a solution.
My ADFS deployment is not moving forward and it is impacting my timelines.

Please suggest a concrete solution.

Regards, Dematri

Claims to Windows Token Service (C2WTS) - Unable to delegate the retrieved identity


Servers

ADFSSERVER
- Windows Server 2008 R2 Standard x64
- ADFS 2 RC

WEBSERVER
- Windows Server 2008 Standard x64
- Windows Identity Foundation
- Trusted for delegation
- Correct SPN configuration
- Delegates fine within ASP.Net (historically and currently)
- Claims to Windows Token Server (started and set to automatic)
- c2wtshost.exe.config: <add value="NT AUTHORITY\Network Service" />
- Local Security Policy: User Rights Assignment: Impersonate a client after auth: NETWORK SERVICE (among others)

Web Application

ClaimsBasedApplication
- Configured as a relying party in ADFS
- Receives and presents all claims per the claim rules in ADFS (working great)
- App Pool: Integrated, 32bit=false, NetworkService
- Anonymous Auth: App pool identity
- SSL using domain cert (trusted on client but no chain verification)

Code

Public Function GetImpersonationText(ByVal claimsIdentity As IClaimsIdentity) As String
    Dim builder As New StringBuilder
    Dim result As ServiceReferences.ImpersonationTestProxy.SingleObjectResponseOfImpersonationResultBXe52vhv
    Dim upn = GetClaim(claimsIdentity, System.IdentityModel.Claims.ClaimTypes.Upn)
    'Errors here !!!!!!!!!!!!!!!!!!!!!
    Using ctx = Microsoft.IdentityModel.WindowsTokenService.S4UClient.UpnLogon(upn).Impersonate()
        result = (New ServiceGateways.ImpersonationTestGateway).TestImpersonation()
    End Using
    builder.Append(GetHeaderText("IMPERSONATION RESULT"))
    builder.Append(GetObjectPropertiesText(result.TransferObject))
    builder.Append("<hr>")
    builder.Append(GetHeaderText("CALL INFORMATION"))
    builder.Append(GetObjectPropertiesText(result.CallInformation))
    Dim text = builder.ToString
    Return text
End Function

 Error

[Win32Exception (0x80004005): No credentials are available in the security package]
   System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) +10259418
   System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) +539
   WebApplication1.ServiceReferences.ImpersonationTestProxy.IImpersonationTestService.TestImpersonation() +0
   WebApplication1.ServiceGateways.ImpersonationTestGateway.TestImpersonation() in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\ImpersonationTestGateway.vb:21
   WebApplication1.ObjectDisplayUtility.GetImpersonationText(IClaimsIdentity claimsIdentity) in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\ObjectDisplayUtility.vb:14
   WebApplication1._Default.Page_Load(Object sender, EventArgs e) in C:\Source Control\Sandbox\ClaimsBasedApplication\1.0.0\ClaimsBasedApplication.UserInterface\Default.aspx.vb:11
   System.Web.UI.Control.OnLoad(EventArgs e) +132
   System.Web.UI.Control.LoadRecursive() +66
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2428


Matt Poland - Software Architect

ADFS “MSISIPSelectionSession” cookie created and then deleted during RP-STS mode WS-Federation passive sign in

We’re using ADFS (on Windows Server 2012 Datacenter edition) in RP-STS mode configured for WS-Federation passive sign in. There are multiple RPs, and multiple upstream IP-STSs configured.

The desired behaviour is as follows:

1. User browses to first RP, and is redirected to ADFS.
2. ADFS displays home realm discovery page, and user chooses IP-STS.
3. ADFS stores session cookie “MSISIPSelectionSession” to remember the choice the user made.
4. ADFS sends sign in request to chosen IP-STS, which authenticates the user, and issues sign in response to ADFS.
5. ADFS issues sign in response to RP, Windows Identity Foundation takes care of the rest.
6. User browses to 2nd RP, and is redirected to ADFS.
7. ADFS uses the IP-STS choice made previously, via the “MSISIPSelectionSession” session cookie.
8. ADFS sends sign in request to chosen IP-STS, which authenticates the user, and issues sign in response to ADFS.
9. ADFS issues sign in response to RP, Windows Identity Foundation takes care of the rest.

This all works nearly perfectly, with one really strange problem:

The “MSISIPSelectionSession” session cookie is created correctly at step 3, but it’s then cleared at step 5 when ADFS issues the sign in response to the RP. This means that when the user browses to the 2nd RP and is redirected to ADFS, they’re re-presented with the home realm discovery page rather than the previous selection being used automatically.

The documentation on ADFS configuration (http://msdn.microsoft.com/en-us/library/ee895366.aspx) suggests that this should all work as desired:

Persist Identity Provider Selection. This element specifies how long to save the user’s selection of the Identity Provider STS (IP-STS). By default, the selection is stored in a persistent cookie for 30 days. This saves the user from having to specify the IP-STS every time he or she signs in. The following element saves the selection for 90 days:

<persistIdentityProviderInformation enabled="true" lifetimeInDays="90" />

Set the enabled attribute to false to track only the Identity Provider selection for the current browser session. In that case, you do not have to specify the lifetimeInDays attribute.

<persistIdentityProviderInformation enabled="false" />


Our configuration is based on the latter example.

I’ve looked at the ADFS source code, and it’s clear why the cookie is being created and then subsequently deleted:

The SendSignInRequest method (in Microsoft.IdentityServer.Web.FederationPassiveAuthentication, Microsoft.IdentityServer.dll, 6.2.9200.16645) makes the following method call, which maps to step 3 of the behaviour flow:

FederationPassiveAuthentication.SaveIPSelectionSessionCookie(identityProvider.SamlEntityId.OriginalString);

The SendSignInResponse method (in Microsoft.IdentityServer.Web.FederationPassiveAuthentication, Microsoft.IdentityServer.dll, 6.2.9200.16645) makes the following method call, which maps to step 5 of the behaviour flow:

FederationPassiveAuthentication._ipSelectionCookieManager.DeleteSessionCookie();

I’m unable to understand why a call to the DeleteSessionCookie method is made when issuing the response. I’ve applied all available updates, and been reading documentation, forums, blogs etc. for days to try and understand, but I’ve not found examples of anyone else that’s come across this issue.

Look-up a person attribute using Custom Attribute in Active Directory - ADFS 2.0


Greetings,

Need your guidance in an issue where I am stuck. We have a scenario that if a user belongs to an AD group, e.g. "Suppliers - Retail", then we need to pass the user who is the member of the group "Suppliers - Retail - Vice President". Once I identify that the user belongs to the "Suppliers - Retail" AD group, I am able to derive the AD group DN for "Suppliers - Retail - Vice President". Now, if I am writing the below code, I am not able to get the desired output; rather, during testing, my control loops back to the authentication form page and I don't see any error on the page.

//Assumptions - DN for "Suppliers - Retail - Vice President" CN=Suppliers - Retail - Vice President,OU=Groups,dc=Org,dc=com is stored in "https://mytest.adfs.com/group"

c:[Type = "http://mytest.adfs.com/group"]
=> issue(store = "Active Directory", types = ("http://mytest.adfs.com/VPFullName"), query = "memberOf={0};displayName", param = c.Value);

But above code doesn't fetch the desired output rather it throws back the authentication page.

Thanks

Murt K


ADFS 2.0 Integration with SharePoint 2010


I am doing ADFS 2.0 integration with SharePoint 2010. I followed couple of blogs and links from Tech-net and MSDN for the same.

I have two domains, abc.com and xyz.com. abc.com is the resource domain where my SharePoint 2010 is hosted, and xyz.com is the partner domain from where users need to access some of the SharePoint web applications in abc.com.

When a user from xyz.com tries to access the website from his local domain-joined machine, he is successfully redirected to the ADFS login page; after selecting the site it asks for the user name and password, and after providing the credentials the user is redirected to the resource domain ADFS server and gets the following error:

--------------------------------------------------------------------------------------------------------------

logon.abc.com 

There was a problem accessing the site. Try to browse the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number : fd89d950-c85b-95af-63f4816f79f3

----------------------------------------------------------------------------------------------------------------

Every time I try to log in from the domain-joined client system of the resource/partner domain I get the same error, and 3 events are generated in the ADFS logs of the resource domain ADFS server.

Event ID 364 | Event ID 111 | Event ID 315

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks in advance :) 

Your reply will be a great help, also if any one has step by step document of Integration with SharePoint in mixed forest scenario please share.  

what is the ADAL API for OAuth Smart (WPF) Client Logout?


Hi

ADAL is pretty new to me... Does ADAL have a method for a WPF OAuth client to log out? I bet there should be such a method, but I just can't find the API or sample code.

Thanks in advance

Yanchou Han

Custom STS as a Claims Trust Provider in ADFS 2.0


Hi

In our proof of concept scenario we are trying to implement ADFS 2.0 (let's call it ADFS 1) federation with a custom STS. I have implemented a simple CustomSTS. This CustomSTS is configured to sign and encrypt the claims. For signing it is configured to use "STSTestCert" and for encryption it is configured to use the ADFS 1 encryption certificate (.cer).

Here is the scenario. 

  1. Application1 is configured using ADFS 1 as Identity provider. 
  2. Application1 is configured as relying party in ADFS1
  3. Custom STS is configured as Claims Trust Provider in ADFS1
  4. A typical user tries to login to Application1. He/She will be redirected to ADFS1 homerealm page.
  5. User can select ADFS1 or CustomSTS as identity providers
  6. When user selects ADFS1. The whole process, i.e issuing the token, sign, encrypting works fine. At the end, user is logged in and can see the Application1 page.
  7. When the user selects CustomSTS, he/she will be redirected to the login screen, and upon successful login CustomSTS posts a SAML token to ADFS1 at (adfs/ls).
  8. In the fiddler i can see token (Signed and encrypted.)
  9. On ADFS1, it cannot process the token somehow. I can see this error: "System.ArgumentException: A SamlAssertion requires at least one statement.  Ensure that you have added at least one SamlStatement to the SamlAssertion you are creating."
  10. Then I tried to disable the encryption on CustomSTS just to see what CustomSTS is posting to ADFS1. I can see the SAML token is posted to ADFS1 and it seems like the token is correct, I mean with proper SAML assertions. When I paid some attention I could see that CustomSTS is posting a <trust:RequestSecurityTokenResponseCollection>. This collection has a SecurityTokenResponse.

It seems like ADFS1 cannot decrypt, or it can decrypt but cannot see any token as it is a collection. I don't know what's going wrong here. Can you guys please suggest something?

Thanks in advance.

/Rakesh

ADFS federation trust with Oracle Web logic using SAML2.0

Has anyone made a federation trust with ADFS 2.0 and Oracle WebLogic using SAML 2.0? If so, can you please share some information. Is it straightforward or are there any gotchas?

Web Application Proxy 2012 R2 - Shadow account for non-claims-aware web applications that use IWA (Kerberos) via KCD.


Hello,

I have successfully published a non-claims-aware application that uses IWA (Kerberos) via KCD with the Web Application Proxy 2012 R2. When a corporate user accesses the application, he gets the ADFS sign-in screen and then there is a protocol transition that allows the corporate user to get access to the IWA application.

I have now put a federation in place in ADFS with a partner organisation and I would like people from the partner organisation to log in to the IWA application. Currently I receive a 500 error. Is there a possibility to create a shadow account in the corporate AD so that, as soon as a user from the partner organization is preauthenticated by the ADFS proxy, he gets access to the IWA application with that shadow account? Of course I plan to make my application claims aware, but for the transition phase I would like to make use of a shadow account. Is this possible with WAP 2012 R2? I know this is a supported scenario for UAG 2010, but as UAG is discontinued by Microsoft I do not want to use UAG.

Regards

Pascal Simler
