Channel: Claims based access platform (CBA), code-named Geneva forum

Secondary ADFS server does not switch primary/secondary certificates


Hi there!

I have been sent here from the Microsoft Office 365 Community, so I'll ask my question again. I still do not know very much about all this Federation stuff, but I'd like to learn.

So, we have two Windows Server 2008 R2 domain controllers along with federation proxies on AWS, each pair behind a load balancer. In March, our certificates were about to expire, so we looked into this. I am not sure any more whether we actually had to do something, or whether automatic rollover was already active. Some days before expiration, new certificates were created automatically, on both primary and secondary servers. We verified this with Get-ADFSCertificate -CertificateType token-signing. Those new certificates were not in use; the old ones were still the primary ones. So far, so good.

Then, on our primary domain controller, the secondary certificate became the primary one - automatically, I believe, but I am not entirely sure any more. Just as expected.

But this did not happen on the secondary domain controller. There, I still see both certificates, the old and the new one, and the old, expired one is the primary one. How can this be changed, and why did it not change automatically?

In the ADFS 2.0 Manager on this host I only have the information that 'This computer is not the primary federation server in the farm'. And that 'Changes to AD FS configuration settings can be made only at the primary federation server computer'.

Is there some way to make the secondary certificate the primary? Or to import the new certificate as the primary one? But I would not even know how to export it. I looked for it with MMC on the primary server, and at Certificates (Local Computer) -> Personal -> Certificates I expected it to be, as described in one document I found on the net (and which I cannot link to until my account is verified - no idea how this works). There are some, but not the one Get-ADFSCertificate -CertificateType token-signing shows.

When I open the ADFS 2.0 Management on the first server, I see it as token-signing certificate. But I cannot export from there, and the ADFS 2.0 Management on the second server does not allow me to do anything. There, I also see that the last sync with the primary server was on 2014-04-15 - why did that stop? The new certificates were created more than one month earlier already, so this is probably not the cause of the primary/secondary certificates not switching. The Active Directory is still being synced.

Both servers are being restarted regularly due to updates. We removed the secondary domain controller and the secondary ADFS proxy from the load balancers, so for the moment we are fine. But we need to eventually solve this.

One idea would be to remove the ADFS stuff completely from the secondary server, and set it up again, hoping that it will somehow fetch the certificate from the primary DC then. But I would prefer to actually fix this instead of finding a workaround, without ever knowing what the problem was.

Any help with this is greatly appreciated.

Alex


RDWeb access from Internet via ADFS


Hello,

I am having difficulty displaying RDWeb to Internet users. I am using a Web Application Proxy server (all servers are Windows Server 2012 R2) in the DMZ; ADFS server internally; RDWeb/RDGateway/RDConnectionBroker/RDSessionHost (you guessed it, all in two servers load balanced behind a hardware load balancer). When I set up pass-through authentication from the WAP - so not using ADFS - I am able to log in to the RDWeb server (but not able to launch applications, as I am continuously prompted for credentials). When using ADFS, we have set up a non-claims-aware Relying Third party trust. We can log in to the ADFS page, but then receive a "Website Cannot Display the Page" - Internal 500 error.

To me ADFS is not passing credentials through to the RDWeb server.

Any ideas or suggestions?

Use AD for internal authentication and ADFS for external on SharePoint environment


I have this environment: WAP (WorkGroup) + ADFS + SharePoint. I have these doubts:

1) Is it possible to use Windows Authentication for internal users and ADFS for external users?

2) When I configure WAP to use ADFS preauthentication, it doesn't work for external users. Pass-through preauthentication works well...

Regards

MSIS7102: Requested Authentication Method is not supported on the STS


Hi

I am connecting to an internal server, which returns me a SamlRequest to an adfs3 server.

The adfs3 is set up with integrated logon for internal users.

An error

MSIS7102: Requested Authentication Method is not supported on the STS.

is logged on the adfs3 server

What is the reason for this error?

Regards & thanx

Peter Buus

About ADFS localization!!!


Hi,

We have ADFS 3.0 on Windows Server 2012 R2 with federated identity with Office 365. I want to ask whether it is possible to make the sign-in page and other pages (error pages etc.) in the Macedonian language. You can change some things with PowerShell commands, but you cannot change the button language and some other things. There is no Macedonian localization support in ADFS 3.0. Is there any way to make this possible?

Best Regards

Migrate ADFS 2.1 with SQL to ADFS 3.0


Hi All,

I am in the process of migrating from ADFS 2.1 to 3.0 and have already set up a new server with the same certs. I am facing challenges migrating the existing trusts and settings that are there; has anyone tried or done a successful migration? The scenario I have is: I have set up a new lab with a similar domain and certs etc. My old/prod setup is running ADFS 2.1 with RU3 and SQL 2008 R2 as the database.

So the question to the community is:

1. Can we migrate just the database, i.e. back up the prod database running with ADFS 2.1 Update 3, transfer it to another server running ADFS 3.0 and restore it? This is giving me errors.

2. Any other way to transfer settings?


-Arvind Sindhu Enterprise Arch (Microsoft Technologies) Sapient.

ADFS Proxy Driving me Nuts!!!


I'm setting up ADFS in my lab, so I suspect the symptoms are a result of the non-standard setup, but I'm hoping someone can point me in the right direction. My understanding is that what I'm trying to do should work, you'd just never do it in production.

New Windows Server 2012 R2 domain, DC1 has ADFS role installed and working, metadata and sign-in sites look fine, DC2 I'm trying to install the web application proxy on. Both servers have the same wildcard cert installed. Internal A record points adfs.fqdn... to the IP of DC1. External DNS record will point to external IP nat'd to IP of DC2, but I haven't gotten that far yet.

Where I'm getting stuck is configuring the WAP role: I specify the federation service friendly name, put in the domain admin user name and password, select the wildcard cert and click configure:

"ADFS Proxy could not be configured"

"An error occurred when attempting to save the proxy configuration."

Are there any logs I can check for more meaningful information?

Any help much appreciated!

Setting up ADFS 2.0 with SAML


Hi All,

I currently need to set up an ADFS server but I am unclear which TechNet guide I should be following. I have previously gone through setting this up with Office 365, so I understand the ideas and processes somewhat, but in this case it is very different.

From my reading I am the relying partner now. Basically we host a web app that my client wants SSO into from their AD. They have an ADFS system in place, as they use it for other systems to get SSO, but we are building from scratch.

Any links to the best place to get a guide to this would be AMAZING!

Thanks

EDIT - I have tried this guide, which was suggested over on the TechNet forums, but I am getting stuck with getting it to use SAML, what certs I need, and whether the domain can be internal (test.local) or has to be an external test.com-type domain.

http://nikpatel.net/2014/06/09/step-by-step-complete-guide-to-configure-adfs-2-0-integration-with-sharepoint-2013-on-windows-server-2008-r2/

Any help would be greatly appreciated.

Thanks


IT Professional



JwtSecurityTokenHandler / NotSupportedException IDX11005


I plugged Microsoft JwtSecurityTokenHandler into the security token handlers collection for use with the stock Microsoft SecurityTokenService.  Everything goes smooth in System.IdentityModel.SecurityTokenService.Issue until the STS invokes CreateSecurityTokenReference on the JwtSecurityTokenHandler. 

At this point the JwtSecurityTokenHandler throws 

NotSupportedException / IDX11005: Creating a SecurityKeyIdentifierClause is not supported.

Can you not use JwtSecurityTokenHandler with the stock Microsoft SecurityTokenService?

System.IdentityModel.Tokens.Jwt.4.0.0-RC2

2 ADFS Queries


Hi All, 

I have 2 questions that I am hoping you can help me with:

1. Can I install the ADFS Proxy Server Role on a Server that is already a federation server?

2. When adding a manual relying party trust, this article mentions the importing of a certificate: http://technet.microsoft.com/en-us/library/dn486828.aspx. What certificate is it referring to?

kind regards

Hendy

WIA and Office365 Login on Shared Computer


I have a difficult situation. Our internal authentication method is set to Windows. We have shared computers. The computer is logged in as user domain\assistant each day. It never logs off; it is always logged in as domain\assistant.
The manager visits the office. The manager tries to log in to OWA, but with Windows auth it automatically logs in as assistant.

What I have tried:
runas
shellrunas
start-process with -credential.
None of the above work exactly how I need them to. I would prefer to do this with a web page.

How, with ADFS 3.0 (we are on 2012 R2), can I create or point to (or something) a login page? How can I support WIA for the logged-in user but present FBA for a different user on the same computer?

Can I point to a different web page? Can I somehow point to the same page, but prompt one user and not the other?

Thanks,
Paul

SharePoint Claims


Okay, I know the answer is going to be NO already, but there is no harm in asking just in case...

We have SharePoint 2013, which is now (by default) using Claims Authentication. We want to implement ADFS 3.0 and WAP, but really would like to avoid having to remap all claims accounts to the ADFS trusted provider. Is there any way we can get ADFS to pre-authenticate the user with the AD Claim account?

Hope this makes sense...

Thanks


Phil

ADFS 2.0 & TMG - Multiple Login Prompt Issue


Hi All,

We are having an issue federating with a new partner. In the past we have had no issues with the federation partners we have set up, but this one seems a bit different. We have an ADFS 2.0 farm, but instead of an ADFS proxy we are using TMG.

This is an SP-initiated federation (WS-Federation), so we first browse to the external application URL; the request is then redirected to our ADFS environment as it should be. This is where the issue occurs: the user is asked to log in when the request hits the TMG server (forms based), which is normal behaviour. Once the user enters their credentials and logs in at the TMG level, I would then expect these creds to be passed to ADFS to authenticate the user. The issue is that the user is then prompted to authenticate a second time when the request reaches our ADFS. Once the user enters the creds (the same creds as the TMG login), they are redirected to the external application and logged straight in. My issue is that I cannot work out why TMG does not seem to be passing the creds to the ADFS servers to authenticate the user automatically.

We have Office 365 set up, which has the same kind of config, e.g. you go to the external site and are redirected to log in at TMG, but the difference is you only need to log in once; this appears to authenticate the user automatically in ADFS and build the token.

I'm not sure if it is a TMG rule I am missing, but can't really play around with this as it may break Office 365. Apart from this, all our other federations are IdP so they work in a different way without issue.

Let me know if you need me to provide any more information.

Thanks

ADFS 3.0 on 2012r2 - where's the artifact + soap sso endpoint?


Working on a new ADFS implementation (2x 2012r2 w/ LB + SQL DB + 2 proxies w/ LB) and after a number of runs through, the ADFS endpoints we're looking for don't seem to be enabled or even to be an option to enable. SSO endpoints for POST and Redirect are there; one Artifact endpoint is present, though not for SSO.

Would like to enable SOAP and Artifact SSO endpoints, though even after importing XML requesting them they're not active. The SP would like to ask the IdP (ADFS) directly to validate artifacts presented.

Suggestions? We'd been told that this was supported with ADFS 3...

Thanks so much

ADFS 2 SAML Assertion Not Canonicalized?

Hi, all

We are testing using ADFS as IdP and Java OpenSAML as SP. However, the validation of the SAML assertion from ADFS keeps failing. I have tracked it down to a canonicalization issue with the ADFS assertions:

Here is what’s from ADFS:

<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">

Here is what’s Java canonicalized:

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0">

Based on http://www.ibm.com/developerworks/library/x-c14n/, the Java one seems to be the correct one.

So, the question is: does anybody know why the ADFS server is not following the SAML standard? It already states it's using the Canonicalization Method like below:

     <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />

Does anybody know if there is any configuration to fix the ADFS canonicalization?

Thanks a lot in advance.

- Hao
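The two start tags quoted above differ only in attribute order, and a signature does not cover that order: a ds:Reference digest is computed over the canonicalized bytes, so both serializations must hash to the same value once canonicalized. The following is an added example (not from the post, OpenSAML or ADFS) that shows this with Python's standard library; it assumes the assertion element is closed so it parses, and it uses the stdlib's C14N 2.0 as a stand-in for the Exclusive C14N 1.0 that ADFS names in ds:CanonicalizationMethod, since both apply the same namespace-first, sorted-attribute rule that matters here.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples: the two serializations quoted in the post, each closed
# with an end tag so it parses as a complete element (the post shows only the
# start tags). IDs and timestamps are the ones from the post.
ADFS_ASSERTION = (
    '<saml:Assertion Version="2.0" ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:Assertion>'
)
JAVA_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_c30603e8-9e7a-4a1b-b72b-a8c1af6d5be6" '
    'IssueInstant="2014-09-17T14:58:33.642Z" Version="2.0"></saml:Assertion>'
)


def canonical_form(xml_text: str) -> bytes:
    """Canonicalize an XML fragment and return the resulting UTF-8 bytes.

    The stdlib implements C14N 2.0, not the Exclusive C14N 1.0 that ADFS
    names in <ds:CanonicalizationMethod>; both write namespace declarations
    first and then attributes in sorted order, which is the only rule this
    demonstration depends on. A real SAML verifier must run the algorithm
    named in the signature it is checking.
    """
    return ET.canonicalize(xml_data=xml_text).encode("utf-8")


def canonical_digest(xml_text: str) -> str:
    """Digest over the canonical bytes: what a ds:Reference DigestValue covers."""
    return hashlib.sha256(canonical_form(xml_text)).hexdigest()


def raw_digest(xml_text: str) -> str:
    """Digest over the bytes as received: what a verifier gets if it skips
    canonicalization. Any change in attribute order changes this value."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def digests_agree(a: str, b: str) -> bool:
    """True when two serializations of the same element verify as equal."""
    return canonical_digest(a) == canonical_digest(b)


if __name__ == "__main__":
    print("canonical:", canonical_form(ADFS_ASSERTION).decode())
    print("ADFS raw digest :", raw_digest(ADFS_ASSERTION))
    print("Java raw digest :", raw_digest(JAVA_ASSERTION))
    print("canonical digests agree:", digests_agree(ADFS_ASSERTION, JAVA_ASSERTION))
```

The raw digests differ while the canonical digests match, so the serialized attribute order alone cannot explain a failed reference check; the verifier's canonicalization step is where to look.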

ADFS 3.0 WAP Trust to ADFS Farm


I had a working trust relationship between a WAP and an ADFS farm. Nothing in the environment changed but all of a sudden the trust relationship is broken. Numerous 276 errors on the ADFS server and 422 errors on the WAP.

I attempted to rerun the proxy setup again but it keeps failing:

$cred=Get-Credential
Install-WebApplicationProxy -FederationServiceTrustCredential $cred -CertificateThumbprint 'XXXXXXXXXXXXXXXXXXXX' -FederationServiceName 'fs.xxx.com'

Install-WebApplicationProxy : An error occurred when attempting to save the proxy configuration.
At line:1 char:1
+ Install-WebApplicationProxy -FederationServiceTrustCredential $cred -Certificate ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Install-WebApplicationProxy], ProxyConfigurationException
    + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Management.Proxy.Commands.InstallProxyCommand

Can anyone please provide some insight? Thanks.

Update: It does not seem to work through the F5 load balancer. It just hangs at "Waiting for a proxy trust configuration to be synchronized across farm ........"

Authentication Failing & Characters


I am struggling for a few days with Dynamics CRM on premises. I think I boiled it down to ADFS so I am reaching out here for help. Here is a link to the CRM forum in case you want to get more info: http://social.microsoft.com/Forums/en-US/3dd2c9af-7680-4829-8b35-9152cc9a859a/plugin-registration-tool-failing?forum=crmdevelopment

Basically, using the system admin account I can log into CRM from any computer without any issues. Using that same account, on the CRM server and the server hosting ADFS I can log into CRM to retrieve information like name of the organization (like the Plugin Registration Tool from MS does). However, when I do the same from another remote computer then it breaks. The same behavior happens with a custom console program that tries to connect to CRM.

It's somewhat puzzling why I can log into CRM with the admin account but then on the same computer using the same account I cannot log in to retrieve information. The difference between the two scenarios is that in the first case I am presented with a login screen in Internet Explorer but in the second scenario I obviously don't get a login screen (I use System.ServiceModel.Description.ClientCredentials to pass in the credentials).

Looking at fiddler, it turns out that the response I am getting is actually exactly that HTML page to log into the account. Once that is passed back the program throws an exception. Now the question is why this is happening and how I can fix it. Here is what I see in Fiddler:

a) 200 HTTPS sts.[domain].com:444 /adfs/services/trust/mex?xsd=xsd0
b) 302 HTTP  sts.[domain].com /adfs/services/trust/13/username
c) 200 HTTP Tunnel to sts.[domain].com:443
d) 302 HTTPS sts.[domain].com /adfs/serices/trust/13/username/default.aspx
e) 200 HTTP Tunnel to sts.[domain].com:444
f) 200 HTTPS sts.[domain].com:444 /adfs/ls/?wa-wsignin1.0&wtrealm=https%3a%2f...

a) and all the previous "/adfs/services/trust/mex..." start with 3 digit hex characters before the <... and end with a 0. I am not sure if this is normal.  

That last step f breaks. Below is the request and response for that transaction.

Request:
GET https://sts.[domain].com:444/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fsts.[domain].com%2f&wctx=rm%3d1%26id%3de4aebd76-c068-48fb-a9d0-a789fdf9856d%26ru%3dhttps%253a%252f%252fsts.[domain].com%252fadfs%252fservices%252ftrust%252f13%252fusername%252fdefault.aspx&wct=2014-09-18T17%3a28%3a55Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
Accept-Encoding: gzip, deflate
Host: sts.[domain].com:444

Response:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr">
<head><meta http-equiv="X-UA-Compatible" content="IE=8" /><title>
 Sign In
</title><link rel="stylesheet" type="text/css" href="MasterPages/StyleSheet.css" /><meta name="robots" content="noindex, nofollow" /></head>

<body>
    <form name="aspnetForm" method="post" action="/adfs/ls/?wa=wsignin1.0&amp;wtrealm=https%3a%2f%2fsts.[domain].com%2f&amp;wctx=rm%3d1%26id%3de4aebd76-c068-48fb-a9d0-a789fdf9856d%26ru%3dhttps%253a%252f%252fsts.[domain].com%252fadfs%252fservices%252ftrust%252f13%252fusername%252fdefault.aspx&amp;wct=2014-09-18T17%3a28%3a55Z&amp;wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword" id="aspnetForm">
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY2MTc3NjUzM2RkjjIW9UHu5Y9twnRBWg+xeuICC2E=" />

<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="0EE29E36" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBQL99cGTDALnmcnFAQKzpa6MBwKo77JuAunYybIMxkiOVtoW9jbNbvbjpHhO9DCwW3I=" /><input type="hidden" name="__db" value="16" />
    <div class="MainArea">
        <div class="Header">
            <span id="ctl00_PageTitleLabel">Sign In</span>
        </div>
       
        <div class="GroupLargeMargin">
            <div class="TextSizeXLarge">
                <span id="ctl00_STSLabel">sts.[domain].com</span>
            </div>
        </div>
        <div class="MainActionContainer">
           
    <div class="GroupXLargeMargin"><span>Type your user name and password.</span></div>

Claim type for consuming SAML2 attributes in ADFS 2.0

Hi Guys,

I am trying to use ADFS 2.0 with a Shibboleth IdP which issues attribute statements in URI format, e.g. urn:mace:dir:attribute-def:uid. When I try to enter a rule in ADFS 2.0 for this Claims Provider using this claim type, I receive an error saying I should be using a format with scheme, hostname and URL path. My question is: how do I consume this attribute statement in ADFS 2.0?

Thanks,

ADFS 2.0 and Office 365 (Outlook Disconnected)


We have intermittent issues with only the Outlook clients for some users getting disconnected (not prompting for login; it says disconnected). OWA and other services work fine. We have multiple sites with ADFS servers in the farm. This happens only for one of the sites. I already checked whether there is a time sync issue between the ADFS servers, ADFS proxies and the DCs.

Has anyone faced this problem before?

Thanks for looking in to this.

ADFS 2.0: Need health checking, which url to query?


For an Office 365 environment we use a load balancer to make the ADFS 2.0 servers highly available. To validate whether a server is healthy, I would like to monitor a URL and check for a certain response. Any recommendations?

When I call https://adfs.domain.tld/adfs/fs/federationserverservice.asmx I get an XML response, but I am not sure which part to check.


Did my post help? Please use "Vote As Helpful", "Mark as answer" or "Propose as answer". Thank you!
