We are currently developing a 8.1 WINDOWS WinRT app using CRM's sdk (blogs.msdn.com/b/crm/archive/2012/11/02/building-clients-for-windows-phone-and-windows-8-rt.aspx)

To authenticate the user using the CRM's service, we must first create a security token request to our AD FS and obtain a SAML token. When send the request with user and pasword based authentication to get the saml with the following code it works fine:

 WSTrustBinding binding;

 IRequestCredentials credentials;

 credentials = new IssuedTokenCredentials(securityTokenResponse);
 binding = new WSTrustBindingUsernameMixed();

 RequestSecurityToken rst = WSTrustFactory.CreateRST(issuerEndpoint.TrustVersion, keyType);

 WSTrustClient trustClient = WSTrustFactory.CreateWSTrustClient(issuerEndpoint.TrustVersion, binding, issuerEndpoint.IssuerAddress, credentials);

 trustClient.IssueCompleted += new EventHandler<IssueCompletedEventArgs>(IssueCompleted);
 trustClient.IssueAsync(rst, callback);

The problem comes when we try to make a request using kerberos based authentication to get the security token,because I can not create a binding using the KerberosWSTrustBinding class in WinRT, because it's not available. It's only available in the framework 4.5.

Is there any option to create a request security token with kerberos authentication in AD FS in WinRT?

Best regards

Hi,

I've been working on setting up our corporate ADFS environment with a mostly successful outcome however I am having an issue with one of our ADFS WAP servers not establishing a trust with a secondary ADFS server in our internal farm.

I believe this relates to the ADFSTrustedDevices certificate store not replicating between the two internal farm nodes.

THE SETUP

Diagram

Internal

• 2 Windows 2012 R2 ADFS 3.0 Servers in one farm
• Each server is in a different site with resilient WAN connections, sites are GB1 and GB2

External

• 2 Windows 2012 R2 ADFS 3.0 WAP Servers
• Each server is in a different site with resilient WAN connections, sites are GB1 and GB2 (same as above)
• Each server is independent of the other (IE, no NLB or load balancer)
• Both servers are in the same DMZ network (multi-site is achieved via a stretch VLAN between GB1 and GB2)
• Internet/DMZ is resilient across both sites via BGP routing

So, GB1 contains the primary ADFS server and a proxy, GB2 contains secondary ADFS server and a proxy.
Both ADFS servers are in a farm.

DNS
Externally we use DNS round robin to the two proxies. Not best practice but the infrastructure is highly resilient so it's cost effective.

From each proxy, HOSTS files are used to lock the traffic to the internal ADFS server in the same site. IE, Proxy in GB1 will only communicate with internal ADFS server in GB1. Proxy in GB2 to internal ADFS server in GB2.

The reasoning behind this is for a site failure. Half the external traffic may hit the down proxy server and timeout but the other half will hit the working proxy. We didn't want half of the working proxy requests trying to contact the downed server in the failed site, giving us only one quarter of successful requests, if that makes sense.

THE ISSUE

During the setup of the second proxy in GB2 I could not establish a trust to the internal ADFS server in GB2, the secondary server.

Spent some time investigating with no success so I changed the HOSTS file to contact the primary internal ADFS server in GB1 and the trust was established and WAP configured

At this stage I could see that the ADFSTrustedDevice certificate store on the secondary ADFS server in GB2 was empty whilst the certificate store on the primary ADFS server in GB1 was populated with both proxy servers.

I changed the HOSTS file on GB2 proxy back to GB2 ADFS server and this continued to work for a while.

I had hoped that the automatic process would populate GB2 ADFS server with the certificates but it did not.

Eventually the trust broke down and I cannot re-establish the trust without pointing the GB2 proxy back to GB1.

I also cannot sync the certificate stored from GB1 ADFS server to GB2 ADFS server using the script found in this extremely useful article from Ian Parramore:

http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx#pi148362=2

WHAT HAVE I TRIED?
Ran the script in the above blog and no issues found, including using the switch -syncproxytrustcerts

KB2964735 / KB2962409 is installed an both ADFS servers

I have not initialised Device Registration as this will require updating the AD schema to 2012 which we are not ready to perform however this may well be the root of the problem, forcing us to move the AD schema forward.

SUGGESTIONS?
If you have any suggestions or advise on how to overcome this issue I've really appreciate some assistance.

Thanks in advance

Adam Callaghan

I am struggling for a few days with Dynamics CRM on premises. I think I
boiled it down to ADFS so I am reaching out here for help. Here is a link to the
CRM forum in case you want to get more info: http://social.microsoft.com/Forums/en-US/3dd2c9af-7680-4829-8b35-9152cc9a859a/plugin-registration-tool-failing?forum=crmdevelopment

Basically, using the system admin account I can log into CRM from any
computer without any issues. Using that same account, on the CRM server and the
server hosting ADFS I can log into CRM to retrieve information like name of the
organization (like the Plugin Registration Tool from MS does). However, when I
do the same from another remote computer then it breaks. The same behavior
happens with a custom console program that tries to connect to CRM.

It's somewhat puzzling why I can log into CRM with the admin account but then
on the same computer using the same account I cannot log in to retrieve
information. The difference between the two scenarios is that in the first case
I am presented with a login screen in Internet Explorer but in the second
scenario I obviously don't get a login screen (I use
System.ServiceModel.Description.ClientCredentials to pass in the credentials).

Looking at fiddler, it turns out that the response I am getting is actually
exactly that HTML page to log into the account. Once that is passed back the
program throws an exception. Now the question is why this is happening and how I
can fix it. Here is what I see in Fiddler:

a) 200 HTTPS sts.[domain].com:444 /adfs/services/trust/mex?xsd=xsd0
b) 302
HTTP  sts.[domain].com /adfs/services/trust/13/username
c) 200 HTTP Tunnel to
sts.[domain].com:443
d) 302 HTTPS sts.[domain].com
/adfs/serices/trust/13/username/default.aspx
e) 200 HTTP Tunnel to
sts.[domain].com:444
f) 200 HTTPS sts.[domain].com:444
/adfs/ls/?wa-wsignin1.0&wtrealm=https%3a%2f...

a) and all the previous "/adfs/services/trust/mex..." start with 3 digit hex
characters before the <... and end with a 0. I am not sure if this is
normal.  

That last step f breaks. Below is the request and response for that
transaction.

Request:
GET https://sts.[domain].com:444/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fsts.[domain].com%2f&wctx=rm%3d1%26id%3de4aebd76-c068-48fb-a9d0-a789fdf9856d%26ru%3dhttps%253a%252f%252fsts.[domain].com%252fadfs%252fservices%252ftrust%252f13%252fusername%252fdefault.aspx&wct=2014-09-18T17%3a28%3a55Z&wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword
HTTP/1.1
Content-Type: application/soap+xml;
charset=utf-8
Accept-Encoding: gzip, deflate
Host:
sts.[domain].com:444

Respone:
< !DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0
Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<
html xmlns="http://www.w3.org/1999/xhtml"
dir="ltr">
< head><meta http-equiv="X-UA-Compatible"
content="IE=8" /><title>
 Sign In
< /title><link
rel="stylesheet" type="text/css" href="MasterPages/StyleSheet.css" /><meta
name="robots" content="noindex, nofollow" /></head>

<body>
    <form name="aspnetForm" method="post"
action="/adfs/ls/?wa=wsignin1.0&amp;wtrealm=https%3a%2f%2fsts.[domain].com%2f&amp;wctx=rm%3d1%26id%3de4aebd76-c068-48fb-a9d0-a789fdf9856d%26ru%3dhttps%253a%252f%252fsts.[domain].com%252fadfs%252fservices%252ftrust%252f13%252fusername%252fdefault.aspx&amp;wct=2014-09-18T17%3a28%3a55Z&amp;wauth=urn%3aoasis%3anames%3atc%3aSAML%3a1.0%3aam%3apassword"
id="aspnetForm">
< input type="hidden" name="__VIEWSTATE"
id="__VIEWSTATE" value="/wEPDwUKMTY2MTc3NjUzM2RkjjIW9UHu5Y9twnRBWg+xeuICC2E="
/>

<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR"
value="0EE29E36" />
< input type="hidden" name="__EVENTVALIDATION"
id="__EVENTVALIDATION"
value="/wEWBQL99cGTDALnmcnFAQKzpa6MBwKo77JuAunYybIMxkiOVtoW9jbNbvbjpHhO9DCwW3I="
/><input type="hidden" name="__db" value="16" />
    <div
class="MainArea">
        <div class="Header">
           
<span id="ctl00_PageTitleLabel">Sign In</span>
       
</div>
       
        <div
class="GroupLargeMargin">
            <div
class="TextSizeXLarge">
                <span
id="ctl00_STSLabel">sts.[domain].com</span>
           
</div>
        </div>
        <div
class="MainActionContainer">
           
    <div
class="GroupXLargeMargin"><span>Type your user name and
password.</span></div>

Hello,

I'm creating an ADFS infrastructure on Azure, the azure will infra will serve an AD Tree domain called xyz.com which is located under forest abc.com.

I have two DCs for xyz.com on azure, yet when i'm testing the ADFS website, i get error 364, below full error, where you can see it actually tries to connect to abc.com via ldap, which is not accessible, is this normal?

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
http://sts.xyz.com/adfs/services/trust 

Exception details: 
System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---> System.ComponentModel.Win32Exception: Failed to open ldap conection to abc.com
   at Microsoft.DeviceRegistration.ADAdapter.DRDomainDnsNameContext..ctor(String domainDnsName, NetworkCredential credentials, Boolean performPdcSync)
   at Microsoft.DeviceRegistration.ADAdapter.DRServerContext..ctor(String serverContext, Boolean isServerName, NetworkCredential credentials, Boolean performPdcSync)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, Object[] args)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.ComponentModel.Win32Exception (0x80004005): Failed to open ldap conection to abc.com
   at Microsoft.DeviceRegistration.ADAdapter.DRDomainDnsNameContext..ctor(String domainDnsName, NetworkCredential credentials, Boolean performPdcSync)
   at Microsoft.DeviceRegistration.ADAdapter.DRServerContext..ctor(String serverContext, Boolean isServerName, NetworkCredential credentials, Boolean performPdcSync)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()

Is is possible to change disable localization for login page?

I would like to keep #loginMessage text or #submitButtontext to static culture e.g. en-UK?    

I am running the powershell below to add another relying party trust to my claim provider. After running once without success, now I cannot run the poweshell again.

Add-PSSnapin Microsoft.SharePoint.PowerShell -errorAction SilentlyContinue
$ad = Get-SPTrustedIdentityTokenIssuer "LOGIN"
$uri = New-Object System.Uri(https://mysites)
 
$ad.ProviderRealms.remove($uri, "urn:sharepoint:portal")
$ap.Update()

Error

Exception calling "Add" with "2" argument(s): "An item with the same key has already been added. How do I remove the item and re-ran the script?

What I need is a concise document that lists what sorts of certificates I need for ADFS 2012R2 and ADFS proxy, I can find one or the other but not both.

What I think I need (after much googling);

Token-signing certificate (ADFS server)
-Any x509 cert
-Does need need any special EKU
-Should not be self-signed (this is different to ADFS 2.0)
-Can be any subject name

Secure Sockets Layer (SSL) certificate (ADFS server)
-Same as service communication certificate
-Subject is the FQDN of the ADFS service 
-Should have following SAN
--FQDN of the ADFS services
--Enterpriseregistration.domain(forwindows8)
-Should have a EKU of server authentication

Token-decryption certificate(ADFS server)
-Cant find any specific info about this certificate

Secure Sockets Layer (SSL) certificate (ADFS proxy)
-Can this be the same cert as the one we use for the ADFS server?

Client authentication certificates (ADFS proxy)
-Not required any more?

Ideally I would like to be able to get an inf file that I can use for the certreq process for each of the required certs, a lot of the documentation still points you to IIS to do the csr but IIS is no longer installed on the ADFS servers.

References

http://technet.microsoft.com/en-us/library/dd807040.aspx

http://technet.microsoft.com/en-us/library/dd807054.aspx

Thanks for your help, the key here is ADFS 2012 R2 info, not ADFS2.0

We are migrating from ADFS2 to ADFS3. I have setup ADFS3 successfully and migrated the relying parties from ADFS2 to 3. When testing all the WS-Federation sites work fine, also one to Jive which uses SAML is OK. I am having problems with Shibboleth. The error logs are reporting

On looking thru the forums it looks like previous windows updates have caused this. However I have not been able to find the updates in question on the server. This is using a fresh install of Server 2012 R2 and fully updated by windows Update. This all works with ADFS2 just not with ADFS3.

Does anybody have any ideas or pointers on how to solve this?

Hi,

We have just installed ADFS 3.0. The problem is that when we test this on the adfs server using the "testlink":

https://sts.contoso.com/federationmetadata/2007-06/federationmetadata.xml

IE says: this says page can't be displayed. (yes we replaced contoso with our own domain ;)

when we replace the sts.contoso.com with the servers ip adress, we get the same error.

However when we replace it with localhost it works like a charm.

We have checked about everything i think & normally this is all straight forward so any idea's would be appreciated.

Don't forget about Alt+Esc!

Hi All,

We have an requirement to send SamAccountName as claim for an application & that's easy, but the problem is application accepts more than 4 characters as nameID. to over come this I was planning to append SamAccountName of persons with lessthan 4 characters& add prefix some character to it like a or x, so that any username which is like abc or xyz is changed to xabc ot axyz instead of making change in AD as this will be a big impact. so I am seeking help from the experts here on how or if possible to provide a custom claim using REGEX through which I can achieve this.

Thanks in Advance.

-Arvind Sindhu Enterprise Arch (Microsoft Technologies) Sapient.

Hi All,                 

I'm setting up ADFS2.0 in my lab, over Windows 2012 R2. Added relying party and authentication and claims are working fine.

I have two questions:

1. I need to be able to programmatically authenticate a user against a remote ADFS with a username and password received on a web page created with MVC5. Is there any guide or help on how to do this?
2. One of our scenarios is sending an activation link to new users that register in our web site, and when they click the link the email is validated, the account enabled, and the user isautomatically logged on. Can we do this automatic login?

Any help would be greatly appreciated.

Thanks in advance,

Miguel

Hi all,

At this moment i'm developing a Multi-factor authentication plugin for AD FS with the help of this blog: http://blogs.technet.com/b/cloudpfe/archive/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-3-0-part-2.aspx

The claim used in this blog is UPN but my plugin needs a mobilephone number. So I decided to change the claim in string[] IdentityClaims { get; } fromhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn to http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone

Now it looks like this:

publicstring[] IdentityClaims

        {           

           get {returnnewstring[] {"https://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone" }; }           

        }

When I run the plugin I see that the identityclaim I receive from ADFS is still an UPN and not mobilephone.

can anyone tell me what I am overlooking?

Hi,

We have ADFS and ADFS Proxy implemented.

we are facing the issue , we more that 30 relying party trust created for different customers.

once of our customer is facing problem is , when their application re-directs authentication to ADFS (externally) it landing to ADFS home realm page. i.e. its asking user to select site from the drop down and click on sign-in.

by this way our customers info getting exposed, how block this and provide user to get only ADFS username password webpage.

created relying party trust manually and we are using custom claim rules.

Hello,

I would like to narrow ADFS's search for AD users to certain OU. At the moment ADFS searches entire domain for the given credentials (UPN) when I could just point the correct OU for active users. Thanks for any reply.

Hello,

I have a Windows 2012 R2 environment with ADFS 3.0 in the internal lan with a couple of claims aware applications been published using Web Application Proxy in the DMZ to external users.

I need to apply multi-factor authentication using RSA SecurID for a certain group of users, they will be in a specific group, when they are accessing the application externally.  With ADFS 3.0 you can apply MFA for certain groups when the user is coming from an extranet network location.  Is it possible to apply MFA using RSA SecurID as I have seen documents for ADFS 2.0 and the ADFS proxy but the installation for ADFS 3.0 has changed and no longer has a reliance on IIS.  Can you still integrate RSA SecurID with Web Application Proxy?

Thanks,

B

We're following the walkthrough to create a WIF application using ADFS 2.0 here:
http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides%28WS.10%29.aspx

We have VS2010 installed on the Windows 2008 server and we're also using this as the Federation Server (i.e. no proxy). Whenever we try to add a relying party trust in ADFS, we get the following error when using the 'Import data about the relying party published online or on a local network' option:

An error occurred during an attempt to read the federation metadata...
...Verify your proxy server setting...
...Remote server returned an error (407) Proxy Authentication Required.

Any ideas how to troubleshoot / solve this? We can browse straight to the Federation Metadata XML file in Internet Explorer.

I plugged Microsoft JwtSecurityTokenHandler into the security token handlers collection for use with the stock Microsoft SecurityTokenService.  Everything goes smooth in System.IdentityModel.SecurityTokenService.Issue until the STS invokes CreateSecurityTokenReference on the JwtSecurityTokenHandler. 

At this point the JwtSecurityTokenHandler throws 

NotSupportedException / IDX11005: Creating a SecurityKeyIdentifierClause is not supported.

Can you not use JwtSecurityTokenHandler with the stock Microsoft SecurityTokenService?

System.IdentityModel.Tokens.Jwt.4.0.0-RC2

Hi,

I'm trying to create a relying party for ADFS 2.0 SAML 2.0 service. I've got it working with idpinitiatedsignon.aspx. I've managed to create similar SAMLRequest parameter for SP initiated version. I'm now missing only a valid signature parameter. What is the information that I'll have to sign? I've tried with signing the SAMLRequest=%compressed_base64%&SigAlg=http%3a%2f%2fwww.w3.org%2f2000%2f09%2fxmldsig%23rsa-sha1 as well with doing XML document signing of the whole XML message. I have installed the public version of my signing certificate into ADFS relying party.

I receive "MSIS0038: SAML Message has wrong signature" error in ADFS log.

Other thing that I tried was to disable the ADFS setting SignedSamlRequestsRequired -> then if I omit the Signature and the SigAlg parameters I receive "MSIS1015: Server required signed SAML AuthenticationRequest but no signature present" error in ADFS log even though I have disabled both the server level and the relying party level setting SignedSamlRequestsRequired.

But my question is From what does the signature url parameter consist? What do I need to Sign and at what stage?

-Jake

Hello, I am using MS CRM 2011 which uses Window Identity Foundation. I can make it connect to ADFS 2.0 which I understands supports SAML 2.0.

I also have a third-party identity provider which SAML 1.1 . Is there anyway I can get ADFS 2.0 working with my 3rd party identity provider?

Is it possible to set up rules to translate SAML 2.0 to SAML 1.1 and vice versa ?

Thanks in advance.