Hi,
is it possible to set up more than 1 adfs instance/farm on one windows server? I couldn't find out any option so far.
Hello,
I set up an ADFS farm spanning 2 data centers. In each data center, I have one internal network and one DMZ. There are two ADFS server proxies in the DMZ deployed behind an LTM (load balancer). The internal network has two ADFS servers, also deployed behind an LTM. The two data centers are connected with the NeuStar load balancing service.
My question is, how do I test the load balancers? I tried with localhost, but it looks like the IIS services are pointed to a different URL when trying to access it. I thought I would be able to use the same path as localhost and change the picture, so that when accessing from a Windows 7 client PC by entering sts.domain.com I would get the IIS page modified from whichever server it comes from. Apparently my method is not working. Any good ideas on how to test load balancers?
Thanks a million
NerkoIT
I have a number of RPs which connect to ADFS 3.0, where ADFS is a broker, i.e. an RP-STS, and hands off to an IP-STS.
The IP-STS needs to know which RP initiated the flow.
ADFS uses the wctx parameter to store this. By default it creates a cookie and passes a reference to the cookie in the wctx field.
In ADFS 2.x, there is a parameter in the web.config called:
context hidden="true"
If set to false, it would pass the context directly in the query string instead of using the cookie.
This parameter is missing in ADFS 3.0.
Is there any way that the IP-STS can work out which RP initiated the flow?
Hi,
ADFS 3.0 is used for Salesforce integration. I need to use MFA (Multi Factor Authentication): firstly username/password and secondly devices with certificates. I have some devices in the domain and some non-domain. What values should I use in the SDN and SAN of the certificates so that it works for domain and non-domain? I am all right with 2 certificates, for domain and non-domain respectively. Could anyone clarify the certificate to be used for domain and non-domain devices for the second level of authentication?
Hi All,
I've seen all the threads relating to extended protection and also the KB about the repeated prompts, and I have tried disabling extended protection.
What I'm experiencing is quite strange: ADFS 2012 R2 is all set up fine and working happily with Intune and a variety of services. I have been able to enrol iPads fine using the exact same process I'm trying to use now, although now I'm getting the repeated prompt behaviour, but only in Safari; IE is still fine. The only thing I can think of that has changed is that I've enabled the user account for AD Premium features.
Any clues?
Thanks.
Thanks for your time in advance.
We're trying to set up ADFS 2.0 (deployed on Server 2008 R2, so still dependent on IIS for the time being) to support SAML 2.0 Service Provider-initiated requests. We have an internal ADFS deployed (and DNS'd) behind the firewall, and an external ADFS proxy deployed (and DNS'd) on the perimeter DMZ, relaying requests to/from the perimeter network. I've been digging through http://msdn.microsoft.com/en-us/library/ee895356.aspx and its child pages, but I'm not sure how to do this.
Basically, how can we set this up such that when we hit the forms-based login page:
https://DOMAIN/adfs/ls/?SAMLRequest=FOOBARFOOBAR123123123123
I can use a simple username like "johnchoe" or "jchoe" instead of a fully qualified username like the one it prompts for (Domain\username)?
I assume it's a simple config in the Web.config file somewhere... just not sure where.
Thanks for your time.
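The two questions above (an IP-STS that needs to know which RP started the flow, and a SAML SP-initiated request hitting /adfs/ls/?SAMLRequest=...) both come down to reading what the browser actually sends to the /adfs/ls/ endpoint. The script below is an added example, not code from any of the posts or from ADFS: it takes a sign-in URL, tells a WS-Federation request (wa/wtrealm/wctx/wreply) apart from a SAML 2.0 redirect-binding request, inflates the SAMLRequest and reports the Issuer and AssertionConsumerServiceURL. The hostnames sts.example.com, app.example.com and sp.example.com and the sample requests are constructed for the example.

```python
"""Added example, not from any of the posts above: read an /adfs/ls/ sign-in URL
and report which relying party started the flow.

Handles the two request styles ADFS accepts on that endpoint:
  * WS-Federation passive:  wa=wsignin1.0&wtrealm=<RP id>&wctx=<state>&wreply=...
  * SAML 2.0 redirect binding: SAMLRequest=base64(raw-deflate(<samlp:AuthnRequest>))
Standard library only.  The sample URLs at the bottom are constructed for the
example; sts.example.com, app.example.com and sp.example.com are placeholders.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_saml_message(b64: str) -> bytes:
    """Undo the redirect-binding encoding: base64, then raw DEFLATE (no zlib header).
    The POST binding sends plain base64 XML, so fall back to that when the bytes
    already look like XML."""
    raw = base64.b64decode(b64)
    if raw.lstrip().startswith(b"<"):
        return raw
    return zlib.decompress(raw, -15)  # wbits=-15 selects a raw deflate stream


def describe_saml_authn_request(b64: str) -> dict:
    """Issuer, ACS URL and request ID from a SAMLRequest parameter value."""
    root = ET.fromstring(decode_saml_message(b64))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    return {
        "protocol": "saml2",
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "request_id": root.get("ID"),
    }


def describe_wsfed_request(params: dict) -> dict:
    """WS-Federation: wtrealm is the RP identifier; wctx is opaque state that the
    RP (or ADFS acting as RP-STS) wants echoed back unchanged."""
    return {
        "protocol": "wsfed",
        "action": params.get("wa"),
        "realm": params.get("wtrealm"),
        "reply": params.get("wreply"),
        "context": params.get("wctx"),
    }


def describe_adfs_request(url: str) -> dict:
    """Dispatch on the query string of an /adfs/ls/ URL."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "SAMLRequest" in params:
        info = describe_saml_authn_request(params["SAMLRequest"])
        info["relay_state"] = params.get("RelayState")
        return info
    if "wa" in params:
        return describe_wsfed_request(params)
    raise ValueError("neither a WS-Federation nor a SAML 2.0 request")


# --- constructed sample input (placeholders, not real hosts) -------------------
SAMPLE_WSFED_URL = (
    "https://sts.example.com/adfs/ls/?wa=wsignin1.0"
    "&wtrealm=https%3A%2F%2Fapp.example.com%2F"
    "&wctx=rm%3D0%26id%3Dpassive%26ru%3D%252F"
    "&wreply=https%3A%2F%2Fapp.example.com%2F"
)

SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" Version="2.0" '
    b'IssueInstant="2014-10-01T15:36:10Z" '
    b'AssertionConsumerServiceURL="https://sp.example.com/saml/acs" '
    b'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    b'<saml:Issuer>https://sp.example.com/saml/metadata</saml:Issuer>'
    b'</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml_bytes: bytes) -> str:
    """What an SP does before redirecting: raw deflate, base64, URL-encode."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return quote(base64.b64encode(co.compress(xml_bytes) + co.flush()).decode("ascii"), safe="")


SAMPLE_SAML_URL = ("https://sts.example.com/adfs/ls/?SAMLRequest="
                   + encode_redirect_binding(SAMPLE_AUTHN_REQUEST) + "&RelayState=abc")
# POST-binding form of the same request (base64 without deflate)
SAMPLE_POST_B64 = base64.b64encode(SAMPLE_AUTHN_REQUEST).decode("ascii")

if __name__ == "__main__":
    for u in (SAMPLE_WSFED_URL, SAMPLE_SAML_URL):
        print(describe_adfs_request(u))
```

For the wctx question this shows the limit of the approach: in WS-Federation the RP identity is carried in wtrealm, and wctx is whatever the caller put there. When ADFS 3.0 acts as RP-STS it replaces the original wctx with its own cookie reference before forwarding to the IP-STS, so the IP-STS only sees ADFS's realm; the originating RP has to be carried some other way, for example in the claims ADFS sends, which is not something this script can recover from the URL alone.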
Hi,
I am seeing the following errors when I attempt to navigate to the /adfs/ls/adfs/services/trust/mex endpoint on my ADFS 3.0 server farm.
Level Date and Time Source Event ID Task Category
Error 01/10/2014 15:36:10 AD FS 364 None "Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/adfs/services/trust/mex to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
"
This error is not causing any noticeable issues, the ADFS server farm is only being used for O365 Authentication (currently in pilot phase).
Prior to noticing this issue, I had previously disabled the /adfs/services/trust/2005/windowstransport endpoint according to the issue reported here (OneDrive Pro & SharePoint Online local edit of files not working): http://community.office365.com/en-us/f/172/t/205721.aspx. This resolved the issues I was seeing with OneDrive and SPOL.
Since seeing the mex endpoint issue, I have used the Microsoft Remote Connectivity Analyser to verify the health of the ADFS service. While windowstransport was disabled, the analyser reported that the mex endpoint was not available and that the metadata could not be found. After re-enabling the windowstransport endpoint, the analyser reported that all was OK.
However, browsing locally to the mex endpoint still results in the following error in the browser and the above error in the ADFS event log.
"An error occurred. Contact your administrator for more information."
I'd appreciate any assistance/ pointers in resolving this issue.
Regards,
Jon.
Hi, I'm trying to troubleshoot an error when using a claims-aware web application with AD FS 2.0.
Here is an outline of the infrastructure with regard to servers, certs, and traffic. Each server is running Windows Server 2012.
Certificates are installed in the following manner:
Does the proxy server also need the SSL cert used by the relying party web application (certRP.client.com)?
ADFS Certificates are configured as such:
Additional Relying Party Trust Configuration:
Via Home Realm Discovery, I'm currently using the AD FS hosted login page to authenticate against Active Directory. After submitting credentials, I receive a 'the user name or password is incorrect' message. However, I have confirmed that the authentication is successful, as I viewed the Security log on the Active Directory box for the account I'm testing against.
Here are the errors that are being reported on the ADFS server:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityServer.Framework.SecurityTokenService.FailedAuthenticationException: MSIS3055: The requested relying party trust 'https://org.client.com/adfs/ls/' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.
--- End of inner exception stack trace ---
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'https://org.client.com/adfs/ls/' could not be located.
--------------------------------------------------------------------------------------------------------------------------
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.AuthenticationFailedException: MSIS8108: Authentication failed.
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SubmitRequest(MSISRequestSecurityToken request)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, String desiredTokenType, Uri& replyTo)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSingleSignOnToken(SecurityToken securityToken, String issuer)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RedirectAdfsLsForRpTokenInSsoCase(SecurityToken securityToken, WSFederationMessage wsFederationPassiveRequestMessage, HttpRequest request, HttpResponse response)
Any assistance resolving this would be greatly appreciated!
Hi All,
I have been trying to set up an ADFS 2.0 server for way too long now and I keep hitting the same 2 errors. Please see them posted below. Any help would be much appreciated; my employer needs this up and running ASAP as it is urgent, but it just won't behave. Thanks ahead of time for any help you can offer. It really is appreciated big time!
The Federation Service encountered an error while processing the SAML authentication request.
Additional Data
Exception details:
System.Xml.XmlException: 'Element' is an invalid XmlNodeType.
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Second Log Error -
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(FederationPassiveContext federationPassiveContext)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
IT Professional
We have set up an AD FS farm (1 server) on our internal network behind our internal F5 appliance. Additionally, we have set up a Web Proxy (1 server) in our DMZ network and load balanced it behind our DMZ.
Internally we can authenticate devices based on Forms Based Authentication (FBA), Windows Integrated Authentication (WIA), Certificate Authentication (CA), FBA + CA and WIA and CA.
Externally we can authenticate devices based on Forms Based Authentication (FBA), Certificate Authentication (CA), and FBA + CA as long as the request is coming from a company laptop.
If we use an iOS device we are only able to authenticate using FBA. If we choose CA as the only option for external devices it fails. It will get as far as the sign-on screen, show a message (see below) and spin attempting to load it for ~2 minutes before failing. The iOS device has a valid certificate and is in fact using the same certificate that was used on an external company laptop to validate that it worked there. The installed certificate contains the private key and was delivered to the device via email.
Does anyone have any experience with this type of issue or configuration?
Hello,
I have a Windows 2012 R2 environment with ADFS 3.0 in the internal LAN, with a couple of claims-aware applications being published to external users using Web Application Proxy in the DMZ.
I need to apply multi-factor authentication using RSA SecurID for a certain group of users (they will be in a specific group) when they are accessing the application externally. With ADFS 3.0 you can apply MFA for certain groups when the user is coming from an extranet network location. Is it possible to apply MFA using RSA SecurID? I have seen documents for ADFS 2.0 and the ADFS proxy, but the installation for ADFS 3.0 has changed and no longer has a reliance on IIS. Can you still integrate RSA SecurID with Web Application Proxy?
Thanks,
B
Hi,
I have a situation where I have a set of applications in the perimeter network.
I have an internal AD in the corporate network for our internal users.
I have to maintain a separate AD in the perimeter network for external users/customers who need access to the perimeter applications.
How many ADFS instances do I need?
Can I configure an ADFS instance in the corporate network and an ADFS proxy in the perimeter network?
Is it possible to add the internal AD and the perimeter AD to the internal ADFS instance to serve both internal and external users accessing the perimeter applications, without a trust between the internal AD and the perimeter AD?
Or do I need to set up 2 different ADFS instances, one for the perimeter and one for internal? In that case, how do I configure the application to redirect to multiple ADFS instances, to get a token for internal users from the internal ADFS and for external users from the perimeter ADFS?
Also, where should the proxy server be placed?
Thanks,
Soumen Ghosh
Hi,
The certificate on the ADFS server for the federation service name is getting expired.
The token-decryption and token-encryption certificates show longer validity; I believe these, which are already set as primary, should not be touched.
But now the service communication certificate is getting expired, and I have the new certificate in place.
Please let me know how to replace/renew the expired certificate,
and what needs to be done after replacing/renewing the certificate for O365.
Thanks
Ragav
I am trying to understand how to calculate the SignatureValue of the 'correct' XML below (this is not my xml, it's from a previous post, but I have the same exact issue). Any guidance would be appreciated. For the record, this is for CRM 2011 using ADFS. As I do not have access to the nice .NET classes from the environment I will be working in (mobile) I am trying to figure out the logic to generate the value, with little success getting a matching hash.
I can successfully calculate the matching DigestValue in the XML (straight SHA1 hash of the canonical _0 reference). I /think/ the missing link for me is how to apply the HMAC-SHA1 hash to the SignedInfo node, and what key should be used. Since the keyInfo contains the SAML token id, I'm not sure what that means as far as what key to use with the hash. I'm sure I am missing something ...
Thanks in advance for any pointers!
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">http://schemas.microsoft.com/xrm/2011/Contracts/Discovery/IDiscoveryService/Execute</a:Action>
<a:MessageID>urn:uuid:7b96791d-9c6e-4980-8444-1f51bdc00023</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">https://organization.domain.it/XRMServices/2011/Discovery.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2011-09-09T14:30:50.724Z</u:Created>
<u:Expires>2011-09-09T14:35:50.724Z</u:Expires>
</u:Timestamp>
<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference>
<X509Data>
<X509IssuerSerial>
<X509IssuerName>CN=Org Enterprise Root CA, DC=organization, DC=local</X509IssuerName>
<X509SerialNumber>25XXXXXXXXXXXXXX40863677</X509SerialNumber>
</X509IssuerSerial>
</X509Data>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>CVjfOFx/.......hS6GpZRB1U9hz7HPQ6c6TYjs=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>LGefKxg.........6wC9l79o=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>Y2zNKG9CsoAMKZgHiP1s7L9TZV4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>1gSJwVWNfqU34VzSk3Z0+Ams1Gw=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_d639d615-b45e-4c56-814e-86dc43914c2b</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<Execute xmlns="http://schemas.microsoft.com/xrm/2011/Contracts/Discovery">
<request i:type="RetrieveOrganizationsRequest" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<AccessType>Default</AccessType>
<Release>Current</Release>
</request>
</Execute>
</s:Body>
</s:Envelope>
(here is another thread on the same issue from the CRM forums...)
http://social.microsoft.com/Forums/en-US/crmdevelopment/thread/c485d98b-6e0b-49e7-ab34-8ecf8d694d31
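The SignatureValue above is an HMAC-SHA1 over the exclusive-C14N form of SignedInfo, and the key is not anything visible in the message: with a symmetric holder-of-key SAML token the key is the WS-Trust proof key, which the client either receives in the RSTR's RequestedProofToken or computes as P_SHA1(client entropy, server entropy) when the RSTR says ComputedKey=PSHA1. The script below is an added example, not code from the post or from CRM/ADFS, that implements that derivation and the digest/signature steps in plain Python. The entropy values and the 256-bit key size are assumptions (256 bits is the WCF/WIF default), and the canonical byte strings are the post's Timestamp and SignedInfo canonicalised by hand on the assumption that the wire message has no whitespace between elements.

```python
"""Added example, not from the post above or from CRM/ADFS code: how the
SignatureValue in that message is produced and where the HMAC key comes from.

Assumptions (the post does not show the WS-Trust exchange that precedes it):
  * Symmetric holder-of-key SAML 1.1 token from ADFS.  Client sent <t:Entropy>,
    ADFS replied with its own <t:Entropy> and ComputedKey=PSHA1, so the proof key
    is P_SHA1(client entropy, server entropy) cut to the RSTR KeySize (256 bits is
    the WCF/WIF default).  That proof key is the HMAC-SHA1 key; the service gets
    the same key from the SubjectConfirmation inside the encrypted assertion.
  * SignedInfo is exclusive-C14N canonicalised before hashing.  The bytes below
    are the post's elements canonicalised by hand, assuming no whitespace between
    elements on the wire (the post is pretty-printed).  Whitespace text nodes, if
    really present, are part of the canonical form and change both hashes.
Standard library only.  Entropy values are constructed for the example.
"""
import base64
import hashlib
import hmac


def hmac_sha1(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS P_SHA1 as used by WS-Trust ComputedKey/PSHA1:
    A(0)=seed, A(i)=HMAC(secret, A(i-1)); output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac_sha1(secret, a)
        out += hmac_sha1(secret, a + seed)
    return out[:length]


def computed_proof_key(client_entropy: bytes, server_entropy: bytes, key_size_bits: int = 256) -> bytes:
    """WS-Trust 1.3 ComputedKey: requestor entropy is the secret, issuer entropy the seed."""
    return p_sha1(client_entropy, server_entropy, key_size_bits // 8)


def digest_value(canonical: bytes) -> str:
    """<DigestValue>: base64(SHA-1(canonical referenced element))."""
    return base64.b64encode(hashlib.sha1(canonical).digest()).decode("ascii")


def signature_value(proof_key: bytes, canonical_signed_info: bytes) -> str:
    """<SignatureValue> for SignatureMethod hmac-sha1: base64(HMAC-SHA1(proof key, C14N(SignedInfo)))."""
    return base64.b64encode(hmac_sha1(proof_key, canonical_signed_info)).decode("ascii")


def verify_signature_value(proof_key: bytes, canonical_signed_info: bytes, expected_b64: str) -> bool:
    return hmac.compare_digest(signature_value(proof_key, canonical_signed_info), expected_b64)


# Exclusive C14N of <u:Timestamp u:Id="_0">: visibly used namespace declarations are
# emitted on the element, attributes sorted, no self-closing tags.
CANONICAL_TIMESTAMP = (
    b'<u:Timestamp xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" u:Id="_0">'
    b'<u:Created>2011-09-09T14:30:50.724Z</u:Created>'
    b'<u:Expires>2011-09-09T14:35:50.724Z</u:Expires>'
    b'</u:Timestamp>'
)

# Exclusive C14N of <SignedInfo>: the xmldsig default namespace is inherited from
# <Signature> and visibly used, so it is re-declared here; empty elements become
# start/end tag pairs.  The DigestValue is the one from the post.
CANONICAL_SIGNED_INFO = (
    b'<SignedInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
    b'<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>'
    b'<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>'
    b'<Reference URI="#_0">'
    b'<Transforms><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms>'
    b'<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>'
    b'<DigestValue>Y2zNKG9CsoAMKZgHiP1s7L9TZV4=</DigestValue>'
    b'</Reference>'
    b'</SignedInfo>'
)

# Constructed entropy; a real exchange carries 32 random bytes each way in the RST/RSTR.
CLIENT_ENTROPY = bytes(range(32))
SERVER_ENTROPY = bytes(range(32, 64))


def sign_message() -> dict:
    """The whole chain for the sample: proof key, digest of the reference, signature over SignedInfo."""
    key = computed_proof_key(CLIENT_ENTROPY, SERVER_ENTROPY)
    return {
        "proof_key_hex": key.hex(),
        "timestamp_digest": digest_value(CANONICAL_TIMESTAMP),
        "signature_value": signature_value(key, CANONICAL_SIGNED_INFO),
    }


if __name__ == "__main__":
    for k, v in sign_message().items():
        print(f"{k}: {v}")
```

To reproduce the value from a real session, replace the two entropy constants with the bytes from your RST and RSTR (or use the RequestedProofToken directly if ADFS returned one), and make sure the digest you compute for the Timestamp matches the DigestValue ADFS accepted; if it does not, whitespace or a different namespace declaration order in canonicalisation is the usual cause, and the same mismatch will break the SignatureValue too.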
Can you please provide your assistance on the below issue.
We are facing sign-in issues in the Chrome browser. Cookies are getting corrupted if a user signs in on the xyz1 and xyz2 sites, closes the Chrome browser without clearing cookies and without signing out, and revisits the site after a couple of hours. Below is the exception we have received during this process; during this exception we are not able to catch any errors in the global.asax file.
Please let us know if any more information is required.
ID6040: The RSA key used to encrypt the RSA cookie was not found in the given decryption keys.
at Microsoft.IdentityModel.Web.RsaEncryptionCookieTransform.Decode(Byte[] encoded)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken)
at Microsoft.IdentityModel.Web.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Hi, we have deployed ADFS 3 with a separate WAP server. We have published the backend SharePoint 2013 sites through this. We are using a NON-CLAIMS provider as we didn't want to have to remap all the existing accounts to the new claims identifier. The WAP is domain joined and behind a firewall allowing ONLY 443 through to it.
So, we can authenticate to the backend SharePoint 2013 (via the WAP/Internet) no problem, all working really well; then we go to create a new document or open an existing document, and we have to re-enter our domain credentials again! The 'must authenticate for each session' (I think that's what it is called) tick box is NOT checked. The wildcard domain has been added to the Trusted Sites in IE.
This is the behaviour when trying to interact with either IE or Chrome. Is this 'by design', or is there a way to allow the Office applications to access the backend SharePoint without having to re-authenticate, please?
Thanks very much for any help provided...
Phil
Hello all,
I'm trying to troubleshoot my new ADFS 3.0 installation and I'm having a strange issue with authentication. I've set up the farm and it works great authenticating against it; however, when I configure an internal website to redirect to my ADFS, I'm correctly redirected there, immediately authenticated (either with integrated or forms based), then ADFS posts back to the website, which I see in Fiddler: a big authentication string is sent and then... nothing. Like nothing at all.
I have no idea what this could be, and the website developer even built an 'adfs test' site for me as well. The sites work with ADFS 2.0 at the developer location, so I'm a little stuck for where to look. As far as I can gather, I've set everything up OK ADFS-wise.
Web development can't help me at all; the Fiddler trace just shows a hanging POST then 0 responses from anything at all.
Our https://auth.website.com/adfs/ls/idpinitiatedsignon site works flawlessly: forms authentication through Chrome, integrated through IE. Both methods, when trying to access our web resources, display the same problems.
We have successfully connected our ADFS server (with WAP) to an IBM Domino web server using SAML. The trust was added using the IDP.xml export from the Domino server, where we put adfsserver/adfs/ls/?wa=wsignout1.0 as the sign-out URL in Domino, and it's the endpoint on ADFS.
We're still having problems with users not being completely logged out of ADFS with this call. More importantly, I'm a complete newbie at this and we aren't using any kind of SAML logout request that I'm aware of. Where would one go? How do you generate the information for one?
The scenario we're seeing (it maybe more helpful than my rambling above):
User hits, our Domino site
Gets directed to ADFS login page
Signs in using AD credentials and gets sent back to the Domino site
Using the logout button on our Domino site logs the user out of Domino, but does nothing to ADFS.
Manually entering adfsserver/adfs/ls/?wa=wsignout1.0 displays 'you're signed out', but users are still signed in.
I use the adfsserver/adfs/ls/IdpInitiatedSignon.aspx page to verify this. Also, hitting the 'sign out from all sites' button does not end the ADFS session, but using the 'sign out from this site' option does seem to end the session.
I'm sure my ignorance shows up here so please be gentle. We would like to signout of everything (SAML, Domino, ADFS). How do we take this on?
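For the "how do you generate one" question: an SP-initiated single logout is a signed <samlp:LogoutRequest> sent to the ADFS SAML logout endpoint over the HTTP-Redirect binding, and the WS-Federation equivalent is the wa=wsignout1.0 URL the thread already uses, with a wreply parameter. The script below is an added example, not code from the thread, from Domino or from ADFS: it serialises the LogoutRequest, applies the redirect-binding encoding, builds the signed query string in the order the SAML bindings spec requires, and offers a decoder so you can check exactly what ADFS will receive. The hostnames, NameID, SessionIndex and RelayState values are placeholders; the RSA signing primitive is passed in by the caller, because ADFS will only act on a logout request it can verify against the signing certificate registered on the relying party trust.

```python
"""Added example, not from the thread above or from ADFS/Domino code: build the two
sign-out messages an SP can send so that the ADFS session ends, not just the SP's.

  * WS-Federation: GET https://<adfs>/adfs/ls/?wa=wsignout1.0&wreply=<url>
  * SAML 2.0 SP-initiated single logout: <samlp:LogoutRequest> to the ADFS SAML
    endpoint (https://<adfs>/adfs/ls/) over the HTTP-Redirect binding, signed.
Standard library only.  Hostnames, NameID and SessionIndex values are placeholders.
"""
import base64
import datetime
import uuid
import zlib
from typing import Callable, Optional
from urllib.parse import parse_qsl, quote, urlencode, urlsplit
from xml.sax.saxutils import escape

RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def _attr(value: str) -> str:
    return escape(value, {'"': "&quot;"})


def build_logout_request(issuer: str, destination: str, name_id: str,
                         session_index: Optional[str] = None,
                         name_id_format: str = NAMEID_UNSPECIFIED,
                         request_id: Optional[str] = None,
                         issue_instant: Optional[datetime.datetime] = None) -> bytes:
    """Serialise a LogoutRequest.  NameID (format included) and SessionIndex must be
    exactly what ADFS put in the assertion at login, or ADFS cannot match a session."""
    rid = request_id or "_" + uuid.uuid4().hex
    now = issue_instant or datetime.datetime.now(datetime.timezone.utc)
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{_attr(rid)}" Version="2.0" '
        f'IssueInstant="{now.strftime("%Y-%m-%dT%H:%M:%SZ")}" Destination="{_attr(destination)}">'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        f'<saml:NameID Format="{_attr(name_id_format)}">{escape(name_id)}</saml:NameID>'
    )
    if session_index:
        xml += f'<samlp:SessionIndex>{escape(session_index)}</samlp:SessionIndex>'
    return (xml + '</samlp:LogoutRequest>').encode("utf-8")


def deflate_base64(xml_bytes: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    co = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(co.compress(xml_bytes) + co.flush()).decode("ascii")


def inflate_base64(b64: str) -> bytes:
    return zlib.decompress(base64.b64decode(b64), -15)


def signed_redirect_url(endpoint: str, logout_request: bytes,
                        relay_state: Optional[str] = None,
                        signer: Optional[Callable[[bytes], bytes]] = None,
                        sig_alg: str = RSA_SHA256) -> str:
    """Redirect-binding URL.  The signature covers the URL-encoded string
    SAMLRequest=..[&RelayState=..]&SigAlg=.. in exactly that order and travels in a
    separate Signature parameter (SAML 2.0 Bindings, section 3.4.4.1)."""
    pairs = [("SAMLRequest", deflate_base64(logout_request))]
    if relay_state is not None:
        pairs.append(("RelayState", relay_state))
    if signer is not None:
        pairs.append(("SigAlg", sig_alg))
        to_sign = urlencode(pairs, safe="", quote_via=quote).encode("ascii")
        pairs.append(("Signature", base64.b64encode(signer(to_sign)).decode("ascii")))
    sep = "&" if "?" in endpoint else "?"
    return endpoint + sep + urlencode(pairs, safe="", quote_via=quote)


def split_signed_query(url: str) -> dict:
    """Reverse of signed_redirect_url, for checking what ADFS will see: decoded
    LogoutRequest, RelayState, SigAlg, signature bytes and the exact signed data."""
    query = urlsplit(url).query
    params = dict(parse_qsl(query, keep_blank_values=True))
    unsigned = [p for p in query.split("&") if not p.startswith("Signature=")]
    return {
        "xml": inflate_base64(params["SAMLRequest"]),
        "relay_state": params.get("RelayState"),
        "sig_alg": params.get("SigAlg"),
        "signature": base64.b64decode(params["Signature"]) if "Signature" in params else None,
        "signed_data": "&".join(unsigned).encode("ascii"),
    }


def wsfed_signout_url(adfs_base: str, wreply: str) -> str:
    """WS-Federation passive sign-out.  ADFS validates wreply against the relying
    party trust before redirecting the browser to it."""
    query = urlencode({"wa": "wsignout1.0", "wreply": wreply}, safe="", quote_via=quote)
    return adfs_base.rstrip("/") + "/adfs/ls/?" + query


if __name__ == "__main__":
    req = build_logout_request("https://sp.example.com/metadata", "https://sts.example.com/adfs/ls/",
                               "jdoe@example.com", session_index="_session-placeholder")
    # Production signer with the `cryptography` package (not stdlib):
    #   signer = lambda d: key.sign(d, padding.PKCS1v15(), hashes.SHA256())
    print(signed_redirect_url("https://sts.example.com/adfs/ls/", req, relay_state="/home",
                              signer=lambda d: b"placeholder-signature"))
    print(wsfed_signout_url("https://sts.example.com", "https://sp.example.com/"))
```

Two things decide whether ADFS actually ends the session. The Issuer must be the SAML entity ID on the relying party trust and the request must verify against that trust's signature certificate, otherwise ADFS logs a signature or issuer error and leaves the session alone. And the NameID plus SessionIndex must be copied from the assertion ADFS issued at login, which is why the SP has to store them at sign-in time rather than reconstruct them later.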