Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 2.0 rollup pack 3.0 installation


Dear All,

We want to install Rollup Pack 3.0 on ADFS 2.0.

Can you please let me know what precautions we would need to keep in mind?

What could be the pros and cons of this?

If anyone has done this in practice, please let me know the steps as well.

We have integration with O365 only.

Many Thanks in advance.


Please help with ADFS 2.0 problem with SAML


Hi All,

I have been trying to set up an ADFS 2.0 server for way too long now and I keep hitting the same 2 errors. Please see them posted below. Any help would be much appreciated; my employer needs this up and running ASAP as it is urgent, but it just won't behave. Thanks ahead of time for any help you can offer. It really is appreciated big time!

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data

Exception details:

System.Xml.XmlException: 'Element' is an invalid XmlNodeType.

   at System.Xml.XmlReader.ReadEndElement()

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()

   at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)

   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()

   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)

   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)

   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Second Log Error -

Encountered error during federation passive request.

Additional Data

Exception details:

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

   --- End of inner exception stack trace ---

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolResponse(FederationPassiveContext federationPassiveContext)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)

   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)

   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

 

IT Professional




WIF and NetTcpBinding in .Net 4.5


When a service in .NET 4.5 has WIF enabled, via the useIdentityConfiguration attribute, we are not able to use NetTcpBinding for this service due to the following issue.

The service via WCF returns the WIF encryption certificate name as the DNS identity, and thus net.tcp gets a message security exception because it was expecting the identity to match the SSL certificate used on the site.

We have tried specifically setting the identity element on the service for the net.tcp endpoint to return a value, but this not only doesn't work, I wouldn't imagine it would.

__

In .NET 4.0, there was a hack that allowed you to wrap all of the configure-service-host code and, after it was initialized, re-set the service certificate. This is a poor hack, and it doesn't work anymore anyway.

Without having the client code be aware of the encryption certificate, which it shouldn't have to be, are there any other tricks to making net.tcp work within a federated (WIF-enabled) service?

ADFS 3.0 Multi Factor Authentication


I have set up RSA as multi-factor authentication in ADFS 3.0 (Windows Server 2012 R2). I have 2 Claims Provider Trusts:

1. Active Directory (so I can log in using windows credentials)

2. Thinktecture Identity Server (so users from outside of my domain can log in with provided username/passwords)

When I log in to the ADFS using Active Directory as identity provider I am prompted for a Security Code (which is the expected behavior). However, when I log in using a third-party identity provider, I am authenticated and redirected to the relying party application. I was expecting that multi-factor authentication would work for all Claims Provider Trusts.

In the Multi-Factor Authentication global settings I specified that MFA is required for both extranet and intranet. Any idea why it does not work for identity providers other than Active Directory?



Is there information on configuring IDP initiated SSO on ADFS 3.0 ?


Hi,

I have Windows 2012 R2 -- ADFS 3.0 installed. I was wondering if there is any documentation concerning configuring IDP-initiated SSO.

The ADFS 2.0 article discusses changing the web.config file after applying ADFS Rollup 2, according to the link below:

http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

But ADFS 3.0 no longer installs IIS. So do I just need to make the changes at the login page?

Thanks,

Mark

ADFS 2.2 Error


We are receiving errors from SCOM that state:

Alert: SAML Request Processing Error

Source: Authentication

Path: 

Last modified by: System

Last modified time: 10/10/2014 8:33:47 AM

Alert description: The Federation Service encountered an error while processing the SAML authentication request.

When I log onto the server I am seeing Event 303 errors that I can't seem to figure out why or where they are coming from.

The Federation Service encountered an error while processing the SAML authentication request. 

Additional Data 
Exception details: 
System.InvalidOperationException: MSIS3063: The RSA key used to encrypt the RSA cookie was not found in the given decryption keys.
   at Microsoft.IdentityServer.Service.Tokens.MSISRsaEncryptionCookieTransform.Decode(Byte[] encoded)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound)
   at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Any assistance you can offer would be appreciated. All of the products that are tied into our ADFS are functioning properly from the end users' perspective. I am at the point of just suppressing the SCOM alerts, as this one is puzzling me.


ADFS 3.0 and workplace join issue


Hi,

I've got a working ADFS 3.0 server which I already configured to support O365 and a CRM 2013 server. All is working fine and without any problems. We recently decided to add the workplace join feature to our domain. After configuring the ADFS server and WAP I can join the workplace, all certificates are issued (I can see a certificate issued by MS-Organization-Access in my personal store) and a new device is visible in Active Directory. The device registration log on the ADFS server confirms successful enrollment:

Successfully enrolled device for user marcin@contoso.com.

As soon as I try to open CRM or log in to O365 I receive an error on the ADFS login page:

An error occurred
The device authentication failed.
Error details
  • Activity ID: 00000000-0000-0000-ae01-0080000000c9
  • Relying party: Microsoft Office 365 Identity Platform
  • Error time: Tue, 24 Jun 2014 16:04:45 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

The Admin log on the ADFS server is registering error 364:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: MSIS5000: Authentication of the device certificate failed. ---> Microsoft.IdentityServer.Service.SecurityTokenService.DeviceAuthenticationException: MSIS5000: Authentication of the device certificate failed.
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.AuthenticateDevice(RequestSecurityToken request, IClaimsPrincipal principal, Boolean isSSORequest)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

Can somebody help me resolve this problem?

Regards,

Marcin

Convert SAML Assertion to claim rule


Hi,

I have a sample assertion and want to convert it to, or extract, claim rules out of it. Is it possible?

Also, I am new to custom rules; how do I learn to create custom rules for passing email, employeeID, NameID, UPN, etc.?

Thanks

Ragav


wctx in ADFS 3.0


I have a number of RPs which connect to ADFS 3.0, where ADFS is a broker, i.e. an RP-STS, and hands off to an IP-STS.

The IP-STS needs to know which RP initiated the flow.

ADFS uses the wctx parameter to store this. By default it creates a cookie and passes a reference to the cookie in the wctx field.

In ADFS 2.x, there is an element in the web.config called:

<context hidden="true" />

If set to false, it would pass the context directly in the query string instead of using the cookie.

This parameter is missing in ADFS 3.0.

Is there any way that the IP-STS can work out which RP initiated the flow?

ADFS Repeatedly Prompting for Creds in Safari but not IE (was previously working fine)


Hi All,

I've seen all the threads relating to extended protection and also the KB about the repeated prompts; I have tried disabling extended protection.

What I'm experiencing is quite strange. ADFS 2012 R2 is all set up fine and working happily with Intune and a variety of services. I have been able to enrol iPads fine using the exact same process I'm trying to use now, although now I'm getting the repeated prompt behaviour, but only in Safari; IE is still fine. The only thing I can think of that has changed is that I've enabled the user account for AD premium features.

Any clues?

Thanks.

Renewing token-signing and decrypting certs question


Hi,

I've got an AD FS 2.0 farm / proxies and a primary AD FS server with a 3rd-party token-signing and token-decrypting certificate. Would people recommend renewing the certificates with self-signed certs, which can then take advantage of auto-renewal, or is the wiser choice to stay with 3rd-party certificates?

If I change to self-signed will Office 365 consume this new certificate or will I need to configure something like the following?

https://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc 

-----

Edit: 

Found the answer to the above and whether that script is required:

http://searchexchange.techtarget.com/tip/Proper-care-of-your-new-ADFS-server

If the remote organization supports dynamic updating for the federation metadata, you don't have to do anything. But Office 365 doesn't support this, so you'll need to manually update the certificate.

To manually update the federation metadata in Office 365, run the following commands from a computer with the ADFS server role installed:

Connect-MsolService -Credential (Get-Credential)

Update-MsolFederatedDomain -DomainName <domainname>

-----

Edit 2:

-----

Suggests self-signed certs aren't ideal:

http://blogs.technet.com/b/adfs/archive/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs.aspx

Self Signed Certificates are OK for a lab – but should not be used in production deployments.

-----

Suggests self-signed certs are preferred:

http://blog.kloud.com.au/2013/07/17/ad-fs-and-self-signed-token-signing-certificates-3/

To reduce operational overheads and the potential for service failure, the use of self-signed Token-Signing certificates should be considered a highly effective option – outweighing the perceived security benefits of using of a certificate authority issued Token-Signing certificate.

http://searchexchange.techtarget.com/tip/Proper-care-of-your-new-ADFS-server

By default, ADFS uses a self-signed certificate. The general recommendation is to continue using self-signed certificates for the token-signing process.

-----

Suggests they're recommended:

http://technet.microsoft.com/en-us/library/hh852419.aspx

Recommendation: We recommend that you use the self-signed token-signing certificate that is generated by AD FS 2.0. By doing so, it manages this certificate for you by default. For example, when this certificate is about to expire, AD FS 2.0 will generate a new self-signed certificate.
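As an added example (not from the post or the articles it quotes), the following script shows the check a practitioner would run before deciding on the renewal path: whether automatic rollover is enabled, whether the current token-signing and token-decrypting certificates are self-signed (subject equals issuer), and how long they have left, followed by the Office 365 metadata push the post describes. It assumes the AD FS 2.0 PowerShell snap-in and the MSOnline module are installed on the server; `contoso.com` is a placeholder for your federated domain.

```powershell
# Added example: audit AD FS token certificates and push them to Office 365.
# Assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) and the MSOnline module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline

# AD FS only rolls over certificates it generated itself, so check the switch first.
$props = Get-ADFSProperties
Write-Host ("AutoCertificateRollover: {0}" -f $props.AutoCertificateRollover)

# Report each token-signing / token-decrypting certificate. A self-signed
# certificate has the same Subject and Issuer; a CA-issued one does not.
Get-ADFSCertificate |
  Where-Object { $_.CertificateType -eq 'Token-Signing' -or $_.CertificateType -eq 'Token-Decrypting' } |
  ForEach-Object {
    $cert = $_.Certificate
    New-Object PSObject -Property @{
      Type       = $_.CertificateType
      Primary    = $_.IsPrimary
      SelfSigned = ($cert.Subject -eq $cert.Issuer)
      NotAfter   = $cert.NotAfter
      DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
      Thumbprint = $cert.Thumbprint
    }
  } | Format-Table Type, Primary, SelfSigned, DaysLeft, NotAfter, Thumbprint -AutoSize

# Office 365 does not poll federation metadata, so after any rollover the new
# signing certificate has to be pushed manually. 'contoso.com' is a placeholder.
Connect-MsolService -Credential (Get-Credential)
Update-MsolFederatedDomain -DomainName 'contoso.com'
```

Run the audit part on its own first; the push at the end only makes sense once the new certificate is already the primary one in the farm, otherwise Office 365 will be told about a certificate that is not yet used to sign tokens.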





Integration with RSA SecurID in the Extranet with ADFS 3.0


Hello,

I have a Windows 2012 R2 environment with ADFS 3.0 in the internal LAN, with a couple of claims-aware applications being published using Web Application Proxy in the DMZ to external users.

I need to apply multi-factor authentication using RSA SecurID for a certain group of users (they will be in a specific group) when they are accessing the application externally. With ADFS 3.0 you can apply MFA for certain groups when the user is coming from an extranet network location. Is it possible to apply MFA using RSA SecurID? I have seen documents for ADFS 2.0 and the ADFS proxy, but the installation for ADFS 3.0 has changed and no longer has a reliance on IIS. Can you still integrate RSA SecurID with Web Application Proxy?

Thanks,

B

Allow ActiveSync and OWA access through ADFS


I am not sure if this is the right group to post the question in, but I hope it is; if not, please let me know so I can move it to the right one.

I have an ADFS setup for Office 365 and am currently restricting all access except ActiveSync. Outside access has been evaluated and we now would like to allow OWA (web-based access) as well, and eventually restrict access to MAPI only (Outlook from outside).

Current claim rule that I have now is as per Scenario 2:
http://technet.microsoft.com/en-us/library/hh526961(v=ws.10).aspx

Per Scenario 3, it will allow OWA (web-based applications) but will block the ActiveSync access, I guess, or I'm not sure if it would work since the other claim rule is on top of this new rule?

I tried to mess around with the claim rule syntax but I am not sure if I'm doing it right. So if someone could help with the syntax, that would be great.

In short, below is my requirement:
Allow access to ActiveSync and Web-based applications but restrict everything else than our DMZ IP.
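The requirement stated above, as an added example that is not part of the original post: one issuance authorization rule set for the Office 365 relying party that merges the Scenario 2 (ActiveSync) and Scenario 3 (browser) exceptions, so a request coming through the proxy is denied unless it originates from the DMZ address range, is Exchange ActiveSync, or hits the passive browser endpoint. The request-context claim types are the ones the linked TechNet article uses and are assumed to be emitted by your AD FS version; the DMZ regex and the relying party display name are placeholders.

```powershell
# Added example: deny external Office 365 access except from the DMZ IP range,
# Exchange ActiveSync and browser (passive endpoint) sign-ins.
# Assumes the AD FS PowerShell cmdlets are loaded (Add-PSSnapin Microsoft.Adfs.PowerShell on 2.0).
$dmzIpRegex = '^203\.0\.113\.(1[0-9]|2[0-9])$'   # placeholder: replace with your DMZ public IPs

# Double-quoted here-string so $dmzIpRegex is expanded into the rule text.
$authzRules = @"
@RuleName = "Deny external requests unless DMZ, ActiveSync or browser"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$dmzIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value == "/adfs/ls/"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Replaces the whole authorization rule set for the relying party (placeholder name).
Set-ADFSRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
                          -IssuanceAuthorizationRules $authzRules
```

Because AD FS treats a deny claim as final, the permit rule does not override the deny, so there is no ordering problem between the two. Rich clients such as Outlook use the active WS-Trust endpoints rather than /adfs/ls/, so they remain blocked from outside the DMZ range, which is the behaviour the post asks for; keep a copy of the existing rule set (Get-ADFSRelyingPartyTrust) before replacing it, since -IssuanceAuthorizationRules overwrites rather than appends.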

ADFS App replication fails, ADFS in Parent Domain, application in child domain


I was wondering if you might be able to offer any pointers on an issue I'm facing with ADFS.

We're using ADFS 2.0 on Windows 2008 R2, two app servers (load balanced) and two proxy servers (load balanced).

The installation is complete and the config is almost done; however, I noticed the secondary server had not synced since the initial install.

I've done some digging and the error relates to a certificate store in AD.

On the child domain it's currently:

Domain\program data\microsoft

Parent domain:

Domain\program data\microsoft\ADFS\"Certificate store ref"

Test environment (parent domain):

Domain\program data\microsoft\ADFS\"Certificate store ref"

Domain\program data\microsoft is created within AD by default. ADFS etc. are installed during the installation of ADFS, which then houses the certificate.

When installing ADFS on a child domain it uses the root directory of the parent domain, but when I go to sync it's looking for the ADFS\"Certificate store ref" under the child domain.

How do I get the child domain to either create the ADFS container structure in the domain, or how do I get the ADFS app to replicate on the parent domain?

Sorry if this sounds like a novice question. I'm new to ADFS.

ADFS 3.0+WAP log out issue


We have two Windows 2012 R2 ADFS servers + 2 Windows 2012 R2 WAP servers as a federated services solution implemented in our domain. We have set up a relying party trust with an external vendor for business users to be able to use a claims-based web application provided by the vendor.

We came across an issue recently during the test phase. Users are able to log in to the web application via ADFS+WAP, but somehow, when users are in the corporate network and click on the log out button on the web application provided by the vendor, it behaves differently when using different web browsers / different network connections.

When users are in the corporate network, "log out" does not work properly in IE8 & 9: when users click on "Log out", it seems the user is redirected to the same web page as before. But it works for Google Chrome; "log out" returns the user to the default ADFS logon web page.

The issue above does not appear when users connect from a non-corporate network, like at home / 3G devices.

Thanks

BC


Writing Claims Rule -- NameID = email


Hi,

I am trying to create a claims rule in ADFS. I was wondering whether I need a transformation rule to map NameID to email?

Currently, this is what is sent as the claims ticket:

<Subject>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData
            NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
    </SubjectConfirmation>
</Subject>

 

This is what the Relying party expects:

Expected

 

<Subject>
    <NameID>username@domain.com</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData
            NotOnOrAfter="2014-10-13T13:42:25.666Z" Recipient="https://sasga-stage.selectica.com/login.jsp"/>
    </SubjectConfirmation>
</Subject>

 

 Thanks for your Help!
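As an added example serving both this post and the earlier "Convert SAML Assertion to claim rule" question (not code from either poster): a transform rule set that first pulls mail, UPN and employeeID from Active Directory, then copies the e-mail claim into the SAML NameID with the emailAddress format. The second rule is what makes AD FS emit `<NameID>username@domain.com</NameID>` inside the Subject; without a nameidentifier claim the Subject is sent with no NameID, which matches what the post observes. The employeeID claim type URI and the relying party name are placeholders.

```powershell
# Added example: issuance transform rules that send e-mail, UPN and employeeID
# and map the e-mail address to the SAML NameID.
# Assumes the AD FS PowerShell cmdlets are loaded (Add-PSSnapin Microsoft.Adfs.PowerShell on 2.0).
# Single-quoted here-string: nothing inside is expanded by PowerShell.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send mail, UPN and employeeID from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                   "http://example.com/claims/employeeid"),
          query = ";mail,userPrincipalName,employeeID;{0}", param = c.Value);

@RuleName = "Issue e-mail address as SAML NameID (emailAddress format)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Replaces the relying party's transform rules; the target name is a placeholder.
Set-ADFSRelyingPartyTrust -TargetName "Selectica" -IssuanceTransformRules $transformRules
```

The `Properties[...format]` entry is what sets the `Format` attribute on the emitted `<NameID>`; relying parties that require a specific NameID format will reject the assertion if it is missing. The LDAP rule's `types` list and the attribute list in `query` are positional, so the third claim type receives the employeeID value; rename the placeholder URI to whatever the relying party expects.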

Troubleshooting WIF and "An error occurred when verifying security for the message." exception


I'm migrating my custom STS (based on StarterSTS) from Beta2 to RTM WIF.

When an RP requests a token from the STS, the STS prepares and returns the token, but the client throws a MessageSecurityException whose inner exception states "An error occurred when verifying security for the message."

I've enabled all the tracing on the server side I can think of, and none of the server traces show an error (which makes sense since the STS produced and returned the token without issue).  There's nothing too useful in the client side trace logs other than the exception tree showing the above exception and message.

All of the apps (clients, services, STS) are running from the same machine.  This was working under the BETA2 of WIF and an earlier version of StarterSTS.  All of the certs involved here are self-issued, and installed in the Trusted Authority Root and MY certificate stores of the local machine.  The IIS worker process has access to the private keys of the certificates, and I'm running the client as an admin user.

This message is so generic, I'm not sure how I go about troubleshooting it.

Any thoughts on how I can begin to dig into this exception?

Second WAP not establishing trust with secondary ADFS 3.0 Farm node


Hi,

I've been working on setting up our corporate ADFS environment with a mostly successful outcome; however, I am having an issue with one of our ADFS WAP servers not establishing a trust with a secondary ADFS server in our internal farm.

I believe this relates to the ADFSTrustedDevices certificate store not replicating between the two internal farm nodes.

THE SETUP

Diagram


Internal

  • 2 Windows 2012 R2 ADFS 3.0 Servers in one farm
  • Each server is in a different site with resilient WAN connections, sites are GB1 and GB2

External

  • 2 Windows 2012 R2 ADFS 3.0 WAP Servers
  • Each server is in a different site with resilient WAN connections, sites are GB1 and GB2 (same as above)
  • Each server is independent of the other (IE, no NLB or load balancer)
  • Both servers are in the same DMZ network (multi-site is achieved via a stretch VLAN between GB1 and GB2)
  • Internet/DMZ is resilient across both sites via BGP routing

So, GB1 contains the primary ADFS server and a proxy, GB2 contains secondary ADFS server and a proxy.
Both ADFS servers are in a farm.

DNS
Externally we use DNS round robin to the two proxies. Not best practice but the infrastructure is highly resilient so it's cost effective.

From each proxy, HOSTS files are used to lock the traffic to the internal ADFS server in the same site. IE, Proxy in GB1 will only communicate with internal ADFS server in GB1. Proxy in GB2 to internal ADFS server in GB2.

The reasoning behind this is for a site failure. Half the external traffic may hit the down proxy server and timeout but the other half will hit the working proxy. We didn't want half of the working proxy requests trying to contact the downed server in the failed site, giving us only one quarter of successful requests, if that makes sense.


THE ISSUE

During the setup of the second proxy in GB2 I could not establish a trust to the internal ADFS server in GB2, the secondary server.

I spent some time investigating with no success, so I changed the HOSTS file to contact the primary internal ADFS server in GB1, and the trust was established and WAP configured.

At this stage I could see that the ADFSTrustedDevice certificate store on the secondary ADFS server in GB2 was empty whilst the certificate store on the primary ADFS server in GB1 was populated with both proxy servers.

I changed the HOSTS file on GB2 proxy back to GB2 ADFS server and this continued to work for a while.

I had hoped that the automatic process would populate GB2 ADFS server with the certificates but it did not.

Eventually the trust broke down and I cannot re-establish the trust without pointing the GB2 proxy back to GB1.

I also cannot sync the certificate store from the GB1 ADFS server to the GB2 ADFS server using the script found in this extremely useful article from Ian Parramore:

http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx#pi148362=2


WHAT HAVE I TRIED?
Ran the script in the above blog and no issues were found, including using the switch -syncproxytrustcerts.

KB2964735 / KB2962409 is installed on both ADFS servers.

I have not initialised Device Registration as this will require updating the AD schema to 2012 which we are not ready to perform however this may well be the root of the problem, forcing us to move the AD schema forward.


SUGGESTIONS?
If you have any suggestions or advice on how to overcome this issue, I'd really appreciate some assistance.

Thanks in advance

Adam Callaghan

ADFS 3.0 authenticates me and posts back to website, then the browser just hangs


Hello all, 

I'm trying to troubleshoot my new ADFS 3.0 installation and I'm having a strange issue with authentication. I've set up the farm and it works great authenticating against it; however, when I configure an internal website to redirect to my ADFS, I'm correctly redirected there, immediately authenticated (either with integrated or forms-based), then the ADFS posts back to the website, which I see in Fiddler: a big authentication string is sent and then... nothing. Like nothing at all.

I have no idea what this could be, and the website developer even built an 'adfs test' site for me as well. The sites work for ADFS 2.0 at the developer location, so I'm a little stuck for where to look. As far as I can gather, I've set everything up OK ADFS-wise.

Web development can't help me at all; the Fiddler trace just shows a hanging 'post' then 0 responses from anything at all.

Our https://auth.website.com/adfs/ls/idpinitiatedsignon site works flawlessly: forms authentication through Chrome, integrated through IE. Both methods, when trying to access our web resources, display the same problems.

Force a Relying Party to always use Forms Based Authentication in ADFS 3.0


Hello

Does anyone know if it's possible to have a particular relying party trust only ever use forms-based authentication, regardless of browser or client location? I currently have ADFS 3.0.

I have an application that supports federated logon with ADFS, but it will only work with forms-based auth (https://support.zendesk.com/entries/514714-Using-SAML-for-single-sign-on-Plus-and-Enterprise). My current workaround is to use the group policy site-to-zone assignment list and set the site as zone 3 (Internet site). This brings up a forms-based window and will get me in, but you don't see the properly formatted forms-based website.

The form I get with the workaround:

Form I get when using the workaround

Form I want to see:

Forms-based auth I want to use


Mark Dordoy
