Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS 2.0 Claims rule prompting


Hi All

I have a question on claims rules and prompting on the login page of ADFS.

Basically I have a claims rule set up that denies users in an AD group access to Office 365 when they are not on the corp network. This rule works well; no problems there.

Currently what happens is that if a user is in the Deny group and they try to log in from outside the corp network, the ADFS login page blanks the username and password fields with no prompt, so the user just keeps retrying. If the user enters the wrong password or username, the ADFS page prompts them saying the username and/or password is wrong.

I need ADFS to prompt the user when they are in the deny group rather than just blank the username and password fields.

Thanks in advance

Seaspud
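For reference, this is what the deny rule described above looks like when applied from PowerShell. It is an added example, not the poster's configuration: the group SID and the relying party display name are placeholders, and it assumes AD FS 2.0 with Update Rollup 1 or later, which is where the x-ms-proxy request-context claim (present only when the request came in through the federation proxy) was introduced. On 2012 R2 the Add-PSSnapin line is unnecessary.

```powershell
# Added example (not from the original post). AD FS 2.0 ships its cmdlets as a snap-in;
# on Windows Server 2012 R2 the module loads on demand and this line is a no-op.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Placeholders (assumptions): SID of the group whose members must stay on the corp network,
# and the display name of the Office 365 relying party trust. Look the SID up with Get-ADGroup.
$denyGroupSid = 'S-1-5-21-111111111-222222222-333333333-1105'
$rpName       = 'Microsoft Office 365 Identity Platform'

# Always read the rules that are in place before replacing them.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules

# Issuance authorization rules. Every rule is evaluated; if any rule issues a deny claim the
# user is refused, no matter how many permit claims were issued, so rule order does not matter.
$rules = @"
@RuleName = "Permit access to everyone"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny group members when the request arrived through the federation proxy"
c1:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$denyGroupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "DenyUsersWithClaim");
"@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Confirm what was written.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

Two things worth checking against this rule: the condition relies on every external request passing through the proxy (a client that can reach the internal farm directly never carries x-ms-proxy), and the groupsid match is an exact SID, so nested groups are only covered if AD expands them into the token.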



ADFS with other LDAP


Can I use ADFS with Open LDAP or any other LDAP than Active Directory?

In the Add Claims wizard under the relying party, can I choose any other attribute store than Active Directory?

If it's not available currently, is there any possibility that it will be available in future? If yes, by when?

If its not available, is there any SDK/API layer which will enable someone to add this support?


Cheers,
Saurabh | GS Lab

Integrating ADFS with ACS


Hi,

I'm using Windows Server 2012 R2, to host my ADFS platform.  I have configured Azure ACS to interact w/ ADFS, and am in the process of working the SSO Windows Integrated Authentication in the mix.

I read at http://technet.microsoft.com/en-us/library/dn280949.aspx

"Windows authentication is not supported on all browsers. The authentication mechanism detects the user's browser user agent and uses a customizable setting to determine whether the user agent supports Windows Authentication".

It says you can use the powershell command "Set-AdfsProperties -WIASupportedUserAgents" to set the strings.

When I execute "Get-AdfsProperties", I get back a list, which contains:

WIASupportedUserAgents => {MSIE 6.0, MSIE 7.0, MSIE 8.0, MSIE 9.0...}

How can I retrieve the full list?  I'd like to see what is behind the "..."

I tried to execute "Get-AdfsProperties -WIASupportedUserAgents", but that does not work.

Any ideas?



ADFS 3.0 WAP Cluster


We had a single ADFS Server and ADFS WAP (both 2012 R2 servers) in a production environment, both working as expected for SSO to Office 365.

We've successfully added a second ADFS Server and ADFS WAP server to the environment but are having some issues with the second WAP. We are able to configure it as far as the Publishing Application phase, at which point we see the two ADFS WAP servers in a Cluster...all good so far.

I'd have expected to be able to see the existing Published Application from the original WAP but there's nothing available. The only option that lets us progress is the "Publish Application" but I'm not sure if this is the correct thing to do, in case it overwrites the original configuration on the first WAP server?

Any pointers from anyone who's already done something similar?

Cheers for now

Russell

Sql Server Reporting Services / Windows Identity Foundation?


Can Sql Server Reporting Services be secured using Microsoft WIF (FAM/SAM HttpModules)?   Thought I should first ask in this forum instead of SSRS.

scott

MSIS7015 error for a SAML 2.0 request with AD FS 2.0


I have set up AD FS 2.0 along with an AD FS proxy server to provide single sign-on with SAML 2.0 for a cloud-based resource my organization will be using. I set up the Relying Party Trust with the metadata provided to us via a URL. Logon attempts are failing, but nothing in the logs was useful. So I enabled WCF and WIF trace messages with AD FS (http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-configuring-computers%28WS.10%29.aspx) and the only error we are receiving is the following:

 

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          1/19/2011 2:03:40 PM
Event ID:      67
Task Category: None
Level:         Error
Keywords:      ADFSProtocol
User:          <AD FS Service Account>
Computer:      <FQDN Of AD FS 2.0 Server>
Description:
Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:

Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings .
   at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
   at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>67</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000002000</Keywords>
    <TimeCreated SystemTime="2011-01-19T22:03:40.131474100Z" />
    <EventRecordID>28</EventRecordID>
    <Correlation ActivityID="{6F145B6B-F567-44A0-A028-76AAF333AD45}" />
    <Execution ProcessID="2464" ThreadID="2760" ProcessorID="0" KernelTime="60" UserTime="96" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer><FQDN Of AD FS 2.0 Server></Computer>
    <Security UserID="S-1-5-21-1838089955-1065252868-413607797-8745" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>Failed to process the Web request because the request is not valid. Cannot get protocol message from HTTP query. The following errors occurred when trying to parse incoming HTTP request:

Microsoft.IdentityServer.Protocols.Saml.HttpSamlMessageException: MSIS7015: This request does not contain the expected protocol message or incorrect protocol parameters were found according to the HTTP SAML protocol bindings .
   at Microsoft.IdentityServer.Web.HttpSamlMessageFactory.CreateMessage(HttpContext httpContext)
   at Microsoft.IdentityServer.Web.FederationPassiveContext.EnsureCurrent(HttpContext context)</EventData>
    </Event>
  </UserData>
</Event>


From what I can figure out, MSIS7015 is simply a catch-all error when AD FS 2.0 can't handle a SAML2 message. Any suggestions on how to troubleshoot this and figure out what AD FS doesn't like about the SAML request?
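The trace above says AD FS could not even parse a SAML message out of the HTTP request, so the first thing to look at is what the SP actually put on the wire. The HTTP-Redirect binding requires the SAMLRequest query parameter to be raw-DEFLATE compressed, base64 encoded and then URL encoded; the HTTP-POST binding sends plain base64 in a form field. The following added example (not from the post, and not Microsoft code) encodes and decodes values the way the redirect binding specifies, so a SAMLRequest captured from the browser or a proxy can be inspected and the binding the SP really used can be identified. The entity IDs and URLs in the sample request are made up.

```powershell
# Added example (not from the original post). Works on Windows PowerShell 2.0 and later.

function ConvertTo-SamlRedirectValue {
    # XML -> raw DEFLATE -> base64 -> URL-encoded, i.e. a valid HTTP-Redirect binding value.
    param([Parameter(Mandatory = $true)][string]$Xml)
    $out   = New-Object System.IO.MemoryStream
    # DeflateStream emits raw DEFLATE without a zlib header, which is what the binding specifies.
    $z     = New-Object System.IO.Compression.DeflateStream($out, [System.IO.Compression.CompressionMode]::Compress, $true)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $z.Write($bytes, 0, $bytes.Length)
    $z.Dispose()                                           # flushes the final block into $out
    [Uri]::EscapeDataString([Convert]::ToBase64String($out.ToArray()))
}

function ConvertFrom-SamlMessageValue {
    # Accepts a SAMLRequest/SAMLResponse value from either binding and reports which one it was.
    param([Parameter(Mandatory = $true)][string]$Value)
    $bytes = [Convert]::FromBase64String([Uri]::UnescapeDataString($Value))
    try {
        $in  = New-Object System.IO.MemoryStream(,$bytes)
        $z   = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
        $r   = New-Object System.IO.StreamReader($z, [System.Text.Encoding]::UTF8)
        $xml = $r.ReadToEnd()
        $r.Dispose()
        $binding = 'HTTP-Redirect (deflated)'
    } catch [System.IO.InvalidDataException] {
        # Not a DEFLATE stream: either a POST-binding payload, or an SP that sent undeflated
        # XML on the redirect endpoint (a binding mismatch AD FS will refuse to parse).
        $xml     = [System.Text.Encoding]::UTF8.GetString($bytes)
        $binding = 'not deflated (HTTP-POST style)'
    }
    New-Object PSObject -Property @{ Binding = $binding; Xml = [xml]$xml }
}

# Constructed sample AuthnRequest; issuer, ACS URL and destination are placeholders.
$authnRequest = @"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7b3c1a2e" Version="2.0" IssueInstant="2011-01-19T22:03:40Z"
    Destination="https://sts.example.com/adfs/ls/"
    AssertionConsumerServiceURL="https://app.example.net/saml/acs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://app.example.net/saml/metadata</saml:Issuer>
</samlp:AuthnRequest>
"@

$encoded = ConvertTo-SamlRedirectValue $authnRequest
$url     = "https://sts.example.com/adfs/ls/?SAMLRequest=$encoded&RelayState=abc"

# With a real capture, paste the URL the browser was redirected to in place of $url.
$value   = [regex]::Match($url, 'SAMLRequest=([^&]+)').Groups[1].Value
$decoded = ConvertFrom-SamlMessageValue $value
$decoded.Binding                        # HTTP-Redirect (deflated)
$decoded.Xml.AuthnRequest.Issuer        # https://app.example.net/saml/metadata
$decoded.Xml.AuthnRequest.Destination   # should be the AD FS endpoint the SP actually sent the user to
```

Compare the decoded Issuer with the identifier configured on the relying party trust, and the Destination and ProtocolBinding with the endpoints AD FS exposes; a value that decodes only through the undeflated path while arriving as a GET is the classic binding mismatch behind a parse failure.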

ADFS V3.0 SSO and form based authentication


Hi folks, 

We recently have a new ADFS farm built up, planning to replace our old ADFS 2.0 systems. The new farm is purely on Win2012 R2 so it is ADFS v3.0. 

On the Authentication Policy portion, we enabled both Windows authentication and forms-based authentication as global settings. No per-relying-party settings for this. We would like users to log in to the relying party directly (SSO) without a prompt when they are on the internal corporate LAN on domain-joined workstations. However, right now, regardless of what we do, when user sessions hit our ADFS they are presented with the ADFS form for username and password. No other pop-up or direct login. Once they log in with their NT ID, everything is fine. 

We have been trying all kinds of different settings on both the server side and the client side (like adding the ADFS site to trusted sites, lowering the security level, etc.) and nothing makes a difference. 

Please help. Thanks a lot...
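Both this post and the earlier "Integrating ADFS with ACS" question come down to the same server-side decision: AD FS 2012 R2 only offers Windows Integrated Authentication to a browser whose User-Agent matches an entry in WIASupportedUserAgents, and everyone else gets the form. The following added example (not from either post) shows how to read the full list rather than the truncated console view, how to confirm WIA is enabled for the intranet, how to extend the list safely, and how to check the Kerberos SPN. The two user-agent substrings added are an assumption about which browsers should be on WIA; adjust them to your fleet.

```powershell
# Added example, not from either post. Run in an elevated PowerShell on a 2012 R2 AD FS server.

# 1. The console shortens long arrays to "...": read the property itself to see every entry.
$props = Get-AdfsProperties
$props.WIASupportedUserAgents            # one entry per line
$props.WIASupportedUserAgents.Count

# 2. WIA is only attempted when it is enabled for the intranet alongside forms.
$policy = Get-AdfsGlobalAuthenticationPolicy
$policy.PrimaryIntranetAuthenticationProvider
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'WindowsAuthentication') {
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication')
}

# 3. Entries are substrings matched against the request's User-Agent header. The two below
#    (an assumption about the browsers you want on WIA) cover desktop Chrome, Firefox, IE and
#    Safari on Windows and macOS without catching iOS or Android, whose browsers cannot answer
#    a Kerberos/NTLM challenge and are better left on the form. A bare "Mozilla/5.0" would
#    match those mobile browsers too.
$toAdd = @('Mozilla/5.0 (Windows NT', 'Mozilla/5.0 (Macintosh')
$new   = @($props.WIASupportedUserAgents) + @($toAdd | Where-Object { $props.WIASupportedUserAgents -notcontains $_ })
if ($new.Count -ne $props.WIASupportedUserAgents.Count) {
    Set-AdfsProperties -WIASupportedUserAgents $new
}

# 4. Kerberos needs the HOST SPN of the federation service name on the AD FS service account;
#    a missing or duplicate SPN is the other common reason a domain-joined client lands on the
#    form. setspn -Q searches the whole forest and reports duplicates.
setspn -Q ("HOST/" + $props.HostName)
```

On the client side, IE and Chrome only send credentials automatically when the AD FS host name is in the Local intranet zone (Trusted Sites alone prompts by default), and Firefox needs the host in network.negotiate-auth.trusted-uris.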

Navigating to a default page before redirection to ADFS discovery page

I have a claims-aware ASP.NET application which is using ADFS. On browsing to https://applicationURL/ the browser is redirected to the ADFS discovery page where one chooses the Claims Provider. What I want to achieve is to display a page before this redirection is done (e.g. https://applicationUrl/welcome.aspx). This page is set as the start page and allows anonymous access, such that browsing to it directly works but browsing to https://applicationURL/ does the redirection. My question is, is it possible to show this default page?

ADFS 3.0 - the placeholder text change seems not working for IE8/9


We are trying to do a little bit of customization of the ADFS default FORM login page.

I was following the link and try to implement it

http://jasonomar.wordpress.com/2014/05/16/customizing-the-placeholder-on-the-adfs-3-0-login-page/

It seems the placeholder text change does not work for IE8/9

Can anyone help me please?

Missing Claims

Hello,

At least once per day we need to restart the ADFS server because some of the role claims (group) are missing and that causes authentication to fail for some of the users.

We tried different solutions found on the web, but unfortunately none of them helped us.

Thank you,

What approach to take for first setting up ADFS SSO


I am new to ADFS and am looking for some general direction: 

For implementing SSO, I am considering one of two approaches:

1. set up a claims aware web application as a landing page to link to other web applications.  Draw from the authenticated user's roles, and only display the web apps that are applicable to him, then pass the specific claims aware web app that they choose from this landing page

...or...

2. set up a claims aware web service, that each web application will have to call

Any benefits to one over the other?

Enable windows principal authentication on extranet strategy ADFS 3.0


Hello

Is it possible to enable Windows authentication in the extranet strategy with ADFS 3.0?

We need it to use seamless login for Office 365 services through a WAP.

http://technet.microsoft.com/library/d1edf0c7-08fb-44bf-b831-c0a8425b4a9c says it's not available by default.

Regards

Stephane

LAMP - Apache web application as Service Provider

Hi, 

I have encountered an enterprise environment with redundant ADFS 2.0 federation servers and federation proxies. There is a two-way trust to a supplier network (the trust will get decommissioned). In the supplier network there is a basic configuration of ADFS 3.0 with the corresponding WAP servers. The supplier network runs several types of applications: Oracle-based apps, Linux-based apps running on Apache 2.x (LAMP) and Microsoft apps. 

The question is now mainly focused on the LAMP applications.

I have Googled a bit and found the following results:
- Spring SAML could be used to make a LAMP application act as a Service Provider (SAML 2.x). This is configured within the application. 
- Shibboleth is used to make Apache act as a Service Provider.

What are the best practices to make Linux Apache applications Service Providers communicating with ADFS 2.x/3.0?
Is there any third-party software recommended by Microsoft?
Can this be accomplished without any third-party product?

Note: Security is a huge issue that needs to be taken into consideration.

Thank you in advance for your time and effort. 

Best regards,
Reza

ADFS deployment in multi domain environment


Hi All,

I have one customer problem.

They want to use ADFS for federated SSO but their existing AD infrastructure is really weird.

They have one parent domain, parent.com, and under that they have two child domains: child1.parent.com and child2.parent.com. Till now everything looks good; it looks like one forest. They want to give SSO privileges to child1.parent.com users only, along with some privileged users of the parent.com domain.

Now, they have acquired three companies which had their own forests, e.g. company1.com, company2.com and company3.com. These domains have not been brought under the main parent domain.

So now they have 4 independent forests. As they are starting an SSO service for their users, they want to give SSO privileges to company2.com and company3.com users also.

I have deployed ADFS and configured SSO under one forest, but this is something new for me. So I have identified the approaches below:

1. They should bring all domains under one forest. (That will make my life easy but seems to be a costly affair.)

2. Deploy multiple ADFS servers, one per forest. (It will create more than one IdP URL for the same service, e.g. Google Apps.)

3. Implement some custom solution, integrate all the forests through that and configure ADFS with the custom solution. (Needs brainstorming and custom development; increases time and cost.)

4. Use forest-to-forest bidirectional trusts and configure only one domain with ADFS. Internally they can authenticate over Kerberos. (Seems a good option but I do not know much about feasibility.)

Please provide your experienced valuable suggestions.

Remote Desktop with WAP on 2012 R2


I'm trying to setup RD Web with or without RD Gateway with AD FS and WAP. All on 2012 R2.

I have all the RD Roles on the same server inside the firewall and I would like to use the WAP server we are using for OWA for the same purpose for RD.

I have seen some bits of info that tells me it's possible but nothing more.

So any info would be greatly appreciated


URL rewrite for ADFS 3.0


Hi,

I am using ADFS 3.0 with RelayState. The vendor (RP) wants to have the ability to send email to customers with a "deep link".

In ADFS 2.0, you can use URL Rewrite to make sure the pattern of the "deep link" is formed correctly, since it uses the full functionality of IIS. In ADFS 3.0, IIS is no longer installed, so is there a tool similar to URL Rewrite to resolve the "deep link" redirection from the vendor (RP)?

Thanks,

AD FS 3.0 Certificate Authentication from mobile devices


We have set up an AD FS farm (1 server) on our internal network behind our internal F5 appliance. Additionally we have set up a Web Application Proxy (1 server) in our DMZ network and load balanced it behind our DMZ.

Internally we can authenticate devices based on Forms Based Authentication (FBA), Windows Integrated Authentication (WIA), Certificate Authentication (CA), FBA + CA and WIA + CA.

Externally we can authenticate devices based on Forms Based Authentication (FBA), Certificate Authentication (CA), and FBA + CA as long as the request is coming from a company laptop.

If we use an iOS device we are only able to authenticate using FBA. If we choose CA as the only option for external devices it fails. It will get as far as the sign-on screen, show a message (see below) and spin attempting to load it for ~2 minutes before failing. The iOS device has a valid certificate and is in fact using the same certificate that was used on an external company laptop to validate that it worked there. The installed certificate contains the private key and was delivered to the device via email.

Does anyone have any experience with this type of issue or configuration?


ADFS Token validation failed.


Hello,

While checking my ADFS server I see only one error, repeated with the same ID, as below:

Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Error message:
user@domain.com-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: user@domain.com ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

The server is working fine and users are able to connect to the Microsoft cloud smoothly. I am just curious why this error is happening and what it means.
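The event quoted above is what AD FS writes every time a username/password token is rejected by Windows: one of these is a mistyped password, a steady trickle is stale saved credentials in a mail client, and a burst spread across many accounts is the signature of a password spray against the /adfs/ls/ endpoint. The following added example (not from the post) pulls those events from the Admin log and summarises them per account and per hour so the three cases can be told apart. It assumes Windows Server 2012 R2, where the log is "AD FS/Admin"; on AD FS 2.0 pass -LogName 'AD FS 2.0/Admin'. It filters on the message text the post shows rather than on an event ID so it works on both.

```powershell
# Added example (not from the original post). Run on an AD FS server, or remotely with -ComputerName
# added to Get-WinEvent. Nothing here changes configuration; it only reads the event log.

function Get-AdfsFailedLogons {
    param(
        [string]$LogName = 'AD FS/Admin',    # 'AD FS 2.0/Admin' on Windows Server 2008 R2
        [int]$Hours = 24
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction Stop |
        Where-Object { $_.Message -like 'Token validation failed*' } |
        ForEach-Object {
            # The rejected user name sits between the exception type and "--->" in the message body.
            $m    = [regex]::Match($_.Message, 'SecurityTokenValidationException:\s*(\S+?)\s*--->')
            $user = if ($m.Success) { $m.Groups[1].Value.ToLowerInvariant() } else { '<unparsed>' }
            # The Win32 reason text distinguishes a bad password from a locked or disabled account.
            $reason = if ($_.Message -match 'Win32Exception[^:]*:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '' }
            New-Object PSObject -Property @{ Time = $_.TimeCreated; User = $user; Reason = $reason }
        }
}

$failures = Get-AdfsFailedLogons -Hours 24
"{0} failed username/password validations in the last 24h" -f @($failures).Count

# Case 1: one account with many failures (brute force on a single user, or a device with a stale password).
$failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# Case 2: many distinct accounts, one or two failures each, inside a short window (password spray).
$failures | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:00') } |
    Select-Object Name, Count, @{ n = 'DistinctUsers'; e = { @($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique).Count } } |
    Sort-Object Name

# Case 3: reasons other than a wrong password (locked out, disabled, expired) deserve a separate look.
$failures | Group-Object Reason | Select-Object Count, Name
```

The event itself carries no client IP on this platform, so when the hourly view shows many distinct users with few attempts each, correlate the time window with the Web Application Proxy or load balancer access logs to find the source addresses, and consider extranet lockout on the federation service.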


ADFS SSO Configuration - Requiring Double Sign In


Hello Everyone,

I have configured ADFS on our lab environment to host SSO on the SCSM 2012 R2 (System Center Service Manager) Portal.

We have an ADFS server, a Web-Proxy server, a SharePoint 2010 Server, and the server hosting SCSM and its main database.

I have gotten everything configured and working properly, however it seems when I connect to the ADFS page (connect.mycompany.com) and login, I must login again once I am redirected to the portal page. How do I configure SSO to only require my credentials once?

Thanks in advance. 

Simple question: how to signout from WAP and a non-claim aware system?


Hi,

How can I sign out from a web application behind Web Application Proxy in non-claims-aware mode?

I have a web application using Windows authentication, and I'm using WAP to provide forms-based authentication for external users.

This works fine...

but I'm not able to sign out :)

I'm using ADFS 3.0 and Win 2012 R2.

We certainly have to call a URL like

https://{DNS_name_of_RP_STS}/adfs/ls/?wa=wsignout1.0

but this doesn't work; the user is still connected and can go back to the web application without being prompted for a login again.

so... thanks for your help :)
