Quantcast
Channel: Claims based access platform (CBA), code-named Geneva forum
Viewing all 2535 articles
Browse latest View live

how to force the signin language to a specific language?

October 21, 2014, 1:55 pm
$
0
0

Hi,

can I force the usage of a specific language to display the signin page?

I have an home page where the user selects its preferred language, and then redirected to my WAP protected application.

so the signin page is displayed in the browser preferred language and not the one the user selects in the home page...

can we force the language through the URL?

Search

ADFS to SAML 2.0 static attribute in response

October 21, 2014, 2:16 pm
$
0
0

Hopefully this has a simple solution.

Have my ADFS server setup and sso working with my SAML 2.0 enabled site.

I would like to pass a non active directory attribute back in the response for every user.
EX:
<Attribute Name="UserRole"><AttributeValue>Viewer</AttributeValue></Attribute>

It would be the same for every user (basically hard coded into the response).

How can I go about doing this?  Use a Custom Rule?

Thanks very much in advance!


Azure AD SSO and adding custom SAML 2.0 relying parties

October 21, 2014, 1:35 am
$
0
0

Hi all,

I was looking at the SSO options of Azure AD and they provide a catalog with a bunch of preconfigured "relying parties": http://azure.microsoft.com/en-us/gallery/active-directory/#all

What if I want to connect a SAML 2.0 application which is not listed in their catalog?

According to this article you could create your own WS-FED relying parties with powershell, but what about SAML 2.0? http://azure.microsoft.com/en-us/documentation/articles/active-directory-php-web-single-sign-on/

Robin



ADFS not redirecting back to CRM

October 23, 2014, 11:48 am
$
0
0

Hello All,

Scenario: CRM2013 UR2, ADFS 3

when I try to logon from "the outside" ADFS authenticates the account, but it doesn't redirect back to CRM. I know ADFS is authenticating, because it gives me a message if I type a wrong password.
There are no error messages/log entries anywhere (ADFS or CRM).

Internally everything works. This was working before, all I did was replace the certificate (same wildcard for ADFS and CRM).

I traced the connection in Fiddler and I can see the 302 response from ADFS after authentication, but the target (in Fiddler: Target -> Location) points at ADFS (sts.mydomain.com/....) not at the CRM server.
When tracing the connection internally, the 302 response contains the correct target (crminternal.domain.com/....).

I'm fairly certain I already tried all the "simple stuff" (rerunning Claims and IFD config in CRM, recreating the IFD relying party trust etc.)

Anyone seen this before or have an idea?

Thx in advance!

Microsoft ADFS / IIS : How to change the path of MSISAuth/MSISAuth1/MSISAuthentcation Cookies?

October 24, 2014, 3:57 am
$
0
0

Hi,

I need to have the MSISAuth/MSISAuth1/MSISAuthentcation Cookies sent from a Browser to a Proxy upfront.

But there are two issues:

1) Cookies are set from MS ADFS to the host - not domain

I solved that issue by editing the C:\inetpub\adfs\ls\web.CONFIG by including this setting:

    <httpCookies domain="mydomain.com" httpOnlyCookies="false" requireSSL="false"/>

So the cookies got sent by the browser to all servers included in this domain - solved.

2) Cookies are set to path /adfs/ls

To have the browser sent the cookies the pattern https://<host>/adfs/ls
need to be fullfilled - but now I need to change this path to "/" so that those cookies are also sent to other context roots.
I have not found any documentation or property file to change this

Anyone able to help me here by pointing me to the correct place to edit this setting?

Thanks,
Sascha

ADFS 3.0 Form Based Authentication is not working properly from internet

August 27, 2014, 3:17 pm
$
0
0

Hi,

We have 2 ADFS 3.0 servers load balanced by F5. F5 is behaving as a proxy as we don't have WAP for our ADFS farm. CurrentlyWindows Integrated Authentication is being set for intranet and Forms based Authentication is being set for extranet users in ADFS. Forms based authentication works fine when you access ADFS URL from Mozilla or FireFox but when you use IE you get a Windows Integrated Authentication prompt from internet. We are unable to understand and troubleshoot why user's are getting Windows Integrated Authentication from internet although we have FBA when traffic is coming through internet.Is there something i am missing in my configuration?

Any suggestion will be highly appreciated. Thanks.

Regards, Riaz Javed Butt | Consultant Microsoft Professional Services MCITP, MCITP (Exchange), MCSE: Messaging, MCITP Office 365 | msexchgeek.wordpress.com

The key needed to verify the signature could not be resolved

February 7, 2011, 12:56 pm
$
0
0

I keep getting this error when I try to read the token I created

ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0xC2ACC11F435B8F0EA14EAF3C2D8EFC9CA71CF678)
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.

   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Client.Program.Main(String[] args) in C:\test\RequestPageToken\Client\Program.cs:line 53
   at System.AppDomain._nExecuteAssembly(Assembly assembly, String[] args)
   at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
   at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
   at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.ThreadHelper.ThreadStart()

 

code CreateToken

SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor();

descriptor.TokenType = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

DateTime issueInstant = DateTime.UtcNow;

descriptor.Lifetime = new Lifetime(issueInstant, issueInstant + new TimeSpan(0, 5, 0));

descriptor.AppliesToAddress = "http://localhost/Service";

descriptor.TokenIssuerName = "TEST";

X509SecurityToken token = new X509SecurityToken(new X509Certificate2("testsite.pfx"));

SecurityKeyIdentifier ski = GetSecurityKeyIdentifier(token);

descriptor.SigningCredentials = new X509SigningCredentials(token.Certificate, ski);

Saml2SecurityTokenHandler handler = new Saml2SecurityTokenHandler();



Saml2SecurityToken samlToken = handler.CreateToken(descriptor) as Saml2SecurityToken;

Read Token

 SecurityTokenHandlerConfiguration config = new SecurityTokenHandlerConfiguration();

config.AudienceRestriction.AudienceMode = AudienceUriMode.Never;

config.CertificateValidator = X509CertificateValidator.None;

config.IssuerNameRegistry = new SimpleIssuerNameRegistry();

var handler = new SecurityTokenHandlerCollection(config);

 handler.Add(new Saml2SecurityTokenHandler());

handler.Add(new EncryptedSecurityTokenHandler());



MemoryStream st = new MemoryStream(signedToken);

XmlTextReader reader = new XmlTextReader(st);

Saml2SecurityToken securityToken;

   try

   {

    securityToken = handler.ReadToken(reader) as Saml2SecurityToken;

   }

ReadToken thows this error

Thanks

ADFS Proxy on Server 2012 SSL Problem

August 19, 2013, 7:26 am
$
0
0

I am attempting to do an ADFS Proxy install on Server 2012. I am installing ADFS via the Add Roles/Features.

I have installed the main ADFS server and am attempting to install the ADFS Proxy. I have mapped the 443 bindings on the Default Web Site. When I attempt to run the ADFS Proxy Configuration I get an error stating that the SSL bindings need to be configured on the Default Website. I have ensured that the bindings are set and in fact working properly.

I have installed multiple test servers in my lab and my colleague has done the same, with the same results. We have uninstalled/reinstall ADFS and IIS, changed the IIS bindings to a multitude of configurations, ensured that Everyone/Anonymous has access to the certificate private keys, disabled the firewall, basically done everything we could think of to get past this error.

I am not able to find a single thing on the internet with anyone with the same problem, which I find hard to believe considering I can so easily reproduce and a few of our clients are having the same problem.

I have an incident open with MS Support but so far they haven't came up with anything either.

Anyone have any ideas?

Search

ADFS or DirSync w/ Password Write-back? OneLogin?

October 24, 2014, 2:20 pm
$
0
0
Hi all,

I've been doing some research on this and just wanted to clarify on my findings...

My company is trying to figure out which syncing solution would be the best fit for our special cases that we have.  
Environment:
O365 fully deployed, users have two passwords, one for their machines and one for O365.
PCs - All joined to the domain
Macs - Not connected to the domain - has local user account w/ full admin rights

Original Goal: Have both passwords synced so there's one less pw to remember and give users the ability to change pw on portal and have it sync to on-prem AD.

I had thought that DirSync would have been the perfect fit since it has low overhead and doesn't require more than one dedicated server, but the more I read about it, the more I realize that to fulfill the goal of having users change their own passwords on O365 portal and to have it sync, I would either need to pay for AzureAD Premium to get the Password-writeback function or deploy ADFS instead.

DirSync also mentions that once the users are synced, the cloud password is set to "NeverExpires" and that's definitely not what we want for the mac users since they never login to the domain aside from using the VPN.  I know there's a way to set the "NeverExpires" flag to $false for certain users, but in doing that, there doesn't seem to be a way to specify it to expire at the same time as my on-prem AD. It's also not very easy/ideal for my mac users to find a windows PC to change their domain password every 6 months.

Ultimately, my question is given our situation and our end goal, would deploying ADFS or paying for AzureAD premium be our only options?

ADFS 2.0 Claims rule prompting

October 15, 2014, 2:00 am
$
0
0

Hi All

I have a question on Claims rules and promoting on the login page of ADFS.

Basically I have claims rule setup that deny users in an AD group access to Office365 when they are not on the corp network.  This rule work well no problems there.

Currently what happens is if a user is in the Deny group, when they try and login from outside the corp network on the ADFS login page it blanks the username and password with no prompt.  So the user just keeps retrying.  If the user enters the wrong password or username then the ADFS page prompts them saying wrong username and or password.

I need ADFS to prompt the user when they are in the deny group rather than just blank the username and password fields.

Thanks in advance

Seaspud


ADFS 3.0 WAP Cluster

October 15, 2014, 2:49 pm
$
0
0

We had a single ADFS Server and ADFS WAP (both 2012 R2 servers) in a production environment, both working as expected for SSO to Office 365.

We've successfully added a second ADFS Server and ADFS WAP server to the environment but are having some issues with the second WAP. We are able to configure it as far as the Publishing Application phase, at which point we see the two ADFS WAP servers in a Cluster...all good so far.

I'd have expected to be able to see the existing Published Application from the original WAP but there's nothing available. The only option that lets us progress is the "Publish Application" but I'm not sure if this is the correct thing to do, in case it overwrites the original configuration on the first WAP server?

Any pointers from anyone who's already done something similar?

Cheers for now

Russell

ADFS V3.0 SSO and form based authentication

October 16, 2014, 6:02 am
$
0
0

Hi folks, 

We recently have a new ADFS farm built up, planning to replace our old ADFS 2.0 systems. The new farm is purely on Win2012 R2 so it is ADFS v3.0. 

On the Authentication policy portion, we enabled both Windows authentication and form based authentication as global settings. No per relying party settings for this. We would like to have users to login the relying party directly (SSO) without prompt when they are in the internal corporate LAN on a domain joined workstations. However, right now, regardless what we do, when user sessions hit our ADFS, they are presented the ADFS form for user name and password. No other pop up or direct login.  Once they login with their NT ID, everything is fine. 

We have been trying all kinds of different settings on both server side and client side (like add the ADFS site into trusted sites, lower security level, etc.) and nothing makes difference. 

Please help. Thanks a lot...

ADFS Saml single sign on page giving 404 error

October 23, 2014, 11:48 am
$
0
0

I have a local ADFS server (instead firewall, same domain) for SAML SSO testing purposes. Set up everything correctly for the claims rule. When I attempt to go to the identity provider endpoint https://...../adfs/ls/IdpInitiatedSignOn.aspx url on the ADFS server I always get a 404 error.

I see the 2 virtual directories under the default website and all those setting seem to be correct.  I attempted to re-install aspnet using the aspnet_regiis -ir as suggested by other sites.  Still no go.

Any thoughts as to why I am getting the 404 error?

Thanks!

Second WAP not establishing trust with secondary ADFS 3.0 Farm node

September 22, 2014, 12:58 am
$
0
0

Hi,

I've been working on setting up our corporate ADFS environment with a mostly successful outcome however I am having an issue with one of our ADFS WAP servers not establishing a trust with a secondary ADFS server in our internal farm.

I believe this relates to the ADFSTrustedDevices certificate store not replicating between the two internal farm nodes.

THE SETUP

Diagram


Internal

  • 2 Windows 2012 R2 ADFS 3.0 Servers in one farm
  • Each server is in a different site with resilient WAN connections, sites are GB1 and GB2

External

  • 2 Windows 2012 R2 ADFS 3.0 WAP Servers
  • Each server is in a different site with resilient WAN connections, sites are GB1 and GB2 (same as above)
  • Each server is independent of the other (IE, no NLB or load balancer)
  • Both servers are in the same DMZ network (multi-site is achieved via a stretch VLAN between GB1 and GB2)
  • Internet/DMZ is resilient across both sites via BGP routing

So, GB1 contains the primary ADFS server and a proxy, GB2 contains secondary ADFS server and a proxy.
Both ADFS servers are in a farm.

DNS
Externally we use DNS round robin to the two proxies. Not best practice but the infrastructure is highly resilient so it's cost effective.

From each proxy, HOSTS files are used to lock the traffic to the internal ADFS server in the same site. IE, Proxy in GB1 will only communicate with internal ADFS server in GB1. Proxy in GB2 to internal ADFS server in GB2.

The reasoning behind this is for a site failure. Half the external traffic may hit the down proxy server and timeout but the other half will hit the working proxy. We didn't want half of the working proxy requests trying to contact the downed server in the failed site, giving us only one quarter of successful requests, if that makes sense.


THE ISSUE

During the setup of the second proxy in GB2 I could not establish a trust to the internal ADFS server in GB2, the secondary server.

Spent some time investigating with no success so I changed the HOSTS file to contact the primary internal ADFS server in GB1 and the trust was established and WAP configured

At this stage I could see that the ADFSTrustedDevice certificate store on the secondary ADFS server in GB2 was empty whilst the certificate store on the primary ADFS server in GB1 was populated with both proxy servers.

I changed the HOSTS file on GB2 proxy back to GB2 ADFS server and this continued to work for a while.

I had hoped that the automatic process would populate GB2 ADFS server with the certificates but it did not.

Eventually the trust broke down and I cannot re-establish the trust without pointing the GB2 proxy back to GB1.

I also cannot sync the certificate stored from GB1 ADFS server to GB2 ADFS server using the script found in this extremely useful article from Ian Parramore:

http://blogs.technet.com/b/applicationproxyblog/archive/2014/05/28/understanding-and-fixing-proxy-trust-ctl-issues-with-ad-fs-2012-r2-and-web-application-proxy.aspx#pi148362=2


WHAT HAVE I TRIED?
Ran the script in the above blog and no issues found, including using the switch -syncproxytrustcerts

KB2964735 / KB2962409 is installed an both ADFS servers

I have not initialised Device Registration as this will require updating the AD schema to 2012 which we are not ready to perform however this may well be the root of the problem, forcing us to move the AD schema forward.


SUGGESTIONS?
If you have any suggestions or advise on how to overcome this issue I've really appreciate some assistance.

Thanks in advance

Adam Callaghan

ADFS - The metadata does not contain the signing key needed for the entity to be configured as a claims provider trust

August 8, 2014, 9:29 am
$
0
0

Our customer has provided us with federated metadata.xml file. When we go to import and create the claims provider trust we receive this error message:

I have performed considerable Google search to be able to tell the customer what is missing. Can you provide explanation as to what ADFS is expecting in the customer xml file that it is not getting?

Thanks,

Paul

Paul

Search

Additional identity claims of Facebook are not passed into MVC default application from OWIN middleware sample.

October 28, 2014, 8:07 am
$
0
0

Hi, I understand my question is Identity Framework related. So I repost https://katanaproject.codeplex.com/discussions/570678

I have setup Facebook like next:
For some reason I cannot add any claim next to the 4 of the ASP.NET identity (LOCAL AUTHORITY). I see various posts on how to fix this. One of them is in the code snippet above.

Can anybody guide me how to add additional claims?

J.

           FacebookAuthenticationOptions faceBookAccountOptions = new FacebookAuthenticationOptions();
            faceBookAccountOptions.AppId = "*";
            faceBookAccountOptions.AppSecret = "*";
            faceBookAccountOptions.Provider = new FacebookAuthenticationProvider()
            {
                OnAuthenticated = (context) =>
                    {
                        context.Identity.AddClaim(new System.Security.Claims.Claim("urn:facebook:access_token", context.AccessToken));
                        return Task.FromResult(0);
                    }
            };
            //faceBookAccountOptions.Scope.Add("urn:facebook:access_token");
            //faceBookAccountOptions.Scope.Add("access_token");
            app.UseFacebookAuthentication(faceBookAccountOptions);

I have next code from a default ASP.NET MVC. In A there are claims, but in B they are not passed/ used. And what about C. on next authentications? What is wrong that I do not get the claims usable?

//
        // POST: /Account/ExternalLoginConfirmation
        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public async Task<ActionResult> ExternalLoginConfirmation(ExternalLoginConfirmationViewModel model, string returnUrl)
        {
            if (User.Identity.IsAuthenticated)
            {
                return RedirectToAction("Index", "Manage");
            }

            if (ModelState.IsValid)
            {
                // Get the information about the user from the external login provider
[*** A ***]                var info = await AuthenticationManager.GetExternalLoginInfoAsync();
                if (info == null)
                {
                    return View("ExternalLoginFailure");
                }
                // Sign in this external identity if its already linked
                var externUser = await UserManager.FindAsync(info.Login);
                if (externUser != null)
                {
[*** C ***] await SignInManager.SignInAsync(externUser, isPersistent: false, rememberBrowser: false);
                    return RedirectToLocal(returnUrl);
                }

                var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
                var result = await UserManager.CreateAsync(user);
                if (result.Succeeded)
                {
                    result = await UserManager.AddLoginAsync(user.Id, info.Login);
                    if (result.Succeeded)
                    {
[*** B ***]                        await SignInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
                        return RedirectToLocal(returnUrl);
                    }
                }
                AddErrors(result);
            }

            ViewBag.ReturnUrl = returnUrl;
            return View(model);
        }
Similar setup descibed in the past here: https://katanaproject.codeplex.com/workitem/82. Seems to work there, but why not for me? Any help appreciated. J.

Replacing the ADFS 2012 R2 certificate and relying party trusts

October 28, 2014, 8:26 am
$
0
0

If I change out the Service Communications certificate on my ADFS 2012R2 servers and proxy servers, do the relying parties need to do anything?  For instance, do I need to re-send them my metadata?

Thanks

ADFS 3.0 / 2012 R2 - Web Application Proxy Installation/configuration problem

April 13, 2014, 6:01 am
$
0
0

Hi All,

We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.

The setup consists of the following

- 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)

- 2 x Windows 2012 R2 Running Web Application Proxy (  only one server presently installed and configured though ).

There is an F5 Big-IP loadbalancer for both iinternal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.

Now the issue is that i cannot complete the installation/configuration of the Web Application Proxy server. There is  a firewall in between our DMZ and the internal network. I can reach the internal services via the following url and telnet on port 443 to the federation service as well. (ports for 443 and 80) are opened to internal network on the load balancer ip.

https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and federationmetadata/2007-06/federationmetadata.xml location as well from the Web APplication proxy server without any issues or certificate prompts at all.

When i do the configration for WAP, i use the same account which was used as a service account for the ADFS service internally. The certificate on the internal server along with its private key was exported and has been imported on the WAP server . This is not internal CA, instead we are using DIGICERT SSL with SAN Names for enterprise registration and work folders. Hence the CA Chain issue is ruled out and also this is not a wild card certificate.

When the wizard starts configuring, it does establish the trust with the federation service which is shown up in the event viewer with  EventID 391 within 15 seconds i get another event id 422 which states that it cannot retrieve the proxy configuration and eventid 276 on the Federation server which states the authentication failure. this continues until the servers stops to try configuring the wizard

I have read all the available threads on the 3.0 WAP installation /configuraiton problem and tried all the steps possible but i am still stuck with this issue.

There is one more part that i noticed on the ADFS server, that the self signed services for the token-encrypting and token decrypting are self-signed certificates. Also, in the certificates it was showing up as not trusted. and i installed them to the TRUSTED ROOT CERTIFICATION STORE after wich i cannot see any private key showing up when viewing the certificate which means i cannot get the MANAGE PRIVATE keys option when right clicking on the cert to assign read permissions for the ADFS service account.

Should i assign the same external SSL sertificate to these services as well or should i leave them as self signed ?

I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain and have also ensured the time synch between the domain machine as well.

the service name is fs.domain.com on both the internal and external DNS ( we have domain.com as a zone in DNS internally as well ). I am able to Authenticate inside and from the WAP server when accessing the link.

Could it be a Load Balancer Configuration ? [i will try eliminating this from the configuration]

Let me know if there are any options that i can try to resolve this and get the configuration working.

Cheers,

Prashant D

ADFS login failes intermittent (page could not be displayed)

October 29, 2014, 1:57 am
$
0
0

I have setup two hardware loadbalanced ADFs 2.0 (6.2.9200.16384) with login against office 365.

But the login fails intermittent for users and they get the error:

"There was a problem accessing the site. Try to browse to the site again.If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

Reference number: 33974b0f-17c9-4aba-8dba-59d0a89b8942"

I have enabled the tracing log on the ADFs-machine. But I cant find the reference number in ADFs admin log or the tracing log. I can see the login made by the user with another reference number. But no errors that could be connected to the failed login.

I can force the error by reloading the ADFs-loginpage a couple of times. But sometimes I the users gets the error the first time they try to login on a new computer.

It does not matter what browser they use.

ADFS 3.0 error 111 and 364

August 20, 2014, 1:59 am
$
0
0

we have a windows azure server (2012 R2) with active directory and adfs (icw Office 365)

this has worked in the past

since yesterday the services stoped working

i checked and saw it wasn't pointing to itself for dns (instead a other dc) and in the eventlog there was a meesage the password for the managed service account wasn't reset

i point the dns to 127.0.0.1 and verified it could resolve local and remote hostnames 
after this i reset the managed service account password and restarted the server

i replaced the company and domain name in the logs bellow

Log Name:      AD FS/Admin
Source:        AD FS
Date:          8/19/2014 11:48:22
Event ID:      111
Task Category: None
Level:         Error
Keywords:      AD FS
User:          domain\ADFS$
Computer:      company-dc01.company.com
Description:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue

Additional Data
Exception details:
System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, Object[] args)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" /><EventID>111</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000001</Keywords><TimeCreated SystemTime="2014-08-19T09:48:22.405647300Z" /><EventRecordID>1021</EventRecordID><Correlation ActivityID="{00000000-0000-0000-1A00-0080000000C0}" /><Execution ProcessID="3676" ThreadID="4560" /><Channel>AD FS/Admin</Channel><Computer>company-dc01.company.com</Computer><Security UserID="S-1-5-21-2034257005-3014172703-327212626-1115" /></System><UserData><Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData><Data>http://schemas.microsoft.com/idfx/requesttype/issue</Data><Data>System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---&gt; System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean&amp; bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark&amp; stackMark)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, Object[] args)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet)

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean&amp; bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()</Data></EventData></Event></UserData></Event>
Log Name:      AD FS/Admin
Source:        AD FS
Date:          8/19/2014 11:48:22
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          domain\ADFS$
Computer:      company-dc01.company.com
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://adfs.company.com/adfs/services/trust

Exception details:
System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark& stackMark)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, Object[] args)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable& attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean& bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()


Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" /><EventID>364</EventID><Version>0</Version><Level>2</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8000000000000001</Keywords><TimeCreated SystemTime="2014-08-19T09:48:22.549017600Z" /><EventRecordID>1022</EventRecordID><Correlation ActivityID="{00000000-0000-0000-1A00-0080000000C0}" /><Execution ProcessID="3676" ThreadID="4560" /><Channel>AD FS/Admin</Channel><Computer>company-dc01.company.com</Computer><Security UserID="S-1-5-21-2034257005-3014172703-327212626-1115" /></System><UserData><Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events"><EventData><Data>Saml</Data><Data>http://adfs.company.com/adfs/services/trust</Data><Data>System.TypeInitializationException: The type initializer for 'Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService' threw an exception. ---&gt; System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean&amp; bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes, StackCrawlMark&amp; stackMark)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, Object[] args)
   at Microsoft.IdentityModel.Configuration.SecurityTokenServiceConfiguration.CreateSecurityTokenService()
   at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri&amp; replyTo, IList`1&amp; identityClaimCollection)
   at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken&amp; ssoSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

System.NullReferenceException: Object reference not set to an instance of an object.
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetDnsHostNameFromNtdsSettingDN(IDRServerContext context, String distinguishedName)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindAllGCsInDomain(IDRServerContext context)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.GetGCWithLowestGuid(IDRServerContext opContext)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.FindDRServiceObjectInDomain(DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.ADAdapter.ADStore.IsDRServiceObjectInEnterprise(String serviceName, DRServiceAttributesFlags flags, Hashtable&amp; attributesToGather)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerPhase2(DRServiceContext context, Boolean&amp; bServiceExists)
   at Microsoft.DeviceRegistration.Utilities.DRServiceManager.InitializeServiceManagerForSTS(Boolean forceReInitialize)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService..cctor()</Data></EventData></Event></UserData></Event>

Viewing all 2535 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>