Channel: Claims based access platform (CBA), code-named Geneva forum

ADFS WIA issues, FBA works fine, Troubleshooting help please.


Hi,

I'm working through an "urgent" issue where ADFS is being used to authenticate users to an externally hosted intranet.
I've been introduced to it without much of a back story and have been unraveling the beast, but have gotten to the point where a point in the right direction could save me a ton of time/effort.

The form based authentication (FBA) works fine, however when users click "Log in with my operating system account" they're prompted to authenticate both using the https://[ADFS server]/adfs/ls/IdpInitiatedSignon.aspx and the website login button. To me, that means that I can concentrate on getting it going internally, before worrying about the external site.

My main lead so far is that the issue is repeatable internally and that SSO seems to work directly on the ADFS server.
I suspect it's a certificate issue or the claim rule has been set up incorrectly, but am still learning so don't know how to confirm if so.

  • Admin users on the ADFS server can click "Log in with my operating system account" to log in, but they need to click it twice
  • Admin users on the ADFS server can sign into the local or external site using single sign on from the following address: https://[ADFS server]/adfs/ls/IdpInitiatedSignon.aspx
  • End users can log in using the form or by clicking "Log in with my operating system account" and manually entering in their credentials.
  • I've set up an SPN for HTTP/[ADFS FQDN] and HTTP/[ADFS hostname]. Some people have said that having HOST/[ADFS hostname] stopped their implementation from working; there are a bunch of SPNs for this host and I'm not sure of the reasoning behind them all:
      HTTP/[adfs_host].[domain]
      HTTP/[adfs_host]
      TERMSRV/[adfs_host]
      TERMSRV/[adfs_host].[domain]
      WSMAN/[adfs_host]
      WSMAN/[adfs_host].[domain]
      RestrictedKrbHost/[adfs_host]
      HOST/[adfs_host]
      RestrictedKrbHost/[adfs_host].[domain]
      HOST/[adfs_host].[domain]
  • Users' IE browsers are configured with "Enable Integrated Windows Authentication" and "Automatic logon only in Intranet zone", and have the ADFS and external webserver addresses specified in the Intranet zone
  • Users have several certificates installed
  • Since we can test using the /adfs/ls endpoint, I'm assuming that it's the only endpoint I needed to confirm is enabled?
  • Windows Authentication is enabled for "intranet"s
  • I can see information in "/FederationMetadata/2007-06/FederationMetadata.xml" and "/adfs/fs/federationserverservice.asmx" including the certificates used with the /adfs/ls endpoint. But unfortunately am not quite sure how to use the information to progress troubleshooting.
  • If it helps, the "test url" button on the properties of the relying party trust for http://[externally hosted intranet]//saml/metadata works fine.
  • People have mentioned that DNS issues have caused pain in this area, which could explain why the issue only exists on client workstations and not on the ADFS server directly; however, since it's internal and resolves the correct name/IP I don't think this is the case?
  • The three claim rules set up are below and the metadata suggested that all of the entries are "optional". But I suspect this needs to be set to something specifically?

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname","http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), query = ";mail,givenName,sn,objectGuid;{0}", param = c.Value);

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,userPrincipalName;{0}", param = c.Value);

I'd appreciate it if someone could give me a few pointers to help me pull together all the strands of information I have into something a bit more tangible and guide me on the next step to check so I can work through this issue.

Kind regards,

S
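The post lists several things to verify by hand (who owns the HTTP/ SPNs, whether the /adfs/ls endpoint is enabled, how the IE Intranet zone and logon setting are configured, and whether the client can actually obtain a Kerberos ticket for the federation service). The script below is an added example written for this page; it is not code from the original post or from the Geneva forum. It is read-only and assumes an ADFS 2.0 deployment, an elevated PowerShell session on a domain-joined Windows 7-era client (for the IE and klist checks) or on the ADFS server itself (for the service and endpoint checks). The hostnames in the parameters are placeholders standing in for the bracketed values in the post.

```powershell
# Added example: read-only WIA/Kerberos checklist for the symptoms described above.
# Placeholders: replace the three parameters with the real [adfs_host].[domain],
# [adfs_host] and externally hosted intranet names.
param(
    [string]$AdfsFqdn     = "adfs.corp.example",       # placeholder for [adfs_host].[domain]
    [string]$AdfsHost     = "adfs",                    # placeholder for [adfs_host]
    [string]$IntranetFqdn = "intranet.example.com"     # placeholder for the external intranet site
)

# 1. SPN ownership. When the ADFS service runs as a domain service account, the two
#    HTTP/ SPNs must be registered on that account. If the computer account also
#    holds them, or setspn -X reports duplicates, Kerberos fails and IE falls back
#    to prompting, which matches the "click twice" / credential-prompt symptom.
#    HOST/, RestrictedKrbHost/, TERMSRV/ and WSMAN/ on the computer account are
#    normal Windows defaults and are not the problem.
Write-Host "== Accounts holding the HTTP/ SPNs =="
setspn -Q "HTTP/$AdfsFqdn"
setspn -Q "HTTP/$AdfsHost"
Write-Host "== Forest-wide duplicate SPN report (should list none) =="
setspn -X

# 2. Which account does the ADFS service actually run as? Compare with step 1.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'" -ErrorAction SilentlyContinue
if ($svc) { Write-Host "ADFS service (adfssrv) runs as: $($svc.StartName)" }
else      { Write-Host "adfssrv not found: run steps 2 and 3 on the ADFS server" }

# 3. Endpoint state (ADFS 2.0 snap-in). /adfs/ls is the passive endpoint that
#    performs WIA; it must be Enabled.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
if (Get-Command Get-ADFSEndpoint -ErrorAction SilentlyContinue) {
    Get-ADFSEndpoint | Where-Object { $_.AddressPath -like "/adfs/ls*" } |
        Select-Object AddressPath, Enabled, Proxy | Format-Table -AutoSize
}

# 4. DNS shape. IE builds the Kerberos SPN from the name the user typed only when it
#    resolves via an A record; a CNAME makes IE request a ticket for the canonical
#    name instead, so the HTTP/<typed name> SPN is never used.
Write-Host "== nslookup $AdfsFqdn (an 'Aliases:' line means CNAME) =="
nslookup $AdfsFqdn

# 5. Client side: is the host mapped into the Local Intranet zone (ZoneMap value 1)?
#    Checks the per-user key and the Group Policy key.
function Get-IEZoneMapping([string]$Fqdn) {
    $labels = $Fqdn.Split('.')
    if ($labels.Count -lt 2) { return $null }
    $domainKey = $labels[-2..-1] -join '.'
    $subKey    = if ($labels.Count -gt 2) { $labels[0..($labels.Count - 3)] -join '.' } else { $null }
    $roots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
             'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    foreach ($root in $roots) {
        $path = Join-Path $root $domainKey
        if ($subKey) { $path = Join-Path $path $subKey }
        if (Test-Path $path) {
            $props = Get-ItemProperty $path
            foreach ($scheme in 'https', 'http', '*') {
                if ($props.$scheme -ne $null) { return "$path [$scheme] = $($props.$scheme)  (1 = Local Intranet)" }
            }
        }
    }
    return $null
}
foreach ($h in $AdfsFqdn, $IntranetFqdn) {
    $m = Get-IEZoneMapping $h
    if ($m) { Write-Host "Zone mapping for ${h}: $m" } else { Write-Host "No explicit zone mapping for $h" }
}

# 6. Client side: logon option for zone 1 (registry value 1A00 under Zones\1).
$zone1 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -ErrorAction SilentlyContinue
$logon = switch ($zone1.'1A00') {
    0        { 'automatic logon with current user name and password' }
    0x10000  { 'prompt for user name and password (WIA will always prompt)' }
    0x20000  { 'automatic logon only in Intranet zone' }
    0x30000  { 'anonymous logon (credentials never sent)' }
    default  { 'not set explicitly (IE default for zone 1 is automatic logon)' }
}
Write-Host "Intranet zone logon option: $logon"

# 7. The decisive client test: can this user obtain a service ticket for the
#    federation service? Success proves DNS, SPN and KDC are consistent; failure
#    points at SPN/DNS rather than IE or claim rules.
Write-Host "== klist get HTTP/$AdfsFqdn =="
klist get "HTTP/$AdfsFqdn"
```

Run it once on a client that shows the double prompt and once on the ADFS server where SSO works; the first difference between the two outputs (usually step 4, 5 or 7) is where to dig next. Nothing in the script changes configuration.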

