
ADFS 2.0 - UAG


Hi All,
I have my ADFS 2.0 published via UAG 2010 SP1 and it seems to work fine.

When I access the portal.microsoftonline.com site and try to log in with a federated user, the portal site redirects me to my UAG form-based authentication site (and that's good). The problem is that when I log in I get this error from ADFS:

https://sts.mydomainname.com/adfs/ls/?cbcxt=&vv=&username=laith%40mydomainname.com&mkt=&lc=1033&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1306928280%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fDefault.aspx%25253fwa%25253dwsignin1.0%26lc%3D1033%26id%3D271346%26bk%3D1306928281

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.

I don't think the problem is UAG related. Any suggestions?

  • Hi Laith,

    It seems that you are working on an external (non on-premises AD member) computer environment. The ADFS issue might be related to many factors, so would you please first check it yourself according to the steps below?

    1. Try to log in to MOP in your on-premises AD environment with the same federated user to see if it works.

    2. The ADFS Proxy Server needs a publicly trusted SSL certificate, and the federation server and federation proxy server must use the same certificate.

    3. Verify that the federation server proxy is operational.

       To verify that the federation server proxy is operational:

       a. Log on to the federation server proxy as an Administrator.

       b. Click Start, point to Administrative Tools, and then click Event Viewer.

       c. In the details pane, double-click Applications and Services Logs, double-click AD FS 2.0 Eventing, and then click Admin.

       d. In the Event ID column, look for event ID 198. If the federation server proxy is configured properly, you will see a new event in the Application log of Event Viewer with the event ID 198. This event verifies that the federation server proxy service was started successfully and is now online.

    Additionally, there are resources for your reference:

     Steps of ADFS Proxy Server configuration: http://onlinehelp.microsoft.com/en-us/Office365-enterprises/ff652539.aspx#bk_configureFSP

    Publish ADFS 2.0 through Forefront UAG: http://technet.microsoft.com/en-us/library/hh237617.aspx

    Best Regards,

    Reken Liu

  • Ok Thanks for the response,

    Now when I uncheck the "Require SSL" setting on my ADFS site in IIS 7, I get the same error on both sides, internal and external. The error is the following:

    Error

    sts.mydomain.com

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: 602e514b-b067-42d0-82c4-46eac12f5fa4

    As mentioned, the same error on both network sides, "internal" and "external".

    Actually I wasn't aware that the ADFS certificates need to be publicly trusted. Are you sure 100% about that? (Please confirm.)

  • Hello Laith,

    Since the federation service uses Security Assertion Markup Language (SAML) to exchange authentication and authorization data between on-premises ADFS and MFG, and SAML is an XML-based standard transported via HTTPS, it can't work without SSL.

    You can use a self-signed certificate in a test lab environment. However, for a production environment, it is highly recommended to obtain a third-party certificate from a public CA, and this will prevent loss of functionality such as POP, IMAP, and ActiveSync authentication. Also, a public certificate is more secure than one obtained from an enterprise CA or a self-created one.

    Additionally, a self-signed certificate should be added as a root trusted certificate for each client.

    Thanks,

    Reken Liu

  • Yes, of course I'm aware of that.

    But I'm still getting the error above, even with a public certificate...

  • Hi Laith,

    I would like to double-confirm that you don't have a separate ADFS proxy server. Is that true?

    Meanwhile, I would appreciate it if you could help verify that the ADFS issue only occurs from the external side. To test the ADFS service in the internal environment, you may access the following address from the intranet:

    https://<federation server's DNS host name>/adfs/fs/federationserverservice.asmx
    The expected output is a display of XML with the service description document. If it works, please use the step 3 of my first reply to verify that the federation server proxy is operational.

    Please feel free to let me know any errors about certificates for further troubleshooting.

    Best Regards,

    Reken Liu
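    As an added example (not code from the thread or from Microsoft), here are the two checks above, step 3 of the first reply (event ID 198) and the internal federationserverservice.asmx test, plus a look at the bound certificate, as one PowerShell script. It assumes PowerShell 3.0 or later on the AD FS 2.0 server or proxy, that the Admin channel is registered as "AD FS 2.0/Admin", and the placeholder host name sts.mydomain.com used in the thread.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ on the AD FS 2.0 proxy or
# federation server, and that the Admin channel is registered as "AD FS 2.0/Admin".
param(
    [string]$FederationHost = "sts.mydomain.com"   # placeholder name used in the thread
)

# Step 3 of the first reply: event ID 198 means the proxy service started and is online.
function Test-AdfsProxyStarted {
    param([string]$LogName = "AD FS 2.0/Admin")
    $evt = Get-WinEvent -LogName $LogName -ErrorAction SilentlyContinue |
           Where-Object { $_.Id -eq 198 } | Select-Object -First 1
    if ($evt) { "OK: event 198 at $($evt.TimeCreated) - proxy service reported online." }
    else      { "FAIL: no event 198 in '$LogName' - the proxy service never reported a start." }
}

# The internal check suggested later in the thread: the service description page should
# answer with HTTP 200. A 403 points at the IIS/SSL binding, a 404 at a mistyped path,
# a 503 at a stopped application pool or service; none of those involve UAG.
function Test-AdfsServiceEndpoint {
    param([string]$HostName)
    $url = "https://$HostName/adfs/fs/federationserverservice.asmx"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        "OK: $url -> HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
    } catch {
        "FAIL: $url -> $($_.Exception.Message)"
    }
}

# The certificate discussion: the certificate in the machine store must name the federation
# host (subject CN or SAN) and chain to a trusted CA. Self-signed certificates fail Verify().
function Test-AdfsCertificateName {
    param([string]$HostName)
    $found = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = ($_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
                ForEach-Object { $_.Format($false) }) -join ';'
        $_.Subject -like "*CN=$HostName*" -or $san -like "*$HostName*"
    }
    if (-not $found) { return "FAIL: no certificate in LocalMachine\My names $HostName." }
    foreach ($c in $found) {
        "Cert $($c.Thumbprint) expires $($c.NotAfter.ToShortDateString()); chain trusted: $($c.Verify())"
    }
}

Test-AdfsProxyStarted
Test-AdfsServiceEndpoint -HostName $FederationHost
Test-AdfsCertificateName -HostName $FederationHost
```

    Run it once on the federation server and once on the proxy; a "chain trusted: False" line on a server that passed the other two checks is the symptom the certificate replies in this thread describe.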
  • Hi Laith,

    How are things going? Has your problem been resolved?

    Best Regards,

    Reken Liu

  • Hi,

    I'm getting the following error when I try to access this from the internal network:

    https://sts,myservername.com/myservername/adfs/fs/federationserverservice.asmx

    Server Error in ‘/myapp’ Application.

    —————————————————-

    The resource cannot be found.

    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

    Requested URL: /myservername/adfs/fs/federationserverservice.asmx

  • There's a typo... the service endpoint for testing should read:

    sts.mydomain.com/.../federationserverservice.asmx

    Regards,

    Mylo

    Infrastructure / PKI / Access Management (Blog)

  • OK, that didn't come out as expected. As below, without the spaces :-)

    https:// sts.mydomain.com / adfs / fs / federationserverservice.asmx

    Regards,

    Mylo

    Infrastructure / PKI / Access Management (Blog)

  • Getting:

    Service Unavailable

    _________________________________________________________________

    HTTP Error 503. The service is unavailable.

  • Hello,

    Can you confirm the following:

    You have created an A record that points to your ADFS service.

    You have verified that the certificate created carries the same name as the A record you created in Active Directory?

    This URL is quite helpful when making sure you have completely deployed ADFS in your environment: technet.microsoft.com/.../dd807086%28WS.10%29.aspx

    Thanks,

    David Rummelhart MSFT Moderator
  • Yes, I have.

  • Hi Laith,

    If your ADFS server name is sts, please try to run the command "ping sts.yourdomain.com" in the internal environment. The issue might be caused by your local DNS settings.

    Best Regards,

    Reken Liu

  • Got a fine reply from the ADFS server, and nslookup worked as well...
