Hi All,
I have my ADFS 2.0 published via UAG 2010 SP1 and it seems to work fine.
When I access the portal.microsoftonline.com site and try to log in with a federated user, the portal site redirects me to my UAG form-based authentication site (and that's good). The problem is that when I log in, I get this error from ADFS:
https://sts.mydomainname.com/adfs/ls/?cbcxt=&vv=&username=laith%40mydomainname.com&mkt=&lc=1033&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1306928280%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fDefault.aspx%25253fwa%25253dwsignin1.0%26lc%3D1033%26id%3D271346%26bk%3D1306928281
I don't think the problem is UAG related. Any suggestions?
Hi Laith,
If your ADFS server name is sts, please try to run the command "ping sts.yourdomain.com" in the internal environment. The issue might be caused by your local DNS settings.
Best Regards,
Reken Liu
It seems that you are working in an external (not an on-premises AD member) computer environment. The issue with ADFS might be related to many factors, so would you please check it yourself according to the steps below first?
The ADFS Proxy Server needs a publicly trusted SSL certificate, and the federation server and federation server proxy must use the same certificate.
Verify that the federation server proxy is operational.
To verify that the federation server proxy is operational
a. Log on to the federation server proxy as an Administrator.
b. Click Start, point to Administrative Tools, and then click Event Viewer.
c. In the details pane, double-click Applications and Services Logs, double-click AD FS 2.0 Eventing, and then click Admin.
d. In the Event ID column, look for event ID 198. If the federation server proxy is configured properly, you will see a new event in the Application log of Event Viewer, with the event ID 198. This event verifies that the federation server proxy service was started successfully and now is online.
Additionally, there are resources for your reference:
Steps of ADFS Proxy Server configuration: http://onlinehelp.microsoft.com/en-us/Office365-enterprises/ff652539.aspx#bk_configureFSP
Publish ADFS 2.0 through Forefront UAG: http://technet.microsoft.com/en-us/library/hh237617.aspx
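The event-log check in the steps above can be scripted rather than clicked through in Event Viewer. The following is an added example, not code from the thread or from Microsoft's documentation. It assumes the AD FS 2.0 proxy role on Windows Server 2008 R2 with PowerShell 2.0, that the Admin channel is named "AD FS 2.0/Admin", and a 24-hour look-back window; it also prints the certificate hash IIS has bound on port 443 so it can be compared with the internal federation server's binding (the two must match):

```powershell
# Added example (not from the thread): on the federation server proxy, check for
# event ID 198 ("proxy started and is online") and surface recent errors, then
# show which certificate is bound to 443 so its thumbprint can be compared with
# the internal federation server. Run from an elevated PowerShell prompt.

$logName = 'AD FS 2.0/Admin'            # assumed channel name for the AD FS 2.0 Admin log
$since   = (Get-Date).AddHours(-24)     # assumed look-back window

# Event ID 198: the federation server proxy service started and reported itself online
$online = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 198; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if ($online) {
    $latest = $online | Sort-Object TimeCreated -Descending | Select-Object -First 1
    Write-Host ("Proxy last reported online at {0}" -f $latest.TimeCreated)
} else {
    Write-Warning "No event ID 198 in the last 24 hours: the proxy has not reported itself online."
}

# Anything logged at Critical (1) or Error (2) level in the same window
$errors = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 1, 2; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if ($errors) {
    $errors | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } -AutoSize
} else {
    Write-Host "No Critical/Error events in the AD FS 2.0 Admin log in the last 24 hours."
}

# Which certificate is bound on 443? Compare the hash with the internal federation server;
# the proxy and the federation server must present the same certificate.
netsh http show sslcert | Select-String -Pattern 'IP:port|Certificate Hash'
```

If event 198 is missing, the proxy never came online and nothing the UAG trunk does will help; start with the errors listed above that. If the bound hash differs between the proxy and the internal server, the trust to the federation server fails even though browsers on either side see a valid certificate.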
Ok Thanks for the response,
Now, when I uncheck the "Require SSL" setting on my adfs site in IIS 7, I get the same error on both sides, internal and external. The error is the following:
Error
sts.mydomain.com
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 602e514b-b067-42d0-82c4-46eac12f5fa4
As mentioned, the same error occurs on both network sides, "internal" and "external".
Actually, I wasn't aware that the ADFS certificates need to be publicly trusted. Are you sure 100% about that? (Please confirm.)
Hello Laith,
Since the federation service uses Security Assertion Markup Language (SAML) to exchange authentication and authorization data between on-premises ADFS and MFG, and SAML is an XML-based standard transported via HTTPS, it can't work without SSL.
You can use a self-signed certificate in a test lab environment. However, for a production environment, it is highly recommended to obtain a third-party certificate from a public CA, and this will prevent loss of functionality such as POP, IMAP, and ActiveSync authentication. Also, a public certificate is more secure than one obtained from an enterprise CA or a self-created one.
Additionally, a self-signed certificate would have to be added as a trusted root certificate on each client.
Thanks,
Yes, of course I'm aware of that.
But I'm still getting the error above, even with a public certificate...
I would like to double confirm that you don’t have a separate ADFS proxy server. Is it true?
Meanwhile, I would appreciate it if you could help verify that the ADFS issue only occurs from the external side. To test the ADFS service in the internal environment, you may access this address from the intranet:
https://<federation server's DNS host name>/adfs/fs/federationserverservice.asmx
The expected output is a display of XML with the service description document. If it works, please use step 3 of my first reply to verify that the federation server proxy is operational.
Please feel free to let me know any errors about certificates for further troubleshooting.
How are things going? Has your problem been resolved?
Hi,
I'm getting the following error when I try to access from the internal network:
https://sts,myservername.com/myservername/adfs/fs/federationserverservice.asmx
Server Error in ‘/myapp’ Application.
—————————————————-
The resource cannot be found.
Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.
Requested URL: /myservername/adfs/fs/federationserverservice.asmx
There's a typo...the service endpoint for testing should read:
sts.mydomain.com/.../federationserverservice.asmx
Regards,
Mylo
Mylo,
Infrastructure / PKI / Access Management (Blog)
OK.. that didn't come out as expected .. as below without the spaces :-)
https:// sts.mydomain.com / adfs / fs / federationserverservice.asmx
Getting:
Service Unavailable
_________________________________________________________________
HTTP Error 503. The service is unavailable.
Hello,
Can you confirm the following:
You have created an A record that points to your ADFS service?
Verified that the name on the certificate you created matches the A record you created in Active Directory?
This URL is quite helpful when making sure you have completely deployed ADFS in your environment: technet.microsoft.com/.../dd807086%28WS.10%29.aspx
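The three client-side checks raised in this thread (the A record for the service name, whether the certificate is issued to that same name, and whether https://sts.mydomain.com/adfs/fs/federationserverservice.asmx returns the XML service description) can be run together from any workstation on either side of the UAG. The script below is an added example, not code from the thread or from Microsoft; it assumes the service name sts.mydomain.com used in the thread and PowerShell 2.0 or later with .NET 3.5. It deliberately accepts any certificate at the TLS layer so it can inspect the one the server presents, and then checks the chain separately:

```powershell
# Added example (not from the thread): from a client, (1) resolve the federation
# service name, (2) pull the certificate served on 443 and compare its name and
# chain, (3) fetch the federation metadata endpoint and confirm it answers with XML.
# $fqdn is the service name from the thread; change it for your environment.

$fqdn = 'sts.mydomain.com'
$url  = "https://$fqdn/adfs/fs/federationserverservice.asmx"

# (1) DNS: the A record the thread asks about. On the intranet this should be the
#     internal federation server; on the internet it should be the UAG/proxy address.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} resolves to {1}" -f $fqdn, ($addrs -join ', '))
} catch {
    Write-Warning ("DNS lookup for {0} failed: {1}" -f $fqdn, $_.Exception.Message)
    return
}

# (2) TLS: open a raw TLS session and capture the server certificate. The callback
#     returns $true for every certificate so the handshake completes even when the
#     chain is untrusted; trust is evaluated explicitly below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($fqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

Write-Host ("Subject : {0}" -f $cert.Subject)
Write-Host ("Issuer  : {0}" -f $cert.Issuer)
Write-Host ("Expires : {0}" -f $cert.NotAfter)

# Name check: CN must match, or the name must appear in the Subject Alternative Name (OID 2.5.29.17)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($fqdn)) -and $san -notmatch [regex]::Escape($fqdn)) {
    Write-Warning ("Certificate is not issued to {0}: name mismatch against the A record." -f $fqdn)
}
# Chain check: a self-signed or private-CA certificate fails here unless its root is imported on this client
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain is not trusted on this client (self-signed or unknown CA)."
}

# (3) HTTP: the metadata endpoint should return HTTP 200 with an XML body
try {
    $body = (New-Object System.Net.WebClient).DownloadString($url)
    if ($body.TrimStart().StartsWith('<')) {
        Write-Host "Endpoint answered with XML (federation service description)."
    } else {
        Write-Warning "Endpoint answered, but the body is not XML."
    }
} catch [System.Net.WebException] {
    # 404 here means the path is wrong; 503 from IIS commonly means the application
    # pool serving /adfs is stopped or failing to start, which is a server-side check.
    Write-Warning ("Request to {0} failed: {1}" -f $url, $_.Exception.Message)
}
```

Run it once from the intranet and once from outside: if DNS, the certificate name and the endpoint all pass internally but fail externally, the problem is in the UAG trunk or the proxy; if the endpoint fails from both sides, as the 503 above does, the federation server itself is not serving the ADFS application.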
Yes, I have.
Got a fine reply from the ADFS server, and nslookup worked as well...