
ADFS 2.0 - UAG


Hi All,

I have my ADFS 2.0 published via UAG 2010 SP1 and it seems to work fine.


When I access the portal.microsoftonline.com site and try to log in with a federated user, the portal site redirects me to my UAG form-based authentication site (and that's good). The problem is that when I log in I get this error from ADFS:

https://sts.mydomainname.com/adfs/ls/?cbcxt=&vv=&username=laith%40mydomainname.com&mkt=&lc=1033&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=MEST%3D0%26LoginOptions%3D2%26wa%3Dwsignin1.0%26rpsnv%3D2%26ct%3D1306928280%26rver%3D6.1.6206.0%26wp%3DMCMBI%26wreply%3Dhttps:%252F%252Fportal.microsoftonline.com%252Flanding.aspx%253Ftarget%253D%25252fDefault.aspx%25253fwa%25253dwsignin1.0%26lc%3D1033%26id%3D271346%26bk%3D1306928281

403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied.


I don't think the problem is UAG related. Any suggestions?

Verified Answer
  • Hi Laith,

    If your ADFS server name is sts, please try to run the cmd "ping sts.yourdomain.com" in the internal environment. The issue might be specified by your local DNS settings.

    Best Regards,

    Reken Liu

  • OK, believe it or not :S I just disabled all authentication methods in IIS 7 (ADFS server), then set everything back to default, and guess what, now it's working :S :S

    For the adfs site: authentication -> Anonymous Authentication

    For the ls site: Anonymous Authentication + Windows authentication

    But I'm still having a problem via UAG SP1 (ADFS publishing). I think the problem is with the way I'm authenticating the users. Any good suggestions?
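The verified answer boils down to the IIS authentication configuration on the AD FS 2.0 server: Anonymous only on /adfs, Anonymous plus Windows on /adfs/ls. The following script is an added example, not code from this thread or from Microsoft, that audits a server against that baseline using the WebAdministration module; it assumes AD FS is installed under "Default Web Site" (the AD FS 2.0 default) and that the site name and application paths are adjusted if yours differ.

```powershell
# Added example: audit IIS authentication on an AD FS 2.0 server against the
# baseline described in the thread. Assumes the default site layout:
#   Default Web Site/adfs     -> Anonymous only
#   Default Web Site/adfs/ls  -> Anonymous + Windows
Import-Module WebAdministration

$siteName = 'Default Web Site'                   # assumption: AD FS 2.0 default
$authBase = '/system.webServer/security/authentication'

# Expected state per IIS application; $true = enabled, $false = disabled.
$baseline = @{
    'adfs'    = @{ anonymousAuthentication = $true; windowsAuthentication = $false }
    'adfs/ls' = @{ anonymousAuthentication = $true; windowsAuthentication = $true  }
}

function Get-AuthEnabled {
    param([string]$Location, [string]$Module)
    $prop = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter "$authBase/$Module" -Name enabled
    # The cmdlet returns a ConfigurationAttribute (with .Value) or, in some
    # versions, the bare boolean; handle both.
    if ($prop -is [bool]) { return $prop }
    return [bool]$prop.Value
}

$drift = @()
foreach ($app in $baseline.Keys) {
    $location = "$siteName/$app"
    foreach ($module in $baseline[$app].Keys) {
        $expected = $baseline[$app][$module]
        $actual   = Get-AuthEnabled -Location $location -Module $module
        $status   = if ($actual -eq $expected) { 'OK' } else { 'DRIFT' }
        "{0,-6} {1,-25} {2,-24} expected={3,-5} actual={4}" -f `
            $status, $location, $module, $expected, $actual
        if ($status -eq 'DRIFT') { $drift += "$location : $module" }
    }
}

if ($drift.Count -gt 0) {
    Write-Warning ('IIS authentication differs from the AD FS baseline on: ' + ($drift -join '; '))
    Write-Warning 'A mismatch here is consistent with the 403 from /adfs/ls described in the thread.'
    exit 1
}
"IIS authentication on '$siteName' matches the AD FS baseline."
```

Run it in an elevated PowerShell session on the AD FS server; a non-zero exit code flags drift so the check can be scheduled and alerted on.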

All Replies
  • Hi Laith,

    Please log in to MOP with your admin account and do the following steps to verify your SSO domain has been configured properly.

    1. Enter MOP, click Admin, and choose Management > Domains.
    2. In the domain list page, click the domain which has been configured in your ADFS server.
    3. You should be able to see this property page. Please verify the Domain Type has been changed to Single sign-on.

    If your domain hasn't been changed to Single sign-on, please use the information in the article below to convert it to a Single sign-on domain:

    http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx

    Thanks,

    Reken Liu


  • The domain is set to Single sign-on and I have done the steps in the above link from onlinehelp.microsoft.com.

  • Hi All,

    I got everything to work now through UAG 2010 SP1. I will post an article on my blog (http://thelaith.net) soon. Thank you very much for your time and help :)

  • Hi Laith,

    Can you run through how you've set up the UAG for AD FS?

    Regards,

    Mylo

  • Sorry, I mistakenly responded to an earlier post. Glad to see you've got it fixed.

  • Hi Laith,

    It's good to hear this. You did a great job! Also, thanks for sharing your experience in the forum.

    Best Regards,

    Reken Liu

  • Laith,

    I've blogged some UAG configuration scenarios here:

    http://blog.auth360.net

    Maybe these can help on any outstanding UAG points.

    Regards,

    Mylo