Re: ADFS June 2006 Step-by-step guide



Hi Joe,

I am sure I messed something up from my conversion of the guide. That is why
I was looking for Nick's non-Sharepoint sample.

I am trying to do it through the file system as this accurately represents
old non-.NET web apps we will need to protect.

When I run your sample code from my federated partner, the Windows Identity
is NT Authority. There is no Identity and no groups. When I call the same
page right from the resource web server, I get the Windows Identity of NT
Authority and the Identity of the logged-in person and their groups. So this
told me I was coming in anonymous. I checked my IIS settings and sure enough,
anon was on. So I turned it off and turned on Windows Authentication. Now it
will not allow me to log in at all from either the resource web server or
partner client.



"Joe Kaplan (MVP - ADSI)" wrote:

Give me a few hours and I'll stick it on my blog (www.joekaplan.net).

In your token app, how are you trying to restrict access? Are you using
some sort of .NET role-based mechanism like the UrlAuthorizationModule (i.e.
the <allow> and <deny> tags in web.config) or are you trying to use file
system ACLs or what?

In any event, the first step is knowing what groups are in your token and my
page can help with that, so hopefully it will give you the clue you need.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Noremac" <Noremac@xxxxxxxxxxxxxxxxx> wrote in message
news:40DDB753-C4AA-41FD-B1CC-70A390D686BF@xxxxxxxxxxxxxxxx
Hi Joe,

I think that would be very helpful. I have a simple web page too that spits
out the Windows Identity principal, so I'll take anything that I can get my
hands on to try and troubleshoot this.

I agree it was simple to set up the ADFS'd website. But I have something
wacky when anyone on the "account" domain can get to the site (without anyone
belonging to the "account" resource group).

Thanks,
Noremac

"Joe Kaplan (MVP - ADSI)" wrote:

Do you want my test page that I use? Actually creating the non-SharePoint
token-based app in IIS is pretty trivial. You just create a web site and
configure ADFS on it in the IIS MMC.

My test page just spits out the user name and groups of the authenticated
user. It isn't much to look at, but it is helpful for debugging, since
that's the stuff you need to know. I'll put it up on my blog or something
if you are interested.

Also, enabling logging for token-based apps is sometimes helpful. The
troubleshooting section of the operations section of the ADFS TechNet docs
explains all the registry flipping you have to do to turn it on.

The other important thing is whether you are accessing the token site from
an account partner or the resource partner's own account store and how you
are doing the token mapping (user-to-user or group-based using claims and
resource groups).

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Noremac" <Noremac@xxxxxxxxxxxxxxxxx> wrote in message
news:B1305559-AB09-493C-9C42-C4E08B48A80F@xxxxxxxxxxxxxxxx
Hi Nick,

I've been on holidays and I just got your post.

I would definitely like an existing sample on a non-portal token app.

I am hoping my issue relates to configuration that your instructions on the
Windows NT token-based app will help me find.

Thanks!

"Nick Pierson [MS]" wrote:

Noremac,

Susieber alerted me to your post. I'm the author of the ADFS Step-by-Step
Guide.

Unfortunately, this guide has never been tested at Microsoft using a VM
environment. At some point I would really like to try this myself and then
update the guide accordingly. I'm in the process of writing the deployment
guide so I'm not exactly sure when I will be able to get to this.

I can tell you that this step-by-step guide has been thoroughly tested using
4 computers, and that in this situation it does result in setting up a
successful ADFS test lab environment.

Since I have not personally set up the step-by-step guide using VMs, I would
recommend that you acquire 4 computers and then follow the step-by-step guide
from start to finish (the appendixes are not required to get a functional
demo working). Make sure to follow the IP addressing scheme and other naming
schemes to the letter. If you don't want to go through it again, I
understand.

Also, if you are interested in setting up a non-SharePoint app for your
Windows NT token-based application, let me know. I can send you some
instructions for setting up a very simple token-based application that has
been tested for use with our step-by-step guide.

Thanks,
Nick Pierson
Technical Writer - ADFS
Microsoft
http://blogs.technet.com/adfs_documentation/default.aspx

****This posting is provided "AS IS" with no warranties, and confers no
rights.****
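The diagnostic page discussed in this thread, reconstructed as an added example (this is not Joe Kaplan's test page or any Microsoft sample). It separates the two identities the first post conflates: the worker-process token that `WindowsIdentity.GetCurrent()` returns (which is why "NT Authority" shows up regardless of who is logged in) and the request principal that IIS or the ADFS Web Agent attaches to the request, which is the one that carries the user's name and the resource groups; it is assumed to be saved as a standalone .aspx in the token app's virtual directory.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Security.Principal" %>
<script runat="server">
    // Added diagnostic page (assumed file name: whoami.aspx). It prints the
    // identity the worker process runs as and the identity attached to the
    // request, so an anonymous request is visible as such instead of being
    // mistaken for the app-pool account.
    void Page_Load(object sender, EventArgs e)
    {
        Response.ContentType = "text/plain";

        // Thread/process token: under IIS this is the application pool
        // account (for example NT AUTHORITY\NETWORK SERVICE) unless the
        // request is being impersonated.
        Dump("Thread WindowsIdentity", WindowsIdentity.GetCurrent());

        // Request principal: set by IIS authentication or, for an ADFS
        // Windows NT token-based app, by the ADFS Web Agent after it has
        // validated the token from the federation server.
        IIdentity user = (User == null) ? null : User.Identity;
        if (user == null || !user.IsAuthenticated)
        {
            Response.Write("Request identity: <none> (request is anonymous)\r\n");
            return;
        }
        Response.Write("Request identity: " + user.Name
            + "  AuthenticationType=" + user.AuthenticationType + "\r\n");

        WindowsIdentity win = user as WindowsIdentity;
        if (win != null) Dump("Request WindowsIdentity", win);
    }

    // Writes the account name and every group SID in the token, resolved to
    // DOMAIN\Group where the resource forest can translate the SID.
    void Dump(string label, WindowsIdentity id)
    {
        Response.Write(label + ": " + id.Name
            + " (authenticated=" + id.IsAuthenticated + ")\r\n");
        if (id.Groups == null || id.Groups.Count == 0)
        {
            Response.Write("  no groups in token\r\n");
            return;
        }
        foreach (IdentityReference sid in id.Groups)
        {
            string name;
            try { name = sid.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = "<unresolved SID>"; }
            Response.Write("  " + sid.Value + "  " + name + "\r\n");
        }
    }
</script>
```

If the request block reports anonymous while the thread block still shows the app-pool account, the token was never attached to the request, which points at the IIS authentication or ADFS agent configuration rather than at group mapping.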





