Re: ADFS issues



I see. I would definitely suggest opening an official bug inquiry with MS.
I'm not actually using the FSP in my setup (using the FS directly on the
internet), so I haven't seen those issues. BTW, congrats on getting the FSP
working. That isn't that easy to do. :)

Regarding SSRS, it is going to be a while before all of the various
Microsoft web applications support ADFS. Many of them have still never
heard about it. If you can wait, that's fine, but if you need federation,
you might consider trying to move forward. I'm also not sure why Kerberos
delegation compromises your security. Delegation can be configured to be
quite secure. You would need to use constrained delegation with ADFS anyway
since it uses S4U for logon and S4U delegation requires using the
constrained delegation feature.

This is all up to you obviously, but I think you can make this work without
any serious compromises.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Francois Kreutz" <nospam> wrote in message
news:OdkXSQu4GHA.3404@xxxxxxxxxxxxxxxxxxxxxxx
Thanks for your input Joe, I'm feeling quite lonely on these ADFS issues
:)

Some more info on the UPN issue:
When I logon with User Name (DOMAIN\user) and an incorrect password the
federation proxy returns the following error:
There was an error processing your credentials:
1326 - Logon failure: unknown user name or bad password

When I logon with the UPN and an incorrect password the federation proxy
returns the following error:
There was an error processing your credentials:
1168 - Element not found

The code or the framework is not handling the error in the same way.

Regarding SSRS, I'm also quite sure we can get it to work by messing
around with Kerberos delegation. The problem is that this will be an
internet facing report server and I don't want to compromise its
security. So we'll just wait for MS to solve this problem (after all, ADFS
support for Sharepoint was introduced in WSS SP2).

Meanwhile ADFS stays in a drawer.

Regards,
--
Frank

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news: O4uTvon4GHA.292@xxxxxxxxxxxxxxxxxxxxxxx
I'm not sure why account lockout policy would not work the exact same way
with different user name syntaxes. I have to admit that I've never
tested that, but I am surprised. You might want to consider filing a bug
with MS if this is easy to reproduce. There might be something wrong in
there.

Regarding SSRS and ADFS, I'm not surprised that you have these issues.
The report server is pretty much designed to be accessed via IWA only,
with the report manager proxying calls to it programmatically. I think
you might be able to get this working exactly the way you want by
messing around with Kerberos delegation, but I have yet to play with
delegation in the context of ADFS. It is an interesting problem though
to be sure. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Francois Kreutz" <nospam> wrote in message
news:OOvoyBj4GHA.3964@xxxxxxxxxxxxxxxxxxxxxxx
Hi,

Any help, or even better, forwarding these issues to the product team
would be greatly appreciated.

We would like to use ADFS for Web single sign-on for our extranet users.

We have successfully set up the following test environment:
- One forest, one domain, 2003 forest functional level
- 4 domain controllers
- 1 Federation server
- 1 Federation server proxy
- multiple claims-aware and NT token-based applications

Everything works fine except the following two issues.


Issue 1: Account lockout policy is not applied when the UPN is used to
log on
When entering credentials on the clientlogon.aspx (Federation proxy),
both User Name (DOMAIN\username) and UPN (username@domain) can be used
to log on.

However, the account lockout policy (defined in Group Policy, domain
level) is correctly applied only when using User Name. When using the
UPN, the account is never locked out.

Note: account lockout policy is correctly applied if I remove the
Federation Proxy and use basic authentication for the application.


Issue 2: the Report Server of SQL Server Reporting Services 2005 does
not work
On a Reporting Services server, if we enable the ADFS Agent for the
Report Server:
- the client is not redirected to the ADFS proxy (the Report Server is
apparently ignoring the ADFS Agent)
- the browser displays the following error: The permissions granted to
user 'FMRS2\IUSR_RS' are insufficient for performing this operation.
(rsAccessDenied)

Note: the Report Manager works correctly if you enable the ADFS Agent on
it and leave integrated Windows authentication on the Report Server.

Regards,
--
Frank
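A check that goes with Issue 1 and with Joe's suggestion to reproduce it for a bug report: the script below is an added example, not code from anyone in this thread. It drives failed logons straight against Active Directory (bypassing the Federation Server Proxy), once with the DOMAIN\user syntax and once with the UPN, and reads badPwdCount and lockoutTime on the PDC emulator after each run. If both syntaxes lock the account here, the directory treats them alike and the difference observed through the proxy lies in the proxy's logon path. The domain names, the test account and the attempt count are placeholders (assumptions).

```powershell
# Added example (not from the thread): compare lockout behaviour for the two
# user name syntaxes directly against AD. All names/values are placeholders.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

$NetBiosDomain = 'CORP'                 # assumption
$DnsDomain     = 'corp.example'         # assumption
$Sam           = 'lockouttest'          # throwaway test account, assumption
$BadPassword   = 'definitely-wrong'     # must not be the account's real password
$Attempts      = 6                      # set above the domain lockout threshold, assumption

# Bad-password attempts are chained to the PDC emulator, so its badPwdCount is the
# authoritative one when several DCs (four in the thread's setup) may service logons.
$dctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DnsDomain)
$pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($dctx).PdcRoleOwner.Name

function Get-LockoutState {
    param([string]$SamAccountName)
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$pdc")
    $s.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'badPwdCount', 'lockoutTime'))
    $r = $s.FindOne()
    if (-not $r) { throw "Account $SamAccountName not found on $pdc" }
    $bad = 0; if ($r.Properties['badpwdcount'].Count) { $bad = [int]$r.Properties['badpwdcount'][0] }
    $lt  = 0; if ($r.Properties['lockouttime'].Count) { $lt  = [int64]$r.Properties['lockouttime'][0] }
    [pscustomobject]@{
        Dn          = [string]$r.Properties['distinguishedname'][0]
        BadPwdCount = $bad
        LockedOut   = ($lt -gt 0)      # lockoutTime is non-zero while the account is locked
    }
}

function Invoke-BadLogons {
    param([string]$UserName)   # 'CORP\lockouttest' or 'lockouttest@corp.example'
    $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Domain', $DnsDomain)
    for ($i = 0; $i -lt $Attempts; $i++) {
        # Always $false with a bad password; only the side effect on the counters matters.
        [void]$pc.ValidateCredentials($UserName, $BadPassword)
    }
    Start-Sleep -Seconds 5     # give the lockout a moment to register on the PDC
    Get-LockoutState -SamAccountName $Sam
}

foreach ($name in "$NetBiosDomain\$Sam", "$Sam@$DnsDomain") {
    $state = Invoke-BadLogons -UserName $name
    [pscustomobject]@{ Syntax = $name; BadPwdCount = $state.BadPwdCount; LockedOut = $state.LockedOut }

    # Clear the lock before trying the next syntax: writing 0 to lockoutTime unlocks the account.
    $u = [ADSI]"LDAP://$pdc/$($state.Dn)"
    $u.Put('lockoutTime', 0)
    $u.SetInfo()
}
```

Two caveats when reading the output: badPwdCount only falls back to zero after the domain's "reset account lockout counter after" window (or a successful logon), so either wait that long between the two runs or compare deltas rather than absolute values; and the script exercises AD directly, so a pass here does not clear the proxy, it only narrows the problem to it.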

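For the point Joe makes about delegation (constrained delegation is required anyway because the ADFS NT-token agent logs the user on with S4U), here is the configuration that statement implies, as an added example rather than anything from the thread or from Microsoft's guides. It registers, on the account of the machine running the ADFS web agent, permission to delegate only to the Report Server's HTTP SPNs and turns on protocol transition, which is what lets a ticket obtained through S4U2Self (rather than from the user's own TGT) be forwarded via S4U2Proxy. Host names, DNs and SPNs are placeholders (assumptions); delegation is set on whichever account actually runs the front-end process (the computer account for Network Service, otherwise the domain service account).

```powershell
# Added example (not from the thread): constrained delegation with protocol
# transition from an ADFS web agent host to a back-end SSRS Report Server.
# Every name below is a placeholder.
$DnsDomain  = 'corp.example'                               # assumption
$FrontEndDn = 'CN=WEB01,CN=Computers,DC=corp,DC=example'   # agent host account, assumption
$ReportHost = 'rs.corp.example'                            # Report Server box, assumption
$ReportSpns = [string[]]@("HTTP/$ReportHost", 'HTTP/rs')   # the only SPNs delegation is allowed to

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl bit for protocol transition

# 1. S4U2Proxy needs a target SPN that some account actually holds. Look it up
#    instead of assuming it was registered (setspn is the usual tool for that).
$s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DnsDomain")
$s.Filter = "(servicePrincipalName=$($ReportSpns[0]))"
[void]$s.PropertiesToLoad.Add('distinguishedName')
$holder = $s.FindOne()
if (-not $holder) { throw "No account holds SPN $($ReportSpns[0]); register it on the SSRS service account first." }
"Report Server SPN is held by: $($holder.Properties['distinguishedname'][0])"

# 2. Restrict the front end to exactly these SPNs (least privilege: no
#    unconstrained delegation, no SPNs beyond the report server).
$fe = [ADSI]"LDAP://$FrontEndDn"
$fe.PutEx(2, 'msDS-AllowedToDelegateTo', $ReportSpns)   # 2 = ADS_PROPERTY_UPDATE, replaces the list

# 3. Allow protocol transition so the S4U2Self service ticket the agent obtained
#    for the federated user is accepted for forwarding.
$uac = [int]$fe.Properties['userAccountControl'].Value
$fe.Put('userAccountControl', ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION))
$fe.SetInfo()

# 4. Read back what was written.
$fe.RefreshCache()
[pscustomobject]@{
    AllowedToDelegateTo = @($fe.Properties['msDS-AllowedToDelegateTo'])
    ProtocolTransition  = ((([int]$fe.Properties['userAccountControl'].Value) -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
}
```

The security argument in Joe's post rests on step 2: with msDS-AllowedToDelegateTo limited to the Report Server SPNs, a compromise of the internet-facing front end yields service tickets for that one back end and nothing else, which is a much smaller blast radius than unconstrained delegation would give.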


