Re: MOSS and ADFS (it works now. Thanks!)
- From: Monika <Monika@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Dec 2006 13:39:00 -0800
I have followed the steps outlined in your blog and have the following
questions:
First, I continue to receive Error: Access Denied in MOSS after I have
configured Central Admin/Policy for Web/Add Users. Is MOSS expecting user’s
credentials in a format that is different to what is provided in the
federation token?
Second, could you explain how you have configured MOSS site to accept ADFS
Claims? In an inbound scenario the users come from external data source and
their claim contains credentials that map to the MOSS Role. There really is
no UI that allows me to map that relationship. The section under “Central
Admin/Policy for Web/Add Users” only allows me to add users in the company’s
domain but not the external users. The only logical place that comes to mind
is the site’s People & Group section but the UI again is not designed for it.
Thanks in advance!
"Mike@OneNeck" wrote:
Eric,
You probably have it right. I had the same issue when I first tried to come
in via ADFS. It said access denied, but correctly listed the UPN I was
coming in with.
I found out that to allow access from auth sources other than NTLM you have
to go to central admin, select the web app, then select "Policy for Web
Application", click "Add Users" then select the zone you bound ADFS, type the
UPN of the account and grant full access. You should be able to get to the
site. Let me know.
"Eric" wrote:
Mike, can you send me your web.config for your central admin. I have not
gotten this to work yet. I think I have mucked something else up in my
infinite tinkering and I want to make sure I am placing these edits in the
correct places, as I do not have a section labeled Authentication in my
web.config file for central admin.
It appears that MOSS does not know what to do once it gets the auth token
back and returns me a 401 unauthorized error. My email address is
evader12@xxxxxxxxxxxx
Thanks,
Eric
"Mike@OneNeck" wrote:
Here's a slightly modified version that references both SSO Providers and
removes the color coding (hard to see in black and white ;-).
Note: This procedure assumes you have already installed the W2K3 R2 ADFS
Web agents on the server and applied W2K3 SP2 which installs the
SingleSignOnMembershipProvider2 provider. If you want to use the original
SingleSignOnMembershipProvider that ships with R2 go to
http://technet2.microsoft.com/Office/en-us/library/23b837d1-15d9-4621-aa0b-9ce3f1c7153e1033.mspx?mfr=true
and change the provider based on the examples there.
--------------
These came from an MS support person who has ADFS running with MOSS'07.
* Central Admin Page:
o Click application management -> authentication providers
o Click "Windows" for the selected web application.
o Select Web Single Sign On radio button.
o Enter "SingleSignOnMembershipProvider2" in the membership provider
section.
o Enter "SingleSignOnRoleProvider2" in the role provider section.
* Change the web.config file for the central admin site:
- register the membership provider and the role manager in the
web.config file for the central admin (so that the people picker on the
central admin pages can correctly resolve the users). Add the following entry
after the <authentication> section in the web.config file for the central
admin. (change fs-server to be your server name)
<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
NOTE: You may not need the "fs=https://fs-..." in the membership and role
sections when the <websso> section follows. The providers will use the
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs> setting from
<websso> (but I haven't tried it yet. You may want to try and confirm it)
- Add this section to the web.config file for the central admin after
the <PeoplePickerWildcards> node.
<add key="SingleSignOnMembershipProvider2" value="" />
* Change the web.config file for the wss site to include the following.
- Add this section to the <configSections> section
<sectionGroup name="system.web">
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>
- Add this section to the <httpModules> node
<add name="Identity Federation Services Application Authentication Module"
type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35, Custom=null" />
- Add this section after the <authentication mode>, change "fs-server" to
your server name. Change "your_application" to be your application URL
<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>
<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>
<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://your_application</returnurl>
  </urls>
  <cookies Persistent="True">
    <path>/</path>
  </cookies>
  <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
  <!-- usettp / -->
  <isSharePoint />
</websso>
- Add this section to the <PeoplePickerWildcards> node.
<add key="SingleSignOnMembershipProvider2" value="" />
* Modify the machine.config file (in the ASP.NET v2.0 folder). Add the
section between the ------ lines. The top and bottom parts are already in
the file.
<sectionGroup name="system.web"
type="System.Web.Configuration.SystemWebSectionGroup, System.Web,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
----------
<section name="websso"
type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
System.Web.Security.SingleSignOn, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
----------
</sectionGroup>
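Added example, not from this thread or from Microsoft: a small Python check for the ADFS web-agent entries the thread adds to a MOSS site web.config. It flags the mismatches that show up as "Access Denied" or a 401 in practice: a defaultProvider that names a provider not registered in the same section (the kind of typo "SingleSignOnRoleProvide2" would be), a federation server URL that is not https, a missing <websso> section, and a membership provider that is not keyed under <PeoplePickerWildcards>. The sample web.config is constructed and trimmed to the elements the thread discusses, and the location of <PeoplePickerWildcards> inside the file is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed web.config in the shape the thread describes (not a real file).
SAMPLE_WEBCONFIG = """<configuration>
  <SharePoint><PeoplePickerWildcards>
    <add key="SingleSignOnMembershipProvider2" value="" />
  </PeoplePickerWildcards></SharePoint>
  <system.web>
    <membership defaultProvider="SingleSignOnMembershipProvider2"><providers>
      <add name="SingleSignOnMembershipProvider2" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
    </providers></membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2"><providers>
      <add name="SingleSignOnRoleProvider2" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
    </providers></roleManager>
    <websso><fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs><isSharePoint /></websso>
  </system.web>
</configuration>"""

def check_adfs_webconfig(xml_text):
    """Return the problems found in a content-site web.config (empty list = all checks pass)."""
    root = ET.fromstring(xml_text)
    problems, defaults = [], {}
    for section in ("membership", "roleManager"):
        node = root.find(".//" + section)
        if node is None:
            problems.append("missing <%s> section" % section)
            continue
        # defaultProvider must name a provider registered here (a typo like SingleSignOnRoleProvide2 breaks roles)
        names = {a.get("name") for a in node.findall("./providers/add")}
        defaults[section] = node.get("defaultProvider")
        if defaults[section] not in names:
            problems.append("<%s> defaultProvider %r is not registered" % (section, defaults[section]))
        # The federation server endpoint must be reached over TLS.
        for add in node.findall("./providers/add"):
            if not (add.get("fs") or "").startswith("https://"):
                problems.append("provider %r fs URL is not https" % add.get("name"))
    websso = root.find(".//websso")
    if websso is None:
        problems.append("missing <websso> section")
    elif not websso.findtext("fs", "").startswith("https://"):
        problems.append("<websso><fs> is missing or not https")
    elif websso.find("isSharePoint") is None:
        problems.append("<websso> lacks <isSharePoint />")
    # The people picker only resolves users for providers keyed under <PeoplePickerWildcards> (location assumed)
    keys = {a.get("key") for w in root.iter("PeoplePickerWildcards") for a in w.findall("add")}
    if defaults.get("membership") not in keys:
        problems.append("membership provider is not keyed under <PeoplePickerWildcards>")
    return problems
```

Run it against the site web.config (not the central admin one, whose roleManager keeps the built-in Windows token provider as default) after applying the edits above.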