Re: ADFS Proxy Error



Thx Joe, I have it working now. Everything was set up right, I just needed to
reinstall in .Net Framework. Now it works like a charm.

"Joe Kaplan" wrote:

Answering the second question first, it is the app that is responsible for
redirecting the client to the logon site. You don't have to do some sort of
"click-through". The flow looks like:

app -> resource FS (home realm discovery if needed) -> account FS ->
resource FS -> app

The redirect from the account FS to the resource FS is a POST redirect of
the SAML token (done with a little javascript trickery), as is the redirect
from the resource FS back to the app. The second POST redirect is basically
where the resource FS gets a chance to change the claims in the token and
issues a new token from it. This makes it such that the app only has to
trust its resource FS and doesn't have to trust anyone else. It is the
resource FS only that is responsible for trusting all of its account
partners.

On to the error...

Unfortunately, I don't know quite what the problem is. On the FS-P, the
clientlogon.aspx is different from the FS in that it shows the forms-based
logon page. If that page is the name of the page designated in the FS as
the logon page, then that will get displayed when a sign on is requested
(unless ADFS basic auth must be used instead, but that's a picky detail
here).

I'd generally hope that the error would at least have a stack trace in it
that would provide more details or you'd see a more interesting error page.

Make sure you have your ADFS file-based logging enabled and cranked all the
way up and then check to see if you get any interesting details in the log
file. Oftentimes, the important stuff that actually tells you how to
resolve an error.

I've never actually used the FS-P yet (I did steal the clientlogon.aspx to
use on the FS to enable ADAM logon), so I'm not real deep on it, but I have
debugged a myriad of other ADFS issues and am hopeful we can figure this one
out too. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Eric" <Eric@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0DEF92C5-9D08-4D78-A278-A9FCF5AC40BC@xxxxxxxxxxxxxxxx
I am trying to bring a proxy server into my ADFS test environment. I don't
really have a dmz but I am trying to create one using host records to
simulate the DNS entries required.

On my test client I have a host file entry to redirect any requests to my
FS to my FS-Proxy. That seems to be working correctly from the log files I
have looked at on my proxy.

My FS-Proxy is picking up the actual ip, from its DNS server, to the FS for
which it is proxying when I use a ping test.

The error I am getting is an ASP.Net Event ID 1309 occurring on the
FS-proxy. Below is the error that is shown in the event viewer.

Event code: 3005
Event message: An unhandled exception has occurred.
Exception information:
Exception type: HttpUnhandledException
Exception message: Exception of type
'System.Web.HttpUnhandledException'
was thrown.
Request information:
Request URL: https://ridev-adfs01.test.dev/adfs/ls/clientlogon.aspx
Request path: /adfs/ls/clientlogon.aspx
User host address: xxx.xxx.xxx.104
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

The error is pretty vague. Is there something I missed in IIS? The certs I
believe are correct as I am using the same cert on both my FS and my
FS-Proxy as mentioned in other discussions. Any assistance will be
appreciated.

An additional question is when I have outside clients trying to access
Federated Web sites and Apps directly, will the web agents automatically
redirect the authentication requests through proxy or will all outside
clients have to first enter the url of the FS-proxy to authenticate before
trying to access any of the apps or sites protected by federated services?
I am trying to get a good picture of the information flow for a proxy
configuration as opposed to one without.

Thanks,
Eric
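
The trust chain from Joe Kaplan's reply above (account FS -> resource FS -> app, with the resource FS reissuing the token), modeled as an added example that is not part of the original thread and is not ADFS code. The issuer names, keys and claim names are constructed, and HMAC stands in for the XML signatures that real SAML tokens carry.

```python
import hashlib
import hmac
import json

# Constructed demo keys; HMAC is a stand-in for SAML XML signatures.
ACCOUNT_FS_KEY = b"constructed-account-fs-key"
RESOURCE_FS_KEY = b"constructed-resource-fs-key"

def issue(issuer, key, claims):
    """Serialize the claims and sign them as the given issuer."""
    body = json.dumps({"issuer": issuer, "claims": claims}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify(token, trusted):
    """Return the claims if an issuer in `trusted` signed the token."""
    data = json.loads(token["body"])
    key = trusted.get(data["issuer"])
    if key is None:
        raise PermissionError("untrusted issuer: " + data["issuer"])
    expected = hmac.new(key, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("bad signature")
    return data["claims"]

def resource_fs(account_token):
    """Validate the account partner's token, map its claims, reissue."""
    claims = verify(account_token, {"account-fs": ACCOUNT_FS_KEY})
    mapped = {"user": claims["upn"],
              "roles": ["purchaser"] if "Buyers" in claims["groups"] else []}
    return issue("resource-fs", RESOURCE_FS_KEY, mapped)

def app(token):
    """The app's trust list has exactly one entry: its resource FS."""
    return verify(token, {"resource-fs": RESOURCE_FS_KEY})

def demo():
    account_token = issue("account-fs", ACCOUNT_FS_KEY,
                          {"upn": "alice@account.example", "groups": ["Buyers"]})
    accepted = app(resource_fs(account_token))
    try:
        app(account_token)  # token that skipped the resource FS hop
        direct = "accepted"
    except PermissionError as exc:
        direct = str(exc)
    return accepted, direct
```

`demo()` returns the mapped claims the app accepts, plus the rejection the app produces when handed the account FS token directly.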


