Re: ADFS



I think I see your problem. You are missing a trailing slash "/" somewhere
in one of your configurations. Wherever you have configured your logon
server directory, it should look like

https://<hostname>/adfs/ls/

if you have

https://<hostname>/adfs/ls

(note the missing "/" at the end of the URL), that will cause the problem
you are seeing to happen, as the redirect to the federation server will end
up one level too high in the directory structure. My guess is that you have
this defined incorrectly in the account partner configuration in the
resource partner policy (treyresearch), so you should be able to change it
from the GUI there. It may also be the case that you have it wrong in the
IIS configuration for the resource application, but it sounds like the trust
policy in this case.

I appreciate the offer to upload your VMs, but I'd really like to avoid
doing that if at all possible. :)

Also remember that your app must use https, not http, so make sure you have
the resource application properly configured in IIS for SSL. Sometimes it
is helpful to configure the app with a simple test page like a "default.htm"
that just says "hello world!" or something and configure it initially so that
you aren't using ADFS, so that you can ensure that everything is working fine
at the IIS level first.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:uouyXfWbHHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
Joe,
I added the file I downloaded from your web site, default.aspx, to a new
folder, and changed the Sharepoint - 80 virtual directory in IIS to point
to the file.
From the adfsclient computer, I go to https://adfsweb
I choose my realm, A. Datum
submit
I still get the same error.
server error in /adfs application
the resource cannot be found
description: http 404
requested url: /adfs/clientlogon.aspx

The 4 computers are all running in MS virtual machine, I could put the
.vhd files somewhere for you to look at? It's about 11.2 gig.


thanks
John


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23$ExE9$aHHA.208@xxxxxxxxxxxxxxxxxxxxxxx
One of my problems with the step by step guide is that it doesn't really
"teach you how to fish". It is kind of a cookbook, but it is often hard
to apply the concepts they demonstrate to other areas. MS is aware of
this issue and is trying to figure out how to address it. One thing you
might consider doing is just skipping over to the ADFS Deployment Guide
document. It is more general.

What I'd suggest you do now is just create another website in IIS and
configure it as a token app by configuring the ADFS agent in IIS manager.
If you get a very simple web form that dumps out the Windows security
context of the authenticated user such as the one I describe in this blog
post:

http://www.joekaplan.net/DiscoveringTheUsersNameAndGroupsInTheirWindowsToken.aspx

then you can easily see what the agent is actually doing. Once you get
that to behave in a predictable way, you can try to move over to
sharepoint.

To set up the web site, you just need a site in IIS with an appropriate
IP address, port, SSL certificate and DNS entry (or a host file entry;
however you are making the names resolve). Configure it to use .NET 2.0
if you want to use my test page and configure it to use ADFS. In your
ADFS resource server, add an existing trusting application and configure
the URL of the app to match the URL you will use.

You can also do this for claims-based applications. I usually start with
those as they don't take any dependencies on Windows security and allow
you to see which claims are flowing across the federation trust into your
app.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:e7nbpg$aHHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
how can I remove sharepoint from the mix then?

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23LO%23gN$aHHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
I don't actually see the error in the logs like I would expect to
(something in the server that generated the log should say ERROR in big
letters), but I think I may know what the problem is.

It looks like your trusting application is trying to use a NetBIOS
style name, https://adfsweb/, when ADFS thinks the URL is
https://adfsweb.treyresearch.net. You can't have this. The URLs must
match up for the trust policy to think the app is one of its own apps
and for the cookies to actually get replayed properly.

I think you might be having a problem with SharePoint itself, as I seem
to remember that there is something in SharePoint that may be doing
this by default. You might want to poke around in central admin to see
if you can figure it out. Unfortunately, I know very little about it
or I'd just tell you what to fix.

The other thing I generally recommend is starting off with plain claims
and token apps and moving to SharePoint after you have already
confirmed that the basic stuff works. SharePoint adds a lot of layers
and makes things hard to troubleshoot, especially if you don't know for
sure that all of your other components are working first.

I hope that helps!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
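Two of the configuration rules in this thread (the trailing slash on the https://<hostname>/adfs/ls/ endpoint from the top post, and the trusting-application URL having to match the URL the browser actually uses, https://adfsweb/ versus https://adfsweb.treyresearch.net, from the bottom post) follow from ordinary URL and cookie rules and can be checked outside ADFS. The Python below is an added example written for this page; it is not code from the posts, from Joe Kaplan's site or from Microsoft's ADFS. The host adfsresource.treyresearch.net is an assumed placeholder for the resource Federation Service, and the request URLs are constructed.

```python
"""URL hygiene checks for an ADFS 1.x federation trust.

Added example for this thread, not code from the posts or from ADFS itself.
Hostnames other than adfsweb / adfsweb.treyresearch.net are assumed placeholders.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def resolve_relative(base_url, relative_ref):
    """Resolve a relative reference against a base URL the way a browser does
    (RFC 3986 section 5.2): the last path segment of the base is dropped unless
    the base path ends in '/'. This is why 'https://host/adfs/ls' sends the
    browser to /adfs/clientlogon.aspx instead of /adfs/ls/clientlogon.aspx."""
    return urljoin(base_url, relative_ref)


def check_logon_server_url(url):
    """Return the problems found in a configured Federation Service endpoint URL
    (the 'logon server' URL, expected to look like https://<hostname>/adfs/ls/).
    An empty list means the URL passes."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme must be https, not %r" % parts.scheme)
    if not parts.hostname:
        problems.append("missing hostname")
    if not parts.path.endswith("/"):
        problems.append("path must end with '/' so relative redirects stay under it")
    if parts.query or parts.fragment:
        problems.append("endpoint URL must not carry a query string or fragment")
    return problems


def normalize(url):
    """Canonical (scheme, host, port, path) for comparing URLs. The host is
    lower-cased but never expanded: a NetBIOS-style 'adfsweb' stays a different
    host from 'adfsweb.treyresearch.net', exactly as the trust policy sees it."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower().rstrip(".")
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    path = p.path or "/"
    return scheme, host, port, path


def app_url_matches(configured_app_url, request_url):
    """True when a request URL is the configured trusting-application URL or
    lies beneath it. Scheme, host and port must agree exactly; the request
    path must be the configured path or a descendant of it."""
    c_scheme, c_host, c_port, c_path = normalize(configured_app_url)
    r_scheme, r_host, r_port, r_path = normalize(request_url)
    if (c_scheme, c_host, c_port) != (r_scheme, r_host, r_port):
        return False
    prefix = c_path if c_path.endswith("/") else c_path + "/"
    return r_path == prefix.rstrip("/") or r_path.startswith(prefix)


def cookie_sent_to(cookie_domain, host_only, request_host):
    """RFC 6265 domain matching. A host-only cookie (no Domain attribute) is
    returned only to the exact host that set it; a Domain= cookie also goes to
    subdomains. A cookie written under 'adfsweb' is therefore never replayed to
    'adfsweb.treyresearch.net', which is the second half of the URL-mismatch
    problem described in the thread."""
    cd = cookie_domain.lower().rstrip(".")
    rh = request_host.lower().rstrip(".")
    if host_only:
        return rh == cd
    return rh == cd or rh.endswith("." + cd)


if __name__ == "__main__":
    # Constructed values: the resource Federation Service host is assumed.
    fs = "https://adfsresource.treyresearch.net/adfs/ls"
    for base in (fs, fs + "/"):
        print("%-50s -> %s" % (base, resolve_relative(base, "clientlogon.aspx")))
        print("   problems:", check_logon_server_url(base) or "none")
    app = "https://adfsweb/"
    req = "https://adfsweb.treyresearch.net/default.aspx"
    print("app %s accepts %s: %s" % (app, req, app_url_matches(app, req)))
    print("cookie for 'adfsweb' replayed to 'adfsweb.treyresearch.net':",
          cookie_sent_to("adfsweb", True, "adfsweb.treyresearch.net"))
```

Running the script reproduces the 404 from the thread: the slash-less base resolves clientlogon.aspx to /adfs/clientlogon.aspx, while the correct base keeps it under /adfs/ls/. The same two functions can be pointed at every URL in the trust policy and the IIS web agent configuration before touching SharePoint.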