Re: ADFS

Thanks,
you were right about the slash; it was missing on the resource side.
Something is still not correct: after I choose my realm now, it wants me to
log in again. I put my login info in and it errors out again.
server error in /adfs application..
runtime error

I can get the logs together Monday if needed.

thanks
John
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uwqQOsWbHHA.208@xxxxxxxxxxxxxxxxxxxxxxx
I think I see your problem. You are missing a trailing slash "/" somewhere
in one of your configurations. Wherever you have configured your logon
server directory, it should look like

https://<hostname>/adfs/ls/

if you have

https://<hostname>/adfs/ls

(note the missing "/" at the end of the URL), that will cause the problem
you are seeing to happen, as the redirect to the federation server will
end up one level too high in the directory structure. My guess is that
you have this defined incorrectly in the account partner configuration in
the resource partner policy (treyresearch), so you should be able to
change it from the GUI there. It may also be the case that you have it
wrong in the IIS configuration for the resource application, but it sounds
like the trust policy in this case.

I appreciate the offer to upload your VMs, but I'd really like to avoid
doing that if at all possible. :)

Also remember that your app must use https, not http, so make sure you
have the resource application properly configured in IIS for SSL.
Sometimes it is helpful to configure the app with a simple test page like
a "default.htm" that just says "hello world!" or something and configure it
initially so that you aren't using ADFS so that you can ensure that
everything is working fine at the IIS level first.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:uouyXfWbHHA.4716@xxxxxxxxxxxxxxxxxxxxxxx
Joe,
I added the file I downloaded from your web site, default.aspx, to a new
folder, and changed the SharePoint - 80 virtual directory in IIS to point
to the file.
From the adfsclient computer, I go to https://adfsweb
I choose my realm, A. Datum, and submit.
I still get the same error.
server error in /adfs application
the resource cannot be found
description " http 404
requested url : /adfs/clientlogon.aspx

The 4 computers are all running in MS virtual machine, I could put the
.vhd files somewhere for you to look at? It's about 11.2 gig.


thanks
John


"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23$ExE9$aHHA.208@xxxxxxxxxxxxxxxxxxxxxxx
One of my problems with the step by step guide is that it doesn't really
"teach you how to fish". It is kind of a cookbook, but it is often hard
to apply the concepts they demonstrate to other areas. MS is aware
of this issue and is trying to figure out how to address it. One thing
you might consider doing is just skipping over to the ADFS Deployment
Guide document. It is more general.

What I'd suggest you do now is just create another website in IIS and
configure it as a token app by configuring the ADFS agent in IIS
manager. If you get a very simple web form that dumps out the Windows
security context of the authenticated user such as the one I describe in
this blog post:

http://www.joekaplan.net/DiscoveringTheUsersNameAndGroupsInTheirWindowsToken.aspx

Then you can easily see what the agent is actually doing. Once you get
that to behave in a predictable way, you can try to move over to
sharepoint.

To set up the web site, you just need a site in IIS with an appropriate
IP address, port, SSL certificate and DNS entry (or a host file entry;
however you are making the names resolve). Configure it to use .NET 2.0
if you want to use my test page and configure it to use ADFS. In your
ADFS resource server, add an existing trusting application and configure
the URL of the app to match the URL you will use.

You can also do this for claims-based applications. I usually start
with those as they don't take any dependencies on Windows security and
allow you to see which claims are flowing across the federation trust
into your app.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"John M" <sdkfj@xxxxxxxxxxxxx> wrote in message
news:e7nbpg$aHHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
how can I remove sharepoint from the mix then?

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%23LO%23gN$aHHA.4140@xxxxxxxxxxxxxxxxxxxxxxx
I don't actually see the error in the logs like I would expect to
(something in the server that generated the log should say ERROR in big
letters), but I think I may know what the problem is.

It looks like your trusting application is trying to use a NetBIOS
style name, https://adfsweb/, when ADFS thinks the URL is
https://adfsweb.treyresearch.net. You can't have this. The URLs must
match up for the trust policy to think the app is one of its own apps
and for the cookies to actually get replayed properly.

I think you might be having a problem with SharePoint itself, as I
seem to remember that there is something in SharePoint that may be
doing this by default. You might want to poke around in central admin
to see if you can figure it out. Unfortunately, I know very little
about it or I'd just tell you what to fix.

The other thing I generally recommend is starting off with plain
claims and token apps and moving to SharePoint after you have already
confirmed that the basic stuff works. SharePoint adds a lot of layers
and makes things hard to troubleshoot, especially if you don't know
for sure that all of your other components are working first.

I hope that helps!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
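As an added example (not from the thread, and not a Microsoft tool), a small Python check that encodes the three URL rules Joe gives above: the logon server URL must use https and end in a trailing slash, the application URLs must use https, and the application URL in the trust policy must carry the same full DNS name the browser uses rather than a NetBIOS short name. All host names in the sample calls are constructed.

```python
"""Sanity-check the URLs in an ADFS 1.x trust policy for the mistakes discussed
in the thread above.  Constructed example, not part of the newsgroup thread or of
any Microsoft product.
"""
from urllib.parse import urlsplit


def check_logon_server_url(url):
    """Return a list of problems with the federation server logon URL.

    The value should look like https://<hostname>/adfs/ls/ (trailing slash).
    """
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("logon server URL must use https")
    if not parts.path.endswith("/"):
        # Without the trailing slash the redirect lands one directory level
        # too high on the federation server and the client sees a 404.
        problems.append("logon server URL is missing its trailing slash")
    return problems


def check_application_urls(trust_policy_url, browser_url):
    """Compare the app URL in the trust policy with the URL the browser uses.

    ADFS only recognises the app, and only replays its cookies, when both
    sides name the host identically, so a NetBIOS-style short name on one side
    and an FQDN on the other breaks the sign-on.
    """
    tp, br = urlsplit(trust_policy_url), urlsplit(browser_url)
    problems = []
    for label, parts in (("trust policy", tp), ("browser", br)):
        host = parts.hostname or ""
        if parts.scheme != "https":
            problems.append(f"{label} URL must use https")
        if "." not in host:
            problems.append(f"{label} URL uses a short (NetBIOS) host name")
    if (tp.hostname or "").lower() != (br.hostname or "").lower():
        problems.append("host names differ between trust policy and browser URL")
    return problems


if __name__ == "__main__":
    # Constructed values mirroring the two mistakes described in the thread.
    print(check_logon_server_url("https://fs.adatum.example/adfs/ls"))
    print(check_application_urls("https://adfsweb/", "https://adfsweb.treyresearch.net/"))
```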