Re: ADAM account store in ADFS
- From: Anindya_TCS <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 28 Jun 2007 11:56:06 -0700
Hello Joe,
Can you please provide some link for configuration of web SSO in a firewalled
environment for a Windows NT token-based application?
We have followed the ADFS step-by-step guide for federated web SSO, but in
production we need to configure web SSO with a Windows NT token-based app.
Could you please provide us a good link?
"Joe Kaplan" wrote:
FSP = Federation Service Proxy. It is able to authenticate ADAM users
because it presents the forms-based login.
If you want the forms-based login page on the FS itself, you can replace the
clientlogon.aspx in the /adfs/ls/ directory on the FS with the one from the
FSP in the same location. Note that this is not a recommended or supported
change. I just know that this works. :)
To add the app pool identity to the readers role in ADAM, you need the
federation server's machine account's SID. Or, you could just add the
"authenticated users" SID to the readers role. That's what I usually do.
With ADAM ADSI Edit, add a Windows group to the readers role in the
partition you have created and select "authenticated users".
If that doesn't work, then post some of your federation server log file with
the logging set with everything "on" and we'll see if we can fix it.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D59B919C-B735-479D-A586-C10A15B74EAA@xxxxxxxxxxxxxxxx
Hi Joe,
Thanks for the great help.
But still, I have some confusion.
1) How to customize the FS with the clientlogon.aspx page from the FSP?
2) Or how to configure the FSP?
If FSP is the Federation Proxy, I have already configured it in my perimeter DNS
to resolve the Federation server name and the Web server name.
3) How to add the ADFS app pool account to the readers role in ADAM?
I have followed the article from Microsoft TechNet:
http://technet2.microsoft.com/windowsserver/en/library/8463deb5-f96e-43d5-ad85-231ec7d94b551033.mspx?mfr=true
After that I have checked whether ADAM is working or not with the article below:
http://technet2.microsoft.com/windowsserver/en/library/8463deb5-f96e-43d5-ad85-231ec7d94b551033.mspx?mfr=true
It can make LDAP queries.
"Joe Kaplan" wrote:
It is a bit tricky to get working, but it can be made to happen. Here are
some high level things to keep in mind:
The FS does not have a forms-based login page out of the box, only the FSP
does. The FS uses Windows auth (integrated auth in IIS) by default, so that
won't work with ADAM. As such, you need to either customize the FS with the
clientlogon.aspx page from the FSP or just configure the FSP as well.
You need to make sure the ADFS app pool identity (usually network service)
has read access to the entire ADAM store. This can be done by adding the
ADFS app pool account to the readers role in ADAM.
You need to make sure your ADAM users are "bindable". This means that they
have valid unique user names, passwords set and have
msds-useraccountdisabled set to FALSE. You may also wish to be careful
about the use of msds-userDontExpirePassword.
You need a good user name strategy for ADAM. I generally like to use
userPrincipalName as the logon name since it can be used for an LDAP bind.
This would then be the user name that users type in the logon form. You
would configure the ADAM account store to use that name as the user name for
query purposes. Be warned though that ADFS likes the UPN to use the AD
format, meaning that it should have an @ symbol in it like an email address.
ADFS also wants you to use a specific narrow range of UPN suffixes if you
will use that as the identity claim.
It is also a good idea to configure ADAM to use SSL so the bind
authentication will be secure. ADFS accepts that.
It isn't nearly as easy to get ADAM running as an account store as it is to
get AD, but it is definitely doable. I've done it several times already.
Best of luck!
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <Anindya_TCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B162D5CD-2496-4D32-A213-F51219BEE772@xxxxxxxxxxxxxxxx
Hi,
I am new to ADFS. I have configured ADFS for single sign-on for a SharePoint
portal claims-aware application with 2 Active Directory forests. One Active
Directory forest is for external users and the other for internal users. I have
configured a federation trust and an Active Directory account store to configure
the same.
Up to this point the configuration is working fine and single sign-on is
happening.
But while I am trying to configure the same by removing the external Active
Directory and placing ADAM instead of it, I am facing a problem.
My belief is that I am not configuring the ADAM account store properly to work
with ADFS.
Please guide how to configure the ADAM account store in ADFS.
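Joe's "bindable" checklist above (unique user names, a password set, msds-useraccountdisabled FALSE, a UPN in AD format with an @ suffix ADFS accepts, and SSL for the bind) can be audited before touching the ADFS configuration. The following PowerShell script is an added example for this thread, not code posted by Joe or Anindya and not part of ADFS or ADAM. It uses the .NET System.DirectoryServices.Protocols classes to read every user in an ADAM partition, flags the ones that fail the checklist, warns about duplicate UPNs, and finishes with a real simple bind over LDAPS using a UPN, which is the operation the forms-based logon performs. The server name, port 636, partition DN and UPN suffix are assumed placeholders; using pwdLastSet as the "password has been set" indicator is also an assumption, since the thread names no attribute for that.

```powershell
# Added example (not from the thread): audit an ADAM partition for users that
# ADFS can actually bind as, then prove one bind over LDAPS.
# The server, port, partition DN and UPN suffix below are assumed placeholders.
param(
    [string]$Server    = 'adam01.corp.example',                 # assumed ADAM host
    [int]   $Port      = 636,                                   # LDAPS; 389 would send passwords in clear
    [string]$Partition = 'OU=ExternalUsers,DC=example,DC=com',  # assumed application partition
    [string]$UpnSuffix = 'example.com'                          # suffix ADFS is configured to accept
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Read-only audit connection. It runs as the caller, which is a convenient way to
# confirm that the identity you intend to put in the Readers role can see everything.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion  = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()

$filter = '(objectClass=user)'
$attrs  = @('userPrincipalName', 'msDS-UserAccountDisabled', 'msDS-UserDontExpirePassword', 'pwdLastSet')
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($Partition, $filter, 'Subtree', $attrs)
$resp   = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

# Evaluate each user against the "bindable" conditions from the thread.
$report = foreach ($entry in $resp.Entries) {
    $a = $entry.Attributes
    $upn      = if ($a['userPrincipalName']) { $a['userPrincipalName'][0] } else { $null }
    $disabled = if ($a['msDS-UserAccountDisabled']) { [bool]::Parse($a['msDS-UserAccountDisabled'][0]) } else { $false }
    # Assumption: a non-zero pwdLastSet means a password has been set on the account.
    $pwdSet   = $a['pwdLastSet'] -and ([int64]$a['pwdLastSet'][0] -ne 0)

    $problems = @()
    if (-not $upn)                        { $problems += 'no userPrincipalName' }
    elseif ($upn -notlike "*@$UpnSuffix") { $problems += "UPN suffix is not $UpnSuffix" }
    if ($disabled)                        { $problems += 'msDS-UserAccountDisabled=TRUE' }
    if (-not $pwdSet)                     { $problems += 'no password set' }

    [pscustomobject]@{
        DistinguishedName = $entry.DistinguishedName
        UPN               = $upn
        Bindable          = ($problems.Count -eq 0)
        Problems          = ($problems -join '; ')
    }
}
$report | Format-Table -AutoSize

# Duplicate UPNs violate the "unique user name" requirement, so call them out.
$report | Where-Object UPN | Group-Object UPN | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate UPN: $($_.Name) ($($_.Count) entries)" }

# Final proof: a simple bind over LDAPS with a UPN, which is what the forms-based
# logon does behind the scenes. Credentials are prompted, never hard-coded.
$cred = Get-Credential -Message 'UPN and password of one ADAM user to test'
$test = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$test.SessionOptions.SecureSocketLayer = $true
$test.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
try {
    $test.Bind($cred.GetNetworkCredential())
    Write-Host "Simple bind as $($cred.UserName) over LDAPS succeeded."
} catch [System.DirectoryServices.Protocols.LdapException] {
    Write-Warning "Bind failed: $($_.Exception.Message) (LDAP error code $($_.Exception.ErrorCode))"
} finally {
    $test.Dispose(); $conn.Dispose()
}
```

Run it from a machine that trusts the certificate ADAM presents on 636; a certificate the client does not trust fails the SSL handshake before any bind is attempted, which shows up as a connection error rather than an authentication error. Any user listed with Bindable = False will also fail in the ADFS logon form, so fixing the report is cheaper than reading the federation server log afterwards.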