error from federation server proxy
- From: Anindya_TCS <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 6 Aug 2007 15:06:01 -0700
Hi Joe,
I have installed a token-based application in ColdFusion and added it to the web agent for single sign-on. But whenever I am trying to log in to the application, the following warnings are coming from the federation server proxy and ASP.NET 2.0. The proxy login page is coming, but after giving the user ID and password, the application is not opening and is going to the federation server error page directly.
Please see the warnings below:
WARNING 1: Coming from federation server proxy
The Federation Service rejected a token request because it appeared to
duplicate a successful request that was granted to the same client browser
session within the last 20 seconds.
Target: https://login.icao.dev/CFTest/ExampleApp/
Duplication period (seconds): 20
This failure generally indicates that the target is not receiving cookies
that it writes. If this condition is caused by a server-side configuration
error, it may indicate that all requests to the target are failing.
User Action
Ensure that the client browser is configured to accept cookies from the
target site.
Ensure that the cookie path and cookie domain are correctly configured at
the target Federation Service or web agent.
For more information, see Help and Support Center at
WARNING 2: Coming from ASP.NET 2.0:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 8/6/2007 11:44:27 AM
Event time (UTC): 8/6/2007 3:44:27 PM
Event ID: a640bec8350444b9bb6326a89b67a056
Event sequence: 35
Event occurrence: 6
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/Root/adfs-1-128308882501569336
Trust level: Full
Application Virtual Path: /adfs
Application Path: C:\ADFS\sts\
Machine name: D-SHAREP2
Process information:
Process ID: 4364
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: InvalidOperationException
Exception message: The request has been rejected because it appears to be a duplicate of a request from this same client browser session within the last 20 seconds.
Request information:
Request URL: https://login.icao.dev/adfs/ls/?wa=wsignin1.0&wreply=https://login.icao.dev/CFTest/ExampleApp/&wct=2007-08-06T15:44:27Z&wctx=https://d-sharep2.icao.dev/cftest/ExampleApp/
Request path: /adfs/ls/
User host address: 192.206.28.62
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 1
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace:
at System.Web.Security.SingleSignOn.LSAuthenticationObject.RejectBadMessagesPhase2()
at System.Web.Security.SingleSignOn.LSAuthenticationObject.EnsureCurrent(HttpContext context)
at System.Web.Security.SingleSignOn.LSAuthenticationModule.OnEnter(Object o, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
For more information, see Help and Support Center at
Please help and tell me how to proceed.
"Joe Kaplan" wrote:
I think you should post this question in a SharePoint or IIS newsgroup.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Devdutta" <Devdutta@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3A539566-36FF-4A2F-8C37-BBB0E8F7AD51@xxxxxxxxxxxxxxxx
Hi,
I don't know if this is the right place to post this question. If anybody knows the right group, please refer me.
We have 2 servers in production running existing applications and those servers are in NLB. What would be the strategy for the installation? As per my knowledge, if we set up a SharePoint web farm with 2 or more web servers, the servers are automatically load balanced. But in our case, those servers are already using NLB. I am not an infrastructure guy, so don't have much idea about NLB either. Could anybody help me out?
Regards,
Dev
"Joe Kaplan" wrote:
I answered that question in my other message which was a reply to your previous message in the thread. Did you miss it? I can dig it out of the group somewhere if you didn't see it.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C4D0C51B-A21A-41A8-949F-0D1908730C81@xxxxxxxxxxxxxxxx
Thanks a lot Joe for this useful information. I would like to ask you one more question, which is on a different topic.
We have some applications written in non-Microsoft languages like Java, Perl, ColdFusion. Those applications use Active Directory to authenticate their users. Those applications are accessing AD through the AD LDAP interface. Could these applications be called Windows NT token-based applications in terms of ADFS? Is it possible to make these applications SSO enabled using ADFS? I apologize for my ignorance, but we really need this information.
"Joe Kaplan" wrote:
That isn't a bad scenario for the forest trust option. I generally like to establish the federation trust with certificates rather than via a forest trust as I think it is more "pure", but since you already have the forest trust in place, it isn't so bad. What I don't like about it is that it requires more connectivity between the two forests than you really need in federation and it can make certain things more complicated in Windows/token auth situations since the foreign domain SIDs can be used as well.
I wouldn't worry about it too much though.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A6A28D23-33B4-4979-8801-168B8B6DF26F@xxxxxxxxxxxxxxxx
Thanks for your reply Joe.
We have chosen Federated SSO with Forest trust, because we have some token-based applications written in ASP and we need to give access to both internet users and intranet users. The applications (Resources) are deployed in an external domain located in the DMZ. We have 2 Active Directory domains in the same organization. The external domain contains the external user credentials and the internal AD contains the employees' credentials. Our scenario suits exactly with the diagram for Federated SSO with Forest trust (published on the TechNet site as well as in the ADFS help file). Could you please let us know if we are choosing the wrong scenario?
"Joe Kaplan" wrote:
Why are you doing web sso with forest trust out of curiosity?
Regarding the DNS requirements, it all depends on where the web browsers that will access those resources are. If the browsers are on the public internet, then the DNS entries for the resources will need to be external/public and the web sites will need to be public facing as well. However, it is possible that some browsers may only access certain components from within their own organization on their private network, so the DNS registration for those resources could be internal.
The key thing to understand is that the browser will need access to:
- The web app being federated
- The resource FS that protects the above mentioned app
- The account FS that they log in to if they do not log in via an account store on the resource FS
So, drawing a picture of those components and the potential locations of the browser clients will make the DNS requirements more obvious.
In some cases when using the proxy, you want the proxy and the FS to have the same DNS name, but the proxy is registered externally and the FS is registered internally. This way, clients on the public internet will get the proxy when directed to the FS host name, but clients inside the firewall will get the FS directly.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Anindya_TCS" <AnindyaTCS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EE6D5109-D8CB-468B-A85E-E2F10CBFA626@xxxxxxxxxxxxxxxx
Hello,
I am going to configure Federated web SSO with forest trust for one of my Web resources.
I have two ADFS servers and two ADFS server proxies.
Can anyone please tell me what the requirement for domain name registration is?
Should both the account and resource domain names be published to the internet?
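The Federation Service warning quoted at the top of this thread asks for the cookie path and cookie domain of the target to be checked. As an added example (not part of the original posts and not ADFS code), this Python check applies the RFC 6265 domain-match and path-match rules to the `wreply` and `wctx` URLs from the logged request. The three cookie attribute sets are constructed assumptions, since the thread does not show the actual Set-Cookie headers.

```python
from urllib.parse import urlsplit
import ipaddress
# URLs taken from the logged request in the post (wreply and wctx).
WREPLY = "https://login.icao.dev/CFTest/ExampleApp/"
WCTX = "https://d-sharep2.icao.dev/cftest/ExampleApp/"
# Constructed cookie attribute sets (assumptions; the thread shows no Set-Cookie).
HOST_ONLY = {"set_by": "login.icao.dev", "domain": None,
             "path": "/CFTest/ExampleApp/", "secure": True}
SHARED = dict(HOST_ONLY, domain="icao.dev")
SITE_WIDE = dict(SHARED, path="/")

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def domain_match(host, cookie):
    """RFC 6265 section 5.1.3. Host names compare case-insensitively."""
    host = host.lower()
    if cookie["domain"] is None:          # no Domain attribute: host-only cookie
        return host == cookie["set_by"].lower()
    domain = cookie["domain"].lower().lstrip(".")
    return host == domain or (host.endswith("." + domain) and not _is_ip(host))

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4. Paths compare case-sensitively."""
    request_path = request_path or "/"
    if not request_path.startswith(cookie_path):
        return False
    return (request_path == cookie_path or cookie_path.endswith("/")
            or request_path[len(cookie_path)] == "/")

def why_not_sent(cookie, url):
    """Return the attributes that stop a browser from sending cookie to url."""
    parts = urlsplit(url)
    problems = []
    if not domain_match(parts.hostname or "", cookie):
        problems.append("domain")
    if not path_match(parts.path, cookie["path"]):
        problems.append("path")
    if cookie["secure"] and parts.scheme != "https":
        problems.append("secure")
    return problems

if __name__ == "__main__":
    for name, c in (("host-only", HOST_ONLY), ("shared", SHARED), ("site-wide", SITE_WIDE)):
        print(name, why_not_sent(c, WCTX) or "sent")
```

Because cookie paths are compared case-sensitively, `/CFTest/ExampleApp/` and `/cftest/ExampleApp/` do not match even when the domain does.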