Wednesday, January 27, 2010 12:17 PM
I have download the Microsoft VMs for ADFS 2.0 and MOSS2007 and have successfully got everything working as per the SBS guide. I am now trying to build a similar environment from scratch using ADFS 2.0 RC and WSS 3.0 SP2 and although everything apparently has been configured correctly I’m unable to connect to the SharePoint site. At this stage I’ve only configured Active Directory as an attribute store and I have not configured any Claim Providers. ADFS 2.0 has been configured to use an AD CA and all the certificates are valid and CRLs are available. When I try to access my SSO extended web app I am successfully redirected to the ADFS server which then returns me to the SharePoint site, however the url is truncated to just the web app, the full path to the site has been removed, and I get an error message “An unexpected error has occurred”.
What is unusual is there are no error messages in the ADFS Admin Event log or the Debug trace, and no messages in the WSS system/apps event log and 12 logs.
Has anyone seen this issue before, are there any other logs I can check to help me understand what is failing.
Also are there any plans to develop a version of the very useful ADFS Diagnostics tool for ADFS 2.0.
Any help is much appreciated.
Friday, January 29, 2010 6:38 PMModeratorI have seen this issue if no name claim is being passed as part of the token to the Sharepoint site (RP). Can you check if the AD attribute used to source the name claim on the IP-STS is populated? Another possibility is that the token/cookie received by the RP is rejected.
RP tracing (relevant to your issue): http://msdn.microsoft.com/en-us/library/ee517282.aspx
AD FS tracing: http://blogs.msdn.com/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx
Tuesday, July 27, 2010 10:32 PM
You can turn on the AD FS security audits (see the following link for instructions) to see all the claims contained in the token generated by your IP-STS.
Friday, November 12, 2010 6:12 PM
I know it has been almost 12months since you responded to my request for help, but unfortunately I was pulled off onto other projects. The ADFS 2.0 project in my organisation is now on the go again and I have rebuild my environment, ADFS 2.0 RC & SharePoint 2007, as described above and I still get exactly the same results & error:
"When I try to access my SSO extended web app I am successfully redirected to the ADFS server which then returns me to the SharePoint site, however the url is truncated to just the web app, the full path to the site has been removed, and I get an error message “An unexpected error has occurred”.
You mention you have seen this before and suggest that I check the AD attribute used to source the name claim on the IP-STS is populated, which I have done and everything looks ok, but as I'm new to ADFS 2.0 could you provide me some further instructions so that I can double check. Also to note my SharePoint site (RP) is also the IP-STS AD account store, this is a configuration I have used with ADFS 1.1 and I assume it is still a supported configuration in ADFS 2.0?
Your help is appreciated.
Tuesday, September 18, 2012 6:34 PM
I realize that this response is "quite delayed" from the last posting, however I was going through the documentation for ADFS 2.0 and SharePoint 2007 and ran into the same issue. A quick search came up with this page and didn't exactly display an answer to the problem.
This note is for anyone else that has run into this issue following the "Federated Document Collaboration Using Microsoft Office SharePoint Server 2007 and AD FS 2.0" guide"
Rakesh (above) points out using AD FS tracing: http://blogs.msdn.com/card/archive/2010/01/21/diagnostics-in-ad-fs-2-0.aspx to troubleshoot ADFS issues. In enabling the ADFS tracing I found a warning message in the AD FS 2.0 Tracing event log (after enabling the log in accordance with the instructions in the link above) that hinted at the source of the issue. The warning message is an Event 23 warning with the text of "LDAPAttributeStoreReader: Attribute value for claimType http://schemas.microsoft.com/ws/2007/08/ldap/mail is not found in attribute cache"
This is basically saying that one of the attributes being used to build the claim for SharePoint 2007 to consume does not exist in AD.
I recalled that one of the steps in enabling the claim was that the e-mail address field is being used to pass the Name Claim type. A quick look in AD Users and Computers verified that the Administrator account has an empty e-mail address field.
Quickly populating e-mail address field of the Administrator account with the email@example.com entry fixed the problem for me.