Problem with the adfs/ls/IdpInitiatedSignOn.aspx
-
Thursday, August 12, 2010 11:20 AM
Hi Everyone.
I am trying to set up a federation scenario with ADFS 2.0 as the Identity Provider. We are considering the IDP initiated profile.
However, when I access the adfs/ls/IdpInitiatedSignOn.aspx and then choose the Relying Party I get the following error:
There was a problem accessing the site. Try to browse to the site again. If the problem persists, contact the administrator of this site and provide the reference number to identify the problem. Reference number: a163dffc-922e-4fef-b223-d922f714bcae
When I look into the event viewer I see the following details:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/samlprotocol' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Server stack trace:
at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.SignMessage(HttpSamlMessage httpSamlMessage, PrincipalType principalType, String principalIdentifier)
at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.BuildSignedSamlRequestMessage(HttpRedirectSamlBindingSerializer httpRedirectSamlBindingSerializer, AuthenticationRequest authenticationRequest)
at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.SignOn(AuthenticationRequest authenticationRequest)
at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.SignOn(String relyingPartyIdentity, SignOnRequestParameters parameters)
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Server stack trace:
at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
It seems like I have to enable some component but I cannot find what I have to do.
I hope someone could help me!
Thanks.
All Replies
-
Friday, August 20, 2010 8:01 AM
I was able to determine that it was actually a certificate problem. It seems that ADFS is not able to access the private keys of my certificates.
Here are the error details found in the Windows logs:
__________________________________________________________________________________________
During processing of the Federation Service configuration, the element 'signingToken' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:
Element: signingToken
Subject: CN=PAR1AP5-108.axa-im.intraxa
Thumbprint: CCE066C8CF5C091195811FD69DE6080248C82D82
storeName: My
storeLocation: 0
Federation Service identity: NT AUTHORITY\NETWORK SERVICE
The Federation Service will not be able to start until this configuration element is corrected.
This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
(1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service identity 'NT AUTHORITY\NETWORK SERVICE' has not been granted read access to the certificate's private key.
User Action
If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).
If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into.
If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option.
If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.
__________________________________________________________________________________________
And then :
__________________________________________________________________________________________
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate)
at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml)
at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)
__________________________________________________________________________________________
Any idea on how this can be resolved? My signing and decrypting certificates are stored on the local machine store.
Thanks.
-
Wednesday, November 17, 2010 11:04 PM
Hi,
I am facing the same problem right now. I am not sure whether you solved this problem or not. Can anybody help us?
-
Thursday, April 14, 2011 12:21 PM
Hi! I had the same problem. And the ADFS service account can access the private key of the certificates.
"AD FS 2.0 detected that all the service certificates have appropriate access given to the AD FS service account."
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20e25ddb-09e5-404b-8a56-edae2f12ee81}" />
    <EventID>388</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2011-04-13T13:22:40.482Z" />
    <EventRecordID>95</EventRecordID>
    <Correlation />
    <Execution ProcessID="4992" ThreadID="3208" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>keroro.dtts.com</Computer>
    <Security UserID="S-1-5-21-1177880347-1715757267-3467460929-1163" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData />
    </Event>
  </UserData>
</Event>
-
Tuesday, July 05, 2011 9:57 AM
Hello,
I am having the same problem. I have verified that the AD FS service account has read access rights to the private key (in the certificate snap-in, right click the certificate, All Tasks -> Manage Private Keys).
How can I troubleshoot this issue?
Thanks in advance for any help.
Milos
-
Tuesday, July 05, 2011 3:26 PM
Hello,
I had the same issue when I imported certificates with PowerShell.
The solution is to add the "PersistKeySet" option.
# $certfile = path to the .pfx file, $certpwd = its password (set these before running)
# PersistKeySet writes the private key into the machine key store instead of keeping it only in memory
$p12cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certfile, $certpwd, "MachineKeySet, Exportable, PersistKeySet"
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList "MY", LocalMachine
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]"ReadWrite")
$store.Add($p12cert)
$store.Close()
You can find more here: http://support.microsoft.com/kb/950090
Arnaud
- Edited by LE NEVEZ Arnaud Wednesday, July 06, 2011 7:35 AM
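The import above, followed by the check the earlier replies were doing by hand in the Certificates snap-in, as an added example that is not code from this thread. The PFX path and password are placeholders; the identity is the Federation Service identity quoted in the event text; the key-file location assumes a CSP (RSA) key in the machine store, and the ACL check only looks for a direct entry for that identity, not group membership.

```powershell
# Added example, not from the thread. Paths and password are placeholders.
$PfxPath   = 'C:\certs\adfs-signing.pfx'       # placeholder
$PfxPass   = 'PLACEHOLDER-PASSWORD'             # placeholder
$ServiceId = 'NT AUTHORITY\NETWORK SERVICE'     # Federation Service identity from the event log

function Import-MachinePfx {
    param([string]$Path, [string]$Password)
    # Without PersistKeySet the key exists only in this process; the certificate lands in
    # the store with no usable private key and AD FS logs the signingToken error.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, Exportable, PersistKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($cert)
    $store.Close()
    return $cert
}

function Test-PrivateKeyAccess {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Identity)
    if (-not $Cert.HasPrivateKey) { return 'FAIL: no private key (imported from .cer/.p7b, or key not persisted)' }
    # CSP keys in the machine store are files named after the unique key container name (assumption: CSP, not CNG).
    $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $file = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $name
    if (-not (Test-Path $file)) { return "FAIL: key container $name not under MachineKeys (imported into a user store?)" }
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $ok = (Get-Acl $file).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if ($ok) { return "OK: $Identity can read $file" }
    return "FAIL: grant $Identity Read on $file (Certificates snap-in, Manage Private Keys)"
}

$cert = Import-MachinePfx -Path $PfxPath -Password $PfxPass
Write-Output ("Imported " + $cert.Thumbprint)
Write-Output (Test-PrivateKeyAccess -Cert $cert -Identity $ServiceId)
```

Run it elevated on the AD FS server; a FAIL from the second function maps directly onto causes (1), (2) and (4) in the event text above.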
-
Tuesday, July 05, 2011 4:29 PM
Posershell?
Developer Security MVP | www.steveonsecurity.com
-
Tuesday, August 09, 2011 2:53 AM
Hi,
I am facing the same problem right now. I am not sure whether you solved this problem or not.
Can you help me?
Thanks
-
Thursday, June 28, 2012 10:47 AM
Hi,
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
I had a similar problem which turned out to be another service, Tivoli Storage Manager, using the default ports for ADFS. You can check which process is using the ports with "netstat -aonp TCP" and look for the PID of the process at ports 1500 & 1501. If it is not the ADFS process (can't remember the name now), then you will need to change the ports for ADFS as below:
- Launch PowerShell
- Add the AD FS 2.0 PowerShell snap-in:
  add-pssnapin microsoft.adfs.powershell
- Configure the Service's net.tcp port via the Set-ADFSProperties cmdlet:
  Set-ADFSProperties -nettcpport 1601
- Confirm the change:
  Get-ADFSProperties
- Restart the AD FS 2.0 service in the Services console.
and then:
- Get a WMI object into a $temp variable:
  $temp = Get-WmiObject -namespace root/ADFS -class SecurityTokenService
- Set the ConfigurationServiceAddress property to the new net.tcp address using the new port:
  $temp.ConfigurationServiceAddress = "net.tcp://localhost:1600/policy"
- Write your change back to the object:
  $temp.put()
- Restart the AD FS 2.0 service in the Services console
Although, if your ADFS service is running this may not be applicable.
jim
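The port check from the reply above, turned into a small parser so the PID-to-process step is not done by eye; this is an added example, not code from the thread. It assumes the standard netstat column layout and that the AD FS 2.0 host process is named Microsoft.IdentityServer.ServiceHost; the sample netstat lines are constructed, not captured from a real server.

```powershell
# Added example, not from the thread: report which process listens on the AD FS
# net.tcp ports (1500 policy, 1501 samlprotocol) from "netstat -aonp TCP" output.
function Get-ListeningPortOwner {
    param([string[]]$NetstatLines, [int[]]$Ports = @(1500, 1501))
    foreach ($line in $NetstatLines) {
        # netstat columns: Proto  Local Address  Foreign Address  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        $port = [int](($f[1] -split ':')[-1])        # handles 0.0.0.0:1501 and [::]:1501
        if ($Ports -notcontains $port) { continue }
        $procId = [int]$f[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '(no such process)' }
        New-Object PSObject -Property @{
            Port        = $port
            PID         = $procId
            ProcessName = $name
            # Assumption: AD FS 2.0 runs as Microsoft.IdentityServer.ServiceHost.exe
            IsAdfs      = ($name -eq 'Microsoft.IdentityServer.ServiceHost')
        }
    }
}

# Constructed sample (not real output): a foreign PID holds both AD FS ports.
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:1500           0.0.0.0:0              LISTENING       2244',
    '  TCP    0.0.0.0:1501           0.0.0.0:0              LISTENING       2244',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4'
)
Get-ListeningPortOwner -NetstatLines $sample | Format-Table Port, PID, ProcessName, IsAdfs -AutoSize

# Live check on the AD FS server:
# Get-ListeningPortOwner -NetstatLines (netstat -aonp TCP) | Format-Table -AutoSize
```

Any row with IsAdfs false on 1500 or 1501 is the conflict the reply describes, and the MSIS7004 event in the original post is the symptom to expect until the ports are moved.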