ADFS Certificate problem

    Question

    Hi

    I have just inherited the following ADFS setup:

    Internet clients -- TCP/443 --> F5 LB (No SSL Offloading) --> Federation Server Proxy (WEB01) -- TCP/443 --> Federation Server (ADFS01)

    The certificate will soon expire. We test access to our custom web application using the following link "adfs-test.mi.emailer.com/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2fapp-test.mi.emailer.com%2fCI%2fCustomerInformation.aspx"

    With the old certificate the website is accessible, but when I installed the new certificate and set the Token-Signing, Token-Decrypting and Service Communications certificates to the new one, external access stopped working; internally, however, I can access the page without going through the ADFS proxy.

    I see the following event logs:

    WEB01 Log:

    ------------------------------------------------------------------------------------------------------------------------------

    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Computer:      WEB01.abc.local
    Description:
    Encountered error during federation passive request.

    Additional Data

    Exception details:
    System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message.
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
       at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
       at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()
       at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()
       at Microsoft.IdentityServer.Web.PassivePolicyManager.GetPassiveEndpointAbsolutePath()
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

    System.ServiceModel.FaultException: An error occurred when processing the security tokens in the message.

    ------------------------------------------------------------------------------------------------------------------------------

    ADFS1 Log:

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          22/07/2012 13:13:49
    Event ID:      371
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          abc\ADFS-admin
    Computer:      ADFS1.abc.local
    Description:
    Cannot find certificate to validate message/token signature obtained from claims provider.
    Claims provider: http://adfs-test.mi.emailer.com/adfs/services/trust

    This request failed.

    User Action
    Check that Claim Provider Trust configuration is up to date.

    ------------------------------------------------------------------------------------------------------------------------------

    Anyone come across this before?

    Thanks


    Isaac2k2

    Thursday, 26 July 2012 09:29
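The post does not show how the certificates were checked after the rollover, so the following is an added example (not code from the original post or from Microsoft) of the checks a practitioner would run on the federation server (ADFS01) before touching the proxy: list the certificates AD FS is configured to use, verify each one is really in LocalMachine\My with a private key the service account can read, and compare the primary token-signing certificate with the one published in the federation metadata, which is the key that trusts such as the claims provider trust in event 371 validate signatures against. It assumes AD FS 2.0 (the Microsoft.Adfs.PowerShell snap-in); the service account name `abc\ADFS-svc` is an assumption, and the federation service host name is taken from the test URL in the post. It does not inspect WEB01, whose own configuration is a separate matter.

```powershell
# Added example, not from the original post. Run on the federation server as an
# AD FS administrator. AD FS 2.0 cmdlets come from the snap-in below; on
# Windows Server 2012 R2 and later use Import-Module ADFS instead.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$serviceAccount = 'abc\ADFS-svc'              # assumption: AD FS service account
$fsHost         = 'adfs-test.mi.emailer.com'  # from the test URL in the post

# 1. What AD FS thinks it is using: type, primary flag, thumbprint, expiry.
$adfsCerts = Get-ADFSCertificate
$adfsCerts | Select-Object CertificateType, IsPrimary, Thumbprint,
    @{ n = 'NotAfter'; e = { $_.Certificate.NotAfter } },
    @{ n = 'Subject';  e = { $_.Certificate.Subject } } | Format-Table -AutoSize

# 2. Each configured certificate must be installed with a private key that the
#    service account can read; an unreadable key leaves AD FS unable to sign or
#    validate tokens even though the thumbprint is configured.
foreach ($c in $adfsCerts) {
    $installed = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $c.Thumbprint }
    if (-not $installed) {
        Write-Warning "$($c.CertificateType) $($c.Thumbprint): not in LocalMachine\My"
        continue
    }
    if (-not $installed.HasPrivateKey) {
        Write-Warning "$($c.CertificateType) $($c.Thumbprint): no private key present"
        continue
    }
    try {
        # CSP (RSA) keys live as files under MachineKeys; CNG keys are not covered here.
        $keyName = $installed.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
        $acl = Get-Acl $keyFile
        $readAce = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $serviceAccount -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Read|FullControl'
        }
        if ($readAce) {
            Write-Host "$($c.CertificateType): private key readable by $serviceAccount"
        } else {
            Write-Warning "$($c.CertificateType): $serviceAccount has no Read ACE on $keyFile"
        }
    } catch {
        Write-Warning "$($c.CertificateType): could not inspect the private key ($_)"
    }
}

# 3. The signing key that trusts actually see is the one in the published
#    federation metadata. Compare it with the primary Token-Signing certificate.
$primarySigning = $adfsCerts |
    Where-Object { $_.CertificateType -eq 'Token-Signing' -and $_.IsPrimary }
$metadataUrl = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
try {
    $xml = [xml](New-Object System.Net.WebClient).DownloadString($metadataUrl)
    $ns  = New-Object System.Xml.XmlNamespaceManager $xml.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $published = $xml.SelectNodes($xpath, $ns) | ForEach-Object {
        $raw = [Convert]::FromBase64String($_.InnerText.Trim())
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)).Thumbprint
    }
    if ($published -contains $primarySigning.Thumbprint) {
        Write-Host "Published signing certificate matches primary Token-Signing $($primarySigning.Thumbprint)"
    } else {
        Write-Warning "Metadata publishes $($published -join ', ') but primary Token-Signing is $($primarySigning.Thumbprint)"
    }
} catch {
    Write-Warning "Could not fetch or parse $metadataUrl ($_)"
}
```

Run it once against the old certificate (while access still works) and once after the rollover; the line that changes between the two runs points at the component that did not pick up the new certificate.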

Answers