Error 403 - Forbidden: Access is Denied

    Question

  • Hi all

    When I install ADFS I notice the default website and ADFS, LS nodes all have "require SSL" checked on in IIS7.

    If I try connecting to my relying party I get the error below from the ADFS server 

    403 - Forbidden: Access is denied.

    You do not have permission to view this directory or page using the credentials that you supplied

    The fix/workaround: Uncheck the "require SSL" check boxes for each node.

    I've enabled failed trace logging but don't see any log files in the directory for troubleshooting.

    I'm thinking the SSL setting needs to be checked on though?  Has anyone seen this problem before?

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.

    Thursday, May 12, 2011 9:06 AM

All replies

  • SSL does need to be on.

    I think the reason you are seeing this problem is because the RP is pointing to an http URL of ADFS.


    Developer Security MVP | http://www.steveonsecurity.com
    Thursday, May 12, 2011 2:39 PM
  • Hi Steve

    Thanks for the reply.

    We have a test domain setup and a test connection to the same RP in question. Our identifier to them is https://OUR-ADFS-FED-NAME/adfs/services/trust

    If I enable SSL in IIS on our test domain, I still get the same 403 error.

    In our production setup our identifier begins http. I can easily change this but given our test domain gives the same result when using https I'm hesitant.

    I'm sure this is a simple fix but my brain is currently fried after several weeks of various ADFS work/troubleshooting!


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Thursday, May 12, 2011 2:59 PM
  • That just seems weird.  Can you confirm that when the RP is redirecting to ADFS it redirects to ADFS?  Try using Fiddler.
    Developer Security MVP | http://www.steveonsecurity.com
    Thursday, May 12, 2011 3:27 PM
  • Hi Steve

    I'll run a fiddler trace and report back tomorrow

    Thanks!


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Thursday, May 12, 2011 3:28 PM
  • I think I know why this is happening in my situation.

    We use ISA to pass traffic from the internet to our ADFS servers.

    Externally everything is passed on port 443 but internally everything is passed on port 80.


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Wednesday, May 18, 2011 8:30 AM
  • I was getting the Forbidden Access Denied error 403, as well. 

    I tried verifying that the Application Pool account had access to the C:\inetpub\adfs account and played with the ssl settings setting it to ignore client certificates.  Eventually, after a reboot, it worked.

    I initially thought that the changes I made to IIS did it, but it turns out that it was Fiddler. When Fiddler is intercepting https messages as the proxy, I would get the 403-Forbidden: Access Denied error. When I turned Fiddler off, the error went away, and I was able to authenticate.

    My guess is that Fiddler is not claims aware and doesn't know what to do with the claims token received from ADFS.

    Monday, July 29, 2013 2:06 AM
  • Well, Fiddler can't be claims aware as it's too low level.

    The reason it wasn't working for you was because you had integrated Windows Auth enabled with Extended Protection, which prevents something like Fiddler from getting between your browser and the server. If you disabled Extended Protection in IIS, or stopped Fiddler it would work.


    Developer Security MVP | www.syfuhs.net

    Monday, July 29, 2013 4:39 AM
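An added PowerShell check (example code, not from anyone in this thread) that reports the three IIS settings the replies circle around on an ADFS 2.0 server: the "Require SSL" flag on the site root, /adfs and /adfs/ls nodes, the Windows Authentication Extended Protection level that rejects an intercepting proxy such as Fiddler, and any plain-HTTP binding left on the federation site (the internal port-80 path in the ISA scenario). The site name 'Default Web Site', the node paths and the WebAdministration module are assumptions.

```powershell
# Added audit script (not from the thread). Assumes IIS 7.x with the
# WebAdministration module and the default ADFS 2.0 site layout.
Import-Module WebAdministration

$site  = 'Default Web Site'            # assumed site name
$nodes = @('', 'adfs', 'adfs\ls')      # site root, /adfs, /adfs/ls

foreach ($node in $nodes) {
    $path = if ($node) { "IIS:\Sites\$site\$node" } else { "IIS:\Sites\$site" }

    # sslFlags contains "Ssl" when the "Require SSL" box is ticked on this node.
    $access   = Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $path
    $requires = ($access.sslFlags -split ',\s*') -contains 'Ssl'

    # Extended Protection on Windows Authentication: "Require" means the
    # server insists on channel binding to the TLS session, so anything that
    # terminates TLS between browser and server (Fiddler, a re-encrypting
    # proxy) is refused by design, which surfaces as a 403.
    $winAuth = Get-WebConfiguration `
        -Filter 'system.webServer/security/authentication/windowsAuthentication' -PSPath $path
    $ep = $winAuth.extendedProtection.tokenChecking

    [pscustomobject]@{
        Node               = '/' + ($node -replace '\\', '/')
        RequireSSL         = $requires
        WindowsAuth        = [bool]$winAuth.enabled
        ExtendedProtection = $ep        # None / Allow / Require
    }
}

# Any http binding here is what an internal port-80 hop would be using;
# listing it makes the decision to keep or remove it explicit.
Get-WebBinding -Name $site |
    Where-Object { $_.protocol -eq 'http' } |
    Select-Object protocol, bindingInformation
```

Run it in an elevated PowerShell session on the ADFS server; a node showing RequireSSL = False while the federation identifier is an https URL, or a leftover http binding, is the mismatch the thread describes.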