ADFS 2.0 Proxy Issue

  • Problem/Issue


    1. I have a working ADFS 2.0 Farm server 61 (single) running the WIF app successfully and would now like to add an ADFS proxy, 62.
    2. I have run AdfsSetup on proxy 62 and selected the proxy install.
    3. I ran the configuration wizard, typed in the Federation Service name and clicked test connect, and the following error pops up: There is a problem with the SSL certificate of the specified Federation service
    4. When I click next it asks for credentials that will be used to establish a trust between the federation server proxy and the federation service.
    5. On entering the service account used on the federation server, it just says:

    Unable to establish a trust between the federation server proxy and the Federation Service. Ensure that the provided credentials are valid credentials for establishing a trust or ensure that the Federation Service address is correct, and then try again

    I am using self-signed certificates and tried the following steps and am still getting the above error:

    1. The self-signed certificates have been added to the trusted root certificates on the FEDERATION FARM SERVER 61.
    Following is the procedure

    • Export the signing certificate created by ADFS into the Trusted Root Certificate Authorities
    • Open AD FS 2.0 Management and go to AD FS 2.0 | Service | Certificates
    • Right-click on the Token-signing certificate (“CN=ADFS Signing – adfs.domain.com”) and choose “View Certificate”
    • Go to the “Details” tab and click “Copy to File…”
    • Import the certificate into the Trusted Root Certification Authorities store of the Local Computer.

    2. Created an SPN
    For a farm server we need to use a domain account as a dedicated ADFS service account on the ADFS server, and when you do this you'll also need to set the Service Principal Name (SPN) for that account in the domain (setspn -a host/<server name> <service account>).
    There are two possible ways to add the SPN to the user:
    * command line: setspn -a host/logon.contoso.com AdfsSvc
    * GUI: Enable Advanced Features view on AD Users and Computers. Right-click the service account. Select the Attribute Editor tab, scroll to servicePrincipalName and select edit. Add the SPN.
    I used the command line:
    C:\Users\Administrator>setspn -a cisconordev005/utc.ciscolab2008.com Administrator
    Registering ServicePrincipalNames for CN=Administrator,CN=Users,DC=utc,DC=ciscolab2008,DC=com
    cisconordev005/utc.ciscolab2008.com
    Updated object

    Please let me know if I am missing something or if I need to make any further changes...

    Thanks
    Sam

    Tuesday, January 25, 2011 10:03 PM

All replies

  • Hi,

    Can anyone please direct me to a step-by-step setup/config guide for ADFS 2.0 Proxy.

    Thanks


    Friday, January 28, 2011 11:51 PM
  • Hi Sandeep,

    There are a few things that you'll want to look at before moving forward with the AD FS 2.0 Proxy Server.

    1. If you are in a Windows Internal Database (WID) farm, you cannot use the Federation Server's DNS name as your Federation Service Name. This will cause Kerberos authentication to fail because of the SPN requirements for AD FS 2.0. You may not be familiar with a WID farm vs. SQL Server farm, but we can make it simple: If you deployed your farm using the Federation Server Initial Configuration Wizard user interface, then we know that you have a WID farm. A SQL Server farm is only possible if you ran the initial configuration from the command line. I'm going to assume you have a WID farm since you didn't mention using the command line to configure your farm.

    Let's work on your Federation Service Name first. Example: If your Federation Server's DNS name is adfs1.contoso.com, then your Federation Service Name cannot be adfs1.contoso.com. Choosing something like sso.contoso.com or login.contoso.com or adfs.contoso.com would be recommended. The Federation Service Name is the public and internal DNS name your users will use to access the Federation Service. Your SSL certificate subject must equal the Federation Service Name. Example: If Federation Service Name is sso.contoso.com, then the subject of the SSL certificate must be sso.contoso.com. If you find that you need to change the Federation Service Name, please follow the steps outlined in my TechNet Wiki article here: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-federation-service-name.aspx

    2. From the command line syntax you showed for setspn.exe, I can see that we definitely need to correct your SPNs on the AD FS service account. AD FS 2.0 requires that you utilize the HOST service for the SPN, and also requires that the name in the SPN equal your Federation Service Name. Example: If your Federation Service Name is sso.contoso.com, then your SPN registered to the AD FS service account should be: HOST/sso.contoso.com. You should use setspn.exe or something like ADSIEdit.msc to correct the servicePrincipalName attribute on the service account. I recommend removing all other, unneeded SPNs from the account, leaving only the correct SPN registered. Please follow the steps outlined in my TechNet Wiki article here: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-configure-the-spn-serviceprincipalname-for-the-service-account.aspx

    3. Now it's time to set up DNS. Your internal DNS should resolve the Federation Service Name to the IP address of the internal Federation Server (or internal load balancer IP address if you have multiple servers in the FS farm). Your external, internet-facing DNS should resolve the Federation Service name to the public IP address of the Federation Server Proxy (or public IP address of a load balancer if you have multiple Federation Server Proxy servers). The Federation Server Proxy should resolve the Federation Service Name to the internal IP of the internal Federation Server (or internal IP of the internal load balancer if you have multiple Federation Servers in your farm). It is common to use a HOSTS file on the Federation Server Proxy. Verify name resolution with ping and/or nslookup.

    The end result:

    Internet clients --> Federation Server Proxy --> Federation Server

    Internal clients --> Federation Server

    4. Firewall configuration should be discussed here as well. You'll need TCP/443 open between the internet and the Federation Server Proxy, and you'll need TCP/443 open between the Federation Server Proxy and the internal Federation Server.

    The end result:

    Internet clients -- TCP/443 --> Federation Server Proxy -- TCP/443 --> Federation Server

    5. The subject of the SSL certificate on the Federation Server Proxy needs to match the subject of the SSL certificate on the internal Federation Server. Example: If the Federation Service Name is sso.contoso.com, then the subject of the SSL certificate on both the Federation Server Proxy and the Federation Server must be sso.contoso.com. You can technically use the same SSL certificate on the Federation Server Proxy as you are using on the Federation Server, but, as a security best practice, we do recommend using separate keys.

    6. After we have completed all above steps, we need to ensure that the Federation Server Proxy can access the Federation Metadata URL of the internal Federation Server. The best way to test this is to open Internet Explorer on the Federation Server Proxy and browse to the Federation Metadata URL. Example: If your Federation Service Name is sso.contoso.com, then your Federation Metadata URL is: https://sso.contoso.com/federationmetadata/2007-06/federationmetadata.xml.

    If you find that this URL is not accessible from the Federation Server Proxy, try disabling Internet Explorer Enhanced Security Configuration via Server Manager. When you open Server Manager, on the main page, you'll see a link for "IE ESC" on the middle-right side. Try the Federation Metadata URL again. If you're still failing, then re-visit the above steps to verify: configuration of the Federation Service Name, connectivity over TCP/443, name resolution, and also make sure that your Federation Service is running. Reference: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-browsing-to-federation-metadata-fails-quot-unable-to-download-federationmetadata-xml-quot.aspx

    7. Once you are able to access the Federation Metadata URL from the Federation Server Proxy via Internet Explorer, you're ready to run the Proxy Configuration Wizard. Example: If your Federation Service Name is sso.contoso.com and you have bound an SSL certificate with the subject sso.contoso.com to the Default Web Site in IIS prior to running the Proxy Configuration Wizard, the wizard will automatically pick up your Federation Service Name based on the subject of the SSL certificate bound to the Default Web Site. You have the option of entering information about an HTTP proxy server. Use this option ONLY if you require an HTTP proxy in order for the Federation Server Proxy to communicate with the Federation Server.

    When you are prompted for credentials by the Federation Server, provide domain credentials for a user who is a local administrator on the Federation Server. This should cover everything you need to be successful with Federation Proxy Server deployment. Be sure to test the Federation Server Proxy by authenticating to your WIF sample from a client who will resolve the Federation Service Name to the public IP address of the Federation Server Proxy.

    One final note: You will need to modify web.config of your WIF sample to use the new Federation Service Name in case you needed to change it while following the steps above. You can change this manually, or run FedUtil.exe from the WIF SDK, which will pull in the new Federation Metadata and update the web.config for you. If you use FedUtil.exe to update the configuration, be sure to verify the changes in web.config are correct.


    Good luck, and I hope this helped!

    Adam Conkle - MSFT

    Sunday, January 30, 2011 2:24 AM
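The following PowerShell script is an added example, not code from the thread, from Microsoft, or from AD FS itself. It turns the checklist in the reply above (and the SPN step in the original question) into a pre-flight run on the proxy-to-be: it checks that the service account carries HOST/<Federation Service Name>, that the name resolves to the internal federation server from the proxy, that TCP/443 is open, that the SSL certificate's subject equals the Federation Service Name and that its chain is trusted on the proxy (the "no certificate warning" condition), and that the federation metadata URL returns parseable XML. The Federation Service Name, service account and internal IP are placeholders; it uses only setspn.exe and .NET types so it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the thread): pre-flight checks for an AD FS 2.0 Federation Server Proxy.
# Run on the proxy as an administrator. All three parameters are placeholders for your environment.
param(
    [string]$FederationServiceName = 'sso.contoso.com',   # placeholder Federation Service Name
    [string]$ServiceAccount        = 'CONTOSO\AdfsSvc',    # placeholder AD FS service account
    [string]$ExpectedInternalIP    = '10.0.0.10'           # placeholder internal FS / load balancer IP
)

$script:results = @()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

# Step 2: the service account must carry HOST/<Federation Service Name>; anything else is noise.
$spnOutput = & setspn.exe -L $ServiceAccount 2>&1
$spns   = $spnOutput | ForEach-Object { $_.ToString().Trim() } | Where-Object { $_ -match '/' }
$wanted = "HOST/$FederationServiceName"
$hasWanted = @($spns | Where-Object { $_ -ieq $wanted }).Count -gt 0
Add-Result 'SPN HOST/<FSN> on service account' $hasWanted ("registered: " + ($spns -join ', '))

# Step 3: from the proxy, the Federation Service Name must resolve to the INTERNAL federation
#         server (typically via the HOSTS file), not to the public IP of the proxy itself.
try {
    $addrs = @([System.Net.Dns]::GetHostAddresses($FederationServiceName) | ForEach-Object { $_.IPAddressToString })
    Add-Result 'Name resolves to internal FS' ($addrs -contains $ExpectedInternalIP) ("resolved: " + ($addrs -join ', '))
} catch {
    Add-Result 'Name resolves to internal FS' $false $_.Exception.Message
}

# Step 4: TCP/443 must be open from the proxy to the federation server.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($FederationServiceName, 443)
    Add-Result 'TCP/443 to federation server' $tcp.Connected 'connected'
} catch {
    Add-Result 'TCP/443 to federation server' $false $_.Exception.Message
} finally {
    $tcp.Close()
}

# Steps 5 and 6: fetch the metadata over HTTPS, capturing the server certificate and the chain
# verdict on the way. The callback records the verdict instead of failing the request, and is
# removed again in the finally block so certificate validation is never left switched off.
$script:serverCert  = $null
$script:chainErrors = 'None'
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param($sender, $cert, $chain, $errors)
    $script:serverCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    $script:chainErrors = $errors.ToString()
    return $true
}
$metadataUrl = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"
try {
    $req    = [System.Net.HttpWebRequest]::Create($metadataUrl)
    $resp   = $req.GetResponse()
    $reader = New-Object System.IO.StreamReader $resp.GetResponseStream()
    $xml    = [xml]$reader.ReadToEnd()
    $resp.Close()
    Add-Result 'Metadata URL returns XML' $true ("entityID: " + $xml.EntityDescriptor.entityID)
} catch {
    Add-Result 'Metadata URL returns XML' $false $_.Exception.Message
} finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}

if ($script:serverCert) {
    $cn = $script:serverCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    Add-Result 'SSL subject equals Federation Service Name' ($cn -ieq $FederationServiceName) "subject CN: $cn"
    Add-Result 'SSL chain trusted on proxy'                ($script:chainErrors -eq 'None')  "SslPolicyErrors: $script:chainErrors"
}

$script:results | Select-Object Check, Pass, Detail | Format-Table -AutoSize
```

A failed "SSL chain trusted on proxy" row with SslPolicyErrors of RemoteCertificateChainErrors is the self-signed case from the original question: the issuing certificate has to be imported into the proxy's Local Computer Trusted Root store before the Proxy Configuration Wizard will establish the trust. A failed "SSL subject equals Federation Service Name" row is the mismatch that produces the wizard's "problem with the SSL certificate" message.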
  • Hi Adam,

    I am facing a problem with ADFS Proxy setup and hope you or someone will be able to help me. I setup 2 virtual servers and installed ADFS server on on one. It looks good and I can load configuration, etc. Problem is when I setup Proxy server. It goes thru wizard and everything appears to be fine. One event I see on-start: 

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Event ID:      248
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          NETWORK SERVICE
    Description:
    The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at adfs.internal.xxxxx.com. The error message is 'There was no endpoint listening at https://adfs.internal.xxxx.com/adfs/services/proxytrustpolicystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.'.

    I enabled trace and following event is entered when I try to get FederationMetadata.xml from external client:

    Log Name:      AD FS 2.0 Tracing/Debug
    Source:        AD FS 2.0 Tracing
    Date:          2/11/2011 9:13:20 PM
    Event ID:      54
    Task Category: None
    Level:         Information
    Keywords:      ADFSSTS
    User:          NETWORK SERVICE
    Description:
    WSTrustProxyListener.ProcessRequest: Received front-end request to resource 'https://adfs.internal.xxxxxx.com/federationmetadata/2007-06/federationmetadata.xml'.

    Log Name:      AD FS 2.0 Tracing/Debug
    Source:        AD FS 2.0 Tracing
    Date:          2/11/2011 9:13:20 PM
    Event ID:      54
    Task Category: None
    Level:         Information
    Keywords:      ADFSSTS
    User:          NETWORK SERVICE
    Description:
    WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource 'https://adfs.internal.xxxxxxx.com:443/federationmetadata/2007-06/federationmetadata.xml'.

    So I cannot access proxy as it is intended.

    Any suggestions?

    Thanks

    Saturday, February 12, 2011 5:33 AM
  • Hi, I am facing the exact same problem. I have followed your instructions and was already able to access https://adfs.domain.com/federationmetadata/2007-06/federationmetadata.xml, but I am still having the credential issue.

    It kept prompting: Unable to establish a trust between the federation server proxy and the Federation Service. Ensure that the provided credentials are valid credentials for establishing a trust or ensure that the Federation Service address is correct, and then try again.


    Please advise, thank you,

    Leon

    Thursday, November 3, 2011 6:38 AM
  • Great post Adam, thanks.

    I would like to add that to be able to establish the trust, the proxy must trust the certificate used by the federation service, i.e. when you use IE to browse to the metadata URL of the service (see step 6 of Adam's post), you must not see a certificate warning.

    Monday, January 23, 2012 8:49 AM
  • I resolved my issue through step 6 of Adam's post. In short, IESC was enabled on the ADFS Proxy servers, thus preventing access to the XML configuration data. Disabling IESC for administrators and users did the trick.

    Shawn

    Thursday, February 16, 2012 10:59 PM
  • This is absolutely the best post ever regarding ad fs proxy!

    I managed to set up an environment with separated CRM Server Roles, AD FS and AD FS Proxy, internal and external access.

    Thursday, March 22, 2012 3:04 PM
  • I am having the same issue. I guess my problem is a bit different. When I pull up the wizard it shows my federation service name, but it is not the complete name.

    My service is called adfs.ad.domain.com and what shows up is domain.com. My cert is made for domain.com.

    It tells me there is a problem with the SSL cert when I go to do the test.

    Tuesday, May 8, 2012 2:25 PM