When I install ADFS I notice the default website and the ADFS and LS nodes all have "require SSL" checked on in IIS7.
If I try connecting to my relying party I get the error below from the ADFS server:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied
The fix/workaround: Uncheck the "require SSL" check boxes for each node.
I've enabled failed trace logging but don't see any log files in the directory for troubleshooting.
I'm thinking the SSL setting needs to be checked on though? Has anyone seen this problem before?
IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
Thursday, May 12, 2011 9:06 AM
SSL does need to be on.
I think the reason you are seeing this problem is because the RP is pointing to an http URL of ADFS.
Developer Security MVP | http://www.steveonsecurity.com
Thanks for the reply.
We have a test domain setup and a test connection to the same RP in question. Our identifier to them is https://OUR-ADFS-FED-NAME/adfs/services/trust
If I enable SSL in IIS on our test domain, I still get the same 403 error.
In our production setup our identifier begins http. I can easily change this but given our test domain gives the same result when using https I'm hesitant.
I'm sure this is a simple fix but my brain is currently fried after several weeks of various ADFS work/troubleshooting!
IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
Thursday, May 12, 2011 2:59 PM
I think I know why this is happening in my situation.
We use ISA to pass traffic from the internet to our ADFS servers.
Externally everything is passed on port 443 but internally everything is passed on port 80.
IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
Wednesday, May 18, 2011 8:30 AM
I was getting the Forbidden Access Denied error 403, as well.
I tried verifying that the Application Pool account had access to the C:\inetpub\adfs account and played with the SSL settings, setting it to ignore client certificates. Eventually, after a reboot, it worked.
I initially thought that the changes I made to IIS did it, but it turns out that it was Fiddler. When Fiddler is intercepting https messages as the proxy, I would get the 403 - Forbidden: Access Denied error. When I turned Fiddler off, the error went away, and I was able to authenticate.
My guess is that Fiddler is not claims aware and doesn't know what to do with the claims token received from ADFS.
Monday, July 29, 2013 2:06 AM
Well, Fiddler can't be claims aware as it's too low level.
The reason it wasn't working for you was because you had Integrated Windows Auth enabled with Extended Protection, which prevents something like Fiddler from getting between your browser and the server. If you disabled Extended Protection in IIS, or stopped Fiddler, it would work.
Developer Security MVP | www.syfuhs.net
Monday, July 29, 2013 4:39 AM
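The thread above turns on three IIS settings that are easy to check from the ADFS server itself: whether the site has an https binding, whether "Require SSL" is set on the default site and the adfs / adfs/ls nodes, and whether Windows authentication on adfs/ls has Extended Protection turned on (the setting that makes a TLS-intercepting proxy such as Fiddler, or a publishing rule that re-terminates TLS and forwards plain http, end in a 403). The script below is an added example written for this page, not code from any of the posters or from Microsoft; it assumes the ADFS 2.0 installer's default layout (site name "Default Web Site", applications "adfs" and "adfs/ls") and uses only the WebAdministration module's Get-WebBinding and Get-WebConfigurationProperty cmdlets.

```powershell
# Added example (not from the thread): read back the IIS settings discussed above
# on an ADFS 2.0 server. Run in an elevated PowerShell session on the ADFS box.
Import-Module WebAdministration

$site  = 'Default Web Site'        # assumption: ADFS installed under the default site
$paths = @('', 'adfs', 'adfs/ls')   # site root, ADFS root, and the sign-in page

# Get-WebConfigurationProperty returns either a plain value or a ConfigurationAttribute
# wrapper depending on the attribute type; normalise both to the plain value.
function Get-IisAttr {
    param([string]$PsPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# 1. Bindings: ADFS needs an https binding, and the RP's identifier/endpoints should
#    use it. A site reachable only over http internally (as in the ISA post) shows
#    up here as a missing https line.
Write-Host "Bindings on '$site':"
Get-WebBinding -Name $site | ForEach-Object {
    Write-Host ("  {0,-6} {1}" -f $_.protocol, $_.bindingInformation)
}

# 2. "Require SSL" per node. sslFlags contains 'Ssl' when the box is checked;
#    'SslNegotiateCert' / 'SslRequireCert' correspond to the client-certificate radio buttons.
foreach ($p in $paths) {
    $psPath = if ($p) { "IIS:\Sites\$site\$p" } else { "IIS:\Sites\$site" }
    $label  = if ($p) { $p } else { '(site root)' }
    $flags  = Get-IisAttr -PsPath $psPath -Filter 'system.webServer/security/access' -Name 'sslFlags'
    Write-Host ("Require SSL on {0,-12}: {1}" -f $label, $flags)
}

# 3. Extended Protection on Windows authentication for the sign-in page.
#    tokenChecking = Require means the server insists on a channel binding token that
#    matches the TLS session the browser sees; anything that terminates TLS in the middle
#    (Fiddler, or a proxy forwarding over plain http) fails Windows auth with a 403.
$lsPath = "IIS:\Sites\$site\adfs\ls"
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$winAuth = Get-IisAttr -PsPath $lsPath -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name 'enabled'
$ep      = Get-IisAttr -PsPath $lsPath -Filter $epFilter -Name 'tokenChecking'
Write-Host "Windows auth enabled on adfs/ls      : $winAuth"
Write-Host "Extended Protection tokenChecking    : $ep"
```

Read the output against the thread: an http-only binding, or sslFlags without Ssl, matches the first poster's situation; tokenChecking set to Require with Windows auth enabled matches the Fiddler case described in the last two posts. The script only reports; changing any of these values is a deliberate decision about where TLS terminates in front of ADFS.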