Adjusting HomeRealmDiscovery Page in ADFSv2

    Question

  • Does anyone have an example of how to change the HomeRealmDiscovery Page in ADFSv2 to accept an e-mail address in a text field and based upon that (actually the domain suffix) select the correct Claims/Identity Provider?
    I’m not a programmer, so I’m having a real hard time in doing this myself.
     
    Thanks 

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Tuesday, July 12, 2011 10:38 AM

All replies

  • This isn't necessarily the simplest thing to do because it requires a database or something to store the email/IdP mapping, plus you need to update it somehow.  If you have a database then I can work something out later tonight and get back to you.
    Developer Security MVP | www.steveonsecurity.com
    Tuesday, July 12, 2011 6:36 PM
  • Hello Steve,
     
    That would be awesome!
     

     


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Tuesday, July 12, 2011 8:08 PM
  • by the way, preferably storing the mapping in some table/database
     
    xxxxx@adcorp.lab –> URI = urn:federation:ADCORP
    yyyyyy@something.adcorp.lab –> URI = urn:federation:ADCORP
    zzzzzz@company.com –> URI = urn:federation:COMPANY
     

     


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Tuesday, July 12, 2011 8:12 PM
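As an added example (not code from this thread, nor from the compiled site Steve links at the end), here is one way to do the e-mail based lookup in the ADFS 2.0 HomeRealmDiscovery.aspx.cs code-behind using the suffix table above. It assumes the default page's base class and controls (HomeRealmDiscoveryPage, SelectHomeRealm, the data-bound PassiveIdentityProvidersDropDownList) plus hypothetical EmailTextBox, EmailSignInButton and ErrorLabel controls added to the .aspx; the table itself is constructed here and would normally be read from a database.

```csharp
// Added example code-behind for HomeRealmDiscovery.aspx (ADFS 2.0), not code from this thread.
// Assumes the default page's base class (HomeRealmDiscoveryPage with SelectHomeRealm and the
// data-bound PassiveIdentityProvidersDropDownList) plus three hypothetical controls added to the
// .aspx: TextBox "EmailTextBox", Button "EmailSignInButton" (OnClick="EmailSignInButton_Click")
// and Label "ErrorLabel".
using System;
using System.Collections.Generic;
using Microsoft.IdentityServer.Web.UI;

public partial class HomeRealmDiscovery : HomeRealmDiscoveryPage
{
    // Constructed e-mail domain suffix -> claims provider identifier table, using the URIs from
    // the thread. In a real deployment this would be read from a database or config file; the
    // lookup logic is the same either way.
    private static readonly Dictionary<string, string> SuffixToRealm = BuildSuffixTable();

    private static Dictionary<string, string> BuildSuffixTable()
    {
        Dictionary<string, string> t = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        t.Add("adcorp.lab",  "urn:federation:ADCORP");
        t.Add("company.com", "urn:federation:COMPANY");
        return t;
    }

    // Map an address to a realm. The full domain is tried first, then each parent domain, so
    // "yyyyyy@something.adcorp.lab" resolves via the "adcorp.lab" entry, as in the thread's
    // mapping. Returns null for a malformed address or an unmapped domain.
    public static string ResolveRealm(string email, IDictionary<string, string> table)
    {
        if (string.IsNullOrEmpty(email) || email.Length > 254)
            return null;
        int at = email.LastIndexOf('@');
        if (at <= 0 || at == email.Length - 1)
            return null;
        string domain = email.Substring(at + 1).Trim().TrimEnd('.');
        if (domain.Length == 0 || domain.IndexOfAny(new char[] { '/', '\\', ' ' }) >= 0)
            return null;

        string[] labels = domain.Split('.');
        for (int i = 0; i < labels.Length; i++)
        {
            string candidate = string.Join(".", labels, i, labels.Length - i);
            string realm;
            if (table.TryGetValue(candidate, out realm))
                return realm;
        }
        return null;
    }

    protected void EmailSignInButton_Click(object sender, EventArgs e)
    {
        string realm = ResolveRealm(EmailTextBox.Text, SuffixToRealm);

        // The table is the allow-list: the text box value never reaches SelectHomeRealm. As a
        // second check, only accept identifiers that ADFS itself bound into the (possibly hidden)
        // drop-down list from its configured claims provider trusts, so a stale table entry cannot
        // send users to a provider that is no longer trusted.
        bool trusted = realm != null
            && PassiveIdentityProvidersDropDownList.Items.FindByValue(realm) != null;

        if (!trusted)
        {
            // One generic message for both "bad address" and "unknown domain", so the page does
            // not reveal which domains are federated (the concern raised later in the thread).
            ErrorLabel.Text = "We could not sign you in with that address. Check it and try again.";
            return;
        }

        SelectHomeRealm(realm);
    }
}
```

The drop-down can be left in place but hidden (Visible="false") so its items still serve as the allow-list while users only see the e-mail field.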
  • now we are at it....
     
    the default is for ADFS to provide a drop down list. Companies may not want that because they do not want to tell everyone with whom they are federating. So, there must be some mechanism to perform the Home realm Discovery
     
    comment –> although part of the solution when the link is provided on some page/portal, it may be difficult for users if it is not published somewhere
     
    [2] the user specifies the e-mail and ADFS figures out which IdP to redirect to based upon the domain suffix
     
    [3] ????? what other options exist here?????
     
    how’s everybody doing this? really interested in hearing from all of you that have deployed ADFS in an SP/RP scenario and of course everybody else that wants to contribute to the talk!
     

     


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Tuesday, July 12, 2011 8:18 PM
  • by the way....
     
    using the WHR thing works perfectly in ADFSv1.
     
    However, when I use it (https://app-token.adcorp.lab:444/?whr=urn:federation:PARTNERADFSv2) against ADFSv2, ADFSv2 still presents me with the drop down list to select something.
     
    I have been searching and reading all over the place and I see two answers:
    [A] it should work
    [B] by default not available and you must configure WIF to accept that
     
    and when [B] whatever is mentioned to be changed it does not work in my environment
     

     

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Tuesday, July 12, 2011 8:21 PM
  • Jorge,

    Have you seen: http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/9044450e-53a7-44bb-b652-8c424d9cfb68/

    It works fine and gives you the ADFS1 "compatibility"!


    Paul Lemmers
    Wednesday, July 13, 2011 7:14 PM
  • Yes I have.
     
    I’m not a programmer so understanding what’s being said in the following text is difficult. In other words, I do not know what to do
    So..... if you can “translate” that for me on what I REALLY must do, that would be great. Thanks in advance
    ---------------------------------------------------------------------------------------

    Shiva,

    There is a bit of a nuance here. AD FS v1 could be installed as an STS or an RP. The URL you pointed out above - https://adfstest.abc.com/?whr=urn:federation:abc is an RP URL that worked with AD FS v1 RP for home realm discovery.

    AD FS v2 implements the STS only. The corresponding RP functionality is provided by WIF (Windows Identity Foundation).

    When you deploy the end-to-end scenario with AD FS v2 STS and WIF RP, you can continue to use the whr parameter as before. You'll need to make a small change in the WIF RP -

    1. In your Global.asax, implement an event handler for the WSFederationAuthenticationModule.RedirectingToIdentityProvider event
    2. Take the SignInRequestMessage from the event args.
    3. Set SignInRequestMessage.HomeRealm = Request.QueryString["whr"].

    Based on this, WIF RP will create the WS-Federation passive request with the wa=wsignin1.0 etc & your whr, so that AD FS v2 can do home realm discovery based on the request.

    Have a look at the WIF SDK sample "End-to-end\Federation for Web Apps" for a similar whr usage example.

    Going back to your original question for a moment, it seems like you tried a scenario and it failed? If so, please feel free to share the details of the error for further troubleshooting.

    Vani.

    ----------------------------------------------------------------------------------------

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Thursday, July 14, 2011 2:13 PM
  • Within the global.asax file there is a method Application_BeginRequest().  It should start at or around line 20.  Add the following line to the beginning of it:

      public void Application_BeginRequest()
      {
        // Register the handler before the rest of the method runs.
        FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider
          += new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthenticationModule_RedirectingToIdentityProvider);

        // ... the existing body of Application_BeginRequest follows unchanged ...
      }


    Then below that method add the following chunk of code:

    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
      if (!string.IsNullOrEmpty(Request.QueryString["whr"]))
        e.SignInRequestMessage.HomeRealm = Request.QueryString["whr"];
    }
    

    Finally add the following using statement to the top:

    using Microsoft.IdentityModel.Web;
    

    Mind you, you should reeeeeally get a developer to test this change before doing anything production-related.


    Developer Security MVP | www.steveonsecurity.com
    Thursday, July 14, 2011 3:24 PM
  • I implemented the steps above in the GLOBAL.ASAX after reading it carefully, but it does not work for me.

    The error in IE is: "Internet Explorer cannot display the webpage"

     

    Did I do something wrong?

     

    //------------------------------------------------------------
    // Copyright (c) Microsoft Corporation.  All rights reserved.
    //------------------------------------------------------------

    using System;
    using System.Globalization;
    using System.Resources;
    using System.Web;
    using System.Reflection;
    using Microsoft.IdentityModel.Web;

    public partial class WebApplication : Microsoft.IdentityServer.Web.PassiveProtocolApplication
    {
        /// <summary>
        /// Per request, set the thread UICulture attribute to the best match from the request's
        /// Accept-Language header.
        ///
        /// If no header is found, this will default to the culture of the server install.
        /// </summary>
        public void Application_BeginRequest()
        {
            FederatedAuthentication.WSFederationAuthenticationModule.RedirectingToIdentityProvider
                += new EventHandler<RedirectingToIdentityProviderEventArgs>(WSFederationAuthenticationModule_RedirectingToIdentityProvider);

            System.Threading.Thread.CurrentThread.CurrentUICulture = CultureInfo.InvariantCulture;

            if ( null != HttpContext.Current.Request.UserLanguages
                    && HttpContext.Current.Request.UserLanguages.Length > 0 )
            {
                int languagesAttempted = 0;

                foreach ( string acceptlang in HttpContext.Current.Request.UserLanguages )
                {
                    if( languagesAttempted == 5 )
                    {
                        //
                        // Only consider the first 5 languages sent to prevent
                        // spinning on malformed requests.
                        //
                        return;
                    }

                    languagesAttempted++;
                    if ( string.IsNullOrEmpty( acceptlang ) )
                    {
                        continue;
                    }

                    string requestedLang = acceptlang;
                    if ( requestedLang.IndexOf( ";" ) >= 0 )
                    {
                        requestedLang = acceptlang.Substring( 0, requestedLang.IndexOf( ";" ) );
                    }

                    CultureInfo requestedCulture = null;
                    try
                    {
                        requestedCulture = CultureInfo.GetCultureInfo( requestedLang );
                    }
                    catch ( ArgumentException )
                    {
                        //
                        // The requested culture was not a recognized .NET culture.
                        //
                        continue;
                    }

                    //
                    // Test if the culture is supported by loading the resource set associated with it
                    // and querying the Culture resource.  If it matches, we have a localized resource
                    // set and should set the CurrentUICulture property appropriately.
                    //
                    ResourceSet set = Resources.CommonResources.ResourceManager.GetResourceSet( requestedCulture, true, true );

                    if ( set.GetString( "Culture" ) == requestedCulture.ToString() )
                    {
                        System.Threading.Thread.CurrentThread.CurrentUICulture = requestedCulture;
                        break;
                    }

                    //
                    // If the request was for a specific culture (e.g., fr-FR), and we support the neutral culture (fr),
                    // use the neutral culture.
                    //
                    if ( !requestedCulture.IsNeutralCulture && requestedCulture.Parent != null )
                    {
                        set = Resources.CommonResources.ResourceManager.GetResourceSet( requestedCulture.Parent, true, true );

                        if ( set.GetString( "Culture" ) == requestedCulture.Parent.ToString() )
                        {
                            System.Threading.Thread.CurrentThread.CurrentUICulture = requestedCulture.Parent;
                            break;
                        }
                    }
                }
            }
        }

        void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
        {
            // Copy the whr query-string value into the sign-in request as the home realm.
            if (!string.IsNullOrEmpty(Request.QueryString["whr"]))
                e.SignInRequestMessage.HomeRealm = Request.QueryString["whr"];
        }
    }


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 12:26 PM
  • with FIDDLER I see:
    There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
    Exception has been thrown by the target of an invocation.
    Reference number: 3c70e248-cc60-41e3-9261-72f9e3e559ce
     

     

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 12:50 PM
  • what would I need to change in the default ADFS pages?
     

     

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 1:17 PM
  • What do you mean?  It was explained in the post what needs to change.
    Developer Security MVP | www.steveonsecurity.com
    Friday, July 15, 2011 1:29 PM
  • When *I* look at it I see that you adjusted the “HomeRealmDiscovery.aspx.cs” file with the contents in the blog post.
     
    OK, I did adjust that file and then I get:
     
     
    There was a problem accessing the site. Try to browse to the site again.
    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
    c:\inetpub\adfs\ls\HomeRealmDiscovery.aspx.cs(9): error CS0246: The type or namespace name 'AdfsHomeRealm' could not be found (are you missing a using directive or an assembly reference?)

     

    Hence the question of which files need to be updated?

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 2:27 PM
  • Ahh.  It's missing a reference to some of the files.  Did you try replacing all the files (and folders) in the directory with what was in the zip file?


    Developer Security MVP | www.steveonsecurity.com
    Friday, July 15, 2011 2:41 PM
  • that was my next step to try. I was creating a backup of my env to make sure I could go back in case needed
     

     

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 2:51 PM
  • yes, I replaced everything.
     
    First I saw
    Server Error in '/adfs/ls' Application.
    --------------------------------------------------------------------------------
     
    Configuration Error
    Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
     
    Parser Error Message: Unrecognized attribute 'targetFramework'. Note that attribute names are case-sensitive.
     
    Source Error:
     
     
    Line 6:    <system.web>
    Line 7:      <customErrors mode="Off"/>
    Line 8:      <compilation defaultLanguage="c#" targetFramework="4.0">
    Line 9:        <assemblies>
    Line 10:         <add assembly="Microsoft.IdentityServer, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
     
     
    Source File: C:\inetpub\adfs\ls\web.config    Line: 8
     
     
    --------------------------------------------------------------------------------
    Version Information: Microsoft .NET Framework Version:2.0.50727.5446; ASP.NET Version:2.0.50727.5420
     
     
    After changing the .NET Framework version on the app pool account, I saw
    Server Error in '/adfs/ls' Application.
    --------------------------------------------------------------------------------
     
    Parser Error
    Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
     
    Parser Error Message: Could not load type 'WebApplication'.
     
    Source Error:
     
     
    Line 1:  <%@ Application Inherits="WebApplication" Codebehind="Global.asax.cs" %>
     
     
     
    Source File: /adfs/ls/global.asax    Line: 1
     

     

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Friday, July 15, 2011 3:00 PM
  • Ah right.  Change the AppPool from .NET 2 to .NET 4.
    Developer Security MVP | www.steveonsecurity.com
    Friday, July 15, 2011 3:37 PM
  • That's what I did...

    After changing the .NET Framework version on the app pool account, I saw
    Server Error in '/adfs/ls' Application.
    --------------------------------------------------------------------------------
    Parser Error
    Description: An error occurred during the parsing of a resource required to service this request. Please review the following specific parse error details and modify your source file appropriately.
    Parser Error Message: Could not load type 'WebApplication'.
    Source Error:
    Line 1: <%@ Application Inherits="WebApplication" Codebehind="Global.asax.cs" %>
    Source File: /adfs/ls/global.asax Line: 1
    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    BLOG (WEB-BASED) --> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test ANY suggestion in a test environment before implementing!
    -------------------------------------------------------------------------------------------------------

    "Steve Syfuhs" wrote in message news:b6abeec7-50bc-4ce4-a799-86eee3c737cf...
    Ah right.  Change the AppPool from .NET 2 to .NET 4.
    Developer Security MVP | www.steveonsecurity.com

    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    Saturday, July 16, 2011 2:21 PM
  • Sorry, didn't read the message completely.  I'm not entirely sure why it's doing that.  I've created a compiled version of the site here: http://www.syfuhs.net/adfsHomeRealmCompiled.zip.  Just copy the files to the same directory (delete everything already in the folder).  That *should* solve the problem.


    Developer Security MVP | www.steveonsecurity.com
    Sunday, July 17, 2011 9:07 PM
  • Hi Steve,

    I have tried the compiled version also, and that too shows me an error: “An attempt was made to load a program with an incorrect format”. For whatever reason I cannot get it to work.
    My env:
    * W2K8R2 SP1 DC + ADFS v2.0 (latest version) + SP2010

    Can you show me a screendump so that I can see what it looks like?

    Thanks

    Cheers,


    (HOPEFULLY THIS INFORMATION HELPS YOU!)
    Jorge de Almeida Pinto | MVP Identity & Access - Directory Services

    -------------------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always evaluate/test yourself before using/implementing this!
    * DISCLAIMER:
    http://jorgequestforknowledge.wordpress.com/disclaimer/
    -------------------------------------------------------------------------------------------------------
    ################# Jorge's Quest For Knowledge ###############
    ###### BLOG URL:
    http://JorgeQuestForKnowledge.wordpress.com/ #####
    #### RSS Feed URL:
    http://jorgequestforknowledge.wordpress.com/feed/ ####
    -------------------------------------------------------------------------------------------------------

    "Steve Syfuhs" wrote in message news:eb372c8a-d31e-4232-bee0-a1e2867d414d...

    Sorry, didn't read the message completely.  I'm not entirely sure why it's doing that.  I've created a compiled version of the site here: http://www.syfuhs.net/adfsHomeRealmCompiled.zip.  Just copy the files to the same directory (delete everything already in the folder).  That *should* solve the problem.


    Developer Security MVP | www.steveonsecurity.com

    Jorge de Almeida Pinto [MVP-DS] (http://jorgequestforknowledge.wordpress.com/)
    Monday, September 12, 2011 12:34 PM
  • This usually happens when the IIS app pool is running in 64 bits, and you are inserting a DLL in the bin directory of the web application that is compiled to x86 (32 bits). You could try, however, to switch on "Enable 32-bit applications" on that app pool (preferably you make a new one, so it doesn't interfere with other applications running on that pool).

    If all the other .NET DLLs were compiled targeting Any CPU, then the MSIL will automatically switch all the other dependent DLLs to 32 bits as well. If you have a mix of specifically targeted x64 and x86 DLLs in your reference stack, you will not be able to run the web application.

    Info on how to enable 32 bits applications on the app pool can be found here:

    http://help.webcontrolcenter.com/KB/a1114/how-to-enable-a-32-bit-application-pool-in-iis7-dedicatedvps.aspx

    Thursday, October 27, 2011 2:19 PM
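    The two settings discussed in this thread (Steve's "change the AppPool from .NET 2 to .NET 4" and the "Enable 32-bit applications" toggle in the last reply) can be checked and changed from PowerShell with the IIS WebAdministration module, and the bitness of the DLLs in the bin folder can be read before touching anything so that the "incorrect format" error is confirmed rather than guessed. The script below is an added example; it is not code from the thread, from Steve's download, or from AD FS itself. The virtual path IIS:\Sites\Default Web Site\adfs\ls and the physical bin path C:\inetpub\adfs\ls\bin (derived from the web.config path quoted earlier) are assumptions, as is the function name Repair-AdfsLsAppPool.

```powershell
# Added example, not from the thread or from AD FS: diagnose the DLL bitness
# in /adfs/ls and apply the two app pool fixes suggested in the replies.
# Assumes Windows Server 2008 R2 / IIS 7.5 with the WebAdministration module
# and that the login page application lives under "Default Web Site".
Import-Module WebAdministration

function Get-BinArchitecture {
    # Report which processor architecture each managed DLL in bin\ targets.
    # ProcessorArchitecture is MSIL for "Any CPU", X86 for 32-bit-only,
    # Amd64 for 64-bit-only. An X86 DLL loaded into a 64-bit pool is what
    # produces "An attempt was made to load a program with an incorrect format".
    param([Parameter(Mandatory)][string]$BinPath)

    Get-ChildItem -Path $BinPath -Filter *.dll | ForEach-Object {
        try {
            $arch = [System.Reflection.AssemblyName]::GetAssemblyName($_.FullName).ProcessorArchitecture
        } catch [System.BadImageFormatException] {
            # Unmanaged (native) DLL: GetAssemblyName cannot read it, so its
            # bitness has to be checked by other means.
            $arch = 'Native/unknown'
        }
        [pscustomobject]@{ Dll = $_.Name; Architecture = $arch }
    }
}

function Repair-AdfsLsAppPool {
    # Applies the fixes from the thread to the pool that serves /adfs/ls.
    # Supports -WhatIf so the change can be previewed on a production server.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$AppPath     = 'IIS:\Sites\Default Web Site\adfs\ls',  # assumed virtual path
        [string]$PhysicalBin = 'C:\inetpub\adfs\ls\bin'                # from the quoted web.config path
    )

    # Which pool actually runs the login page application?
    $poolName = (Get-ItemProperty -Path $AppPath).applicationPool
    $pool     = "IIS:\AppPools\$poolName"
    $settings = Get-ItemProperty -Path $pool

    $arches   = Get-BinArchitecture -BinPath $PhysicalBin
    $has32Bit = @($arches | Where-Object { $_.Architecture -eq 'X86' }).Count -gt 0

    # Fix 1 (Steve's advice): the replacement site targets .NET 4, so the
    # pool must run the v4.0 runtime or global.asax fails to parse.
    if ($settings.managedRuntimeVersion -ne 'v4.0' -and
        $PSCmdlet.ShouldProcess($poolName, 'set managedRuntimeVersion=v4.0')) {
        Set-ItemProperty -Path $pool -Name managedRuntimeVersion -Value 'v4.0'
    }

    # Fix 2 (last reply): only flip the pool to 32-bit if bin\ really holds
    # an x86-only assembly; otherwise the toggle is noise, not a fix.
    if ($has32Bit -and -not $settings.enable32BitAppOnWin64 -and
        $PSCmdlet.ShouldProcess($poolName, 'set enable32BitAppOnWin64=True')) {
        Set-ItemProperty -Path $pool -Name enable32BitAppOnWin64 -Value $true
    }

    if ($PSCmdlet.ShouldProcess($poolName, 'recycle app pool')) {
        Restart-WebAppPool -Name $poolName
    }

    # Return the evidence so the caller can see what was found and what was set.
    [pscustomobject]@{
        AppPool            = $poolName
        RuntimeBefore      = $settings.managedRuntimeVersion
        Was32BitEnabled    = [bool]$settings.enable32BitAppOnWin64
        X86DllsFound       = $has32Bit
        Assemblies         = $arches
    }
}

# Preview first, then apply:
#   Repair-AdfsLsAppPool -WhatIf
#   Repair-AdfsLsAppPool -Verbose
```

    If you follow the last reply's suggestion and move /adfs/ls to a new pool (`New-WebAppPool` plus `Set-ItemProperty $AppPath -Name applicationPool`), the new pool has to run under the same federation service account as the original AD FS pool, otherwise the login page can no longer read the AD FS configuration and certificates; the script above deliberately edits the pool already assigned to the application rather than creating one, so that identity is untouched.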