Troubleshooting ADFS 2.0
This is sort of a follow-up to my first article on Active Directory Federation Services 2.0 (ADFS 2.0). This afternoon I spent far too many hours troubleshooting an issue I didn’t really have.
Part of this complete and total waste of my time stems from what I now believe to be a fake or phantom error which is logged into the Windows Event log when the ADFS Windows Service in started. Until I’ve been able to fully process tokens, I can’t reasonably discount the error as being invalid, but my gut tells me all is swell – and I’ve lost about 3 hours of my precious time for nothing.
To hopefully help people avoid wasting their time, I’m going to write up some of my experiences with ADFS 2.0, including some of the issues I faced. On the up side, I did reconfigure ADFS 2.0 with a named service account (which I generally prefer to do).
I’m going to assume that you have installed ADFS 2.0 to some degree, and that you’re generally comfortable configuring servers. My test environment is Windows Server 2008 R2 x64 (virtualized) – I haven’t tested or installed ADFS 2.0 on Windows Server 2012 as yet.
Verifying Your Installation
Why this isn’t made clearer, I don’t know. Instead of building up a valid WS-FED request which can take a while to configure, there’s a faster way to sanity check your installation and configuration. I found this information courtesy of a thread on the Geneva forum on MSDN:
If I hit the link https://<server>/adfs/fs/federationserverservice.asmx and generates the XML, That means my setup is right.
To double check, after you’ve attempted to resolve the URI above, check the Windows Event log under “Applications and Service Logs\AD FS 2.0\Admin”
In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event—in the Application log of Event Viewer—with the event ID 100. This event verifies that the federation server was able to successfully communicate with the Federation Service
For the record, an entry with a Event Code of 100 looks like this:
You’ll notice that the General tab lists a whole bunch of URIs.
Understanding STS/ADFS Architecture
The next step is to understand the architecture of Windows Identity Foundation (WIF) and STS (Security Token Service). Scanning the WWW, I came across this diagram on MSDN which illustrates a very simple scenario (I intend on something much more complicated.. and fun).
There’s a couple of things to call out here.
The first is that an STS makes heavy use of certificates, so if you’re going to do this properly, get your certificates sorted out up front. My approach is to install and configure an Enterprise Certificate Authority and issue certificates from there. Then, it’s just a matter of trusting the root CA (signing) certificate in your environment, and your cert chain should be valid.
Another point – it’s worth the time to get everything running over IIS (if you’re using it instead of a self hosted WCF application) – even in development. Throw the Visual Studio web service (formerly Cassini) to one side and get everything running over IIS or IIS Express.
Kerberos – If you use a custom domain identity for services and the IIS app pool, make sure you remember to run the setspn utility to ensure that the domain account can register and unregister service SPNs properly.
See this article for more on using setspn for an ADFS identity account.
Last point – spend a good amount of time verifying and testing your installation and configuration. This is a valid point for all environments (not just the production environment) – it’s just as important that your development and test environments are configured and work properly, so spend the time and make sure you get it fully configured.
Helpful Sites and Links
Of course, I did this all on my own – not. This involved literally hours of searching the Web for answers, and many times I found some help. Here’s some links which proved helpful while I tried to troubleshoot ADFS 2.0.