Troubleshooting ADFS 2.0

by Rob Sanders · Jan. 07, 13

This is sort of a follow-up to my first article on Active Directory Federation Services 2.0 (ADFS 2.0).  This afternoon I spent far too many hours troubleshooting an issue I didn’t really have.

Part of this complete and total waste of my time stems from what I now believe to be a fake or phantom error which is logged into the Windows Event log when the ADFS Windows Service is started.  Until I’ve been able to fully process tokens, I can’t reasonably discount the error as being invalid, but my gut tells me all is swell – and I’ve lost about 3 hours of my precious time for nothing.

To hopefully help people avoid wasting their time, I’m going to write up some of my experiences with ADFS 2.0, including some of the issues I faced.  On the upside, I did reconfigure ADFS 2.0 with a named service account (which I generally prefer to do).

I’m going to assume that you have installed ADFS 2.0 to some degree, and that you’re generally comfortable configuring servers.  My test environment is Windows Server 2008 R2 x64 (virtualized) – I haven’t tested or installed ADFS 2.0 on Windows Server 2012 as yet.

Verifying Your Installation

Why this isn’t made clearer, I don’t know.  Instead of building up a valid WS-FED request, which can take a while to configure, there’s a faster way to sanity check your installation and configuration.  I found this information courtesy of a thread on the Geneva forum on MSDN:

“If I hit the link https://<server>/adfs/fs/federationserverservice.asmx and it generates the XML, that means my setup is right.”

To double check, after you’ve attempted to resolve the URI above, check the Windows Event log under “Applications and Service Logs\AD FS 2.0\Admin”.

In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event—in the Application log of Event Viewer—with the event ID 100. This event verifies that the federation server was able to successfully communicate with the Federation Service.

For the record, an entry with an Event ID of 100 looks like this:

[image: Event Viewer entry for AD FS 2.0 event ID 100]

You’ll notice that the General tab lists a whole bunch of URIs. 
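The two checks just described (request the federation server service page, then look for event ID 100 in the AD FS 2.0 Admin channel) can be scripted so they are repeatable on every environment. The following PowerShell is an added example, not code from the original article; it assumes a placeholder federation service name, that the Event Viewer folder “Applications and Service Logs\AD FS 2.0\Admin” corresponds to the channel name “AD FS 2.0/Admin”, and that it runs in an elevated PowerShell 2.0 or later session on the federation server.

```powershell
# Added example (not from the original article): sanity-check an ADFS 2.0
# installation. The FQDN is a placeholder; "AD FS 2.0/Admin" is assumed to be
# the channel name behind "Applications and Service Logs\AD FS 2.0\Admin".
param(
    [string]$FederationServer = "adfs.example.local"   # placeholder FQDN
)

$uri = "https://$FederationServer/adfs/fs/federationserverservice.asmx"

# Step 1: request the service page. A TLS failure here usually means the SSL
# certificate or its chain is not trusted by this machine, which is a
# certificate problem rather than an ADFS configuration problem.
try {
    $client = New-Object System.Net.WebClient
    $client.UseDefaultCredentials = $true
    $body = $client.DownloadString($uri)
    if ($body -match "FederationServerService") {
        Write-Host "OK: $uri answered ($($body.Length) bytes)"
    } else {
        Write-Warning "Unexpected response body from $uri"
    }
} catch {
    Write-Warning "Request to $uri failed: $($_.Exception.Message)"
}

# Step 2: look for event ID 100 in the AD FS 2.0 Admin channel. Only the last
# hour is considered so an old success does not mask a current failure.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 100; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if ($events) {
    Write-Host "OK: event ID 100 logged at $($events[0].TimeCreated)"
    $events[0].Message
} else {
    Write-Warning "No event ID 100 since $since; listing Critical/Error events from the same channel."
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Level = 1,2; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
}
```

Run it once after installation and again after every certificate or service-account change; the second half is what tells you whether a failed request is a transport problem (nothing new in the channel) or a service problem (errors logged alongside the missing event 100).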

Understanding STS/ADFS Architecture

The next step is to understand the architecture of Windows Identity Foundation (WIF) and the STS (Security Token Service).  Scanning the WWW, I came across this diagram on MSDN which illustrates a very simple scenario (I intend to do something much more complicated... and fun).

[diagram: WIF Basic Claims Aware WCF Service]

There are a couple of things to call out here.

The first is that an STS makes heavy use of certificates, so if you’re going to do this properly, get your certificates sorted out up front.  My approach is to install and configure an Enterprise Certificate Authority and issue certificates from there.  Then, it’s just a matter of trusting the root CA (signing) certificate in your environment, and your cert chain should be valid.

Another point – it’s worth the time to get everything running over IIS (if you’re using it instead of a self-hosted WCF application) – even in development.  Throw the Visual Studio web service (formerly Cassini) to one side and get everything running over IIS or IIS Express.

Kerberos – if you use a custom domain identity for services and the IIS app pool, make sure you remember to run the setspn utility to ensure that the domain account can register and unregister service SPNs properly.

See this article for more on using setspn for an ADFS identity account.
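To show what the setspn step looks like in practice, here is an added example (not from the original article or the linked guide). It assumes placeholder names for the service account and federation service name, that the SPN to register is HOST/<federation service name> (the form ADFS 2.0 guidance uses for a farm service account), and that it runs in a session with rights to write servicePrincipalName on the account object.

```powershell
# Added example (not from the original article): check for duplicates, then
# register the HOST SPN for a named ADFS 2.0 service account. Account and
# federation service name are placeholders.
param(
    [string]$ServiceAccount        = "CORP\svc-adfs",      # placeholder account
    [string]$FederationServiceName = "adfs.example.local"   # placeholder FQDN
)

$spn = "HOST/$FederationServiceName"

# 1. A duplicate SPN breaks Kerberos quietly (the KDC cannot pick an account),
#    so query the forest for the SPN before touching anything.
$query = & setspn -Q $spn 2>&1
if ($query -match "Existing SPN found") {
    Write-Host "SPN $spn is already registered:"
    $query
} else {
    # -S refuses to add the SPN if a duplicate exists, unlike the older -A.
    & setspn -S $spn $ServiceAccount
}

# 2. Show everything now registered on the service account.
Write-Host "SPNs on ${ServiceAccount}:"
& setspn -L $ServiceAccount

# 3. Forest-wide duplicate check; any SPN listed here needs to be resolved.
Write-Host "Forest-wide duplicate SPN check:"
& setspn -X
```

If the IIS application pool for a claims-aware web application runs as a different domain account, repeat the same check-then-register pattern for that account with an HTTP/<site host name> SPN; the duplicate check in step 3 is the one to re-run after every change.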

Last point – spend a good amount of time verifying and testing your installation and configuration.  This applies to all environments (not just production) – it’s just as important that your development and test environments are configured and work properly, so spend the time and make sure you get them fully configured.

Helpful Sites and Links

Of course, I did this all on my own – not.  This involved literally hours of searching the Web for answers, and many times I found some help.  Here are some links which proved helpful while I tried to troubleshoot ADFS 2.0.

Installation
  • Checklist for Setting up a Federation Server
  • Configuring Active Directory Federation Services 2.0
  • ADFS 2.0 Step by Step Guides
  • Manually Configure a Service Account for a Federation Server Farm

Troubleshooting
  • Troubleshooting ADFS 2.0
  • Verifying Installation
  • Cleaning up prior to re-installation
  • Migrating an ADFS 2.0 Database & more
  • ADFS 2.0 Federation with a WIF Application (Step-By-Step Guide)
  • Claims based Authentication and WIF
  • Claims-Aware WCF Service
  • Building a Claims-Aware WCF Service
  • Connecting to the ADFS attribute store (SQL)
  • Locating the ‘Correlation ID’ from an ADFS error page
  • Determining if ADFS 2.0 is listening on the default ports

Published at DZone with permission of Rob Sanders, DZone MVB. See the original article here.