Windows Server 2012 AD FS SSO from Salesforce


I'm trying to set up SSO in Salesforce by AD FS by following the https://help.salesforce.com/articleView?id=identity_provider_examples_3p_adfs.htm&type=5 URL & BMC Remedyforce and Single Sign-On. But when I tried to open https://ibl-unisys.ibl-unisys.local/adfs/ls/ a "This site can’t be reached" error occurred. Maybe due to an Identity provider issue. When I hit Set-AdfsProperties -EnableIdpInitiatedSignonPage $true in PowerShell it gives an error. The snapshot below is for your reference:

[Screenshot: clipboard_image_0.png]

 

Basically I want to connect Salesforce with MS Server 2012 Active Directory.

I performed all the steps from the BMC documents "BMC Remedyforce and Single Sign-On", Configuring Single Sign-On Using ADFS 2.0 & Configure SSO to Salesforce Using Microsoft AD FS as the Identity Provider, but failed to connect with it. Need suggestions.

Following are the settings & the error as well:
 
AcceptableIdentifiers : {}
AddProxyAuthorizationRules : exists([Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value
== "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type =
"http://schemas.microsoft.com/authorization/claims/permit", Value =
"true");
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid",
Issuer =~ "^AD AUTHORITY$" ]
=> issue(store="_ProxyCredentialStore",types=("http
://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrust
ManagerSid({0})", param=c.Value );
c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid",
Issuer =~ "^SELF AUTHORITY$" ]
=> issue(store="_ProxyCredentialStore",types=("http
://schemas.microsoft.com/authorization/claims/permit"),query="isProxyTrust
Provisioned({0})", param=c.Value );
ArtifactDbConnection : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial
Catalog=AdfsArtifactStore;Integrated Security=True
AuthenticationContextOrder : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password,
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport,
urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient,
urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AutoCertificateRollover : True
CertificateCriticalThreshold : 2
CertificateDuration : 365
CertificateGenerationThreshold : 20
CertificatePromotionThreshold : 5
CertificateRolloverInterval : 720
CertificateSharingContainer : CN=9a261be4-fd91-4d09-8043-654210d3673f,CN=ADFS,CN=Microsoft,CN=Program
Data,DC=ibl-unisys,DC=local
CertificateThresholdMultiplier : 1440
ClientCertRevocationCheck : None
ContactPerson :
DisplayName : ADFS for Salesforce
IntranetUseLocalClaimsProvider : False
ExtendedProtectionTokenCheck : Allow
FederationPassiveAddress : /adfs/ls/
HostName : Ibl-unisys.ibl-unisys.local
HttpPort : 80
HttpsPort : 443
TlsClientPort : 49443
Identifier : http://ibl-unisys.ibl-unisys.local/adfs/services/trust
InstalledLanguage : en-US
LogLevel : {Errors, Information, Verbose, Warnings}
MonitoringInterval : 1440
NetTcpPort : 1501
NtlmOnlySupportedClientAtProxy : False
OrganizationInfo :
PreventTokenReplays : False
ProxyTrustTokenLifetime : 21600
ReplayCacheExpirationInterval : 60
SignedSamlRequestsRequired : False
SamlMessageDeliveryWindow : 5
SignSamlAuthnRequests : False
SsoLifetime : 480
PersistentSsoLifetimeMins : 10080
KmsiLifetimeMins : 1440
PersistentSsoEnabled : True
PersistentSsoCutoffTime : 1/1/0001 12:00:00 AM
KmsiEnabled : False
LoopDetectionEnabled : True
LoopDetectionTimeIntervalInSeconds : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes : 60
SendClientRequestIdAsQueryStringParameter : False
WIASupportedUserAgents : {MSAuthHost/1.0/In-Domain, MSIE 6.0, MSIE 7.0, MSIE 8.0...}
ExtranetLockoutThreshold : 2147483647
ExtranetLockoutEnabled : False
ExtranetObservationWindow : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy : c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isre
gistereduser"] => issue(claim = c);c:[Type ==
"http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"]
=> issue(claim = c);
PromptLoginFederation : FallbackToProtocolSpecificParameters
PromptLoginFallbackAuthenticationType : urn:oasis:names:tc:SAML:1.0:am:password
 
[Screenshots: clipboard_image_1.png, clipboard_image_2.png]