Active Directory Federation Services
15 Topics

OpenID service stopped working after installing ADFS on Windows Server

Hello to everyone, We have a developer server and we use it to test various scenarios. I created a service with OpenIddict and .NET 6, and everything was working fine: the URL https://auth.myserver.local/.well-known/openid-configuration, served with IIS, was working correctly. Now our customer asked for SSO with an ADFS service, so we tried to implement it. I followed this guide: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/ws-federation?view=aspnetcore-6.0 I installed the ADFS service on my local server (the same server we use for IIS test websites) and I was able to sign in with my AD credentials. Then I noticed: if I go to the main page of my service (https://auth.myserver.local) the service still works great, but if I try to reach https://auth.myserver.local/.well-known/openid-configuration I receive a 503 error (service unavailable). If I test it on a local machine or on a production machine it works great, which is why I think it's a problem with my server. I've done some research in the IIS logs but I can no longer find requests to that URL; it seems something is getting the request before IIS. I tried stopping the ADFS service with no success. Has anyone experienced something similar? My server is Windows Server 2019. Thanks.

Redundancy for ADFS servers using on-premises & Azure instances of ADFS through Azure Traffic Manager

Azure Traffic Manager is able to detect only the health of the WAP server and not the back-end ADFS server. As a result, Traffic Manager is redirecting clients to a healthy WAP server with a faulty ADFS back-end server. Seeking guidance here to fix the health probe on Azure Traffic Manager. Seamless failover is expected by using Azure Traffic Manager, but unfortunately we have an issue verifying the health of the back-end ADFS servers.

ADFS SSO sign-in as a different user

We have federation configured with Azure AD using ADFS with SSO enabled. This is working as expected. However, there is one slight issue for the admin team, who are required to sign in using different privileged credentials, different from their regular user account. The problem is that ADFS SSO is automatically signing in the user as the account logged into Windows. E.g. "User runs a PowerShell command --> authentication prompt comes up --> user enters their privileged ID (different from their regular account) --> user enters their password --> user is signed in as their regular account rather than the privileged account they used at the sign-in screen." Is there a workaround for this issue other than using a non-domain-joined laptop?

Azure B2C as a Claims Provider to ADFS 2016 to use with federated partners

Hi, A bit of an interesting use case here: we're looking at leveraging an Azure B2C directory as another claims provider in ADFS 2016 to access a federated party's resources over a federation trust set up with their ADFS system. I've been checking on resources and there's nothing yet that I've found that can help configure this, if it's at all possible, which I'm still trying to validate. I could use an IdentityServer v3 or v4 to do the job, but with ADFS 2016 and OpenID Connect support I was hoping we could leverage our existing infrastructure. A tricky one, and hopefully someone's run into something similar before. Thanks.

Federation Concepts

I have read and understood a few things on this subject with respect to Microsoft's offering:
1. There is Windows Identity Foundation coming into the picture. Please answer why.
2. OASIS WS-Trust for setting up federation when rich applications / thick clients are involved (apps). Please answer what/which protocols are used and why. Please answer what/which types of tokens are generated and why.
3. OASIS WS-Federation for setting up federation when browser-based access is required/involved (websites). Please answer what/which protocols are used and why. Please answer what/which types of tokens are generated and why.
4. OASIS SAML for setting up federation when browsers or rich/thick clients are involved. Please answer what/which protocols are used and why. Please answer what/which types of tokens are generated and why. I know the first two can issue SAML tokens also.
5. When a claims-aware application is being developed, how will the developer choose what claims the application will ask for? Where's the STANDARD DEFINITION for the claim types to be used?
6. When the trust is being established using the ADFS Management Console, or for that matter when one is setting up federation with Azure AD, is it the application/relying party who chooses what claims it will ask for?
7. Is there a STANDARD DEFINITION around this? What/where is it?
8. Should it not be the choice of the account owner, considering security, what claims I am OK with sharing with the application?
9. I do understand this bit after reading on Azure AD: with OpenID Connect and OAuth 2.0 there are scopes defined in the application which will show or ask for the user's consent, and only then will it have access to those account-related details (allow/grant access to your contacts, pictures, phone logs, etc.).

ADFS - Unable to log on with UPN

Hi All, In our development environment we have ADFS 3.0 servers authenticating federated users. Recently, users have been unable to log on using their UPN. sAMAccountName works without issue. For information, the domain and UPN setup is as follows: The internal domain is childdomain.root.int.ac.uk. Users exist in the child domain "childdomain.root.int.ac.uk" but have their UPN changed to username@int.ac.uk. When signing into Office 365 or via ADFS they are able to use their sAMAccountName, but using the UPN gives an incorrect username or password error. We see the following error in the ADFS logs:

Token validation failed. Additional Data Token Type: http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName %Error message:

If they attempt to use the ADFS password change page I see the following error in the logs:

Password change failed for following user: Additional Data User: u1234560@int.ac.uk. Device Certificate: Server on which password change was attempted: Error details: UserNotFound

Any ideas what might be causing this?

AAD Connect staging mode and ADFS configuration

We are migrating AAD Connect to a new server and have installed the tool using the database restore option. However, we are a bit puzzled with the ADFS configuration. The O365 tenant is federated with ADFS. Do we need to configure ADFS settings in the newly installed AAD Connect? If yes, at what point do we do that: when we disable staging mode, or is this something that can be done with staging mode enabled?

Migration from AD FS 2012 to 2019 Prerequisites

Hi Community! We currently have AD FS 2012 R2 for hybrid identity management for our Office 365 users, and we are planning to migrate it to AD FS 2019. I am looking for the prerequisites but I cannot see a Microsoft document for 2019. I can only find one for 2016. Hope someone can help me with this 🙂

Need to clean up federated domain

Hi Members, Good day. We have a federated domain in Azure, e.g. fed.dom.lo.com. AD Connect was set up and it had synchronized all the users in our on-prem domain controller to Azure. Assume we had 20k users in the specific OU which was set for the sync. Now, the change that came in would want us to sync only users which have a specific attribute set, i.e. departmentName = xyz, and not all. My doubts are as below:
1. What would happen to the existing users in the Azure federated domain; would a clean-up be done automatically? E.g. users synced are 20k, but users with the attribute are just 3k.
2. How would we do a clean-up on the Azure domain?
3. Could we delete all the users on the Azure domain and add the inbound sync rule to have the limited users show up again? Or is there any better way to achieve this?
Thank you, V