Posts Tagged ‘ADFS 2.0’

ADFS Authentication not working on Chrome

March 25th, 2013

When authenticating against ADFS from Chrome, the browser keeps prompting for the password, while IE and Firefox work fine. This is caused by Extended Protection being enabled for Windows Authentication on the IIS site:

To turn Extended Protection off:
1. Launch IIS Manager (As an administrator)
2. Navigate to Sites -> Default Web Site -> adfs -> ls.
3. On the feature tab, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings.
4. On the Advanced Settings dialog, choose Off for Extended Protection.

Bounce the IIS server or services and you should be all set.


ADFS 2.0 error after successful login.

February 1st, 2013

When I was setting up federation with Zscaler I was unable to pass the auth token back to Zscaler. I would get redirected to my ADFS proxy servers, I would log in, and upon a successful login I would get an ADFS 2.0 error page. I checked the logs on the primary ADFS server and found the following:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/17/2010 10:54:19 AM
Event ID:      303
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      ADFS.ADATUM.COM

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

I found the following article:

Which led me to run the following from a PowerShell prompt:

Set-ADFSRelyingPartyTrust -TargetName "Name property of your RP Trust" -SigningCertificateRevocationCheck "None"

Note: Make sure that you have met these requirements:

– Obtain the public key of the signing certificate, either by parsing the SAMLRequest or by asking the RP to send it to you.
– Import that certificate on the Signature tab of the RP Trust.
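
To carry out the first of those requirements from a captured request, here is an added PowerShell example (not part of the original post): it decodes a POST-binding SAMLRequest, extracts the signer's certificate from the embedded ds:KeyInfo, and checks whether that certificate is already on the RP trust's Signature tab. The trust name and the SAMLRequest value are placeholders you supply.

```powershell
# Added example, not from the original post. On ADFS 2.0 load the snap-in first
# (Add-PSSnapin Microsoft.Adfs.PowerShell). Both values below are placeholders.
$RpTrustName = 'Name property of your RP Trust'
$SamlRequest = '<base64 SAMLRequest value captured from the POST form>'

# POST binding: SAMLRequest is plain base64 of the AuthnRequest XML. (Redirect
# binding DEFLATEs it and carries the signature in the query string instead,
# so no certificate can be pulled out of the XML in that case.)
$xmlText = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlRequest))
$xml = [xml]$xmlText

$ns = New-Object Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# If the RP included its certificate, it sits in ds:KeyInfo as base64 DER
$certNode = $xml.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
if (-not $certNode) {
    throw 'AuthnRequest carries no X509Certificate in its KeyInfo; ask the RP for its signing certificate.'
}
$der    = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
$rpCert = New-Object Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
"Request signed by: $($rpCert.Subject)  thumbprint $($rpCert.Thumbprint)  valid until $($rpCert.NotAfter)"

# Compare with what the trust's Signature tab already holds (RequestSigningCertificate)
$trust = Get-ADFSRelyingPartyTrust -Name $RpTrustName
if (-not $trust) { throw "No relying party trust named '$RpTrustName'." }
$known = @($trust.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
$knownText = if ($known) { $known -join ', ' } else { 'none' }

if ($known -contains $rpCert.Thumbprint) {
    "Trust '$RpTrustName' already holds this certificate, so the remaining suspect is certificate validation, e.g. the CRL check controlled by -SigningCertificateRevocationCheck."
} else {
    "Trust '$RpTrustName' does not hold it (currently: $knownText). Import it with:"
    "  Set-ADFSRelyingPartyTrust -TargetName '$RpTrustName' -RequestSigningCertificate `$rpCert"
}
```

Setting -SigningCertificateRevocationCheck to None means ADFS keeps accepting the RP's signing certificate even after it has been revoked, so making the certificate's CRL distribution point reachable from the federation servers is the better long-term fix.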
