Browse by Tags

Tagged Content List
  • Wiki Page: Windows Identity Foundation (WIF) Throws Exception: "ID6018: Digest verification failed for reference"

    Symptoms During a federation passive request to a WIF-protected web application, WIF throws an exception on the web server. When WIF tracing is enabled, the following exception is found in the service trace: < <ExceptionType>System.Security.Cryptography.CryptographicException...
  • Wiki Page: Forefront UAG Troubleshooting: Event ID 167: The KCD Shadow User Name Claim Cannot Be Retrieved

    Symptoms — When end users attempt to access the Forefront UAG portal, they may receive the following message " You are not authorized to access this application. " There may also be an event 167 in the event viewer or in the Web Monitor with the description " The KCD shadow user name...
  • Wiki Page: Forefront UAG Troubleshooting: The AD FS 2.0 Authentication Server Is Used in More than One Trunk

    Description —You have configured a single AD FS 2.0 authentication server and you have attempted to use it for trunk authentication in more than one trunk and you receive the following message " The AD FS 2.0 authentication server 'authentication_server' is used in more than one trunk...
  • Wiki Page: AD FS 2.x: Error Event IDs 102 and 277 - The type initializer for 'TraceUtil' threw an exception

    Symptom AD FS 2.x is not able to issue tokens, and the AD FS Management console shows that it is not able to connect to the configuration database. The AD FS Admin Event Log contains the following events with the following XML data: Log Name: AD FS 2.0/Admin Source: AD FS 2.0...
  • Wiki Page: AD FS 2.0: Understanding AutoCertificateRollover Threshold Properties

    Item Sample Value Description of Item Effect AutoCertificateRollover True Specifies whether the system will manage certificates for the administrator and generate new certificates before the expiration date of current certificates. ...
  • Wiki Page: AD FS 2.0: Asserting the NameID Claim Type with Additional Properties

    Overview The SAML NameID claim type is a special claim type used to identify the principal of the session, and this claim type can be asserted containing only the value data, or you can also choose to assert additional NameID properties. Below, you will find a Claim Rule Language sample, which...
  • Wiki Page: AD FS 2.0: Configuration options for shared computers and kiosks

    Introduction Using claims aware applications on a shared computer or kiosk adds additional challenges for configuration. One common challenge faced by administrators is with users gaining access to applications as the previous user. Scenario: - User A browses to a claims aware application...
  • Wiki Page: Forefront UAG Troubleshooting: Web Monitor ID 45: Users Cannot Sign In and Receive Error about Attempting to Access Restricted URL

    Symptoms —When end users attempt to access the Forefront UAG portal, they may receive the following message " You have attempted to access a restricted URL. The URL contains an invalid parameter. " There may also be an event 45 in the Forefront UAG Web Monitor with the short description "...
  • Wiki Page: Forefront UAG: Troubleshooting Forefront UAG with AD FS 2.0 Event Viewer Messages

    This topic lists the messages that you may encounter on Forefront Unified Access Gateway (UAG) in the event viewer or in the Forefront UAG Web Monitor when end users attempt to access your published site using Active Directory Federation Services (AD FS) 2.0 authentication. Event ID/Web...
  • Wiki Page: Forefront UAG Troubleshooting: Associate Your Current AD FS 2.0 Application with the Authentication Server

    Description —When you add an AD FS 2.0 authentication repository for trunk authentication in the Forefront UAG Management console, Forefront UAG automatically creates an AD FS 2.0 application on that trunk and you may receive the following message " An AD FS 2.0 authentication server is used in...
  • Wiki Page: AD FS 2.0: Continuously Prompted for Credentials When Using FireFox 3.6.3

    Symptoms Users are continuously prompted for credentials when authenticating to AD FS 2.0 while using FireFox 3.6.3. Internet Explorer does not exhibit this behavior. Cause The default FireFox 3.6.3 network authentication configuration is incorrect. Resolution...
  • Wiki Page: AD FS 2.0: The AD FS 2.0 Windows Service Fails to Start, Event 102 and 220 Logged

    Symptoms Starting AD FS 2.0 Windows Service fails From the Services console: "Windows could not start the AD FS 2.0 Windows Service service on Local Computer. Error 1064: An exception occurred in the service when handling the control request." From the command line...
  • Wiki Page: AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account

    Summary When you deploy an AD FS 2.0 Federation Server farm you must specify a domain-based service account , and the AD FS 2.0 service account needs to have a SPN ( servicePrincipalName ) registered to allow Kerberos to function for the Federation Service. When you initially configure...
  • Wiki Page: AD FS 2.0: How to Enable and Immediately Use AutoCertificateRollover

    Summary When the GUI Initial Configuration Wizard (ICW) of AD FS 2.0 has been executed, AutoCertificateRollover is automatically enabled by default and the token-signing and token-decrypting certificates are self-signed and maintained by the AD FS 2.0 service. When the command line ICW of...
  • Wiki Page: AD FS 2.0: "Script is disabled. Click Submit to continue."

    Symptoms When accessing an AD FS-protected resource using a web browser (passive requestor), the AD FS server presents a page similar to the following: "Script is disabled. Click Submit to continue." Once the user clicks the "Submit" button, access to the application is...
  • Wiki Page: Forefront UAG Troubleshooting: Federation Metadata Retrieval Errors

    Forefront Unified Access Gateway (UAG) performs a number of tests and checks when you retrieve the federation metadata from the Active Directory Federation Services (AD FS) 2.0 server. This topic describes how to troubleshoot any errors you may receive when retrieving the federation metadata. ...
  • Wiki Page: AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"

    Symptoms Token issuance fails The following events are logged in the AD FS 2.0/Admin Event Log: Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 2/14/2011 1:32:23 PM Event ID: 323 Task Category: None Level: Error Keywords: AD FS User: NETWORK SERVICE Computer...
  • Wiki Page: Forefront UAG: Troubleshoot Forefront UAG with AD FS 2.0 Activation Errors

    When you use Forefront Unified Access Gateway (UAG) with Active Directory Federation Services (AD FS) 2.0 authentication, you may encounter a number of errors when activating the configuration in the Forefront UAG Management console. The following table provides links to troubleshooting topics for...
  • Wiki Page: Forefront UAG Troubleshooting: Event ID 158: The Application Settings Could Not Be Read

    Symptoms — When end users attempt to access the Forefront UAG portal, they may receive the following message " An unexpected error occurred when starting the application. " There may also be an event 158 in the event viewer or in the Web Monitor with the description " ADFSv2Site: The...
  • Wiki Page: Forefront UAG Troubleshooting: Event ID 165: The Single Sign-Out for a User Was Not Complete

    Symptoms — End users click the Log Off button in the Forefront UAG portal and are logged out of the portal, but an event 165 appears in the event viewer or in the Web Monitor with the description " ADFSv2Site: Single sign out process for user with lead user claim value [user_name] was not complete...
  • Wiki Page: Forefront UAG Troubleshooting: Event ID 159: The Trunk Received a Request with More than One Identity

    Symptoms — When end users attempt to access the Forefront UAG portal, they may receive the following message " A request was received with an incorrect number of identities. Only single identity requests are supported. " There may also be an event 159 in the event viewer or the Web Monitor...
  • Wiki Page: Automatic Login to SharePoint 2010 with AD FS 2.0 & WS-Federation

    Table of Contents Introduction Pre-formatted Link Sample URL Broken Down Removing or Seperating Windows Authentication Links Introduction Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and you have a partner that accesses this application that also uses AD...
  • Wiki Page: AD FS 2.x: When a User is Not Authorized Access to a Relying Party, Redirect the User to a Specific Location

    Overview Consider the following scenario: You have deployed AD FS 2.x, and you wish to provide granular access to specific relying parties by utilizing Issuance Authorization Rules on each Relying Party Trust As an example, you have Contoso SharePoint as a relying party, and you wish to only...
  • Wiki Page: AD FS 2.0 & Higher: Truncate strings in claims using RegEx

    Scenario: There is an incoming claim ( or user attribute ) that is being sent to a relying party When the claim is sent, the value must not exceed a certain character limit Data that exceeds this limit must be truncated to accommodate this requirement Example: Incoming claim http...
  • Wiki Page: Understanding Claim Rule Language in AD FS 2.0 & Higher

    Table of Contents Introduction Understanding Claim Sets General Syntax of the Claim Rule Language Condition Statements Issuance Statements Multiple Conditions Combining Values Aggregate Functions Using Regular Expressions Querying Attribute Stores SQL Attribute Stores LDAP Attribute Stores Links to Additional...
Page 1 of 5 (102 items) 12345
Can't find it? Write it!