Browse by Tags

Tagged Content List
  • Wiki Page: AD FS 2.x: Error Event IDs 102 and 277 - The type initializer for 'TraceUtil' threw an exception

    Symptom AD FS 2.x is not able to issue tokens, and the AD FS Management console shows that it is not able to connect to the configuration database. The AD FS Admin Event Log contains the following events with the following XML data: Log Name: AD FS 2.0/Admin Source: AD FS 2.0...
  • Wiki Page: AD FS 2.0: Understanding AutoCertificateRollover Threshold Properties

    Item Sample Value Description of Item Effect AutoCertificateRollover True Specifies whether the system will manage certificates for the administrator and generate new certificates before the expiration date of current certificates. ...
  • Wiki Page: AD FS 2.0: Asserting the NameID Claim Type with Additional Properties

    Overview The SAML NameID claim type is a special claim type used to identify the principal of the session, and this claim type can be asserted containing only the value data, or you can also choose to assert additional NameID properties. Below, you will find a Claim Rule Language sample, which...
  • Wiki Page: AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"

    Symptoms Token issuance fails The following events are logged in the AD FS 2.0/Admin Event Log: Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 2/14/2011 1:32:23 PM Event ID: 323 Task Category: None Level: Error Keywords: AD FS User: NETWORK SERVICE Computer...
  • Wiki Page: Automatic Login to SharePoint 2010 with AD FS 2.0 & WS-Federation

    Table of Contents Introduction Pre-formatted Link Sample URL Broken Down Removing or Separating Windows Authentication Links Introduction Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and you have a partner that accesses this application that also uses AD...
  • Wiki Page: AD FS 2.x: When a User is Not Authorized Access to a Relying Party, Redirect the User to a Specific Location

    Overview Consider the following scenario: You have deployed AD FS 2.x, and you wish to provide granular access to specific relying parties by utilizing Issuance Authorization Rules on each Relying Party Trust As an example, you have Contoso SharePoint as a relying party, and you wish to only...
  • Wiki Page: Understanding Claim Rule Language in AD FS 2.0 & Higher

    Table of Contents Introduction Understanding Claim Sets General Syntax of the Claim Rule Language Condition Statements Issuance Statements Multiple Conditions Combining Values Aggregate Functions Using Regular Expressions Querying Attribute Stores SQL Attribute Stores LDAP Attribute Stores Links to Additional...
  • Wiki Page: AD FS 2.0: How to Bulk Add Trust Relationships and Claim Rules for Testing

    Overview Included in this article is a Powershell script sample which allows bulk additions and deletions of test Claims Provider Trusts, Relying Party Trusts, and Claim Rules. These test trust relationships and claim rules may be useful for web testing in a lab environment. Usage Be...
  • Wiki Page: AD FS 2.x: Troubleshooting Proxy Server Event ID 230 (Congestion Avoidance Algorithm)

    Symptoms Client requests that traverse an AD FS 2.x Proxy server intermittently fail The AD FS/Admin Event Log contains event ID 230 showing that the proxy is experiencing congestion Possible Cause 1 The internal AD FS 2.x Federation Server is overloaded with requests Possible...
  • Wiki Page: AD FS 2.x: How to Tune or Disable Infinite Loop Detection (MSISLoopDetectionCookie)

    AD FS 2.x, by default, writes a cookie to web passive clients named MSISLoopDetectionCookie . This cookie holds a timestamp value and a number of tokens issued value so that AD FS can keep track of how often and how many times a passive client has visited the Federation Service within a specific timespan...
  • Wiki Page: AD FS 2.0: Auto-Populate the Username Field of the Forms Sign-in Page When Signing in to Office 365

    When signing in to Office 365 and the " Keep me signed in " checkbox has not previously been checked, an external federated user must type the username two times: Once on the Office 365 sign-in page, and again on the forms-based sign-in page of the AD FS 2.0 Proxy server. Federated users...
  • Wiki Page: AD FS 2.0: How to Back Up the Federation Service

    Summary The method used to back up an AD FS 2.0 Federation Service differs depending on the deployment option you have: Standalone or Windows Internal Database (WID) Farm - Requires a System State backup of all volumes involved. If you changed the default location of any AD FS 2.0 components...
  • Wiki Page: CRM 2011: How to Enable Verbose Windows Identity Foundation (WIF) Tracing for Claims-Based Authentication

    Overview When CRM 2011 is configured for claims-based authentication (CBA), Windows Identity Foundation (WIF) is utilized. When troubleshooting CBA, it may be necessary to gather tracing data from the CRM 2011 server. This article details the steps needed in order to create verbose WIF traces from...
  • Wiki Page: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates

    Table of Contents Replacing the SSL and Service Communications certificate Replacing the Token-Signing certificate Replacing the Token-Decrypting certificate More Information Were you looking for AD FS 1.x information regarding certificate replacement? Have you recently enabled AutoCertificateRollover...
  • Wiki Page: AD FS 2.0: How to Utilize a Single Relying Party Trust for Multiple Web Applications that Share the Same Identifier

    A common request we receive from customers is: "I have multiple environments for the same web application. For example, development (DEV), staging (STAGE), and production (PROD). I want to create one Relying Party (RP) Trust in AD FS 2.0 which utilizes a single set of issuance claim rules,...
  • Wiki Page: AD FS 2.0: Guidance for Selecting and Utilizing a Federation Service Name

    Prior to deploying AD FS 2.0, it is essential that a Federation Service Name is selected, and there are some important items to consider before selecting the Federation Service Name. Items for Consideration 1. The Federation Service Name must never equal any machine name in the Active...
  • Wiki Page: AD FS 2.0: How to Consume RelayState to Automate Access to Relying Parties During IDP-Initiated Sign-On

    “This article has been retired since a fix for this issue has recently been made available. For details about what RelayState issue was fixed, see Description of Update Rollup 2 for Active Directory Federation Services (AD FS) 2.0 or Supporting Identity Provider Initiated RelayState .”
  • Wiki Page: AD FS 2.0: How To Modify The Duration of AutoCertificateRollover Certificates

    Overview By default in AD FS 2.0, the self-signed certificates generated by AutoCertificateRollover are valid for 365 days. Although AD FS 2.0 will maintain these certificates for the service, it is the responsibility of the AD FS 2.0 administrator or the Claims Provider/Relying Party partner administrator...
  • Wiki Page: AD FS 2.0: How to Automatically Add the AD FS 2.0 Powershell Snap-in When Launching Powershell

    If you often administer your AD FS 2.0 Federation Service using PowerShell, there is an easy way to automatically add the AD FS 2.0 PowerShell snap-in when the PowerShell console window is launched. Overview PowerShell loads a profile for the user when the console window is launched. We...
  • Wiki Page: AD FS 2.0: "The request specified an Assertion Consumer Service URL that is not configured on the relying party"

    Symptoms Sign-in fails The following events are logged in the AD FS 2.0/Admin event log: Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 07/28/2011 05:15:28 PM Event ID: 364 Level: Error User: CONTOSO\ADMIN Computer: adfs.contoso.com Encountered error during federation...
  • Wiki Page: AD FS 2.0: How to Migrate Claim Rules Between Trusts

    Overview This article demonstrates how to migrate claim rules from one trust in AD FS 2.0 to another trust in AD FS 2.0. This may be useful when you are creating multiple trust relationships which will utilize similar claim rules, or when you are migrating configuration data between test, staging...
  • Wiki Page: AD FS 2.0: How to Use Fiddler Web Debugger to Analyze a WS-Federation Passive Sign-In

    This article's purpose is to demonstrate how to utilize Fiddler Web Debugger to analyze traffic in a WS-Federation sign-in conversation, specifically for AD FS 2.0. If you are looking for Fiddler debugging information for another protocol such as WS-Trust or SAML 2.0, please see the More Information...
  • Wiki Page: Federation Extensions for SharePoint 3.0 - ID1013: "Could not access the server hosting the WS-Federation metadata document. Object Identifier (OID) is unknown."

    Symptoms While executing Federation Extensions for SharePoint 3.0 on Windows Server 2003, the utility fails with the following error: ID1013: Could not access the server hosting the WS-Federation metadata document. Object Identifier (OID) is unknown Cause This is related to SHA2 support...
  • Wiki Page: AD FS 2.0: How to Request a Specific Name ID Format from a Claims Provider (CP) During SAML 2.0 Single-Sign-On (SSO)

    When AD FS 2.0 is the Service Provider Security Token Service (STS) and is involved in SAML 2.0 passive web SSO, there may be a requirement from the CP (also known as Identity Provider or IDP) to have AD FS 2.0 instruct the CP as to which Name ID Format is required. SAML 2.0 protocol specifies an...
  • Wiki Page: Active Directory Federation Services (ADFS) Wiki Articles

    This page provides a quick overview of the Technet Wiki articles related to ADFS (Active Directory Federation Services). The Wiki search engine provides you with the latest updates, but it does not provide a comprehensive overview, nor are the search results grouped (yet). This page focusses on...
Page 1 of 2 (37 items)