Back to ADFS Certificates

Hi there!

ADFS certificates? Yes! They come back to me as little nightmare xD, but in the end, this time was pretty simple to solve it.

The problem begun with a client call that I planned to visit the same day (for other reasons), and he was in panic because the certificates associated with the CRM and ADFS needs to be updated, since the day after will expire.

At the beginning I though, “I don’t have any idea about CRM and how to update the certificates”, but having a technical background I decided to tell him that after the meeting we could have a look to the CRM and the ADFS farm to see what was happening.

Once I finished the meeting with him, I meet with the person in charge of updating the certificates, he explained me how he updated the certificates in the CRM, but he still has a problem with the certificates in the ADFS farm, for me it was like light in the darkness, I don’t need to deal with the CRM, only with ADFS!! 1 point!

Looking to the ADFS farm, the first thing that I realized it was that he updated the decrypting and signing certificates, but the service communications shows a message saying that “It is not possible to find the certificate”. Weird… the client told me that he imports the certificates in the personal Store, so the certificates exist.

If you tried to associate a new certificate with the button “Set service communications certificate”, it fires an error in the ADFS console, but it doesn’t write anything in the event viewer. I started to check in the IIS (it was a 2.0 ADFS) the certificates, I realized that in the binding, the certificate was not associated, I associated it, okay.

Come back to the ADFS console, and try to re-associate the certificate, no luck.

I was pretty sure, that the problem was with the certificate associated, so I starts to look into my PowerShells, one PowerShell to reassociate the CS certificate by scripting, since the interface does not work. But by the time, I asked to the client if he still conserves the old certificate that he delete it, he say yes, and I asked him to reimport it again to the store.

Once the certificate was imported again, I refresh the ADFS farm… and bang!! The CS shows the old certificate, great, then my following action was to try to set the set service communication certificate, and bang! It shows the dialog where is it possible to see the old certificate and the new one, I selected the new one and finally I restarted the ADFS service.

I tested with the CRM, and it was possible to see that it connects with the new certificate 😊. So… what I learned from this experience? Never delete a certificate without first renewing it and test that everything is okay.

By the way, I found the PS to set the CS certificate, but it was not necessary to execute it:

Set-AdfsSslCertificate –Thumbprint <ThumbprintCertificate>

Set-WebApplicationProxySslCertificate –Thumbprint <ThumbprintCertificate>

Advertisement

ADFS 4.0 idpinitiatedsignon Error

Hi all,

The other day I was creating an ADFS lab in order to test some features and configurations, as you will probably know, a quick way to test an ADFS deployment is to access the idpinitiatedsignon sign page.

After I deployed my ADFS farm, I tried to access and I received the following error message: “The resource you are trying to access is not available. Contact your administrator for more information.”

At the beginning it was annoying, because I was thinking that I did someone incorrectly, so I spend some time thinking about what I did wrong, I checked the event log and I saw the following:

Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, indeed what it is saying is that the idpinitiatedsignon property is disabled. So, to check if it is this, you can execute the following PS command in the ADFS farm:

Get-AdfsProperties | fl *idpinitiatedsignon*

As you can see in the picture, it was disabled, so in order to solve this problem, just run the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

After that, all my problems were solved 😊

Enable ADFS automatic certificate rollover

Hi!

After the summer holidays, I realised that the token decripting and token signing certificates from the ADFS, were about to expire. I tried to execute the following command to update immediately the certificates:

Update-ADFSCertificate -Urgent

but I received the following message error:

To enable the ADFS automatic certificate rollover, use the below Powershell script command, this will help if you want to add a token signing certificate when the automatic certificate rollover is enabled.

Set-ADFSProperties -Autocertificaterollover $true

After doing that, I was able to update the ADFS certificates from the certificate store.

Hope it helps!

Backup rules in ADFS

If you need to back up the rules of claim provider trusts and relying-party trusts in ADFS to store version control or to migrate rules to a new federation server, this is your post.

And here is the code I used:

# Guidance for this was found here: http://social.technet.microsoft.com/wiki/contents/articles/4869.ad-fs-2-0-how-to-migrate-claim-rules-between-trusts.aspx
#
#  If you want the files saved somewhere other than C:Temp, you need to change the "$RulePath" lines below.

Import-Module ADFS

# Export the Acceptance Transform Rules for each Claim Provider Trust (except the AD one)
$claimTrusts = Get-AdfsClaimsProviderTrust | ?{$_.Name -ne "Active Directory"}
foreach ($CT in $claimTrusts) {
    $RulePath = "C:Temp" + $CT.Name.Replace(" ","") + "-AcceptanceRules.txt"
    (Get-AdfsClaimsProviderTrust -Name $CT.Name).AcceptanceTransformRules | Out-File $RulePath
    $RulePath = $null
    }

# Export all three types of rules for each Relying-Party Trust
$RPTrusts = Get-AdfsRelyingPartyTrust
foreach ($RP in $RPTrusts) {
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceTransformRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceTransformRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceAuthorizationRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-DelegationAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).DelegationAuthorizationRules | Out-File $RulePath
    }

Hope it helps!

Windows Internal Database not starting

Hi!,

Today I received a weird problem from my ADFS test environment, when I tried to navigate to the main SharePoint page it throws an error from the ADFS, so I decided to check the ADFS server to see what was the problem. To my surprise the ADFS service was stopped and when I tried to start the service it won’t fire up, things starting weird…

So after checking some things, I remember that this installation was made with the Windows Internal Database, so I decided to check the service, but it was also stopped, and when I tried to start it again it throws the following error message:

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICEMSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

I don’t know if anyone of my company changed the policies or included the server in the policies overwritting all the policies previously configured by myself, but I had to solve this issue, otherwise I cannot continue with my tasks in the project.

To solve this thing, it was needed to change the Group Policy Management in the local computer, so enter to the local policy and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments.  Edit Log on as a service and add the following groups:

IIS_WPG
NETWORK
NETWORK SERVICE
SERVICE

After this groups were added, run gpupdate/force on the server and then try to start the WID, in my case it was succesful so I was able to start again the adfs service and continue with my tests.

Hope it helps!

 

ADFS 2.0: Chrome users repeteadly prompted for credentials

Hi all!

Recently I came across into an issue related with ADFS2.0, SharePoint 2013 and Chrome. The problem was that I configured SharePoint to work with ADFS, it seems that all worked well, I tested the web application with IE and works well. But, for my surprise, when I tried to test the Web Application with Chrome it prompted the credentials several times until it shows the message of “Access Denied”

At the beggining I was stuck with the problem and also I was doubting from my initial configuration, so I tried again with IE in another web application and it worked well. First match ball saved.

So, again, I configured another time the web application to work with adfs, I tested again with IE and it worked, but when I tried with Chrome, the same behaviour as before.

So I started to dig about it, and I found 2 KB’s of Microsoft explaining the problem and possible solutions: https://support.microsoft.com/en-us/kb/2709891 and https://support.microsoft.com/en-us/kb/2461628

The first solution is to configure in each registry of the computer that experienced that problem with Chrome the following:

1. On the computer where the web browser is experiencing the issue, start Registry Editor (regedit), and locate the following subkey.
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsa

2. In the Lsa subkey, locate the SuppressExtendedProtection value. If the value does not exist, you must add it. To add the value, right-clickLsa, point to New, and then click DWORD (32-bit) Value. Type SuppressExtendedProtection, and then press ENTER.

3. Right-click SuppressExtendedProtection, click Modify, and enter 1 (REG_DWORD).

4. Click OK and close Registry Editor.

The second solution is not recommended by Microsoft, but it is still valid.

Execute the following command to disable Extended Protection TokenCheck (See notes for what this is at the bottom of this article)

1. Set-ADFSProperties –ExtendedProtectionTokenCheck None
2. Restart the Active Directory Federation Services service on each of the ADFS farm servers for the changes to take effect.  You do not need to make any changes to the proxy servers.

Notes
ExtendedProtectionTokenCheck – Copied directly from technet – Specifies the level of extended protection for authentication supported by the federation server. Extended Protection for Authentication helps protect against man-in-the-middle (MITM) attacks, in which an attacker intercepts a client’s credentials and forwards them to a server. Protection against such attacks is made possible through a Channel Binding Token (CBT) which can be either required, allowed or not required by the server when establishing communications with clients.  http://technet.microsoft.com/en-us/library/ee892317.aspx

The other option is in the ADFS server, change the following:

Open IIS Management and browse Down to the LS Site. Open Authentication and choose Windows Authentication. Then Advanced Settings in Your right sidebar:

Set Extended Protection to Off.

After I made one of these changes, I was able to login to the Web Application with Chrome

Hope it helps!

O365 – How to renew your certificates

Hi! Today I will talk about something that happens recently in one of our O365 deployments. We renewed our SSL certificates in our ADFS server, but when any administrator user Access to the O365 portal they were receiving the following alert inside the poertal:

Renew your certificates
One of your on-premises Federation Service certificates is expiring. Failure to renew the certificate and update trust properties within XX days will result in a loss of access to all Office 365 services for all users

Solution: This error can be caused if any of the three primary SSL Certificates that are required to federate to an external identity are nearing their experation date. In this case we know that this was a false positive, and automatically the certificate in the O365 tenant will be replaced, but some people at o our company were complaining about this message, so we decided to force to update the certificate.

So once again, we need some powershell to do that, let’s start

Open up the Windows Azure Active Direcotry Module for Windows PowerShell as an administrator.

Execute the following command: Connect-MsolService and enter your Office 365 administrator credentials

Execute the following command: Update-MsolFederatedDomain -DomainName yourdomain.com -SupportMultiDomain

Is it necessary to replace “yourdomain.com” with your federated domain. In case you have multiple domains you are federating with Office 365, add the optional -SupportMultiDomain parametyer as well.

Hope it helps!

Customizing the ADFS forms based login page

By default the login page for the ADFS is very ugly, so this post will talk about how to customize it. This post will be divided into ADFS 2.0 and ADFS 3.0

Customize login page for ADFS 2.0

First of all, we have to do this modifications in the ADFS Proxy Server, so let’s begin:

Adding a Logo
Logo image file should be 600×100
Save image file to c:inetpubadfslslogo.jpg (or logo.png)
Open c:inetpubadfslsweb.config in notepad
Locate text
<!–
<add key=”logo” value=”logo.jpg” />
–>
Remove the “<!–” and “–>” to uncomment the section. Change filename to match the logo you saved.
Save file and close

Change the “Example” Instructions

• Go to C:inetpubadfslsApp_GlobalResources
• Edit file CommonResources.en.resx in Notepad (replace the “en” with your localization code if not English)
• Locate text:
  <data name=”UsernameExample” xml:space=”preserve”>
  <value>Example: DomainUsername</value>
  </data>
• Edit this text to be what you want
• Save File and close

Change the Instruction Text

• Edit CommonResources.en.resx in Notepad as per item above
• Locate text:

  <data name=”FormsSignInHeader” xml:space=”preserve”>

  <value>Type your user name and password.</value>

  </data>

• Edit this text to be what you want
• Save file and close

Change the Page Title

• Go to C:inetpubadfslsApp_GlobalResources
• Edit file CommonResources.en.resx in Notepad
• Locate text:
  <data name=”FormsSignInPageTitle” xml:space=”preserve”>
  <value>Sign In</value>
  </data>
• Edit this text to be what you want
• Save File and close
  

Remove or Change the Hostname Header Above the Login Box

• Go to C:inetpubadfslsMasterPages
• Edit MasterPage.master.cs in Notepad
• Locate text:
  {
  PageTitleLabel.Text = Page.Title;
  STSLabel.Text = FriendlyName;
  }
• Change this text to what you want. Your text MUST BE IN QUOTES. Like this
  STSLabel.Text = “Contoso Limited Single Sign On”;
• Save File and close

More information: Here

Customize login page for ADFS 3.0

To make this changes is pretty easy, and we will done them by Powershell!!

So, we need to enter into ADFS and open a Powershell CMD as Administrator, and type the following:

 
Import-Module ADFS
#This simply adds the ADFS commands to PowerShell. It’s necessary so the rest can run.</
SetAdfsGlobalWebContent CompanyName "Your company name
#This sets the name that is listed above the logon form
Set-AdfsWebTheme -TargetName default -Logo @{path=”c:Contosologo.png”}
#To set a logo
Set-AdfsWebTheme -TargetName default -Illustration @{path="c:background.png"}
#This sets the “illustration” – the image to the right of the sign-in form. Just change the path from “c:background.png” to the path to your image. Microsoft recommends the dimensions for the illustration to be 1420×1080 pixels @ 96 DPI with a file size of no greater than 200 KB
Set-AdfsGlobalWebContent -SignInPageDescriptionText "<P><B>Sign-in requires format yourdomainusername.</B></P>" 
#This inserts the text right below the sign-in screen – it uses basic HTML for formatting. Simply type whatever text you want between the quotation marks.

And that’s it! Just a few simple changes and you have your custom ADFS 3.0 logon page! If you want other ways to change this, visit https://technet.microsoft.com/en-us/library/dn280950.aspx

Cheers!

 

SharePoint 2013: The SAML Assertion is either not signed or the signature…

Hi again!

Today I’m gonna explain a problem that I recently faced, I received a call from a customer, complaining about the SharePoint portal was down. Firstly, I tried to access to the portal and I was alarmed, I only see the error like: “Default Error in application server” nothing more. I observed that in the url stuck on https://appweb/_trust so I guess that something was happening with the ADFS.

I decided to check the Event Viewer log, and I found errors like the following:

Exception message: ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken.
   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

So, after viewing that, we decided to ask to customer IT deparment if they has renewed the ADFS certificate, and bang! was that the reason of the error. So all you need to solve this problem is to renew the ADFS certificate in the SharePoint Server. To do that, you have to execute the following PowerShell scripts:

 

$certPath = "C:certstokensigner.cer"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certPath")
New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $cert
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

 

ADFS for Sharepoint: Cert Expiring

Hi again,

Next post of the series, is a problema that happen once time in one of our customers farm

If your ADFS cert is expiring, the SharePoint site will throw this error: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver

To resolve this, just go into your ADFS server, export the new Token Signing certificate, then run this in CA server:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“D:SSL CertificateADFSCert.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Certificate” -Certificate $cert $sts =

Get-SPTrustedIdentityTokenIssuer $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

And voila! it will start working again.