ADFS 4.0 idpinitiatedsignon Error

Hi all,

The other day I was creating an ADFS lab in order to test some features and configurations, as you will probably know, a quick way to test an ADFS deployment is to access the idpinitiatedsignon sign page.

After I deployed my ADFS farm, I tried to access and I received the following error message: “The resource you are trying to access is not available. Contact your administrator for more information.”

At the beginning it was annoying, because I was thinking that I did someone incorrectly, so I spend some time thinking about what I did wrong, I checked the event log and I saw the following:

Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, indeed what it is saying is that the idpinitiatedsignon property is disabled. So, to check if it is this, you can execute the following PS command in the ADFS farm:

Get-AdfsProperties | fl *idpinitiatedsignon*

adfs.png

As you can see in the picture, it was disabled, so in order to solve this problem, just run the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

After that, all my problems were solved 😊

ADFS: Configure your password change

Users are always allowed or forced to change their passwords, and sometimes this actions increment the amount of work to IT. However, in ADFS 3.0 include a feature that enable a self-service portal password change available for your end-users.

So this post tries to follow the steps to configure it:

  • First, enable the Password Change Portal:Open your AD FS Management tool on the primary server, navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy.
  • Test change password portal: browse to https://sts.domain.com/adfs/portal/updatepassword you will similar to the adfs login page where you can update your password
  • Enable password expiry notification: You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. To do this it is necessary to configure a Claim Rule:

c1:[Type == “http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”%5D => issue(store = “_PasswordExpiryStore”, types = (“http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”, “http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays”, “http://schemas.microsoft.com/ws/2012/01/passwordchangeurl”), query = “{0};”, param = c1.Value);

  • Finally: you can tweak your ADFS login page to show a link to the change password portal

That’s all!

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization

 

Enable ADFS automatic certificate rollover

Hi!

After the summer holidays, I realised that the token decripting and token signing certificates from the ADFS, were about to expire. I tried to execute the following command to update immediately the certificates:

Update-ADFSCertificate -Urgent

but I received the following message error:

adfscert.PNG

To disable the ADFS automatic certificate rollover, use the below Powershell script command, this will help if you want to add a token signing certificate when the automatic certificate rollover is enabled.

Set-ADFSProperties -Autocertificaterollover $true

After doing that, I was able to update the ADFS certificates from the certificate store.

Hope it helps!

Backup rules in ADFS

If you need to back up the rules of claim provider trusts and relying-party trusts in ADFS to store version control or to migrate rules to a new federation server, this is your post.

And here is the code I used:

# Guidance for this was found here: http://social.technet.microsoft.com/wiki/contents/articles/4869.ad-fs-2-0-how-to-migrate-claim-rules-between-trusts.aspx
#
#  If you want the files saved somewhere other than C:Temp, you need to change the "$RulePath" lines below.

Import-Module ADFS

# Export the Acceptance Transform Rules for each Claim Provider Trust (except the AD one)
$claimTrusts = Get-AdfsClaimsProviderTrust | ?{$_.Name -ne "Active Directory"}
foreach ($CT in $claimTrusts) {
    $RulePath = "C:Temp" + $CT.Name.Replace(" ","") + "-AcceptanceRules.txt"
    (Get-AdfsClaimsProviderTrust -Name $CT.Name).AcceptanceTransformRules | Out-File $RulePath
    $RulePath = $null
    }

# Export all three types of rules for each Relying-Party Trust
$RPTrusts = Get-AdfsRelyingPartyTrust
foreach ($RP in $RPTrusts) {
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceTransformRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceTransformRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-IssuanceAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).IssuanceAuthorizationRules | Out-File $RulePath
    $RulePath = "C:Temp" + $RP.Name.Replace(" ","") + "-DelegationAuthRules.txt"
    (Get-AdfsRelyingPartyTrust -Name $RP.Name).DelegationAuthorizationRules | Out-File $RulePath
    }

Hope it helps!

Windows Internal Database not starting

Hi!,

Today I received a weird problem from my ADFS test environment, when I tried to navigate to the main SharePoint page it throws an error from the ADFS, so I decided to check the ADFS server to see what was the problem. To my surprise the ADFS service was stopped and when I tried to start the service it won’t fire up, things starting weird…

So after checking some things, I remember that this installation was made with the Windows Internal Database, so I decided to check the service, but it was also stopped, and when I tried to start it again it throws the following error message:

Service: MSSQL$MICROSOFT##WID
Domain and account: NT SERVICEMSSQL$MICROSOFT##WID

This service account does not have the required user right “Log on as a service.”

I don’t know if anyone of my company changed the policies or included the server in the policies overwritting all the policies previously configured by myself, but I had to solve this issue, otherwise I cannot continue with my tasks in the project.

To solve this thing, it was needed to change the Group Policy Management in the local computer, so enter to the local policy and navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignments.  Edit Log on as a service and add the following groups:

IIS_WPG
NETWORK
NETWORK SERVICE
SERVICE

After this groups were added, run gpupdate/force on the server and then try to start the WID, in my case it was succesful so I was able to start again the adfs service and continue with my tests.

Hope it helps!

 

Using Wevtutil to capture and view the ADFS Debug log

When troubleshooting ADFS server-side issues it can be useful to turn on ADFS Debug logging on the server.

To enable the ADFS debug event log, run the following in a CMD command prompt:

wevtutil sl “AD FS 2.0 Tracing/Debug” /E:true

Running the same command with /E:False disables the debug logging again.

After you have enabled it, reproduce the problem scenario and then run the following to dump out the log and convert it into XML format that you can then view:
To dump out the debug log after have been reproduced:

wevtutil epl “AD FS 2.0 Tracing/Debug” %computername%-ADFSDebuglogs.elf

To convert to it to XML

wevtutil qe %computername%-ADFSDebuglogs.elf /lf:True /f:xml