January 2011 - Posts

ADFS v2 Troubleshooting
26 January 11 12:20 PM | forefrontsecurity | with no comments

A few weeks ago I published a post about ADFS v2, mentioning that it was a bit complicated to troubleshoot.

I recently had to solve an ADFS problem encountered with a colleague who was trying to set it up for Office 365 federation. Bear in mind that I was working with the beta version of Office 365.

Again, troubleshooting was not obvious, so I would like to share the steps I followed to find out what the problem was.

First of all, here is a small diagram of the architecture I was working with:


Let’s call the domain Company.test

The user we are working with is TestUser6@company.com (a custom UPN suffix, company.com, had been added to the domain company.test).

The point of this configuration is to enable transparent, integrated authentication to the Office 365 website.

When configuring the ADFS V2 server, we tell it to publish the ADFS authentication website as sts.company.test, so basically when users try to authenticate to the microsoftonline website they are redirected to the sts.company.test ADFS website for authentication.

This is the basic configuration of the federation service:


The ADFS relying party trust configuration is done automatically through some PowerShell scripts.

This configuration works perfectly as is: you are able to log in to the microsoftonline website with your Active Directory credentials.

Now here is the tricky part: the client requested that the sts.company.test website be turned into sts.company.com.

So we reconfigured the federation service to use the .com name:


I will skip the whole configuration, but basically you need to generate a new certificate for sts.company.com, bind it in IIS, and then add it in the ADFS configuration interface.

Now, after updating the relying party trust, we can't log in to the microsoftonline website anymore; we get this error:


And now the troubleshooting begins.

First of all:

Install Fiddler or HttpWatch on the client computer:



Then install Microsoft Network Monitor on the federation server and on the domain controller:


Activate the logging and tracing events on the federation server:


Go to the Event Viewer and enable the Analytic and Debug logs:


And enable the ADFS 2.0 tracing logs:


Enable auditing of ADFS events by running this command on the ADFS server:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
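The same preparation done from an elevated PowerShell prompt on the federation server, as an added example that is not part of the original post. It switches the ADFS 2.0 debug channel and the audit subcategory on together, reports what is enabled, and gives you the reverse for clean-up (debug channels grow quickly and should not be left on). The channel name "AD FS 2.0 Tracing/Debug" is assumed to match what Event Viewer shows on an ADFS 2.0 server; the auditpol command is the one from the post.

```powershell
# Added example, not from the original post: enable and later disable the
# ADFS 2.0 diagnostic logging described above. Assumed channel name below.

$TraceLogName = 'AD FS 2.0 Tracing/Debug'   # assumption: name as shown in Event Viewer

function Set-AdfsTraceLog {
    # Turns the analytic/debug channel on or off. Debug channels are disabled
    # by default and ADFS writes no trace events until one is enabled.
    param([bool]$Enabled)
    $log = Get-WinEvent -ListLog $TraceLogName
    $log.IsEnabled = $Enabled
    $log.SaveChanges()
}

function Set-AdfsAuditPolicy {
    # Success/failure auditing of "Application Generated" is what makes the
    # ADFS service write its audit events to the Security log. This is the
    # auditpol command from the post, plus its reverse for clean-up.
    param([bool]$Enabled)
    $state = if ($Enabled) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"Application Generated" /failure:$state /success:$state | Out-Null
}

function Get-AdfsDiagnosticState {
    # Reports what is currently switched on, so the setup can be confirmed
    # before reproducing the logon and the clean-up confirmed afterwards.
    $log = Get-WinEvent -ListLog $TraceLogName
    $auditLine = (& auditpol.exe /get /subcategory:"Application Generated") |
        Where-Object { $_ -match 'Application Generated' }
    New-Object PSObject -Property @{
        TraceLogEnabled   = $log.IsEnabled
        TraceLogRecords   = $log.RecordCount
        TraceLogMaxBytes  = $log.MaximumSizeInBytes
        AuditSetting      = ("$auditLine" -replace '^\s*Application Generated\s*', '').Trim()
    }
}

# Turn everything on and check, then reproduce the failing logon to microsoftonline.
Set-AdfsTraceLog -Enabled $true
Set-AdfsAuditPolicy -Enabled $true
Get-AdfsDiagnosticState

# After collecting the evidence, return the server to its normal state:
# Set-AdfsTraceLog -Enabled $false
# Set-AdfsAuditPolicy -Enabled $false
```

Get-AdfsDiagnosticState is worth running a second time after the clean-up lines, so the debug channel does not stay enabled on a production federation server.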

You are now ready to follow the course of your SAML token and see where the error appears.

Let’s start by monitoring what’s happening on the client when it tries to connect to the website.

I used HttpWatch Pro to check this.

This shows that the client is indeed redirected to the STS ADFS website and sends it the logon information:


Looking into the details of this trace we find that all the information sent to the ADFS server is correct:


Query string sent:


Now let’s monitor the traffic going through the ADFS server.

Using Network Monitor, filter the captured frames by Authentication:

This is what you should get:


Highlighted in yellow is the traffic between AD and the ADFS server.

Checking the details of this traffic, we see that the user we tried to log on to the website with is actually reaching AD:


And AD replies with success, sending the requested information to the ADFS server.


For now, everything seems to be fine with the ADFS server and the traffic going through it.

Let’s check the logs for more information.

The trace logs show that the authentication process is fine:


The Admin log only shows errors related to the ADFS service itself, and these are fine too:


The System log shows the audit events related to the ADFS authentication request against Active Directory, and in my case those were clean too.
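Reading the trace, Admin, System and Security logs one after the other, as done by hand above, is easier when the ADFS-related entries from all of them are merged into a single timeline for the window in which the logon was reproduced. The following is an added example, not part of the original post; it assumes the ADFS 2.0 channel names "AD FS 2.0/Admin" and "AD FS 2.0 Tracing/Debug", that the audit entries in the Security log carry a provider name containing "AD FS" (check one real event first), and an elevated prompt, which reading the Security log requires.

```powershell
# Added example, not from the original post: one timeline of ADFS-related events
# from the trace, Admin, System and Security logs for a given time window.

function Get-AdfsEventsSince {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-15),
        [switch]$ErrorsOnly
    )

    $events = @()

    # Admin and System channels can be queried newest-first as usual.
    foreach ($logName in 'AD FS 2.0/Admin', 'System') {          # assumed channel names
        $events += Get-WinEvent -FilterHashtable @{ LogName = $logName; StartTime = $Since } `
                   -ErrorAction SilentlyContinue
    }

    # Analytic/debug channels can only be read oldest-first, so -Oldest is required.
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0 Tracing/Debug'; StartTime = $Since } `
               -Oldest -ErrorAction SilentlyContinue

    # Security log: keep only entries written by the ADFS service (provider name
    # match is an assumption; verify against ProviderName of one real audit event).
    $events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Since } `
               -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -like '*AD FS*' }

    # Empty queries add $null entries; drop them before filtering and sorting.
    $events = $events | Where-Object { $_ -ne $null }

    if ($ErrorsOnly) {
        # Level 1 = Critical, 2 = Error; Security audit failures carry the
        # AuditFailure keyword 0x10000000000000 rather than an error level.
        $events = $events | Where-Object { $_.Level -le 2 -or ($_.Keywords -band 0x10000000000000) }
    }

    $events | Sort-Object TimeCreated | ForEach-Object {
        New-Object PSObject -Property @{
            Time     = $_.TimeCreated
            Log      = $_.LogName
            Id       = $_.Id
            Level    = $_.LevelDisplayName
            Provider = $_.ProviderName
            Message  = ($_.Message -split "`r?`n")[0]   # first line of the message only
        }
    }
}

# Everything from the last 15 minutes, i.e. the window in which the logon was reproduced;
# add -ErrorsOnly to see just failures, or -Since to widen the window.
Get-AdfsEventsSince | Format-Table Time, Log, Id, Level, Message -AutoSize
```

Because the timeline includes the Security-log audit entries next to the trace events, the point at which the request stops progressing (a successful AD lookup followed by no token issuance, for example) is visible in one listing instead of four.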

All this troubleshooting led us to believe that the issue was with the Microsoft Online service, which was still in beta and did not support some of the setting changes we made.

The issue will, however, be solved soon.

This post was meant to lead you through an ADFS troubleshooting process.

Hope this helps.


Posted by Hicham Bardawil

UAG SP1 Transparent Logon with ADFS V2
07 January 11 04:40 PM | forefrontsecurity | with no comments

Forefront UAG’s Service Pack 1 was recently released, and with it the ability to automatically log in to your UAG portal without having to authenticate manually. This feature is activated when configuring ADFS V2 as an authentication repository.

Pretty exciting, since those two technologies are quite recent and fun to work with.

I’ll show in this post how to configure ADFS to work with UAG.

Begin by installing and configuring ADFS on a server in your LAN. I used my domain controller and installed the ADFS V2 package I found here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en

The ADFS role integrated in Windows Server doesn’t work as well, for some reason…

I’ll let you install and do the basic ADFS configuration on your own; it’s pretty simple and there are lots of resources on the net. Here’s one that should help:


Once the installation is complete you’ll have a federation metadata address of the form https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml, which you will need when configuring UAG.

In the ADFS 2.0 MMC, go to the Certificates folder and import the token-encryption certificate into the local certificate store of both the ADFS server and UAG.


1- UAG Configuration:

Create a new trunk:


Choose to create a portal trunk, not an Active Directory Federation Services trunk as you might be inclined to (the latter is for the old ADFS V1).


Set up the trunk as you usually do:


When choosing the authentication repository:


select ADFS V2.

The URL of the federation metadata file is the one created when you installed ADFS V2:


Click Retrieve Metadata and select Name as the claim value to be used as the leading value.


Complete the “create trunk wizard” and copy the federation metadata link displayed at the bottom of the page.


Finish and activate the configuration.

To make my configuration easier, what I did was copy this file directly to the ADFS server.

The file is called federationmetadata.xml and is located here:

“C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\extranet\FederationMetadata\2007-06”
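Before importing a federation metadata file into the other side (the UAG file into ADFS, or ADFS's published metadata into UAG), it is worth reading out what it actually contains: the entity ID, the hostnames of its endpoints, and the thumbprints of the certificates embedded in it, which must match the certificate you imported into the local store. The following is an added example and not UAG's or ADFS's own code; the sample document at the bottom is constructed for the example (invented entity ID and hostname), and its X509Certificate content is a placeholder blob, not a real certificate, so no expiry date can be read from it.

```powershell
# Added example, not from the original post: summarise a federation metadata
# document (file or URL) before importing it into UAG or ADFS.

function Get-FederationMetadataSummary {
    param([string]$PathOrUrl)
    if ($PathOrUrl -match '^https?://') {
        # TLS certificate validation is left on: metadata must come over a trusted channel.
        $xmlText = (New-Object System.Net.WebClient).DownloadString($PathOrUrl)
    } else {
        $xmlText = [IO.File]::ReadAllText($PathOrUrl)
    }
    ConvertFrom-FederationMetadata $xmlText
}

function ConvertFrom-FederationMetadata {
    param([string]$XmlText)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($XmlText)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()

    # Every KeyDescriptor, whether under SPSSODescriptor, IDPSSODescriptor or the
    # WS-Federation RoleDescriptor. The thumbprint is the SHA-1 of the DER bytes,
    # which is what the Windows certificate store displays, so the two can be compared.
    $keys = foreach ($kd in $doc.SelectNodes('//md:KeyDescriptor', $ns)) {
        $b64 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
        $der = [Convert]::FromBase64String(($b64 -replace '\s', ''))
        $notAfter = $null
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            $notAfter = $cert.NotAfter
        } catch { }   # placeholder or malformed blob: the thumbprint is still reported
        New-Object PSObject -Property @{
            Use        = $kd.GetAttribute('use')
            Thumbprint = ([BitConverter]::ToString($sha1.ComputeHash($der))) -replace '-', ''
            NotAfter   = $notAfter
        }
    }

    # Every element carrying a Location; the hostname is what has to match the
    # published federation service name (the sts.company.test vs .com change in
    # the earlier post is exactly where this bites).
    $endpoints = foreach ($ep in $doc.SelectNodes('//md:*[@Location]', $ns)) {
        New-Object PSObject -Property @{
            Endpoint = $ep.LocalName
            Binding  = $ep.GetAttribute('Binding')
            Location = $ep.GetAttribute('Location')
            Host     = ([Uri]$ep.GetAttribute('Location')).Host
        }
    }

    New-Object PSObject -Property @{
        EntityId  = $entity.GetAttribute('entityID')
        Keys      = $keys
        Endpoints = $endpoints
        Hosts     = @($endpoints | ForEach-Object { $_.Host } | Sort-Object -Unique)
    }
}

# Constructed sample standing in for UAG's federationmetadata.xml; entity ID and
# hostname are invented, and the certificate content is a placeholder blob.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:uag:extranet">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uag.company.test/InternalSite/ADFSv2Sites/extranet/" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
'@

$summary = ConvertFrom-FederationMetadata $sampleMetadata
$summary.EntityId
$summary.Hosts
$summary.Keys | Format-Table Use, Thumbprint, NotAfter -AutoSize
```

For the real file, call Get-FederationMetadataSummary with the path quoted in the post, or with the https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml address to inspect what ADFS publishes; a thumbprint that does not match the certificate in the local store, or an endpoint host that differs from the name clients are sent to, is worth resolving before the trust is created.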

2- ADFS configuration

The next step is to configure ADFS to allow Active Directory users to authenticate to the UAG portal.

In the ADFS V2 console, add a relying party trust:


In the Select Data Source window, either paste the link you got from the UAG trunk creation wizard or point to the federation metadata file you copied to the server, as I did below.


Proceed with the default remaining settings and finish.

Finally, you need to configure the claim rule template you would like to apply to your trust.

Basically, here you are telling ADFS which attribute values to read from your Active Directory users and send to the UAG portal as claims.

Select Send LDAP Attributes as Claims.


Choose Active Directory as your attribute store and select the attributes you would like to put in your outgoing claims.


Once you are done, the transparent authentication should work perfectly.
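The relying party trust and claim rules from section 2, expressed with the ADFS 2.0 PowerShell snap-in instead of the console wizards, as an added example that is not from the original post or from the UAG/ADFS products. It assumes the Microsoft.Adfs.PowerShell snap-in is registered on the federation server, that the UAG metadata file sits at the path quoted earlier in the post, and it invents the trust display name "UAG portal". The issuance rule is the one the "Send LDAP Attributes as Claims" template produces, issuing the Name claim that UAG uses as its leading value; the authorization rule shows both the wizard default (permit everyone) and a tighter variant limited to one group, with a placeholder SID.

```powershell
# Added example, not from the original post: create the UAG relying party trust
# from its metadata file and apply the claim rules through the ADFS 2.0 snap-in.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$TrustName    = 'UAG portal'    # invented display name
$MetadataFile = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\ADFSv2Sites\extranet\FederationMetadata\2007-06\federationmetadata.xml'

# "Send LDAP Attributes as Claims": for the authenticated Windows account, read
# userPrincipalName and mail from Active Directory and issue them as the Name
# and E-Mail Address claims (Name is the leading value chosen in the trunk wizard).
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "UAG: name and e-mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";userPrincipalName,mail;{0}", param = c.Value);
'@

# Authorization rules. The wizard default lets every AD account reach the portal;
# the second variant permits only members of one group (placeholder SID below).
$PermitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$PermitGroup = @'
@RuleName = "UAG: permit portal users group only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-PLACEHOLDER-1234$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

function Install-UagRelyingPartyTrust {
    param([string]$AuthorizationRules = $PermitAll)

    if (-not (Get-ADFSRelyingPartyTrust -Name $TrustName)) {
        # Equivalent of "Add Relying Party Trust" with "import data from a file".
        Add-ADFSRelyingPartyTrust -Name $TrustName -MetadataFile $MetadataFile
    }
    Set-ADFSRelyingPartyTrust -TargetName $TrustName `
        -IssuanceTransformRules $IssuanceRules `
        -IssuanceAuthorizationRules $AuthorizationRules

    # Return what ended up in the trust so it can be checked against the console.
    Get-ADFSRelyingPartyTrust -Name $TrustName |
        Select-Object Name, Identifier, IssuanceTransformRules, IssuanceAuthorizationRules
}

# Wizard-equivalent setup; pass -AuthorizationRules $PermitGroup to restrict the portal to one group.
Install-UagRelyingPartyTrust -AuthorizationRules $PermitAll
```

Keeping the rules in a script also makes the trust reproducible: when the federation service name or certificate changes, as in the earlier troubleshooting post, the trust can be recreated from the current metadata file with the same rules instead of being re-clicked through the wizard.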

3- Troubleshooting:

ADFS troubleshooting is not straightforward; you will need to monitor your web traffic using software such as Fiddler or HttpWatch and see what is being transmitted.


Published by Hicham Bardawil
