ADFS v2 Troubleshooting
I published few weeks earlier a post about ADFS v2, mentioning that it was a bit complicated to troubleshoot,
I recently had to solve an ADFS problem I encountered with a colleague that was trying to set it up for Office 365 Federation bear in mind that I am working with the beta version of office 365
Again, troubleshooting was not obvious, i would like to share with you the steps I followed in order to find out what was the problem.
First of all here is a small design of the architecture i was working with:
Let’s call the domain Company.test
The user we are working with TestUser6@company.com (we had a custom UPN added to the domain company.test)
The point of this configuration is to enable invisible and integrated authentication to the office 365 website.
When configuring the ADFS V2 server, we tell it to publish the ADFS authentication website to STS.Company.test, so basically when users try to authenticate to the microsoftonline website they are redirected to the sts.company.test ADFS website for authentication.
This is the basic configuration of the federation service :
The ADFS relaying party trust configuration is done automatically through some PowerShell scripts
The configuration as is works perfectly, you are able to login to the microsoftonline website with your Active directory credentials.
Now here is the tricky part, the client requested that the sts.company.test website be turned into sts.company.com
So we reconfigure the federation service into .com
I will skip the whole configuration but basically you need to generate a new certificate for the sts.company.com and bind it in IIS and then add it to the ADFS configuration interface.
Now after updating the relaying party trust
We can’t login to the microsoftonline website we get this error:
And now begins the troubleshooting
First of all
Install Fiddler or HTTP watch on the client computer:
Then install the MS network monitor on the federation server and the domain controller:
Activate the logging and tracing events on the federation server:
Go to the event viewer and enable the analytic and debug logs
And enable the ADFS 2.0 tracing logs:
Enable auditing of ADFS events by running this command on the ADFS Server
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
you are now ready to monitor follow the course of your SAML ticket and see where the error appears:
let’s start by monitoring what’s happening on the client when trying to connect to the website:
I used HTTP watch Pro to check this:
This shows that this client does switch to the STS adfs website sending it the logon information
Looking into the details of this trace we find that all the information sent to the ADFS server is correct:
Query string sent:
now let’s monitor the traffic going through the ADFS Server
using network monitor choose to filter your events by Authentication:
this is what you should get:
Highlighted in yellow is the traffic between the AD and the ADFS server
Checking the details of this trafic we see the user with which we tried to logon to the website is actually getting to the AD
And the AD replies with success sending the requested info to the ADFS server.
For now, everything seems to be fine with the ADFS Server and the traffic going through.
Let’s check the logs for more info:
The trace logs shows that the authentication process is all okay
The admin log only shows errors related to the ADFS Service, and this is all okay too
The system log shows us the Audit events related to the ADFS authentication request with Active Directory and in my case that was clean too
All this troubleshooting lead us to believe that the issue was with the MS online service that was still in beta and did not support some of the setting changes we made
The issue will however be solved soon,
This post was to lead you through an ADFS troubleshooting process
Hope this helps
Posted by Hicham Bardawil