ADFS v2 Troubleshooting

Published 26 January 11 12:20 PM | forefrontsecurity

I published few weeks earlier a post about ADFS v2, mentioning that it was a bit complicated to troubleshoot,

I recently had to solve an ADFS problem I encountered with a colleague that was trying to set it up for Office 365 Federation bear in mind that I am working with the beta version of office 365

Again, troubleshooting was not obvious, i would like to share with you the steps I followed in order to find out what was the problem.

First of all here is a small design of the architecture i was working with:

clip_image002

Let’s call the domain Company.test

The user we are working with TestUser6@company.com (we had a custom UPN added to the domain company.test)

The point of this configuration is to enable invisible and integrated authentication to the office 365 website.

When configuring the ADFS V2 server, we tell it to publish the ADFS authentication website to STS.Company.test, so basically when users try to authenticate to the microsoftonline website they are redirected to the sts.company.test ADFS website for authentication.

This is the basic configuration of the federation service :

clip_image004

The ADFS relaying party trust configuration is done automatically through some PowerShell scripts

The configuration as is works perfectly, you are able to login to the microsoftonline website with your Active directory credentials.

Now here is the tricky part, the client requested that the sts.company.test website be turned into sts.company.com

So we reconfigure the federation service into .com

clip_image006

I will skip the whole configuration but basically you need to generate a new certificate for the sts.company.com and bind it in IIS and then add it to the ADFS configuration interface.

Now after updating the relaying party trust

We can’t login to the microsoftonline website we get this error:

clip_image008

And now begins the troubleshooting

First of all

Install Fiddler or HTTP watch on the client computer:

http://www.fiddler2.com/fiddler2/

http://www.httpwatch.com/?gclid=CL2lwaix1aYCFdERfAodcjTrMw

Then install the MS network monitor on the federation server and the domain controller:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f

Activate the logging and tracing events on the federation server:

clip_image010

Go to the event viewer and enable the analytic and debug logs

clip_image012

And enable the ADFS 2.0 tracing logs:

clip_image014

Enable auditing of ADFS events by running this command on the ADFS Server

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

you are now ready to monitor follow the course of your SAML ticket and see where the error appears:

let’s start by monitoring what’s happening on the client when trying to connect to the website:

I used HTTP watch Pro to check this:

This shows that this client does switch to the STS adfs website sending it the logon information

clip_image016

Looking into the details of this trace we find that all the information sent to the ADFS server is correct:

clip_image018

Query string sent:

clip_image020

now let’s monitor the traffic going through the ADFS Server

using network monitor choose to filter your events by Authentication:

this is what you should get:

clip_image022

Highlighted in yellow is the traffic between the AD and the ADFS server

Checking the details of this trafic we see the user with which we tried to logon to the website is actually getting to the AD

clip_image024

And the AD replies with success sending the requested info to the ADFS server.

clip_image026

For now, everything seems to be fine with the ADFS Server and the traffic going through.

Let’s check the logs for more info:

The trace logs shows that the authentication process is all okay

clip_image028

The admin log only shows errors related to the ADFS Service, and this is all okay too

clip_image029

The system log shows us the Audit events related to the ADFS authentication request with Active Directory and in my case that was clean too

All this troubleshooting lead us to believe that the issue was with the MS online service that was still in beta and did not support some of the setting changes we made

The issue will however be solved soon,

This post was to lead you through an ADFS troubleshooting process

Hope this helps

 

Posted by Hicham Bardawil

Filed under: , , , , , , ,

Comments

No Comments

This Blog

News

    We talk about Forefront Unified Access Gateway, Web SSO, DirectAccess, Threat Management Gateway, Identity Manager and other Forefront Technologies. Also, some post about Active Directory and other Identity and Access technos.

Syndication