CBA In ADFSv4 With Alternate TLSClient Binding

  • 89 Views
  • Last Post 13 February 2019
ZJORZ posted this 13 February 2019

Hi,

I have got an ADFSv4 environment that was upgraded from ADFSv3. It is configured with the highest farm level. Just before the upgrade to ADFSv4, ADFSv3 was configured with new certs (all). The SSL cert does have a SAN “CERTAUTH.<FQDN FED SVC>”. In both ADFSv3 and ADFSv4 the TLSClient port was configured with 49443. While using this setup CBA worked internally and externally. So far so good! In this case CBA AuthN means CBA AuthN as secondary/additional authentication, not primary.

Now it is time to configure the Alternate HostName binding feature in ADFSv4 through:

    Set-AdfsAlternateTlsClientBinding -Thumbprint <SSL Cert Thumbprint>

Restarted the ADFS service. Now CBA does not work anymore internally. Have not tested yet externally.

After successfully doing primary authN (username/password), in the MFA screen in ADFS I see multiple MFA providers, CBA being one of them. As soon as I click on the Cert AuthN option, it presents a popup to select the certificate (there is only one). After doing so, it presents an error. Trying to understand why it fails to build an SSO token, but failing miserably.

The error in the ADFS Admin Event Log is:

    Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

The error in the ADFS Debug Log is:

    SSO token not present

…AND…

    Exception: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
    StackTrace:
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

…AND…

    Passive pipeline error

What bugs me is that it works in the old mode (using port 49443) and it does not work in the new mode (port 443 with a new hostname, and yes, it is resolvable).

Anyone have any ideas/hints/next steps, or similar experiences?

Thanks!

Met Vriendelijke Groeten / Cumprimentos / Kind Regards,
Jorge de Almeida Pinto
MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT
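The following PowerShell script is an added example, not code from the original post or from Microsoft. It runs the pre-flight checks a defender would want before and after switching on the alternate TLS client binding described above: that certauth.<federation service FQDN> resolves in DNS, that ADFS publishes a port 443 SSL binding for that name next to the legacy TlsClientPort binding, that the certificate on that binding carries the name as a SAN and is not expired, and that HTTP.sys negotiates a client certificate on it (if the browser is never asked for a certificate, ADFS has nothing to build a token from). Get-AdfsProperties, Get-AdfsSslCertificate, Resolve-DnsName and netsh are real cmdlets/tools; the exact wording of the netsh output lines matched in step 4 is an assumption based on typical netsh output, so adjust the patterns if your build prints them differently.

```powershell
# Added example (not from the original thread): pre-flight checks for the ADFS
# alternate TLS client binding (certauth.<federation service FQDN> on port 443).
# Assumptions: runs elevated on a federation server with the ADFS module present;
# the netsh line wording matched in step 4 ("Hostname:port", "Negotiate Client
# Certificate") is assumed from typical netsh output.

$props        = Get-AdfsProperties
$fedFqdn      = $props.HostName
$certAuthName = "certauth.$fedFqdn"
$findings     = New-Object System.Collections.Generic.List[string]

# 1. The certauth hostname must resolve, or the browser never reaches the listener.
try {
    Resolve-DnsName -Name $certAuthName -ErrorAction Stop | Out-Null
    $findings.Add("OK   DNS  : $certAuthName resolves")
} catch {
    $findings.Add("FAIL DNS  : $certAuthName does not resolve")
}

# 2. ADFS must publish an SSL binding for certauth.<fqdn>:443 (alternate mode),
#    alongside the legacy <fqdn>:<TlsClientPort> binding (49443 in the post).
$bindings      = Get-AdfsSslCertificate
$altBinding    = $bindings | Where-Object { $_.HostName -eq $certAuthName -and $_.PortNumber -eq 443 } | Select-Object -First 1
$legacyBinding = $bindings | Where-Object { $_.PortNumber -eq $props.TlsClientPort } | Select-Object -First 1
if ($altBinding)    { $findings.Add("OK   BIND : ${certAuthName}:443 present") }
else                { $findings.Add("FAIL BIND : ${certAuthName}:443 missing") }
if ($legacyBinding) { $findings.Add("INFO BIND : legacy TLS client port $($props.TlsClientPort) also bound") }

# 3. The certificate on the alternate binding must list certauth.<fqdn> as a SAN;
#    otherwise the TLS handshake fails before any client certificate is requested.
$hash = if ($altBinding) { $altBinding.CertificateHash } else { ($bindings | Select-Object -First 1).CertificateHash }
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $hash } | Select-Object -First 1
if (-not $cert) {
    $findings.Add("FAIL CERT : thumbprint $hash not found in LocalMachine\My")
} else {
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    if ($sanText -match [regex]::Escape($certAuthName)) {
        $findings.Add("OK   CERT : SAN contains $certAuthName")
    } else {
        $findings.Add("FAIL CERT : SAN lacks $certAuthName (SAN: $($sanText -replace '\s+', ' '))")
    }
    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("FAIL CERT : certificate expired on $($cert.NotAfter)") }
}

# 4. HTTP.sys must negotiate a client certificate on the certauth binding; without
#    that the user is never prompted and ADFS cannot build the SSO token.
$netshText = (netsh http show sslcert) -join "`n"
$block = ($netshText -split '(?m)^\s*$') |
         Where-Object { $_ -match "(?i)Hostname:port\s*:\s*$([regex]::Escape($certAuthName)):443" } |
         Select-Object -First 1
if (-not $block) {
    $findings.Add("FAIL HTTP : no HTTP.sys sslcert entry for ${certAuthName}:443")
} elseif ($block -match '(?i)Negotiate Client Certificate\s*:\s*Enabled') {
    $findings.Add("OK   HTTP : client certificate negotiation enabled on ${certAuthName}:443")
} else {
    $findings.Add("FAIL HTTP : client certificate negotiation not enabled on ${certAuthName}:443")
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it on one federation server at a time; a FAIL on step 2 or 4 points at the binding itself (the alternate mode never took effect on that node), while a FAIL on step 3 points at the certificate, which is the first thing to compare with the legacy 49443 binding that still works in the post.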

matheesha posted this 13 February 2019

I recommend getting a support ticket with Microsoft raised so we can gather some diagnostic data. Else all we can do is guess.
Do you know if cert auth works as primary? I expect not. You can craft auth requests with required cert auth methods easily if you use Claims X-Ray from adfshelp.microsoft.com.
Did you take network traces on ADFS to see if ADFS attempts to use the received cert to get Kerberos tickets? We need to see how far in the logon process it got.
Personally I’d prefer if you raise a support ticket so we can troubleshoot.
On Wed, 13 Feb 2019 at 16:20, Jorge de Almeida Pinto [MVP-EMS] <jorge@xxxxxxxxxxxxxxxx> wrote:
