ADFS
-
Name Identifiers in SAML assertions
For AD FS 2.0 the name identifier is just another claim, but you may want to generate name identifiers if you plan to:
· use the SAML 2.0 protocol (a name identifier is required if you plan to take advantage of the SAML logout protocol),
· federate with a non-AD FS 2.0 deployment.
I will show name identifier configuration for two privacy-sensitive scenarios: persistent identifier and transient identifier. A persistent identifier is meant to obfuscate the real user identity, so it is not possible to link user activities across different relying parties. At the same time the STS guarantees that the persistent id will remain the same each time the same user logs in again. In…
-
Update the AD FS service user password in a federation server farm
To update the AD FS service user password in a federation server farm, perform the following steps in order for each federation server in the farm, beginning with the primary (first) server:
1. Update the password for the AD FS service. Use the following command at an elevated command prompt: “sc config adfssrv password= new_password“
2. Restart the AD FS service. First, use the following command at an elevated command prompt to stop the service: “net stop adfssrv“ Next, use the following command at an elevated command prompt to start the service again: “net start adfssrv“
3. Update the password for the AD FS application pool (ADFSAppPool). You can do this using the following steps within…
-
How to Set the Primary Federation Server in ADFS 2.0
In the event that the primary Federation Server becomes unavailable and will not be brought back online, we need to promote one of the secondary Federation Servers to primary for the farm. Run the following commands on the secondary server that we want to make primary:
Add-PsSnapin Microsoft.Adfs.PowerShell
Set-AdfsSyncProperties -Role PrimaryComputer
Now that we have set a new Primary Federation Server, we need to configure the other Secondary Federation Servers to sync with it. Run the following commands on the other farm member servers:
Add-PsSnapin Microsoft.Adfs.PowerShell
Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName {FQDN of the Primary Federation Server}
The WID database on the primary server is read/write and…
-
Determine when the current certificates expire
We can use the following procedure to identify the primary token signing and token decryption certificates and to determine when the current certificates expire. Run the following Windows PowerShell command:
Get-AdfsCertificate -CertificateType token-signing
(or Get-AdfsCertificate -CertificateType token-decrypting)
Or you can examine the current certificates in the MMC under Service > Certificates. The certificate for which the IsPrimary value is set to True is the certificate that AD FS is currently using. The date shown for Not After is the date by which a new primary token signing or decrypting certificate must be configured. To ensure service continuity, all federation partners (represented in your AD FS farm by either relying party trusts or claims provider trusts) must consume the…
-
AD FS 2.0: Continuously Prompted for Credentials While Using Fiddler Web Debugger
Symptoms: When using Fiddler Web Debugger to troubleshoot an AD FS 2.0 scenario, you are continuously prompted for credentials by the AD FS 2.0 Federation Server. This prompt comes in the form of an HTTP 401 challenge dialog box.
Cause: By default, AD FS 2.0 uses Extended Protection for Authentication (EPA) in IIS. When this is turned on, the client browser cannot successfully authenticate while Fiddler is proxying all requests.
Resolution: For troubleshooting purposes, you should disable Extended Protection for Authentication in IIS by following one of these two options.
Option 1 – IIS Manager on each ADFS server in the farm
1. Start > Administrative Tools > IIS Manager
2. Expand: <server-name>, Sites, Default Web Site, and adfs
3. Select the ls application and double-click Authentication
4. Select Windows Authentication and select Advanced Settings….…
-
AD FS 2.x: When a User is Not Authorized Access to a Relying Party, Redirect the User to a Specific Location
Table of Contents: Overview; Applies To; Implementation Details; Viewing the Relying Party Trust Identifier(s); Create an Issuance Authorization Rule to Restrict Access to Contoso SharePoint; Edit error.aspx.cs; Test Access; Notes
Overview: Consider the following scenario:
· You have deployed AD FS 2.x, and you wish to provide granular access to specific relying parties by utilizing Issuance Authorization Rules on each Relying Party Trust.
· As an example, you have Contoso SharePoint as a relying party, and you wish to only allow users in the Active Directory group Sales Staff to access the Contoso SharePoint relying party.
· All other users should be denied access to Contoso SharePoint, and these users should be redirected to a Forefront Identity Manager web service in…
-
AD FS 2.0: How to Perform an Unattended Installation of an AD FS 2.0 STS or Proxy
Summary: The steps below detail how to perform an unattended installation and initial configuration of an AD FS 2.0 STS or Proxy.
Unattended Installation of AD FS 2.0 Server: Installation of the AD FS 2.0 Server from the command line is accomplished using ADFSSetup.exe /quiet. I recommend using the “start /w” command in conjunction with ADFSSetup.exe /quiet so that you can monitor when ADFSSetup.exe returns. Example: start /w adfssetup.exe /quiet
Unattended Installation of AD FS 2.0 Proxy: Installation of the AD FS 2.0 Proxy from the command line is accomplished using ADFSSetup.exe /proxy /quiet. I recommend using the “start /w” command in conjunction with ADFSSetup.exe /proxy /quiet so that you can monitor when ADFSSetup.exe returns. Example: start /w adfssetup.exe /proxy /quiet
Unattended…
-
AD FS: How to Obtain Exception Details from the AD FS Error Page
In AD FS 2.x, debug logging is not enabled by default, and there are specific instructions provided here which step through how to turn on various types of trace messages. However, there may be times when customers are experiencing an AD FS exception, and their web passive client (browser) lands on the AD FS error page with a generic error message. This article details how you can display exceptions on the error page, and also demonstrates how to obtain exception details, including stack trace information.
Steps
1. Enable displayExceptions in the AD FS web.config file
a. In Windows…