This error is getting me crazy for two days!.
I have a web server and an adfs server (both windows server 2012). I configured adfs correctly. I can see the adfs/ls authentication page and I can log on using an AD user from the adfs server. When I try to reach adfs/ls authentication page, from the web server, is redirecting correctly to the adfs server so I can enter my username and password. When is coming back I receive this error on the page:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Authentication failed. Close the browser and try again, or contact your administrator for more information.
Reference number: 8949f368-ee3b-4c94-a749-63950dfc42b9
and on the adfs server I have this event id 111:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityServer.Framework.SecurityTokenService.FailedAuthenticationException: MSIS3055: The requested relying party trust 'http://myserver.com/MyApplication' is unspecified or unsupported. If a relying party trust was specified, it is possible the user does not have permission to access the relying party trust. ---> Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'http://myserver.com/MyApplication' could not be located.
--- End of inner exception stack trace ---
at System.IdentityModel.AsyncResult.End(IAsyncResult result)
at System.ServiceModel.Security.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
at System.ServiceModel.Security.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.ScopeNotFoundPolicyRequestException: MSIS3020: The relying party trust with identifier 'http://myserver.com/MyApplication' could not be located.
Relying party trust are configured in both servers, also certificates are correct but apparently something is missing or wrong. Any help would be much appreciated!
The normal reason for this is that the WIF realm in the app. web.config does not match the string in the ADFS RP Identifiers tab.
And that includes the trailing slash!
You have:
http://myserver.com/MyApplication in ADFS
Did you configure it as:
http://myserver.com/MyApplication/ in WIF?
Related
I implement my ASP.Net Web Application SSO with Azure AD. Everything work fine my testing server which has an internet connection.
My customer policy does not allow internet connection on their server and the SSO failed when validate the token from the Microsoft after user authenticated. The error is "IDX20803: Unable to obtain configuration from: [PII is Hidden]".
I add the Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; to my Startup.cs class, the error more detail: "IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/MYTENANTID/.well-known/openid-configuration'".
My question is: I will request my customer open their firewall to allow only login.mirosoftonline.com. Does it enough? Does it need to allow another requests? And what are another requests?
according to microsoft, https://learn.microsoft.com/en-ca/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online
I believe category 56 is for identity and authentication, whether you need them all, I'm not sure, but Microsoft seems to think so?
56 Allow
Required Yes *.msappproxy.net, *.msftidentity.com, *.msidentity.com, account.activedirectory.windowsazure.com, accounts.accesscontrol.windows.net, adminwebservice.microsoftonline.com, api.passwordreset.microsoftonline.com, autologon.microsoftazuread-sso.com, becws.microsoftonline.com, clientconfig.microsoftonline-p.net, companymanager.microsoftonline.com, device.login.microsoftonline.com, graph.microsoft.com, graph.windows.net, login.microsoft.com, login.microsoftonline.com, login.microsoftonline-p.com, login.windows.net, logincert.microsoftonline.com, loginex.microsoftonline.com, login-us.microsoftonline.com, nexus.microsoftonline-p.com, passwordreset.microsoftonline.com, provisioningapi.microsoftonline.com
20.190.128.0/18, 40.126.0.0/18, 2603:1006:2000::/48, 2603:1007:200::/48, 2603:1016:1400::/48, 2603:1017::/48, 2603:1026:3000::/48, 2603:1027:1::/48, 2603:1036:3000::/48, 2603:1037:1::/48, 2603:1046:2000::/48, 2603:1047:1::/48, 2603:1056:2000::/48, 2603:1057:2::/48
I've encountered a challenge regarding internet-facing deployment installation for CRM using a AD FS server. After the setup is complete, users are able to access the CRM server - but when trying to run custom pages the following error message is prompted:
"The authentication endpoint Kerberos was not found on the configured Secure Token Service!"
I've found several solutions on the internet for this issue:
First I found a KB article from Microsoft providing a possible
solution, this involves updating MEX endpoints by running a provided
PowerShell script.
(https://support.microsoft.com/en-us/help/2828015/configuring-ad-fs-2.1-with-microsoft-dynamics-crm-2011).
But this doesn't seem to be the issue.
Another solution could be to update the CRM rollup version (currently have version 14 installed, latest is version 18) - this is something that I want to avoid as it might lead to further issues.
Have anybody else encountered a similar issue, and in that case how did you solve it?
I have just spent last few days to figure this exact same error message and it turned out that it was the "Domain" attribute in crm connection string. Copied my answer to my own question at the Microsoft Dynamics CRM community forum here:
"Well, I found the culprit - it was the Domain attribute in the connection string:
For connecting from outside the domain, it does not like to have a Domain in the connection string:
Connection string format 1 (without Domain attribute): "Authentication Type=Passport;Server=https://devcrm.myco.com;Username=devuser#myco.com;Password=pwd" - this works both inside and outside the domain "myco.com"
Connection string format 2 (with Domain attribute): "Authentication Type=Passport;Server=https://devcrm.myco.com;Domain=myco;Username=devuser#myco.com;Password=pwd" - this only works inside the domain myco.com but NOT outside (exception: The authentication endpoint Kerberos was not found on the configured Secure Token Service!)
The key is in the Xrm.Client.CrmConnection.ClientCredential:
If Domain is NOT specified in the connection string, when connecting from outside domain, Xrm.Client.CrmConnection.ClientCredentials.UserName is populated whereas the ClientCredentials.Windows.ClientCredentials.UserName is empty.
But if the Domain is specified, Xrm.Client.CrmConnection.ClientCredentials.UserName becomes null and Xrm.Client.CrmConnection.ClientCredentials.Windows.ClientCredentials.UserName populated, which led to the service trying to authenticate user as a Windows AD user so of course it would fail when running app from outside Windows domain. And it explains why the same app works inside the domain even with Domain specified in the connection string.
For more detail, refer here for my original post asking for help in Dynamics CRM Forum
Im trying to configure ADFS to work as a Claim Provider (I suppose AD will be the identity provider in this case).
Just for simple testing, ive tried the following on windows server 2016 machine:
1) Setup AD and domain = t1.testdom (Its working cause im actually able to login with the domain)
2) Setup DNS. Added a host (A) for adfs as fs.t1.testdom
3) selfsigned certificate (https://technet.microsoft.com/library/hh848633):
powershell> New-SelfSignedCertificate -DnsName "*.t1.testdom"
4) created a dedicated service account for gMSA
5) setup ADFS.
Server name set as fs.t1.testdom
service>authentication method is enabled as form authentication
6) Also fixed the SPN via powershell to make sure all needed SPNs are there and given to the right user account and that no duplicates are found
--
However, when I try to access the login page on browser via https://fs.t1.testdom/adfs/ls I get the error. The log on server manager says the following:
`There are no registered protocol handlers on path /adfs/ls to process the incoming request`
So is there a way to reach at least the login screen? So I can move on to the next error.
this is what I get on the /ls screen:
Finally found the solution after a week of google, tries, server rebuilds etc!
(This guru answered it in a blink and no one knew it!
https://www.experts-exchange.com/questions/28994182/ADFS-Passive-Request-There-are-no-registered-protocol-handlers.html)
The IdP-Initiated SSO page (https://fs.t1.testdom/adfs/ls/idpinitiatedsignon.aspx). Note that if you are using Server 2016, this endpoint is disabled by default and you need to enable it first via the AD FS console or
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
--
My question is, if this endpoint is disabled, why isnt it listed in the endpoints section of ADFS Management console?!!
I'm configuring a Service Provider to connect to ADFS, and looking up the error we get says:
The Federation Service encountered an error while processing the SAML authentication request.
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer 'myapp.domain.com'.
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
I'm just the client / SP, I don't have access to the ADFS server, its managed by a different company, in a different country. So, like Jon Snow, I know nothing.
The internet seems to suggest that perhaps these two Microsoft KB's might be relevant:
KB2843638 (a security update that causes an issue)
KB2896713 (a follow up patch)
Is the metadata not trusted by the IDP, or that would be a different issue?
I have seen this error when the request and the Relying Party identifier registration on ADFS (2.1) did not match in casing. For instance the error would occur if the request said: urn:MyRPId and the ADFS registration was urn:myrpid.
asp.net app (c#) worked fine in debug mode; published, getting 401.1 error (unauthorized).
When I put in the url, a dialog asks for username & password. Put it in 3x, error.
It's an internal app, using Windows authentication only.
IIS 7.5, using ApplicationPoolIdentity.
SQLServer Database
Specific Error Message from 401.1 page:
Module WindowsAuthenticationModule
Notification AuthenticateRequest
Handler ExtensionlessUrlHandler-Integrated-4.0
Error Code 0x8009030e
Requested URL http://smalltools.dbsvc.com:80/ Ap
Physical Path C:\inetpub\SmallTools
Logon Method Not yet determined
Logon User Not yet determined
The app has a users table to determine the "role" of that user. I put a method in the master page that queries the table based on authenticated user, and returns the role. This, in turns, determines which buttons are visible on the navigation bar.
Looked in the security log, and found the following 3 entries:
2012-07-20 14:55:11 10.0.1.38 GET / - 80 - 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 401 2 5 15
2012-07-20 14:55:20 10.0.1.38 GET / - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 500 0 0 125
2012-07-20 14:55:20 10.0.1.38 GET /favicon.ico - 80 DE\cin.bro 10.0.13.106 Mozilla/5.0+(Windows+NT+6.1;+rv:14.0)+Gecko/20100101+Firefox/14.0.1 404 0 2 0
Any idea what might be causing the inability to log in? Any clues what I can fix to make it work? I've researched all day and haven't found what might be the problem.
Any information is gratefully received.
Thanks
Cindy
I've successfully solved the issue; I had to allow impersonation, and make an adjustment to the AD group.
The article in the following link helped a great deal:
http://msdn.microsoft.com/en-us/library/bsz5788z.aspx
If this is an external site, then Windows authentication isn't really the way to go. But you can still do it, here's some links I found that should help.
Q&A about similar issue
Microsoft guide on how to implement
Typically Windows Authentication is used with internal systems because the users are logged on directly to the system and all their credentials are right there. However for external apps this isn't always the case, since your home Windows account and work windows account aren't the same, in addition you may not even be using windows from the external location.
Another gotcha I came across is the local loopback address security check when you setup a DEV instance and modify hosts file to use Fully Qualified Domain Name (FQDN) or simply when you browse IIS site with custom headers and the name does not match the server hostname. While this is necessary for production servers it is a problem when setting up Developer environments.
"This issue occurs when the Web site uses Integrated Authentication and has a name that is mapped to the local loopback address"
There are two main methods to resolve the issue:
Specify host names (Preferred method if NTLM authentication is desired) by creating/updating the Multi-String value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
Disable the loopback check (less-recommended method - do not use on production servers) by setting the following registry DWORD value to 1
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck
Please refer to this HTTP 401.1 - Unauthorized: Logon Failed - Microsoft Support article for detailed overview and registry settings.