
ADFS Proxy on 2008R2 and 2012 Server refuses to run on different port than 443


Hi,

I just recently posted this case below to the forum 
- http://community.office365.com/en-us/forums/613/t/176667.aspx 

and got the recommendation from MS support to post here. 

I hope you can help?

I'm currently setting up a test environment with Exchange 365 on one external IP address. 

Using

- 2008 R2 with the latest ADFS 2.0 and rollup patch, downloaded from MS on July 1st.

- and Server 2013 with the built in ADFS 2.1

I can get everything to work, when using the standard ports 443 for ADFS and ADFS proxy. Because I also want to install Exchange in hybrid mode (and try not to use TMG), I want to run ADFS on port 444, which works with the ADFS server, but not with the ADFS proxy. 

1st, I change the cert binding in IIS, so that it runs on port 444 for both ADFS and ADFS proxy.

Then run the config wizard.

On the ADFS server there is no issue: I get event log 100 and can open the *.xml file via a browser on port 444, https://<ADFS.server>:444/FederationMetadata/2007-06/FederationMetadata.xml

On the ADFS proxy, this does not work.

When I start the wizard, and do [test connection], I get an error:

"The specified Federation service could not be reached. The federation metadata endpoint may be disabled. Verify that the Federation Service Name is correct and that the federation metadata endpoint is enabled, and try again."

When I run a "netstat -n" during the test, I see that the ADFS proxy is trying to connect to the ADFS server via port 443 (and not port 444, as set in the binding in IIS), causing the error!

C:\Users\Administrator>netstat -n

Active Connections

Proto  Local Address         Foreign Address        State
TCP    192.168.1.13:49167    192.168.1.12:443       SYN_SENT

It seems to me that the wizard has port 443 hard-coded and it can't be changed (it seems to completely ignore the binding settings in IIS). The ADFS proxy config wizard will not accept the federation server name <server name>:444.

I found an MS article for Windows 2012 Server explaining how to change the port to 444, after installing everything to port 443. http://technet.microsoft.com/en-us/library/dd807067.aspx

This doesn't work. 

1st, I changed the port binding back to 443 on both servers and reran the wizards on both ADFS and ADFS proxy.
Everything works perfectly (event 100 on the ADFS server, access to the xml works via browser, and I get event 198 on the ADFS proxy server).

Now I change the IIS bindings back to port 444 on both servers.

Based on the article, I now run some commands on the ADFS proxy and ADFS server.

I start PowerShell via Start -> Administrative Tools -> Windows PowerShell Modules and enter the following commands on the ADFS server:

Set-ADFSProperties -HttpsPort 444
netsh http del urlacl https://+:443/ADFS/fs/federationserverservice.asmx/
netsh http del urlacl https://+:443/FederationMetadata/2007-06/
netsh http del urlacl https://+:443/ADFS/services/
netsh http del urlacl https://+:444/ADFS/fs/federationserverservice.asmx/
netsh http del urlacl https://+:444/FederationMetadata/2007-06/
netsh http del urlacl https://+:444/ADFS/services/
netsh http add urlacl https://+:444/ADFS/fs/federationserverservice.asmx/ user="NT SERVICE\ADFSsrv"
netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\ADFSsrv"
netsh http add urlacl https://+:444/ADFS/services/ user="NT SERVICE\ADFSsrv"
net stop ADFSsrv 
net start ADFSsrv

Then I run the commands on the ADFS proxy server:

Set-ADFSProxyProperties -HttpsPort 444
netsh http del urlacl https://+:443/ADFS/fs/federationserverservice.asmx/
netsh http del urlacl https://+:443/FederationMetadata/2007-06/
netsh http del urlacl https://+:443/ADFS/services/
netsh http del urlacl https://+:444/ADFS/fs/federationserverservice.asmx/
netsh http del urlacl https://+:444/FederationMetadata/2007-06/
netsh http del urlacl https://+:444/ADFS/services/
netsh http add urlacl https://+:444/ADFS/fs/federationserverservice.asmx/ user="NT SERVICE\ADFSsrv"
netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\ADFSsrv"
netsh http add urlacl https://+:444/ADFS/services/ user="NT SERVICE\ADFSsrv"
net stop ADFSsrv
net start ADFSsrv 

Before I ran these commands, I checked the output on both the ADFS and ADFS proxy servers with "netsh http show urlacl". Based on the output, I changed, for example, the service account to "ADFSsrv" instead of the one given in the article. Output from the ADFS proxy:

 Reserved URL           : https://+:443/ADFS/services/      User: NT SERVICE\ADFSsrv         Listen: Yes          Delegate: Yes          SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

 Reserved URL           : https://+:443/FederationMetadata/2007-06/     User: NT SERVICE\ADFSsrv         Listen: Yes          Delegate: Yes          SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

 Reserved URL           : https://+:443/ADFS/fs/federationserverservice.asmx/     User: NT SERVICE\ADFSsrv         Listen: Yes          Delegate: Yes          SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

After the services were restarted, I checked the event logs; at 1st it all looks OK.

On the ADFS server: all OK (event 100).
On the ADFS proxy, I 1st get an error event 248, then an event 198 where all is OK (???):

Log Name:      AD FS 2.0/Admin
Source:       AD FS 2.0
Date:         13.07.2013 14:44:18
Event ID:      248
Task Category: None
Level:        Error
Keywords:      AD FS
User:         NETWORK SERVICE

Computer:      49ADFSp

Description:

The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at ADFS.xyz.de. The error message is 'Could not connect to https://ADFS.xyz.de:444/ADFS/services/proxytrustpolicystoretransfer. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.1.12:444. '.

User Action
Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.
[...]

After this, event 198 on the proxy server reads like this, where all seems to be OK (after the error event 248):

Log Name:      AD FS 2.0/Admin
Source:       AD FS 2.0
Date:         13.07.2013 14:44:18
Event ID:      198
Task Category: None
Level:        Information
Keywords:      AD FS
User:         NETWORK SERVICE
Computer:      49ADFSp
Description:

The federation server proxy started successfully. The following proxy listeners have been added:
https://+:444/FederationMetadata/2007-06/
http://+:80/ADFS/services/trust/
https://+:444/ADFS/services/trust/ 

[...]

What is wrong? All seems to be OK.

"netstat -n" shows a permanent connection via port 444 between the ADFS and ADFS proxy servers (after adding a rule in the firewall for port 444). Towards the cloud, I fixed the federation trust by running the "Update-MsolFederatedDomain -domainname:xyz.de" command. All seems to be OK:

Running "Get-MsolFederationProperty -domain xyz.de" shows that my ADFS server and Cloud have the same serial numbers, that both sides have the correct config via port 444.

Ports 443 and 444 are open on my external firewall.

As the next test, I removed the ADFS proxy and pointed the firewall (port 444) directly to the ADFS server.
I reran the wizard and ran the "Update-MsolFederatedDomain -domainname:xyz.de" command.

Now single sign on works, via port 444, without the ADFS proxy.

Now, I set everything back to port 443 on both ADFS servers:
- change IIS binding to 443
- Removed Applications in "default web site" (2 x ) in IIS
- Removed ADFSAppPool from Application Pools in IIS
- Deleted directory C:\inetpub\adfs
- Running the netsh and PowerShell commands above, changing everything to port 443
- and rerunning the wizards,
- and doing the "Update-MsolFederatedDomain -domainname:xyz.de"

it all works.

Now I change the IIS bindings back to port 444, run the commands above (netsh and PowerShell, as described in the article), and run the "Update-MsolFederatedDomain -domainname:xyz.de" command.

Now ... I get event log error 248!!

When I visit the login page (outlook.com/<site>), the cloud directs me to the logon page on the ADFS proxy. 

I get an error page (in German, translated here):

Error accessing the web page, please retry access to the web page again.
Contact your administrator if the problem still persists.
Error code: 6eb9acb0-f739-4c3b-b92a-5bf97bf662a7 

With this, I get 4 new event log entries with error #364 (which I do not get when I set everything back to port 443; then I get a login page):

Log Name:      AD FS/Admin
Source:       AD FS
Date:         18.07.2013 01:05:16
Event ID:      364
Task Category: None
Level:        Error
Keywords:      AD FS
User:         NETWORK SERVICE
Computer:      ADFSP
Description:

Encountered error during federation passive request.

Additional Data

Exception details: 

 System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: At least one security token in the message could not be validated.

  --- End of inner exception stack trace ---

Server stack trace:

  at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)

  at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)

  at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)

  at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)

  at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:

  at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)

  at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)

  at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)

  at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)

  at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.FetchServiceSettingsData()

  at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()

  at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()

  at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

System.ServiceModel.FaultException: At least one security token in the message could not be validated.

[...]

Whatever this means, could there be an issue with the token certificates between the ADFS server and proxy? The connection between the cloud and ADFS seems to be OK.

I'm starting to think that one thing (somewhere) was not switched over from port 443 to 444 (missing in the documentation), but where?

I have also restarted the servers after doing the changes.

Then I noticed in the documentation http://technet.microsoft.com/en-us/library/dd807067.aspx
a section explaining how to modify a web.config file for IIS:

Quote:

Update the IIS installation at the federation server proxy so that Security Assertion Markup Language (SAML) and WS-Trust endpoints are configured to reflect the updated port number. To do this, you can use Notepad to modify the following in the Web.config file, which is located at %systemdrive%\inetpub\ADFS\ls\ on the federation server proxy computer. For example, assuming that you have a federation server named sts1.contoso.com and the new port number is 444, browse to and open the Web.config file in Notepad on the federation server proxy computer, locate the following section, modify the port number as highlighted below, and then save and exit Notepad.

<securityTokenService samlProtocolEndpoint="https://sts1.contoso.com:444/ADFS/services/trust/samlprotocol/proxycertificatetransport" wsTrustEndpoint="https://sts1.contoso.com:444/ADFS/services/trust/proxycertificatetransport" /> 

This entry does not exist in the web.config file on any of the ADFS servers I installed (on 2008 R2 and 2012; it should be on the ADFS proxy?).

Can this maybe be the issue?

Then, I ran a last test and installed a port forwarder on the ADFS server (server 2012), which forwards port 443 to port 444 (currently, ADFS server and proxy are set to run on port 444).

In various articles, I read:

Rerun the federation proxy wizard, if such errors happen.

I run the federation proxy wizard and do the "[test connection]" -> successful!! (via the (hard-coded) port 443, forwarded to port 444). When I then click "next", I'm asked to enter the username and password for the ADFS service account. This fails.

When I turn off the port forwarder on the ADFS server, then the "[test connection]" fails.

This shows:

- Port 443 is hard-coded in the proxy config wizard (no chance to run this tool after the port was changed), or
- the proxy config wizard is having an issue reading the binding information from IIS (which shows port 444).

What do I need to do so that the ADFS server and proxy will run on port 444?

The technet article http://technet.microsoft.com/en-us/library/dd807067.aspx describes that one can run the ADFS servers on port 444 with server 2012.

Running the "ADFS server" alone on port 444 works:

- using the commands described in the article (netsh, Set-ADFSProperties)
- running the ADFS server config wizard

This does not work on the ADFS proxy.

Why doesn't this work? 

What is the fix to get the ADFS proxy (and ADFS server) to work on a different port on Server 2008 R2 and Server 2012?

It would be great to get instructions on:

- how to manually change the config so that it really works on a different port (PowerShell commands?), or
- how the configuration wizard on the ADFS proxy is fixed on Server 2008 R2 and Server 2012

Please do not comment that "this is not recommended" (as I have already read this in a different forum).
Changing the ports is described as working in the MS article. Why will this not work?

Changing the ports is perfect when running ADFS and Exchange 2010/2013 via one IP in a test environment (with Office 365).

I appreciate your help, thank you.

J.Mann
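As an added example that is not part of the original post: a read-only PowerShell check that compares the three places the port must agree after the procedure above (the AD FS HttpsPort property, the HTTP.sys urlacl reservations, and the IIS https binding) and lists the recent 248/364/198 events quoted in the post. It assumes an elevated PowerShell on an AD FS 2.x server or proxy with the Microsoft.Adfs.PowerShell snap-in (or the ADFS module on 2012) and the WebAdministration module available; that Get-ADFSProxyProperties exposes HttpsPort on the proxy is assumed from the Set-ADFSProxyProperties -HttpsPort command used in the post.

```powershell
# Added example, not from the original post: read-only consistency check for the
# port change described above. Assumes an elevated PowerShell on an AD FS 2.x
# server or proxy; $ExpectedPort is the new port, -Proxy selects the proxy cmdlet.
param([int]$ExpectedPort = 444, [switch]$Proxy)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 on 2008 R2
Import-Module WebAdministration -ErrorAction SilentlyContinue

$adfsPaths = 'ADFS/services/', 'FederationMetadata/2007-06/', 'ADFS/fs/federationserverservice.asmx/'
$findings  = @()

# 1. The port AD FS itself is configured for (what Set-ADFSProperties / Set-ADFSProxyProperties wrote).
#    Assumption: Get-ADFSProxyProperties returns HttpsPort on the proxy, matching the Set- cmdlet.
$cfgPort = if ($Proxy) { (Get-ADFSProxyProperties).HttpsPort } else { (Get-ADFSProperties).HttpsPort }
if ($cfgPort -ne $ExpectedPort) { $findings += "HttpsPort is $cfgPort, expected $ExpectedPort" }

# 2. HTTP.sys reservations: each AD FS path must be reserved on the new port and on no other port,
#    otherwise a leftover reservation (e.g. on 443) still describes a listener nobody serves.
$aclText  = (netsh http show urlacl) -join "`n"
$pattern  = 'https://\+:(\d+)/(' + (($adfsPaths | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
$reserved = @([regex]::Matches($aclText, $pattern) | ForEach-Object {
    New-Object PSObject -Property @{ Port = [int]$_.Groups[1].Value; Path = $_.Groups[2].Value } })
foreach ($r in @($reserved | Where-Object { $_.Port -ne $ExpectedPort })) {
    $findings += "Stale reservation https://+:$($r.Port)/$($r.Path) - remove it with 'netsh http del urlacl'"
}
foreach ($p in $adfsPaths) {
    if (-not ($reserved | Where-Object { $_.Port -eq $ExpectedPort -and $_.Path -eq $p })) {
        $findings += "Missing reservation https://+:$ExpectedPort/$p"
    }
}

# 3. IIS must actually offer HTTPS on the new port (bindingInformation looks like '*:444:').
$httpsPorts = @(Get-WebBinding -Protocol https -ErrorAction SilentlyContinue |
               ForEach-Object { [int]($_.bindingInformation -split ':')[1] })
if ($httpsPorts -notcontains $ExpectedPort) {
    $findings += "No IIS https binding on port $ExpectedPort (found: $($httpsPorts -join ','))"
}

# 4. Events quoted in the post: 248/364 mean the proxy could not reach or trust the Federation
#    Service, 198 means the proxy started. The log name differs between 2008 R2 and 2012.
foreach ($logName in 'AD FS 2.0/Admin', 'AD FS/Admin') {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 248, 364, 198 } -MaxEvents 10 -ErrorAction SilentlyContinue
    foreach ($e in @($events)) { $findings += "{0:s} event {1} in '{2}'" -f $e.TimeCreated, $e.Id, $logName }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host "All checks agree on port $ExpectedPort" }
```

Run it on the federation server without -Proxy and on the proxy with -Proxy; any "Stale" or "Missing" line points at the component that was not switched over.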
