ADFS with AD RMS
I'm having trouble getting Windows Server 2003 R2 ADFS working with Windows Server 2008 AD RMS that I'm hoping someone can help me out with. I know this is a Longhorn forum, but I can't find any W2K3 forums on the Technet forums site, and I am using Longhorn FS1 AD RMS in this scenario.
I have two forests configured: r2res.com (my resource forest, containing my AD RMS server) and r2acct.net (my account forest, containing the user accounts and the client computer (Windows Vista) trying to use ADFS).
r2res.com forest:
r2resdc1: Windows 2003 R2, AD, E2K7 SP1
r2resdb1: SQL 2005 SP2
r2resrms1: Windows 2008 RC1, AD RMS role with Identity Federation Support role service added
r2resfs1: Windows 2003 R2 with ADFS installed
r2acct.net forest:
r2acctdc1: Windows 2003 R2, AD, E2K7 SP1
r2acctfs1: Windows 2003 R2 with ADFS installed
r2acctvista1: Windows Vista, Office 2007 Enterprise
When my user logged on to r2acctvista1 attempts to access RMS-protected content, the AD RMS server redirects him to the resource ADFS server, which in turn redirects him to the account ADFS server; I can see this in the ADFS debug logs on both ADFS servers. When he hits the account ADFS server, though, the last line in the ADFS log is "Client is unauthenticated. Attempting to collect credentials"; it never goes any farther, and there are no errors in the debug logs or the Windows event logs.
I've compared the values on the trust policies on both sides and the corresponding account/resource partner settings, and they all look OK. I've also ensured that the root certificates for both CAs (from the resource and account forests) are present on all machines in both forests.
The full ADFS debug logs are as follows:
Resource ADFS server (r2resfs1):
2008-01-16T14:17:56 [INFO] Processing HTTP POST: https://r2resfs1.r2res.com/adfs/fs/federationserverservice.asmx
2008-01-16T14:17:57 [VERBOSE] Received message that is not SignIn Request or Response.
2008-01-16T14:18:00 [INFO] Loading trust policy from C:\ADFS\TrustPolicy.xml
2008-01-16T14:18:01 [INFO] IsValidDomainName: DnsValidateName_W returned 0
2008-01-16T14:18:01 [INFO] IsValidDomainName: DnsValidateName_W returned 0
2008-01-16T14:18:01 [INFO] UpdateTrustPolicyCallback: Update started
2008-01-16T14:18:01 [INFO] UpdateTrustPolicyCallback: Updating SID filtering cache
2008-01-16T14:18:01 [INFO] UpdateSidFilteringCache: Calling WsUpdateSidFilteringCache with actions GetDomainNames
2008-01-16T14:18:01 [VERBOSE] UpdateSidFilteringCache: Domains list after sort: 1 entries
2008-01-16T14:18:01 [VERBOSE] UpdateSidFilteringCache: R2RES r2res.com
2008-01-16T14:18:01 [INFO] UpdateTrustPolicyCallback: Updated SID filtering cache successfully
2008-01-16T14:18:01 [INFO] FS Account Name: Using computer name 'R2RES\R2RESFS1$'
2008-01-16T14:18:01 [INFO] UpdateTrustPolicyCallback: The next load time scheduled at 2008-01-16T15:18:01
2008-01-16T14:18:01 [INFO] UpdateTrustPolicyCallback: The next SFCU scheduled at 2008-01-16T15:18:01
2008-01-16T14:18:01 [VERBOSE] InternalGetFsTrustInformation: received query with WS version 00000000-0000-0000-0000-000000000000 0
2008-01-16T14:18:01 [INFO] InternalGetFsTrustInformation: Updating trust information with FS version 3a1595db-acfb-4fc0-83a8-4ef36f79c4b4 22
2008-01-16T14:18:02 [VERBOSE] Processing HTTP GET: https://r2resfs1.r2res.com/adfs/ls/?wa=wsignin1.0&wreply=https://rms.r2res.com/_wmcs/licensingexternal/&whr=urn:federation:r2acct.net&wct=2008-01-16T14:18:01Z&wctx=https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx&ttpindex=0
2008-01-16T14:18:02 [VERBOSE] Received SignIn Request.
2008-01-16T14:18:02 [VERBOSE] GetLsTrustConfiguration: received query with LS version 00000000-0000-0000-0000-000000000000 0
2008-01-16T14:18:02 [VERBOSE] TCD[0]
trustType: SelfhostedRealm
trustDisplayName: r2res.com
trustUri: urn:federation:self
trustLsUrl: https://r2resfs1.r2res.com/adfs/ls/
acceptableAuthenticationMethods:
TCD[1]
trustType: TrustedRealm
trustDisplayName: r2acct.net
trustUri: urn:federation:r2acct.net
trustLsUrl: https://r2acctfs1.r2acct.net/adfs/ls
acceptableAuthenticationMethods:
TCD[2]
trustType: TrustingResource
trustDisplayName: AD RMS Certification
trustUri: https://rms.r2res.com/_wmcs/certificationexternal/
trustLsUrl:
acceptableAuthenticationMethods:
TCD[3]
trustType: TrustingResource
trustDisplayName: AD RMS Licensing
trustUri: https://rms.r2res.com/_wmcs/licensingexternal/
trustLsUrl:
acceptableAuthenticationMethods:
2008-01-16T14:18:02 [INFO] GetLsTrustConfiguration: returning 4 trust config's with FS version 3a1595db-acfb-4fc0-83a8-4ef36f79c4b4 22:
2008-01-16T14:18:02 [VERBOSE] Proxy Information: hostedRealmUriStr: urn:federation:r2res.com
cookiePath: /adfs/ls/
realmCookieLifetime: 30
realmCookieSuppress: False
2008-01-16T14:18:02 [EVENTLOG] Information ProxyUpdatedPolicy (00000000-0000-0000-0000-000000000000, 0, 3a1595db-acfb-4fc0-83a8-4ef36f79c4b4, 22)
2008-01-16T14:18:02 [VERBOSE] HOMEREALM: Realm = urn:federation:r2acct.net, Source = FromQueryString
2008-01-16T14:18:02 [INFO] Received signin request via query string.
2008-01-16T14:18:02 [VERBOSE] Sign In Request Dump
--------------------
wreply = https://rms.r2res.com/_wmcs/licensingexternal/
wtrealm =
whr = urn:federation:r2acct.net
wauth =
wcontext = https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx
wct = 2008-01-16T14:18:01Z
ttpindex = 0
--------------------
2008-01-16T14:18:02 [INFO] Redirecting to account realm r2acct.net (https://r2acctfs1.r2acct.net/adfs/ls).
2008-01-16T14:18:02 [VERBOSE] SignIn Request Dump:
System.Web.Security.SingleSignOn.SignInRequest
2008-01-16T14:18:02 [COOKIE] WRITING (/adfs/ls/) - _TTPRealm=urn:federation:r2acct.net
Account ADFS server (r2acctfs1):
2008-01-16T14:18:05 [VERBOSE] Processing HTTP GET: https://r2acctfs1.r2acct.net/adfs/ls?wa=wsignin1.0&wtrealm=urn:federation:r2res.com&wct=2008-01-16T14:18:02Z&wctx=https://rms.r2res.com/_wmcs/licensingexternal/\https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx&ttpindex=0
2008-01-16T14:18:05 [VERBOSE] Received SignIn Request.
2008-01-16T14:18:07 [INFO] Loading trust policy from C:\ADFS\TrustPolicy.xml
2008-01-16T14:18:08 [INFO] FS Account Name: Using computer name 'R2ACCT\R2ACCTFS1$'
2008-01-16T14:18:08 [VERBOSE] GetLsTrustConfiguration: received query with LS version 00000000-0000-0000-0000-000000000000 0
2008-01-16T14:18:08 [VERBOSE] TCD[0]
trustType: SelfhostedRealm
trustDisplayName: r2acct.net
trustUri: urn:federation:self
trustLsUrl: https://r2acctfs1.r2acct.net/adfs/ls/
acceptableAuthenticationMethods:
TCD[1]
trustType: TrustingRealm
trustDisplayName: R2RES
trustUri: urn:federation:r2res.com
trustLsUrl: https://r2resfs1.r2res.com/adfs/ls/
acceptableAuthenticationMethods:
2008-01-16T14:18:08 [INFO] GetLsTrustConfiguration: returning 2 trust config's with FS version 75ee966e-8f2b-4f83-9abf-bee7df76dbad 9:
2008-01-16T14:18:08 [VERBOSE] Proxy Information: hostedRealmUriStr: urn:federation:r2acct.net
cookiePath: /adfs/ls/
realmCookieLifetime: 30
realmCookieSuppress: False
2008-01-16T14:18:09 [EVENTLOG] Information ProxyUpdatedPolicy (00000000-0000-0000-0000-000000000000, 0, 75ee966e-8f2b-4f83-9abf-bee7df76dbad, 9)
2008-01-16T14:18:09 [INFO] UpdateTrustPolicyCallback: Update started
2008-01-16T14:18:09 [INFO] UpdateTrustPolicyCallback: Updating SID filtering cache
2008-01-16T14:18:09 [INFO] UpdateSidFilteringCache: Calling WsUpdateSidFilteringCache with actions GetDomainNames
2008-01-16T14:18:09 [VERBOSE] UpdateSidFilteringCache: Domains list after sort: 1 entries
2008-01-16T14:18:09 [VERBOSE] UpdateSidFilteringCache: R2ACCT r2acct.net
2008-01-16T14:18:09 [INFO] UpdateTrustPolicyCallback: Updated SID filtering cache successfully
2008-01-16T14:18:09 [INFO] UpdateTrustPolicyCallback: The next load time scheduled at 2008-01-16T15:18:08
2008-01-16T14:18:09 [INFO] UpdateTrustPolicyCallback: The next SFCU scheduled at 2008-01-16T15:18:09
2008-01-16T14:18:09 [VERBOSE] HOMEREALM: Realm = urn:federation:self, Source = Implied
2008-01-16T14:18:09 [INFO] Received signin request via query string.
2008-01-16T14:18:09 [VERBOSE] Sign In Request Dump
--------------------
wreply =
wtrealm = urn:federation:r2res.com
whr =
wauth =
wcontext = https://rms.r2res.com/_wmcs/licensingexternal/\https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx
wct = 2008-01-16T14:18:02Z
ttpindex = 0
--------------------
2008-01-16T14:18:09 [INFO] Client is unauthenticated. Attempting to collect credentials.
Can anyone help me out here with something else I can check/correct? I've gotten this scenario past this point in the past, but I had to rebuild my virtual environment and I can't get a handle on what's wrong here in my new environment.
Thanks,
Andy Schan
Titus International
andy dot schan at titus dot com
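An added example, not from the thread, that automates the cross-check the question does by hand: it pulls the wsignin1.0 request and the hostedRealmUriStr out of each server's debug log, verifies whr and wtrealm against the partner's hosted realm, confirms that the account-side wctx still carries FS-R's wreply and wctx, and reports that FS-A stopped at credential collection. The log lines are a constructed sample reduced from the logs above, and the function names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample reduced from the logs in the question: sign-in GET, hostedRealmUriStr, last line.
RESOURCE_LOG = "\n".join([
    r"2008-01-16T14:18:02 [VERBOSE] Processing HTTP GET: https://r2resfs1.r2res.com/adfs/ls/?wa=wsignin1.0&wreply=https://rms.r2res.com/_wmcs/licensingexternal/&whr=urn:federation:r2acct.net&wct=2008-01-16T14:18:01Z&wctx=https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx&ttpindex=0",
    r"2008-01-16T14:18:02 [VERBOSE] Proxy Information: hostedRealmUriStr: urn:federation:r2res.com",
    r"2008-01-16T14:18:02 [INFO] Redirecting to account realm r2acct.net (https://r2acctfs1.r2acct.net/adfs/ls).",
])
ACCOUNT_LOG = "\n".join([
    r"2008-01-16T14:18:05 [VERBOSE] Processing HTTP GET: https://r2acctfs1.r2acct.net/adfs/ls?wa=wsignin1.0&wtrealm=urn:federation:r2res.com&wct=2008-01-16T14:18:02Z&wctx=https://rms.r2res.com/_wmcs/licensingexternal/\https://rms.r2res.com/_wmcs/licensingexternal/servicelocator.asmx&ttpindex=0",
    r"2008-01-16T14:18:08 [VERBOSE] Proxy Information: hostedRealmUriStr: urn:federation:r2acct.net",
    r"2008-01-16T14:18:09 [INFO] Client is unauthenticated. Attempting to collect credentials.",
])

GET_RE = re.compile(r"Processing HTTP GET: (\S+)")
REALM_RE = re.compile(r"hostedRealmUriStr: (\S+)")

def parse_fs_log(log):
    """Hosted realm URI, last wsignin1.0 request (query dict) and final line of one ADFS debug log."""
    realm = REALM_RE.search(log)
    signin = None
    for m in GET_RE.finditer(log):
        url = urlsplit(m.group(1))
        q = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
        if q.get("wa") == "wsignin1.0":
            signin = q
    lines = [ln for ln in log.splitlines() if ln.strip()]
    return {"realm": realm.group(1) if realm else None, "signin": signin,
            "last": lines[-1] if lines else ""}

def check_federation_flow(resource_log, account_log):
    """Cross-check the FS-R and FS-A sides of the redirect chain; return a list of findings."""
    res, acct = parse_fs_log(resource_log), parse_fs_log(account_log)
    r, a = res["signin"], acct["signin"]
    if r is None or a is None:
        return ["no wsignin1.0 request on one side: the redirect never arrived"]
    findings = []
    # FS-R must hint the account partner's realm (whr) and FS-A must be told FS-R's
    # own realm (wtrealm); a mismatch points at the partner URIs in the trust policy.
    if r.get("whr") != acct["realm"]:
        findings.append(f"whr {r.get('whr')!r} != account hosted realm {acct['realm']!r}")
    if a.get("wtrealm") != res["realm"]:
        findings.append(f"wtrealm {a.get('wtrealm')!r} != resource hosted realm {res['realm']!r}")
    # FS-R packs the original wreply and wctx into one wctx joined by '\' (see the account-side GET).
    if a.get("wctx", "").split("\\", 1) != [r.get("wreply"), r.get("wctx")]:
        findings.append("wctx on FS-A does not carry FS-R's wreply and wctx")
    if "Client is unauthenticated" in acct["last"]:
        findings.append("FS-A stopped at credential collection (clientlogon page); no token went back to " + r.get("wreply", "?"))
    return findings
```

On the sample above the only finding is the credential-collection stall, which is consistent with the thread's diagnosis that the partner configuration is fine and the clientlogon page is where the RMS client gets stuck.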
Answers
A couple of suggestions:
1) Check the security event logs; usually there is additional information in there which is useful.
2) It sounds as though these are default installations of ADFS. Try replacing the clientlogon.aspx page on the FS-A with the one located in the integratedauth folder. The default page has forms, client-SSL, and integrated on the same page. Replacing it with only the integrated auth page will cause all clients to authenticate automatically, rather than prompting them (which the RMS client doesn't handle).
All Replies
Thanks for the reply. I think I did look in the security logs with no joy, but I'll double-check that & have a look at the clientlogon pages; that sounds promising.
Andy Schan
Titus
Andy, you most likely have done this, but have you verified ADFS can pass the token without RMS running on the target system? Try that first to see if you have an RMS/ADFS issue or just an issue with ADFS. Another tool that we have found useful in troubleshooting ADFS issues is iehttpheaders. I don't think the security logs will be very helpful, but the IIS logs might prove a better source for this type of transaction.