Browse by Tags

Tagged Content List

Wiki Page: AD FS 2.0: Federation Server Proxy Servers Fail to Authenticate Users, Events 248 and 996 Logged

Fernando Lugão Veltem

Table of Contents Symptoms Cause Resolution More Information Symptoms An AD FS 2.0 Proxy server fails to authenticate users The following is displayed on the web page: There was a problem accessing the site. Try to browse to the site again. If the problem...

on21 May 2012
Wiki Page: AD FS 2.0: Sign-In Fails and Event 364 is Logged Showing Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7012

Fernando Lugão Veltem

Table of Contents Symptoms Cause Resolution See Also Symptoms Sign-in to AD FS 2.0 fails The AD FS 2.0/Admin event log shows the following: Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 6/5/2011 1:32:58 PM Event ID: 364 Task Category: None Level: Error Keywords...

on21 May 2012
Wiki Page: AD FS 2.0: Claims to work with shadow accounts

nzpcmad1

Introduction When using AD FS 2.0, it may be beneficial to use shadow accounts in some situations. One reason may be that the service accesses back-end resources that require a Windows token. The Claim to Windows Token Service (c2WTS). This article is intended to focus on the AD FS 2.0 perspective...

on16 May 2012
Wiki Page: AD FS 2.0: Claims Are Missing From The Output Claim Set After A User's Name Has Changed

nzpcmad1

Symptoms A user has previously authenticated via AD FS 2.0 The user's name has changed, such as samAccountName or UPN. After the name change, the user does not receive the expected output set of claims from AD FS 2.0 Cause The Local Security Authority...

on16 May 2012
Wiki Page: AD FS 2.0: How to Change the net.tcp Ports for Services and Administration

Ed Price - MSFT

Active Directory Federation Services (AD FS) 2.0 uses two net.tcp ports for functions of the Federation Service. Services net.tcp port - 1501 Administration net.tcp port - 1500 There may come a time when another application or service is using either of the above ports, and a conflict...

on16 Apr 2012
Wiki Page: Windows Identity Foundation (WIF): A Potentially Dangerous Request.Form Value Was Detected from the Client (wresult="<t:RequestSecurityTo...")

Quenby Mitchell

Symptoms While processing an RSTR (Request for Security Token Response), System.Web throws the following exception: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo..."). at System...

on29 Feb 2012
Wiki Page: AD FS 2.0: How to Bulk Add Trust Relationships and Claim Rules for Testing (en-US)

Craig Lussier

Overview Included in this article is a Powershell script sample which allows bulk additions and deletions of test Claims Provider Trusts, Relying Party Trusts, and Claim Rules. These test trust relationships and claim rules may be useful for web testing in a lab environment. Usage Be...

on19 Feb 2012
Wiki Page: Automatic Login to SharePoint 2010 with AD FS 2.0 & WS-Federation (en-US)

Craig Lussier

Table of Contents Introduction Pre-formatted Link Sample URL Broken Down Removing or Seperating Windows Authentication Links Introduction Consider the situation where you have a SharePoint 2010 site secured by AD FS 2.0 and you have a partner that accesses this application that also uses AD...

on18 Feb 2012
Wiki Page: Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

David Loder

There are two ways in which Windows Identity Foundation (WIF) can utilize the WS-Federation passive WAUTH parameter to specify an authentication type. There are a few questions to ask before deciding which method to implement: 1. Can the WAUTH parameter remain static for a Relying Party (RP) application...

on16 Nov 2011
Wiki Page: Windows Identity Foundation (WIF): How to Utilize the WS-Federation WHR Parameter to Bypass Home Realm Discovery (HRD)

Gregory Hoffman

There are two ways in which Windows Identity Foundation (WIF) can utilize the WS-Federation passive WHR parameter to bypass home realm discovery (HRD). There are a few questions to ask before deciding which method to implement: 1. Can the WHR parameter remain static for a Relying Party (RP) application...

on29 Sep 2011
Wiki Page: Install AD FS 2.0 Hotfixes in Preparation for Office 365

Ed Price - MSFT

This article is intended for Microsoft Office 365 customers who need to determine whether AD FS 2.0 specific hotfixes must first be installed on existing AD FS 2.0 servers before they proceed with configuring single sign-on (SSO) functionality for Office 365 users. To determine if you will need to install...

on9 Sep 2011
Wiki Page: AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

stevta

If you are experiencing a Federation Service outage after modifying the claim rules on the Active Directory Claims Provider (CP) Trust, follow the steps below to restore the default Acceptance Transform Rules. Perform the following steps on a Federation Server that has write access to the...

on24 Aug 2011
Wiki Page: AD FS 2.0: ID4149: "The Saml2SecurityToken is rejected because the SAML2:Assertion specifies a OneTimeUse condition."

Ed Price - MSFT

Table of Contents Symptoms Cause 2.5.1 Element <Conditions> 2.5.1.5 Element <OneTimeUse> Resolution Symptoms Token acceptance from a third party Claims Provider (CP) fails The following exception is thrown by AD FS 2.0: ID4149: The Saml2SecurityToken is rejected because...

on24 Jun 2011
Wiki Page: Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

Ed Price - MSFT

To change or update the AD FS 2.0 service identity for a federation server farm requires additional changes beyond that of updating the logon user for the service in the Services node in Server Manager. The service identity for Active Directory Federation Service (AD FS) 2.0 is the Windows user account...

on21 Jun 2011
Wiki Page: AD FS 2.0: How to Perform an Unattended Installation of an AD FS 2.0 STS or Proxy

NeverEatAlone

Summary The steps below detail how to perform an unattended installation and initial configuration of an AD FS 2.0 STS or Proxy Unattended Installation of AD FS 2.0 Server Installation of AD FS 2.0 Server from the command line is accomplished using ADFSSetup.exe /quiet I...

on28 Apr 2011
Wiki Page: AD FS 2.0: Initial configuration fails during "Creating default claim set" and Event ID 37 is logged in AD FS 2.0 Tracing/Debug

Adam Conkle - MSFT

Symptoms AD FS 2.0 initial configuration fails using either FSConfig.exe or FSConfigWizard.exe The failure occurs on the step: " Creating default claim set " The following error messge is shown: Creating default claim set... Failed: An error occurred during an attempt...

on5 Apr 2011
Wiki Page: AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"

Ed Price - MSFT

Symptoms Token issuance fails The following events are logged in the AD FS 2.0/Admin Event Log: Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 2/14/2011 1:32:23 PM Event ID: 323 Task Category: None Level: Error Keywords: AD FS User: NETWORK SERVICE ...

on21 Mar 2011
Wiki Page: AD FS 2.0: How to Perform IDP-initiated Sign-on to a Relying Party (RP) Application that Supports Only WS-Federation

Ed Price - MSFT

Summary AD FS 2.0 offers a .aspx page for idp-initiated sign-on, and this functionality is limited to SAML 2.0 protocol Relying Parties (RPs). The .aspx page is located here: https:// your-Federation-Service-Name /adfs/ls/idpinitiatedsignon.aspx There is a way, however, to...

on21 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: Federation Metadata Retrieval Errors

Ed Price - MSFT

Forefront Unified Access Gateway (UAG) performs a number of tests and checks when you retrieve the federation metadata from the Active Directory Federation Services (AD FS) 2.0 server. This topic describes how to troubleshoot any errors you may receive when retrieving the federation metadata. Cannot...

on21 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: Web Monitor ID 45: Users Cannot Sign In and Receive Error about Attempting to Access Restricted URL

Ed Price - MSFT

Symptoms —When end users attempt to access the Forefront UAG portal, they may receive the following message " You have attempted to access a restricted URL. The URL contains an invalid parameter. " There may also be an event 45 in the Forefront UAG Web Monitor with the short description...

on21 Mar 2011
Wiki Page: Forefront UAG: Troubleshooting Forefront UAG with AD FS 2.0 Event Viewer Messages

Ed Price - MSFT

This topic lists the messages that you may encounter on Forefront Unified Access Gateway (UAG) in the event viewer or in the Forefront UAG Web Monitor when end users attempt to access your published site using Active Directory Federation Services (AD FS) 2.0 authentication. Event ID/Web Monitor...

on7 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: Associate Your Current AD FS 2.0 Application with the Authentication Server

Ed Price - MSFT

Description —When you add an AD FS 2.0 authentication repository for trunk authentication in the Forefront UAG Management console, Forefront UAG automatically creates an AD FS 2.0 application on that trunk and you may receive the following message " An AD FS 2.0 authentication server is used...

on7 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: The Trunk Contains Applications that Have the Same Public Host Name and Path

Ed Price - MSFT

Description —You have configured one or more applications on a trunk that use the same public host name and path and you receive the following message " The trunk 'trunk_name' contains applications that have the same public host name and path. Configure unique public host names and...

on7 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: The Application Uses Authorization Rules Based on Claims that Are Not Provided by the Authentication Server

Ed Price - MSFT

Description —You have configured claims-based authorization for a published application using claim types provided by the AD FS 2.0 authentication server and you receive the following message " The application 'application_name' in trunk 'trunk_name' uses authorization rules...

on7 Mar 2011
Wiki Page: Forefront UAG Troubleshooting: The Application Uses Authorization Rules Based on Claims from the Wrong Trunk Authentication Server

Ed Price - MSFT

Description —You have configured claims-based authorization for a published application using claim types provided by an AD FS 2.0 authentication server that is not configured for trunk authentication and you receive the following message " The application 'application_name' in trunk...

on7 Mar 2011

Can't find it? Write it!

Post an Article

Browse by Tags

Wiki Page: AD FS 2.0: Federation Server Proxy Servers Fail to Authenticate Users, Events 248 and 996 Logged

Wiki Page: AD FS 2.0: Sign-In Fails and Event 364 is Logged Showing Microsoft.IdentityServer.Protocols.Saml.NoAuthenticationContextException: MSIS7012

Wiki Page: AD FS 2.0: Claims to work with shadow accounts

Wiki Page: AD FS 2.0: Claims Are Missing From The Output Claim Set After A User's Name Has Changed

Wiki Page: AD FS 2.0: How to Change the net.tcp Ports for Services and Administration

Wiki Page: Windows Identity Foundation (WIF): A Potentially Dangerous Request.Form Value Was Detected from the Client (wresult="<t:RequestSecurityTo...")

Wiki Page: AD FS 2.0: How to Bulk Add Trust Relationships and Claim Rules for Testing (en-US)

Wiki Page: Automatic Login to SharePoint 2010 with AD FS 2.0 & WS-Federation (en-US)

Wiki Page: Windows Identity Foundation (WIF): How to Utilize the WS-Federation WAUTH Parameter to Specify an Authentication Type

Wiki Page: Windows Identity Foundation (WIF): How to Utilize the WS-Federation WHR Parameter to Bypass Home Realm Discovery (HRD)

Wiki Page: Install AD FS 2.0 Hotfixes in Preparation for Office 365

Wiki Page: AD FS 2.0: How to Restore the Default Acceptance Transform Rules for the Active Directory Claims Provider Trust

Wiki Page: AD FS 2.0: ID4149: "The Saml2SecurityToken is rejected because the SAML2:Assertion specifies a OneTimeUse condition."

Wiki Page: Change or Update the Service Identity for a Federation Server Farm (AD FS 2.0)

Wiki Page: AD FS 2.0: How to Perform an Unattended Installation of an AD FS 2.0 STS or Proxy

Wiki Page: AD FS 2.0: Initial configuration fails during "Creating default claim set" and Event ID 37 is logged in AD FS 2.0 Tracing/Debug

Wiki Page: AD FS 2.0: Error Event 323, "MSIS5009: The impersonation authorization failed" and Event 364, "MSIS3126: Access denied"

Wiki Page: AD FS 2.0: How to Perform IDP-initiated Sign-on to a Relying Party (RP) Application that Supports Only WS-Federation

Wiki Page: Forefront UAG Troubleshooting: Federation Metadata Retrieval Errors

Wiki Page: Forefront UAG Troubleshooting: Web Monitor ID 45: Users Cannot Sign In and Receive Error about Attempting to Access Restricted URL

Wiki Page: Forefront UAG: Troubleshooting Forefront UAG with AD FS 2.0 Event Viewer Messages

Wiki Page: Forefront UAG Troubleshooting: Associate Your Current AD FS 2.0 Application with the Authentication Server

Wiki Page: Forefront UAG Troubleshooting: The Trunk Contains Applications that Have the Same Public Host Name and Path

Wiki Page: Forefront UAG Troubleshooting: The Application Uses Authorization Rules Based on Claims that Are Not Provided by the Authentication Server

Wiki Page: Forefront UAG Troubleshooting: The Application Uses Authorization Rules Based on Claims from the Wrong Trunk Authentication Server

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support by product

Other support links

Not an IT pro?