ADFS 3 password change not working

  • Question

  • Hi,

    I enabled the password change endpoint as described here:

    https://blogs.msdn.microsoft.com/samueld/2015/05/13/adfs-2012-r2-now-supports-password-change-not-reset-across-all-devices/

    however when I got to the page: fs.mydomain.co.uk/adfs/portal/updatepassword/

    All I get is this error:

    An error occurred
    An error occurred. Contact your administrator for more information.
    Error details
    Activity ID: 00000000-0000-0000-1300-0080000000c8
    Error time: Fri, 03 Feb 2017 13:07:07 GMT
    Cookie: enabled
    User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36

    I have installed all updates on the machine, and I'm aware of the hotfix kb 3035025 however because the machine is fully updated, this hotfix is not applicable.

    I have tried re-starting the ADFS server and rebooting the machine too.

    Friday, February 3, 2017 1:23 PM

All replies

  • Does your ADFS service account have proper permission in the local directory to reset passwords?

    Friday, February 3, 2017 9:01 PM
  • The service account does not need permissions.

    Look on the ADFS Admin event logs and look for the corresponding error message (you should have an error with the Activity ID: 00000000-0000-0000-1300-0080000000c8 according to your message). Tell us what it says. 


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Sunday, February 5, 2017 3:35 AM
  • Thanks for the reply, I tried clearing the log and refreshing the page.

    There are no events logged, at all.

    Found, in the debug log:

    ENTER: ErrorPage.Get

    So it looks like when I enabled the endpoint, it didn't create the page? Or it's missing for some reason.


    • Edited by Andrew Busby Monday, February 6, 2017 11:39 AM
    Monday, February 6, 2017 8:32 AM
  • Well then we have a bigger issue. Every error visible to the end user should have its corresponding error event in the ADFS Admin logs, unless you disabled the logging (it is enabled by default). Can you ensure the logging is still enabled? And if you have a farm of ADFS servers, check on each node?


    Monday, February 6, 2017 1:57 PM
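    The checks suggested in the two replies above (confirm the endpoint is enabled, confirm Admin logging is still on, and pull the Admin events carrying the Activity ID from the error page) as one script to run on each farm node. This is an added example, not code from the thread; it assumes an elevated PowerShell session on an AD FS 2012 R2 server with the ADFS module available, and uses the Activity ID quoted in the question.

```powershell
# Added diagnostic script (not from the thread). Run elevated on each AD FS
# node; compare the output between nodes to spot a node that differs.
Import-Module ADFS

$activityId = [guid]'00000000-0000-0000-1300-0080000000c8'   # value from the error page in the thread
$path       = '/adfs/portal/updatepassword/'

# 1. Is the password change endpoint enabled on this node (and published to the proxy)?
$ep = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $path }
if (-not $ep) {
    Write-Warning "Endpoint $path is not known on $env:COMPUTERNAME"
} else {
    '{0}: {1} Enabled={2} Proxy={3}' -f $env:COMPUTERNAME, $ep.AddressPath, $ep.Enabled, $ep.Proxy
    # If Enabled is False, the blog post linked in the question enables it with:
    #   Enable-AdfsEndpoint -TargetAddressPath $path
}

# 2. Is error logging to the AD FS/Admin log still switched on?
$logLevel = (Get-AdfsProperties).LogLevel
if ($logLevel -notcontains 'Errors') {
    Write-Warning "Error logging is off on $env:COMPUTERNAME (LogLevel = $($logLevel -join ','))"
} else {
    "LogLevel on $env:COMPUTERNAME = $($logLevel -join ',')"
}

# 3. Find the AD FS/Admin events whose Activity ID matches the one shown to the user.
#    Filtering on the record's ActivityId property avoids guessing the XPath casing.
$events = Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 2000 -ErrorAction SilentlyContinue |
          Where-Object { $_.ActivityId -eq $activityId }
if (-not $events) {
    "No AD FS/Admin events with Activity ID $activityId on $env:COMPUTERNAME"
} else {
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
}
```

    No matching event on any node, with the endpoint enabled and LogLevel including Errors, is the situation the thread describes, which points at the AD FS installation itself rather than at configuration.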
  • Yes, it's enabled. It's logging everyone's bad login attempts perfectly well. I'm running a farm, but I dropped down to one node to troubleshoot this.

    As I said, I did also enable the debug log, and found a corresponding error.

    ENTER: ErrorPage.Get

    that's all I have.

    Monday, February 6, 2017 2:53 PM
  • Just restarted the server and noticed that:

    The Federation Service started successfully. The following service hosts have been added: 
    Federation Server Proxy ServiceHost
    https://fs.mycompany.uk:443/adfs/services/proxytrustpolicystoretransfer
    
    MSIS0004
    https://fs.mycompany.uk/adfs/fs/federationserverservice.asmx
    
    Issuance ServiceHost
    http://localhost:80/adfs/services/trust/mexsoap
    https://fs.mycompany.uk:443/adfs/services/trust/proxymex/
    
    Issuance ServiceHost
    http://localhost/adfs/services/trust/proxymexsoap
    https://fs.mycompany.uk:443/adfs/services/trust/proxymex/
    
    Issuance ServiceHost
    https://fs.mycompany.uk/adfs/services/trust/2005/windowstransport
    https://fs.mycompany.uk/adfs/services/trust/2005/certificatemixed
    https://fs.mycompany.uk:49443/adfs/services/trust/2005/certificatetransport
    https://fs.mycompany.uk/adfs/services/trust/2005/usernamemixed
    https://fs.mycompany.uk/adfs/services/trust/2005/kerberosmixed
    https://fs.mycompany.uk/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256
    https://fs.mycompany.uk/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256
    https://fs.mycompany.uk/adfs/services/trust/13/kerberosmixed
    https://fs.mycompany.uk/adfs/services/trust/13/certificatemixed
    https://fs.mycompany.uk/adfs/services/trust/13/usernamemixed
    https://fs.mycompany.uk/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256
    https://fs.mycompany.uk/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256
    net.tcp://localhost/adfs/services/trusttcp/windows
    
    SAML Artifact Resolution ServiceHost
    https://fs.mycompany.uk/adfs/services/trust/artifactresolution
    
    SAML Metadata
    https://fs.mycompany.uk/FederationMetadata/2007-06/
    
    Other endpoints
    
    https://+:443/adfs/oauth2/authorize/
    https://+:443/adfs/ls/
    https://+:443/adfs/oauth2/token/
    https://+:49443/adfs/oauth2/authorize/
    https://+:49443/adfs/ls/
    http://+:80/adfs/artifact/
    https://+:443/adfs/Proxy/EstablishTrust/
    https://+:443/adfs/backendproxytls/
    https://+:443/adfs/Proxy/
    http://+:80/adfs/Proxy/PrimaryWriter/
    https://+:49443/adfs/portal/
    https://+:443/adfs/portal/
    

    The update password endpoint isn't listed. Should it be?

    It's listed in Get-AdfsEndpoint as enabled.

    Monday, February 6, 2017 3:38 PM
  • No, it should not show up in the list. Only when you ran the cmdlet.

    I understand you have something in the debug logs. But they are hardly exploitable as-is. The only way I found to repro the issue is to have a typo in the URL... Can you make sure?



    Monday, February 6, 2017 5:10 PM
  • I'm beginning to think it may have something to do with the authentication methods I have enabled. I tried enabling certificate authentication and device authentication, and the page changed. I have been unable to find any guidance on required authentication methods to support update password.

    An error occurred

    The device authentication failed.

    If I go to the wrong URL I get the same message I had before, so I'm definitely going to the correct URL; it's the one listed in the endpoints.

    I also found another error trawling through the debug log, at the same time as a failed attempt to load the page

    Portal listener error

    Tuesday, February 7, 2017 8:32 AM
  • Ok, so this was caused by Windows updates not updating the ADFS components.

    The only solution was to reload the server OS.

    Wednesday, March 1, 2017 11:00 AM