ADFS through TMG. Relying party trust certificate keeps giving me errors

  • Question

  • Hello all,

    I'm trying to use ADFS, as a brand new install, to authenticate us to our web scanning provider. I have set up ADFS with a relying party trust and I can access my XML path using

    https://myserver.domain.com/adfs/ls/federationserverservice.asmx

    This displays my XML file as it should. I've got this running internally and then published through TMG in our DMZ. I've set up TMG with the correct copies of the certificate and everything seems fine. I've also followed the setup of the relying party trust to the letter. However, when I try an authentication attempt using their software I get the generic 'there was a problem accessing the site. try to browse the site again, if the problem persists' etc. etc.

    I take a look at my event log for ADFS and I've turned tracing on. What's happening is that the relying party trust certificate I installed (and it is marked as 'this certificate is OK') is continually spitting out the errors below.

    I do know that the certificate is actually good, but something is going strange here with the CRL. This certificate for the relying party trust was NOT imported to my TMG box at all (because I find no articles anywhere that suggest it should be). I have also not imported my token signing certificate for the same reason. The web server certificate of the ADFS box itself has been added to TMG, and when I access the ADFS XML path it reports as having a signed cert, so I presume that is OK.

    A certificate used while validating the token is invalid.

    Exception details:

    MSIS3015: The signing certificate of the claims provider trust 'zscaler.net' identified by thumbprint 'FED50D8B82FBCA3F37823704BD2D46D08909D7F6' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

    followed by

    Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'zscaler.net' identified by thumbprint 'FED50D8B82FBCA3F37823704BD2D46D08909D7F6' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

    Any help would be great, I'm going crazy staring at this now.

    Tuesday, January 22, 2013 9:15 PM

All replies

  • I should note that in the standard ADFS Admin log I see the following after one of these faults. Unsure if it's helpful or more of a general error based off the preceding problem.

    Encountered error during federation passive request.

    Additional Data

    Exception details:

    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

       --- End of inner exception stack trace ---

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken, WSFederationMessage incomingMessage)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSecurityToken(SecurityToken securityToken, WSFederationMessage incomingMessage)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseForProtocolRequest(FederationPassiveContext federationPassiveContext, SecurityToken securityToken)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponse(SecurityToken securityToken)

    System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)

       at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage, SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)

       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)


    Tuesday, January 22, 2013 9:27 PM
  • I was going to suggest trying "Set-ADFSRelyingPartyTrust -TargetIdentifier soAndSo -SigningCertificateRevocationCheck None" but then noticed that ADFS is complaining about a claims provider certificate.  Normally you would not have a separate claims provider trust for a simple configuration where your on-premises ADFS needs to authenticate users to a third party.  Sure you set up the correct type of trust?


    Steve Kradel, Zetetic LLC SMS OTP for FIM | Salesforce MA for FIM

    Wednesday, January 23, 2013 12:30 AM
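    The cmdlet Steve mentions turns the revocation check off; before doing that it is worth reproducing the check ADFS is failing, from the ADFS server itself. The script below is an added example and not code from this thread or from Microsoft: it reads the signing certificate configured on the relying party trust, rebuilds its chain with an online CRL/OCSP fetch (the default behaviour behind MSIS3015), prints the chain status and the CRL distribution points, and shows the current value of SigningCertificateRevocationCheck. The identifier 'zscaler.net' is taken from the error text; the snap-in name applies to ADFS 2.0 on Server 2008 R2 and is assumed to match the poster's version.

    ```powershell
    # Added example, not from the original post. Run in an elevated PowerShell on the
    # ADFS server. 'zscaler.net' comes from the MSIS3015 text; the rest assumes a
    # standard relying party trust.

    # ADFS 2.0 (Server 2008 R2) exposes the cmdlets through a snap-in; later versions
    # load them as a module automatically.
    if (-not (Get-Command Get-AdfsRelyingPartyTrust -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.Adfs.PowerShell
    }

    $identifier = 'zscaler.net'
    $rp = Get-AdfsRelyingPartyTrust -Identifier $identifier
    if (-not $rp) { throw "No relying party trust with identifier '$identifier'" }

    "Trust:                             $($rp.Name)"
    "SigningCertificateRevocationCheck: $($rp.SigningCertificateRevocationCheck)"

    foreach ($cert in $rp.RequestSigningCertificate) {
        "`nSigning certificate: $($cert.Subject)"
        "  Thumbprint: $($cert.Thumbprint)   NotAfter: $($cert.NotAfter)"

        # Rebuild the chain the way ADFS validates it by default: online revocation
        # check over the whole chain. This is what fails with MSIS3015 when the CRL
        # cannot be fetched or the chain is not trusted on this host, even though the
        # certificate MMC (which may use a cached CRL) reports 'This certificate is OK'.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'       # X509RevocationMode
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # X509RevocationFlag
        $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

        $built = $chain.Build($cert)
        "  Chain builds cleanly: $built"
        foreach ($s in $chain.ChainStatus) {
            "  Status: $($s.Status) - $($s.StatusInformation.Trim())"
        }

        # CRL distribution points (extension OID 2.5.29.31). These URLs must be
        # reachable from the ADFS server itself, through whatever proxy it uses;
        # reachability from the TMG box in the DMZ does not help here.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) { "  CRL distribution points:"; $cdp.Format($true) }
        else      { "  No CRL distribution point extension on this certificate" }
    }

    # The change Steve refers to. Accepted values for the parameter are None,
    # CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly,
    # CheckChainExcludeRoot and CheckChainExcludeRootCacheOnly. 'None' removes the
    # check entirely, so a revoked partner signing key would still be accepted;
    # fix CRL reachability first, or fall back to a *CacheOnly variant if the
    # server is deliberately kept off the internet.
    # Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier -SigningCertificateRevocationCheck CheckChainExcludeRoot
    ```

    If a chain status of RevocationStatusUnknown or OfflineRevocation shows up, the CRL URLs printed above are the thing to test from the ADFS server (for example with `certutil -urlfetch -verify <exported cert>.cer`); UntrustedRoot or PartialChain means the issuing CA certificates are missing from the local machine store. Because the event names a claims provider trust, the same check can be pointed at `Get-AdfsClaimsProviderTrust`, whose signing certificates are in the TokenSigningCertificates property and which takes the same -SigningCertificateRevocationCheck parameter on the Set- cmdlet.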
  • Hi Steve, thanks for the response.

    Yes, the connection should be set up correctly. Exactly what is happening here is we authenticate using our own Active Directory against an external provider for web scanning (Zscaler in this case). During the setup of the relying party trust, you do set up a claim rule. This maps the attribute store (Active Directory in this case) against the Name ID. There is a white paper I followed to the letter (even reinstalling from scratch once).

    The idea of the system is that our users go to Zscaler, Zscaler turns them back for authentication, where they authenticate against our Active Directory and provide the authentication proof back to Zscaler, who then allows them access to the internet, scans the traffic, etc. and logs activity against their credentials.

    The certificate it's complaining about is on the relying party trust. After opening the relying party trust, it's required to put this certificate into the 'Signature' page, which I have done. This certificate then reports as 'OK' if I look at the chain.

    Wednesday, January 23, 2013 6:25 AM
  • Hi,

    Regarding ADFS related issues, the forum below may be more suitable. You will get better assistance there.

    Claims based access platform (CBA), code-named Geneva

    http://social.msdn.microsoft.com/Forums/en/Geneva/

    Hope this helps.

    Best Regards,

    Andy Qi

    TechNet Subscriber Support


    • Proposed as answer by Sandesh Dubey Wednesday, January 23, 2013 4:26 PM
    • Marked as answer by Andy Qi Wednesday, January 30, 2013 3:35 AM
    Wednesday, January 23, 2013 9:27 AM