TMG 2010 publish ADFS 2.2 (server 2012 R2)

  • Question

  • I was running a DC with server 2012 and ADFS 2.1 (server 2012) and had an ADFS 2.1 Proxy.

    I published ADFS external via TMG with a web publishing rule, this worked great (no preauth by TMG).

    Now I have a 2nd DC with server 2012 R2 and installed ADFS 2.2 (server 2012 R2) on it.
    Now in the TMG ADFS publishing rule I changed the TO field to the IP of the 2nd DC.

    Now when I run the TEST RULE I get "64 - the specified network name is no longer available".


    Monday, December 16, 2013 3:05 PM

Answers

  • I am seeing the same thing in my environment, and I think you are right; this has to do with the fact that ADFS is no longer dependent on IIS in Windows Server 2012 R2: http://technet.microsoft.com/en-us/library/hh831502.aspx.

    But, what I am wondering is, is it only the "Test Rule" functionality in TMG that is broken, or does ADFS not work in general?

    Tuesday, December 17, 2013 9:35 PM
  • I can confirm that I can successfully authenticate to my O365 tenant using ADFS installed on Windows Server 2012 R2, and published through TMG. It seems it's only the "Test Rule" functionality on the publishing rule that's broken, due to the fact that ADFS on Windows Server 2012 R2 no longer relies on IIS.
    Tuesday, December 17, 2013 10:44 PM
  • I also can confirm the test rule doesn't work but ADFS itself does work.

    Unfortunately the test rule also doesn't work for publishing "web application proxy", BUT then it does not work AT ALL.

    Tuesday, December 24, 2013 1:22 PM

All replies

  • Tuesday, December 17, 2013 6:05 AM
    Moderator
  • Hi,

    I deleted the old rule and created a new rule as in your first link, but that didn't work. If I add /adfs/* on the paths tab I get error "503 service unavailable".

    But i found something strange when digging around.

    I run split DNS and the ADFS external URL is the same as the internal one.
    So when I create the publishing rule as per your link and don't fill in the "computername or ip address" on the To tab, I get another error, "404 not found". Strange: I can browse to the site from TMG and nslookup shows the correct IP of the ADFS server.

    When I enter the IP address of the ADFS server in the "computername or ip address" field on the To tab I get the error "64 network name no longer available".

    I think it has something to do with it being a server 2012 R2 server and the new ADFS 3.0 that doesn't use IIS anymore, but I can't find out what.

    Any suggestions?

    Tuesday, December 17, 2013 7:23 AM
  • Hi,

    Do you configure the DNS server on both the internal and external NIC?

    I think there must be something wrong with your web listener since you can access the site from TMG server.

    Best Regards

    Quan Gu

    Tuesday, December 17, 2013 7:45 AM
    Moderator
  • Hi, DNS is configured only on the internal NIC. The internal NIC is on top in the binding order.
    The listener is configured as in your link above.

    FYI, the same rule and listener work to a server 2012 (non-R2) ADFS server.

    Tuesday, December 17, 2013 8:49 AM
  • Having just gone through the pain of trying to get ADFS on Server 2012 R2 published with TMG 2010, I will tell you how I got it to work. You have to use a non webserver publishing rule and simply publish port 443 inbound and outbound to the internal server. Once I got away from the web server rules it worked perfectly. I hope this helps anyone else out there having the Error 64 issues with this.
    Thursday, February 27, 2014 5:52 PM
  • Tks pgibbons! Helped a lot!

    It worked for me.

    Wednesday, May 28, 2014 10:30 PM
  • Hi All,

    I have created the TMG non-webserver publishing rule and cannot test the URL https://sts.domain.com.au/adfs/ls/idpinitiatedsignon.htm from the external or DMZ server?

    Can someone help me to create this connectivity to the ADFS 2012 R2 internal server.

    Certificate: *.domain.com (used for a few applications)

    Internal Federation Identifier: sts.domain.com

    TMG server in DMZ with two NICs.

    What do I need to do to allow communication?

    I got the following error externally:


    The page cannot be displayed  

    Explanation: There is a problem with the page you are trying to reach and it cannot be displayed. 


    Try the following:
    •Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion. 
    •Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped. 
    •Access from a link: If there is a link to the page you are looking for, try accessing the page from that link. 


    Technical Information (for support personnel)
    •Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202) 
     

    AS

     



    • Edited by AUSSUPPORT Wednesday, July 16, 2014 6:06 AM
    Wednesday, July 9, 2014 12:58 AM
  • Hi All,

    With Web Publishing I got error 64 and cannot test https://sts.domain.com/adfs/ls/idpinitiatedsignon.htm?

    Any other way to test this functionality?

    As

     

    Tuesday, July 15, 2014 8:08 AM
  • Were you able to resolve this?
    Tuesday, July 15, 2014 2:43 PM
  • Hi,

    Not with ADFS 3.0. I saw your post but I cannot use the non-web publishing rule because I'm using 443 for other servers and a single (external) IP.

    Description: The server publishing rule ADFS Proxy, which maps x.x.x.x:443:TCP to y.y.y.15:443 for the protocol HTTPS Server, was unable to bind a socket for the server. The server publishing rule cannot be applied. 
    The failure is due to error: You were not connected because a duplicate name exists on the network. If joining a domain, go to System in Control Panel to change the computer name and try again. If joining a workgroup, choose another workgroup name.

    So I just created ADFS 2.0, which works.

    AS

    Wednesday, July 16, 2014 6:12 AM
  • OK, after pulling my hair out a lot with this (TMG 2010 and ADFS 3 (windows 2012 R2) and federated domain with Office 365), I was getting the dreaded error 64.

    The 443 non-webserver rule solution previously posted worked, but I wasn't happy with that as I didn't want all port 443 requests going to my ADFS server, so I persisted with the web publishing rule and got it working.

    The setting that caused the error 64 for me is on the "To" tab of the web publishing rule: if you have anything specified in the "Computer name or IP address (required if the internal site name is different or not resolvable)" box, leave that blank, tick the "Forward the original host header" box, and I use "Requests appear to come from TMG"; then it works. (I have a HOSTS file on the TMG that points the sts name at the WAP (ADFS Proxy) internal IP.)

    Big thanks go to my colleague MartinF who set me on the right path (hopefully my hair will start to grow back now).

    • Proposed as answer by MegaNuk3 Friday, May 8, 2015 3:16 PM
    Friday, May 8, 2015 3:15 PM
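Added check script, not code posted in this thread and not Microsoft's: it verifies the two things the working configuration above depends on. `Test-AdfsPublishingPath` runs on the TMG 2010 server (Windows PowerShell 2.0 is enough) and confirms that the federation service name resolves via the HOSTS file to the internal ADFS/WAP address and that the IdP-initiated sign-on page answers when requested by host name rather than by bare IP. `Get-AdfsHttpSysBinding` runs on the ADFS 2012 R2 server and shows the host name the service is actually bound to in HTTP.SYS, since there is no IIS site to look at. `sts.domain.com` is the placeholder name used in the thread; the internal IP `10.0.0.15` is a constructed placeholder; the cmdlet names are those of the ADFS module on Server 2012 R2.

```powershell
# Added example (not from the thread). Placeholders: sts.domain.com (from the
# thread) and 10.0.0.15 (constructed). Run Test-AdfsPublishingPath on the TMG
# server and Get-AdfsHttpSysBinding on the ADFS 2012 R2 server.

function Test-AdfsPublishingPath {
    param(
        # Federation service name; replace with your own.
        [string]$FederationServiceName = 'sts.domain.com',
        # Constructed placeholder: the internal ADFS / WAP address that the
        # HOSTS file on the TMG server is expected to map the name to.
        [string]$ExpectedInternalIp = '10.0.0.15'
    )

    # 1. Name resolution on the TMG box. GetHostAddresses honours the HOSTS
    #    file, so this verifies the entry the working rule depends on.
    $resolved = [System.Net.Dns]::GetHostAddresses($FederationServiceName) |
        ForEach-Object { $_.IPAddressToString }
    if ($resolved -contains $ExpectedInternalIp) {
        Write-Host "Name resolution OK: $FederationServiceName -> $ExpectedInternalIp"
    } else {
        $msg = "$FederationServiceName resolves to $($resolved -join ', '); expected $ExpectedInternalIp. Check the HOSTS file on the TMG server."
        Write-Warning $msg
    }

    # 2. Fetch the IdP-initiated sign-on page by host name, never by bare IP,
    #    so the request carries the host name ADFS is bound to (the working
    #    rule forwards the original host header for the same reason).
    $url = "https://$FederationServiceName/adfs/ls/idpinitiatedsignon.htm"
    $request = [System.Net.HttpWebRequest]::Create($url)
    $request.Method  = 'GET'
    $request.Timeout = 15000
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
        Write-Host "ADFS answered HTTP $status for $url"
        return $status
    } catch [System.Net.WebException] {
        # An HTTP error (403/404/503 all appear in this thread) still carries a
        # response object; a transport failure (TLS, reset, no route) does not.
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
            Write-Warning "HTTP $status returned for $url"
            return $status
        }
        Write-Warning "No HTTP response from $url : $($_.Exception.Status) - $($_.Exception.Message)"
        return $null
    }
}

function Get-AdfsHttpSysBinding {
    # ADFS on Server 2012 R2 has no IIS site; its SSL certificate binding
    # lives in HTTP.SYS under the federation service host name. If that name
    # is not the one TMG forwards, the request is not served.
    Import-Module ADFS
    $props = Get-AdfsProperties
    Write-Host "Federation service name: $($props.HostName)"
    # The same binding as seen by the ADFS module and by HTTP.SYS directly.
    Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
    netsh http show sslcert
}
```

A 200 from `Test-AdfsPublishingPath` on the TMG server means ADFS is reachable through the path the rule uses even when TMG's "Test Rule" button still reports error 64, which matches what the confirmed answers describe. A 403 whose body is TMG's own "The page cannot be displayed" text, as in AUSSUPPORT's post, is TMG denying the URL itself, so the rule's paths and listener are the place to look rather than the ADFS server. If the host name printed by `Get-AdfsHttpSysBinding` differs from the name in the TMG HOSTS file, fix the name mismatch before touching the rule.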