UAG & ADFS

  • Question

  • Guys,

    trying to configure the ADFS server but cannot find the federationmetadata.xml file; it does not exist on my adfs server. Any ideas what I'm doing wrong? Have re-installed ADFS 2.0.

    Cheers

    Mark.

    Wednesday, February 1, 2012 12:58 PM

All replies

  • You can usually find it on this URL: https://[ADFS FQDN]/FederationMetadata/2007-06/FederationMetadata.xml

    You have installed ADFS v2.0 from the MS download, not just added the role?

    Cheers

    JJ

    P.S. My ADFS course was great ;) 


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 12:24 PM
    Moderator
  • Hi Jason,

    glad you enjoyed it, sure you're a black belt now.

    The install was done using the download and I have v.6.1.0.0 running on a w2008 R2 server (data center). I have re-built the server and re-installed everything (a few times actually).

    In the adfs mgt console I have a required config incomplete in the overview pane - "Required: Add a trusted relying party", but the initial setup wizard is done.

    I have the 'adfs' application under the Default web site in IIS. Under this I have 'ls' with 4 sub-folders - app_console, app_globalresource, app_themes and masterPages.

    In the adfs admin console > Services > Endpoints, I see 3 related metadata entries, one of which is /federationMetadata/2007-06/federationmetadata.xml (the file I'm looking for) <agghhhh>. I scanned the drives and can't find it.

     

    Also, I understand that at some point I'll need to add the UAG server as a relying Party Trust in this console, and this wizard also looks for the federationmetadata.xml file located on the uag server - this doesn't exist on the uag server either!!

    Does the file get created on the fly after an action is performed perhaps?

    Cheers

     

    Thursday, February 2, 2012 1:11 PM
    Yeah, you download it from your browser IIRC.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 1:14 PM
    Moderator
  • is there anything wrong I'm doing from what you can see in the above?

    Cheers

    Thursday, February 2, 2012 1:22 PM
  • Sorry, thinking pure ADFS, not UAG ADFS, check this:

    http://technet.microsoft.com/en-us/library/gg274305.aspx


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 2:40 PM
    Moderator
    yeah saw that, problem is that you need to import the federation metadata from the UAG server to complete the task...this does not exist on my UAG box either!

     

    But thanks.

    Thursday, February 2, 2012 2:44 PM
  • So, you followed all the steps here: http://technet.microsoft.com/en-us/library/gg274295.aspx???
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, February 2, 2012 2:56 PM
    Moderator
  • can't because the 1st step involves importing the federationMetadata.xml file from the ADFS server, which I do not have:

    "Before you configure the AD FS 2.0 authentication repository, make sure that your AD FS 2.0 server federation metadata is available to your Forefront UAG server. The federation metadata is normally available on the AD FS 2.0 server at the following URL: https://adfs2_server/FederationMetadata/2007-06/federationmetadata.xml."

    I've scanned the hard drive and can't find it.

    Thursday, February 2, 2012 3:11 PM
  • No, it is normally only available by browsing the URL not the file system (bit like ISA/TMG wpad.dat file)...did you try and access it from the ADFS server itself? The URL may not be available to UAG unless UAG can access the ADFS server using HTTPS...
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Mark_Robson Thursday, February 2, 2012 3:39 PM
    Thursday, February 2, 2012 3:18 PM
    Moderator
  • This walkthrough has some pictures and more detail if you pick out the relevant bits: https://blog.auth360.net/2011/06/09/federated-identities-with-uag-2010-sp1-and-office-365/

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Mark_Robson Thursday, February 2, 2012 3:38 PM
    Thursday, February 2, 2012 3:27 PM
    Moderator
    perfecto. Yes just found out it's hosted by the service! That's a new one to me :-)

     

    When I browse to it from my UAG box I now get a cert mismatch error. This all ties in with a question I posted a while back, about the wildcard domain name cert not matching the domain name of the ADFS & UAG server (long story).

    Thanks JJ, I'll pop by and buy you a beer next time I'm down your neck of the woods.

    Thursday, February 2, 2012 3:31 PM
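The two things this thread turns on, that the federation metadata is served by the AD FS service at the `/FederationMetadata/2007-06/FederationMetadata.xml` URL rather than sitting on disk, and that fetching it from the UAG box fails if the TLS certificate name does not match the AD FS FQDN, can be checked from a script before touching the relying-party wizard. The following is an added example, not code from the thread or from Microsoft: it fetches the metadata with hostname verification enforced (so a wildcard cert issued for a different domain raises an error instead of being silently accepted), parses the `entityID`, the signing-certificate thumbprints and the passive (`/adfs/ls/`) endpoints, and flags any of them that disagree with the FQDN you expect. The hostname `adfs.example.test` and the embedded metadata document are constructed for illustration; the fake "certificate" inside it is just base64 text, and the script does not verify the metadata's XML signature, which a production check should also do.

```python
"""Fetch and sanity-check AD FS 2.0 federation metadata (added example)."""
import base64
import hashlib
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used in AD FS federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "wsa": "http://www.w3.org/2005/08/addressing",
}


def metadata_url(adfs_fqdn):
    """The well-known metadata URL; the service generates the document on request."""
    return f"https://{adfs_fqdn}/FederationMetadata/2007-06/FederationMetadata.xml"


def fetch_metadata(adfs_fqdn, timeout=10):
    """Download the metadata, requiring a trusted cert whose name matches adfs_fqdn.
    A cert issued for another name (the wildcard problem from the thread) raises
    ssl.SSLCertVerificationError here rather than being quietly accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with urllib.request.urlopen(metadata_url(adfs_fqdn), context=ctx, timeout=timeout) as resp:
        return resp.read()


def parse_metadata(xml_bytes):
    """Extract entityID, SHA-1 thumbprints of signing certs, and passive endpoints."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("document is not a SAML/WS-Federation EntityDescriptor")
    thumbprints = []
    for kd in root.iterfind(".//md:KeyDescriptor[@use='signing']", NS):
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # Windows shows the certificate thumbprint as SHA-1 over the DER bytes.
            thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    endpoints = [
        a.text.strip()
        for a in root.iterfind(
            ".//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address", NS)
    ]
    return {"entity_id": root.get("entityID"),
            "signing_thumbprints": thumbprints,
            "passive_endpoints": endpoints}


def check_metadata(parsed, expected_fqdn):
    """Return a list of findings; an empty list means the metadata matches the FQDN."""
    findings = []
    expected = expected_fqdn.lower()
    host = urlparse(parsed["entity_id"] or "").hostname
    if host != expected:
        findings.append(f"entityID host {host!r} does not match {expected!r}")
    if not parsed["signing_thumbprints"]:
        findings.append("no signing certificate published in metadata")
    for ep in parsed["passive_endpoints"]:
        u = urlparse(ep)
        if u.scheme != "https":
            findings.append(f"passive endpoint is not HTTPS: {ep}")
        if u.hostname != expected:
            findings.append(f"passive endpoint host {u.hostname!r} differs from {expected!r}")
    return findings


# Constructed sample, shaped like AD FS 2.0 output; the cert body is not a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed, not a real certificate").decode()
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://adfs.example.test/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
""".encode()


if __name__ == "__main__":
    # With an FQDN argument, fetch live metadata; otherwise check the built-in sample.
    fqdn = sys.argv[1] if len(sys.argv) > 1 else "adfs.example.test"
    data = fetch_metadata(fqdn) if len(sys.argv) > 1 else SAMPLE_METADATA
    parsed = parse_metadata(data)
    print("entityID:", parsed["entity_id"])
    print("signing thumbprints:", parsed["signing_thumbprints"])
    print("findings:", check_metadata(parsed, fqdn) or "none")
```

Run it with the AD FS FQDN as the argument from the UAG server itself; if the fetch raises a certificate verification error, that is the same name mismatch the browser reports, and the relying-party wizard on UAG will hit it too until the certificate covers the AD FS name.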