ADFS 3.0 certificate based authentication, Authentication page just loads forever. ADFS+WAP

  • Question

  • Internally and externally ADFS shows CBA is enabled

    get-adfsglobalauthenticationpolicy
    
    PrimaryIntranetAuthenticationProvider : {FormsAuthentication, WindowsAuthentication, CertificateAuthentication}
    PrimaryExtranetAuthenticationProvider : {FormsAuthentication, CertificateAuthentication}

    - I have an ADFS server in the internal LAN, and a WAP in the DMZ.
    - Ports are open, including 49443 between ADFS<->WAP, as can be tested with a telnet connection
    - Users are assigned client auth certificates with SubjectAltName: Other Name:Principal Name=name@ourcompany.com
    - Office365 Trusted relay setup
    - We have a federated domain in Azure and SSO is working for username and password
    - CRLs are accessible from the ADFS server and WAP server
    - Root cert is present on the ADFS server and WAP server (no duplicates)

    When a user from the inside connects to Azure portal.office.com, WIA just signs them in.
    When a user from outside connects to Azure portal.office.com, a certificate popup prompts for CBA. The user selects a certificate (user auth cert with the right SAN) and the Auth page loads forever.

    The WAP and ADFS servers don't log any errors (or I don't know where to look).

    certutil -f -urlfetch -verify <certname.cer>

    The output of the above seems valid and is the same on the WAP and ADFS server:

     ----------------  Certificate AIA  ----------------
     Wrong Issuer "Certificate (0)" Time: 0
       [0.0] ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?cACertificate?base?objectClass=certificationAuthority

     Verified "Certificate (1)" Time: 0
       [0.1] ldap:///CN=servername,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?cACertificate?base?objectClass=certificationAuthority

     Verified "Certificate (1)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername.domainName.com_servername(2).crt

     ----------------  Certificate CDP  ----------------
     Verified "Base CRL (0bce)" Time: 0
       [0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [0.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     Verified "Base CRL (0bce)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername(2).crl

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [1.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     Verified "Base CRL (0bce)" Time: 0
       [2.0] http://crl.externalDomain.com/crl/servername(2).crl

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.1] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     Verified "Delta CRL (0bce)" Time: 0
       [2.0.2] http://crl.externalDomain.com/crl/servername(2)+.crl

     ----------------  Base CRL CDP  ----------------
     OK "Delta CRL (0bcf)" Time: 0
       [0.0] ldap:///CN=servername(2),CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint

     OK "Delta CRL (0bcf)" Time: 0
       [1.0] http://servername.domainName.com/CertEnroll/servername(2)+.crl

     OK "Delta CRL (0bcf)" Time: 0
       [2.0] http://crl.externalDomain.com/crl/servername(2)+.crl

    I don't know where to look to move forward with my troubleshooting. Any help you guys can give would be appreciated.


    • Edited by I_Know_God Thursday, January 18, 2018 8:55 PM Spelling
    Thursday, January 18, 2018 8:53 PM

Answers

  • Hi,
    Thank you for posting questions in this forum. Since the question is more about ADFS, I would suggest you post the question in the ADFS forum:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=ADFS
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 19, 2018 2:19 AM
  • Cross-posted, thank you.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/ab79449a-780e-41fb-819d-d9c75bfa0154/adfs-30-certificate-based-authentication-authentication-page-just-loads-forever-adfswap?forum=ADFS

    Friday, January 19, 2018 2:49 PM

All replies

  • I enabled the CAPI2 log and found 4 events that happen every time I attempt my CBA from an external network.

    No errors seem to be inside any of these. The certificate seems valid on the WAP and chaining seems valid. Details are hard to read though. The ADFS server doesn't show any entries in the CAPI2 log when external CBA is attempted.

    Stuck here


    • Edited by I_Know_God Thursday, January 18, 2018 9:54 PM Added Information
    Thursday, January 18, 2018 9:53 PM
  • Internally and externally, on a non-domain-joined client with a user certificate (and associated root) and the CAPI2 log enabled, I was able to get a cryptic error that confuses me greatly.

    The errors are:
    Event ID 11: Build Chain 
    Event ID 41: Verify Revocation

    Result: The revocation function was unable to check revocation because the revocation server was offline: Value: 80092013

    I then checked my http://crl.externalDomain.com/crl/ and all my CRLs were listed and accessible from my client.
    I then checked certutil and found something very interesting...

    certutil -f -urlfetch -verify <certname.cer>

    See below: all the CDP locations fail and error, as they should ... BECAUSE the verify is referencing the wrong .crl file. Though, to be fair, the file being referenced exists but is for a previous chain of the root.

    This following line: [1.0.2] http://crl.EternalDomain.com/crl/servername.crl
    Should be like this: [1.0.2] http://crl.EternalDomain.com/crl/servername(2).crl

    And

    This following line: [1.0.2] http://crl.EternalDomain.com/crl/servername+.crl
    Should be like this: [1.0.2] http://crl.EternalDomain.com/crl/servername(2)+.crl

     ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
      Wrong Issuer "Base CRL (0bce)" Time: 0
        [1.0] http://servername.domainName.com/CertEnroll/servername.crl
      Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [1.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
      Wrong Issuer "Delta CRL (0bce)" Time: 0
        [1.0.1] http://servername.domainName.com/CertEnroll/servername+.crl
      Wrong Issuer "Delta CRL (0bce)" Time: 0
        [1.0.2] http://crl.EternalDomain.com/crl/servername+.crl
      Wrong Issuer "Base CRL (0bce)" Time: 0
        [2.0] http://crl.EternalDomain.com/crl/servername.crl
      Failed "CDP" Time: 0
        Error retrieving URL: The specified network resource or device is no longer available. 0x80070037 (WIN32: 55 ERROR_DEV_NOT_EXIST)
        [2.0.0] ldap:///CN=servername,CN=servername,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domainName,DC=com?deltaRevocationList?base?objectClass=cRLDistributionPoint
      Wrong Issuer "Delta CRL (0bce)" Time: 0
        [2.0.1] http://servername.domainName.com/CertEnroll/servername+.crl
      Wrong Issuer "Delta CRL (0bce)" Time: 0
        [2.0.2] http://crl.EternalDomain.com/crl/servername+.crl
    

    Sooo ... why? What do I do?
    If I view the certificate it shows the right CRL file. When I verify it with certutil it queries the wrong one.

    Thursday, January 18, 2018 11:14 PM
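    Added example, not code from the original post and not a Microsoft tool: a PowerShell script that automates the check both `certutil -f -urlfetch -verify` runs above do by hand. It builds the chain of a client-auth certificate with online, whole-chain revocation checking (the same class of check that produces the 0x80092013 "revocation server was offline" result in CAPI2), then for every non-root element downloads each HTTP CRL named in its CRL Distribution Points (2.5.29.31) and Freshest CRL (2.5.29.46) extensions and compares the CRL's Authority Key Identifier with the Subject Key Identifier of the certificate that issued it, which is the kind of mismatch certutil labels "Wrong Issuer". Assumptions: Windows with certutil.exe on the path; the -CertPath file is the exported user certificate; the regexes match the English text layout of `certutil -dump`; -Proxy is a hypothetical parameter you only set if the DMZ host reaches the CRL site through a proxy. Run it on the WAP and on the ADFS server and compare the two outputs.

```powershell
<#
  Added example; not code from the original post or from Microsoft.
  Walks the chain of a client-auth certificate and, for every non-root
  element, fetches each HTTP CRL listed in its CDP (2.5.29.31) and
  Freshest CRL (2.5.29.46) extensions, then checks that the CRL's
  Authority Key Identifier matches the issuing certificate's SKI.
  Assumptions: certutil.exe on the path; English certutil -dump layout.
#>
param(
    [Parameter(Mandatory = $true)][string] $CertPath,
    [string] $Proxy   # assumption: only needed if the host must go through a proxy
)

$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Build the chain the way a service would: online revocation, entire chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode      = 'Online'
$chain.ChainPolicy.RevocationFlag      = 'EntireChain'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
$built = $chain.Build($leaf)
Write-Output ("Chain build succeeded: {0}" -f $built)
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here correspond to the
    # 0x80092013 CRYPT_E_REVOCATION_OFFLINE result seen in the CAPI2 log.
    Write-Output ("  status: {0} - {1}" -f $s.Status, $s.StatusInformation.Trim())
}

function Get-ExtensionUrls {
    param($Cert, [string] $Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text; each location shows as "URL=..."
    return @([regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value })
}

function Get-SubjectKeyId {
    param($Cert)
    $ski = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }
    if ($ski) { return ($ski.SubjectKeyIdentifier -replace '\s', '').ToUpperInvariant() }
    return ''
}

$work = Join-Path $env:TEMP 'crlcheck'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# 2. Walk the chain leaf -> root; element i was issued by element i+1.
$elements = @($chain.ChainElements)
for ($i = 0; $i -lt $elements.Count; $i++) {
    $cert = $elements[$i].Certificate
    Write-Output ("`n[{0}] {1}" -f $i, $cert.Subject)
    if ($i -eq $elements.Count - 1) {
        Write-Output '    trust anchor; nothing above it to check'
        continue
    }
    $issuerCert = $elements[$i + 1].Certificate
    $issuerSki  = Get-SubjectKeyId $issuerCert
    Write-Output ("    issued by {0} (SKI {1})" -f $issuerCert.Subject, $issuerSki)

    $urls = @(Get-ExtensionUrls $cert '2.5.29.31') + @(Get-ExtensionUrls $cert '2.5.29.46')
    foreach ($url in $urls) {
        # LDAP CDPs are unreachable from a DMZ WAP anyway; only HTTP matters there.
        if ($url -notmatch '^https?://') { Write-Output "    skip (not HTTP): $url"; continue }
        $file = Join-Path $work ([uri]$url).Segments[-1]
        try {
            $req = @{ Uri = $url; OutFile = $file; UseBasicParsing = $true; TimeoutSec = 20 }
            if ($Proxy) { $req.Proxy = $Proxy }
            Invoke-WebRequest @req
        } catch {
            Write-Output ("    FETCH FAILED {0}: {1}" -f $url, $_.Exception.Message)
            continue
        }
        # 3. certutil -dump prints the CRL's NextUpdate and its AKI "KeyID=..." line;
        #    a KeyID that differs from the issuer's SKI is a CRL for a different CA key.
        $dump = (& certutil -dump $file) -join "`n"
        $next = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
        $aki  = ([regex]::Match($dump, 'KeyID=([0-9a-fA-F ]+)').Groups[1].Value -replace '\s', '').ToUpperInvariant()
        $verdict = if (-not $aki)            { 'could not parse AKI from certutil -dump output' }
                   elseif ($aki -eq $issuerSki) { 'issuer OK' }
                   else                          { 'WRONG ISSUER: CRL AKI does not match issuer SKI' }
        Write-Output ("    {0}`n      NextUpdate={1}  AKI={2}`n      -> {3}" -f $url, $next, $aki, $verdict)
    }
}
```

    A CRL whose AKI does not match the issuing CA's current SKI (for example a file left over from an earlier CA key, as the post above describes) is rejected by the chain engine exactly as if no CRL were reachable, so the chain status ends up as RevocationStatusUnknown or OfflineRevocation rather than a clear "wrong file" message; a NextUpdate in the past on an otherwise matching CRL produces the same symptom.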

  • Hi,

    You are welcome. If the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Best regards,

    Wendy



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 22, 2018 1:05 AM