https://hostname/adfs/services/trust/mex gives back error 503

  • Question

  • Hi.

    Still troubleshooting a nonworking RPT :) for only one service (lots of others are working fine).

    We found now that

    https://hostname/adfs/services/trust/mex gives back error 503,

    but https://hostname/FederationMetadata/2007-06/FederationMetadata.xml works fine.

    The other company claims that /trust/mex must give a valid response, and indeed the ADFS 2.0 troubleshooting guide confirms it. We use ADFS 3.0. The certificate (Service communication) seems to be valid and I have triple checked access to the private key. There is also no other service consuming the nettcp port (which seems to be a problem in some cases with CRM).

    Strangely on Service startup still Event 102 is logged:

    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
    Additional Data
    Exception details:
    System.ArgumentException: It is likely that certificate 'CN=*.company.com, O=Name, L=Location, S=state, C=country' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail.
       at System.ServiceModel.Security.SecurityUtils.EnsureCertificateCanDoKeyExchange(X509Certificate2 certificate)
       at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateServerX509TokenProvider()
       at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateLocalSecurityTokenProvider(RecipientServiceModelSecurityTokenRequirement recipientRequirement)
       at System.ServiceModel.Security.ServiceCredentialsSecurityTokenManager.CreateSecurityTokenProvider(SecurityTokenRequirement requirement)
       at System.ServiceModel.Security.SymmetricSecurityProtocolFactory.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecurityListenerSettingsLifetimeManager.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelListener`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)

    Later event 388 is logged, which confirms that

    AD FS detected that all the service certificates have appropriate access given to the AD FS service account.

    I haven't found any doc specifying some special need to "have a private key that is capable of key exchange". Also ADFS 3.0 should support wildcard certificates.

    Thursday, September 29, 2016 8:01 AM

Answers

  • Hi

    EKU is

    Server Authentication (1.3.6.1.5.5.7.3.1)
    Client Authentication (1.3.6.1.5.5.7.3.2)
    And yes I do have the private key sign.


    BUT - I found the solution :)

    The problem WAS indeed in the KeySpec type. The certificate was obtained from a public CA in the form of key and cert files and converted with the help of OpenSSL. It seems that either -keyex was not specified (or some other issue, I do not know), but if the certificate is verified with certutil (certutil -v -store MY <certnumber>) it shows KeySpec = 2 - AT_SIGNATURE.

    After reconverting with the -keyex switch and reimporting, KeySpec = 1 -- AT_KEYEXCHANGE.

    Verifying all things and restarting ADFS, success. And the URL now returns XML as it should ...

    :)

    Thanks for thinking.


    • Edited by Andres P Monday, November 7, 2016 7:38 AM reformat
    • Marked as answer by Andres P Monday, November 7, 2016 7:40 AM
    Monday, November 7, 2016 7:36 AM
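A check for the KeySpec condition diagnosed in this answer, added here as an example and not code posted in the thread: it reads the KeyNumber of the Service Communications certificate's private key, which is the value certutil -v -store MY reports as KeySpec, and tells legacy CSP keys apart from CNG keys, which have no KeySpec at all. It assumes Windows PowerShell 5.1 on the AD FS node, run elevated; the function name Test-AdfsServiceCommKeySpec is chosen here.

```powershell
# Added example (not code from the thread). Reports whether the private key behind
# the AD FS Service Communications certificate is AT_KEYEXCHANGE (KeySpec 1, what
# WCF's EnsureCertificateCanDoKeyExchange needs) or AT_SIGNATURE (KeySpec 2, the
# value that produced Event 102 above). Assumes Windows PowerShell 5.1 on the
# AD FS node, run elevated; the function name is chosen here, not a built-in cmdlet.
function Test-AdfsServiceCommKeySpec {
    [CmdletBinding()]
    param(
        # Defaults to the configured Service Communications certificate.
        [string]$Thumbprint = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
    )
    $cert = Get-Item -Path ("Cert:\LocalMachine\My\" + $Thumbprint.ToUpper()) -ErrorAction Stop
    $r = [ordered]@{
        Subject = $cert.Subject; Thumbprint = $cert.Thumbprint
        Provider = ''; KeySpec = 'n/a'; KeyExchangeOk = $null; Advice = ''
    }
    if (-not $cert.HasPrivateKey) {
        $r.Advice = 'No private key is associated with this certificate; import the PFX again.'
        return [pscustomobject]$r
    }
    # On .NET Framework this returns RSACryptoServiceProvider for legacy CSP keys
    # (which carry a KeySpec) and RSACng for CNG keys (which have no KeySpec).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info  = $rsa.CspKeyContainerInfo
        $spec  = [int]$info.KeyNumber                          # 1 = Exchange, 2 = Signature
        $names = @{ 1 = 'AT_KEYEXCHANGE'; 2 = 'AT_SIGNATURE' }  # the labels certutil -v prints
        $r.Provider      = $info.ProviderName
        $r.KeySpec       = "$spec - $($names[$spec])"
        $r.KeyExchangeOk = ($spec -eq 1)
        if (-not $r.KeyExchangeOk) {
            # Remediation the accepted answer used: rebuild the PFX with the OpenSSL -keyex switch.
            $r.Advice = 'Rebuild the PFX with "openssl pkcs12 -export -keyex ...", reimport it and restart the AD FS service.'
        }
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        # KeySpec does not apply to CNG keys; report the CNG key usage instead.
        $r.Provider = $rsa.Key.Provider.Provider
        $r.KeySpec  = "none (CNG key, KeyUsage = $($rsa.Key.KeyUsage))"
        $r.Advice   = 'CNG key: the AT_SIGNATURE cause from this thread does not apply.'
    } else {
        $r.Advice = 'Unrecognised private key type; inspect it with certutil -v -store MY <thumbprint>.'
    }
    [pscustomobject]$r
}

Test-AdfsServiceCommKeySpec | Format-List
```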

All replies

  • Hiya,

    CRM service account needs permissions to Read the private key of the certificate.

    ADFS service account needs permissions to Read the private key of the certificate.

    Check that and see if that helps :)

    You mentioned CRM, that is why I posted it for CRM :)

    https://technet.microsoft.com/en-us/library/gg188575.aspx

    Link for ADFS 2.0, it's the same for ADFS 3.0

    https://support.microsoft.com/en-us/kb/2921805

    Thursday, September 29, 2016 1:07 PM
  • No, no, I do not have CRM, I just mentioned it because it has a similar error, but I do not have other services running on the related port. :)

    Thursday, September 29, 2016 2:11 PM
  • Can you run the following script on your primary node as an admin and share the output:

    # Thumbprint of the configured Service Communications certificate (upper-case hex)
    $_cert_service = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint.ToUpper()
    # Hash of the certificate bound to the federation service name on port 443 (the HTTP.SYS SSL binding)
    $_cert_ssl = (Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $((Get-AdfsProperties).HostName) -and $_.PortNumber -eq 443 }).CertificateHash
    If ( $_cert_service -ne $_cert_ssl )
    {
        Write-Output "The SSL cert is not the Service-Communications cert!"
    }
    $_get_cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $_cert_ssl }
    If ( $null -eq $_get_cert )
    {
        Write-Output "Did not find the certificate in the machine store!"
    } Else {
        # Locate the key container file on disk. This path applies to legacy CSP (RSA) keys,
        # which is the only case in which .PrivateKey.CspKeyContainerInfo is populated.
        $_cert_private_container_name = (Get-Item $_get_cert.PSPath).PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $_cert_private_container_path = $ENV:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\" + $_cert_private_container_name
        # The ACL on that file is what grants the service accounts read access to the private key
        $_cert_private_key_acl = Get-Acl $_cert_private_container_path
        If ( $_cert_private_key_acl -isnot [System.Security.AccessControl.FileSystemSecurity] ) {
            Write-Output "Cannot read the ACL of the private key! Maybe try as an admin..."
        } Else {
            # The AD FS service (adfssrv) and the Device Registration Service (drs) both need an entry
            If ( $_cert_private_key_acl.Access.IdentityReference -notcontains "NT SERVICE\adfssrv" ) {
                Write-Output "Missing the reference for NT SERVICE\adfssrv!"
            } Else {
                $_level_access = ($_cert_private_key_acl.Access | Where-Object { $_.IdentityReference -eq "NT SERVICE\adfssrv" }).AccessControlType.ToString()
                Write-Output "NT SERVICE\adfssrv access = $_level_access"
            }
            If ( $_cert_private_key_acl.Access.IdentityReference -notcontains "NT SERVICE\drs" ) {
                Write-Output "Missing the reference for NT SERVICE\drs!"
            } Else {
                $_level_access = ($_cert_private_key_acl.Access | Where-Object { $_.IdentityReference -eq "NT SERVICE\drs" }).AccessControlType.ToString()
                Write-Output "NT SERVICE\drs access = $_level_access"
            }
        }
    }


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, October 1, 2016 3:36 AM
  • On ADFS server

    Results:

    NT SERVICE\adfssrv access = Allow
    NT SERVICE\drs access = Allow

    The AD FS service itself runs under a domain group managed account.

    Wednesday, October 5, 2016 2:09 PM
  • Are you using self signed certificate for token signing and token decrypting certs?


    Wednesday, October 19, 2016 12:04 AM
  • Yes, token signing and decryption certs are managed by the ADFS server, i.e. self signed.


    • Edited by Andres P Friday, November 4, 2016 1:17 PM
    Friday, November 4, 2016 1:17 PM
  • What is the EKU of the cert you are using?


    Friday, November 4, 2016 4:07 PM
  • Oh, and when you look at the Cert in the GUI, does it have the icon at the bottom showing that you have an associated private key?



    Friday, November 4, 2016 4:33 PM