What is the default Federation Metadata URL

    Question

  • Hello All

    Can someone please help me with the following question.

    I am setting up ADFS 3 (Windows 2012 R2) in a LAB as follows, as I want/need to learn about ADFS

    All Servers are Windows 2012 R2

    Two separate AD Forests (OrigForest.local and NewForest.local)

    Each forest has a separate CS (certificate services server), e.g. Root CA

    Two ADFS Servers (one per forest) 

    Each ADFS Server trusts the CA in the other Forest

    Each AD FS Server has a PKI certificate (from the CA in its own forest) based on the WEB Server template (i.e. Server Authentication EKU). The certificate has the Subject common name (CN=) which matches the FQDN of the ADFS Server. Each certificate also has a SAN which contains the FQDN of the ADFS Server plus *.OrigForest.local (for the AD FS Server in that forest) and *.NewForest (for the ADFS Server in that forest).

    My LAB uses the 192.168.0.x address space for all Servers and the firewall rules allow any traffic in and out from/to any 192.168.0.x address (so I do not believe it is a firewall issue at this time).

    I have a DNS forwarder on each of the DNS Servers (Domain Controllers) in each forest to point to the other DNS Server in the other forest. This appears to work fine as using nslookup I can resolve the FQDN of any host in the other forest.

    Post installation,

    when I try to create my first trust (e.g. relying party trust, on my account domain) and specify the FQDN of the ADFS Server in the resource domain I get the following error:

    "An error occurred during an attempt to read the federation metadata. Verify the specified URL or hostname is a valid federation metadata endpoint."

    Therefore, in the first instance, I want to see if I can reach the other AD FS Server's metadata URL directly in IE. What is the default URL following a default installation, please?

    (I have not added any Proxy Servers at this time; should I have? I am trying to connect directly from one AD FS Server to the other in the other forest.) I have seen a few examples of the URL in posts on the internet but the format seems to change and therefore I wanted to check what I should expect the standard to be.

    Any help most welcome.

    Thanks

    Ernie

    Tuesday, May 03, 2016 11:32 AM

Answers

  • Every ADFS farm must have its unique FQDN. The farm FQDN must not be the same as the FQDN of the one and only ADFS server. Yes, an ADFS farm can consist of only 1 ADFS server. When thinking about an ADFS service FQDN make sure it can be resolved on the internet. For test labs using .local is fine as long as you do not want to federate with other federation systems/applications on the internet or other companies. When your service FQDN is the same as your single ADFS server, stuff breaks because the ADFS server computer has an SPN like HOST/<adfs service fqdn>, while that SPN should be on the ADFS service account.

    Therefore in your case you should:

      • Configure the ADFS service FQDN as FS.ORIGFOREST.COM and FS.NEWFOREST.COM
      • On every service account register the corresponding SPN: HOST/FS.ORIGFOREST.COM and HOST/FS.NEWFOREST.COM
      • Make sure the DNS records exist in the new zones
      • Make sure the new certificates contain the FQDN of the service and not the servers, and permission the private keys accordingly

    The federation service metadata URL is:

    https://<adfs service/farm fqdn>/federationmetadata/2007-06/federationmetadata.xml

    You can also get your endpoints incl. full URLs through PowerShell using Get-AdfsEndpoint.

    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies


    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    • Marked as answer by BrantEH Thursday, May 05, 2016 11:45 AM
    Thursday, May 05, 2016 8:52 AM
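    The checks in the accepted answer, as an added PowerShell example (not part of the thread or of the AD FS product documentation): it walks through the service name, the SPN on the service account, DNS, the HTTP.sys SSL binding and the published metadata endpoint on an AD FS 3.0 (Windows 2012 R2) server, then fetches the metadata document. The farm name fs.origforest.local and the service account ORIGFOREST\svc_adfs are assumed lab values; the thread itself suggests FS.ORIGFOREST.COM, so substitute whatever the farm was actually configured with.

```powershell
# Added example (not from the thread). Assumed lab values below.
$FarmFqdn       = 'fs.origforest.local'     # the AD FS service name, NOT the server's own name
$ServiceAccount = 'ORIGFOREST\svc_adfs'     # the AD FS service account

# 1. The federation service name the farm was configured with
$props = Get-AdfsProperties
"Configured federation service name: $($props.HostName)"
if ($props.HostName -ne $FarmFqdn) {
    Write-Warning "HostName is $($props.HostName), expected $FarmFqdn"
}

# 2. The HOST/<service fqdn> SPN must sit on the service account, not on the computer account.
#    -match on the array returns the matching lines; an empty result is falsy.
$spns = setspn -L $ServiceAccount
if (-not ($spns -match [regex]::Escape("HOST/$FarmFqdn"))) {
    Write-Warning "HOST/$FarmFqdn is not registered on $ServiceAccount"
}

# 3. DNS: the service name needs its own A record (or CNAME) in the zone
try {
    $addr = (Resolve-DnsName -Name $FarmFqdn -Type A -ErrorAction Stop).IPAddress
    "$FarmFqdn resolves to $addr"
} catch {
    Write-Warning "$FarmFqdn does not resolve: $($_.Exception.Message)"
}

# 4. The SSL certificate bound in HTTP.sys for the service name must carry that name in its SAN
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $FarmFqdn }
if (-not $binding) {
    Write-Warning "No HTTP.sys SSL binding for $FarmFqdn (see Get-AdfsSslCertificate)"
} else {
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)"
    $san  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    "Bound certificate subject: $($cert.Subject)"
    "Bound certificate SAN:     $($san.Format($true))"
}

# 5. The metadata endpoint as the service itself publishes it, then the document behind it
$meta = Get-AdfsEndpoint | Where-Object { $_.AddressPath -like '*FederationMetadata*' }
"Published metadata endpoint: $($meta.FullUrl)  (enabled: $($meta.Enabled))"
$url = "https://$FarmFqdn$($meta.AddressPath)"
$response = Invoke-WebRequest -Uri $url -UseBasicParsing
$xml = [xml]$response.Content
"Fetched $($response.Content.Length) bytes, entityID: $($xml.EntityDescriptor.entityID)"
```

    Run it in an elevated PowerShell session on the AD FS server (the ADFS module loads with the role). Step 5 is the same request the relying party trust wizard makes on the other side; if it fails here, the wizard will fail too, and the warnings from steps 1 to 4 point at which of the four prerequisites is missing.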

All replies

  • This is the URL (ADFS servers or Proxy have the same URL). Same for previous versions of ADFS actually...

    https://<FQDN OF THE FARM>/FederationMetadata/2007-06/FederationMetadata.xml

    Note that the following URLs will not work (due to SNI):

    https://<FQDN of the ADFS server>/FederationMetadata/2007-06/FederationMetadata.xml
    https://<IP ADDRESS>/FederationMetadata/2007-06/FederationMetadata.xml



    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, May 03, 2016 3:05 PM
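    The SNI point above, as an added example (mine, not Pierre's): AD FS 3.0 binds its certificate in HTTP.sys per host name rather than per IP address, so the name a client puts in the TLS ClientHello decides whether HTTP.sys answers with a certificate at all. The script first lists the host name bindings, then performs a raw TLS handshake against the server's IP three times with different server names. The farm name fs.origforest.local, the server name adfs01.origforest.local and the address 192.168.0.10 are assumed lab values.

```powershell
# Added example (not from the thread). Assumed lab values below.
$FarmFqdn   = 'fs.origforest.local'       # name with an HTTP.sys SSL binding
$ServerFqdn = 'adfs01.origforest.local'   # the server's own name, no binding
$ServerIp   = '192.168.0.10'              # where both names point

# The per-hostname bindings HTTP.sys actually holds (same data as Get-AdfsSslCertificate)
netsh http show sslcert | Select-String -Pattern 'Hostname:port'

function Test-SniHandshake {
    param([string]$ConnectTo, [string]$SniHost)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ConnectTo, 443)
        # Accept any certificate: the point is to see whether HTTP.sys answers, not to validate it
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        # AuthenticateAsClient sends $SniHost in the ClientHello server_name extension;
        # for an IP literal .NET sends no SNI at all, which is what a browser does for https://<ip>/
        $ssl.AuthenticateAsClient($SniHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        "SNI '$SniHost': handshake OK, server presented $($cert.Subject)"
    } catch {
        "SNI '$SniHost': handshake failed ($($_.Exception.Message))"
    } finally {
        $tcp.Close()
    }
}

Test-SniHandshake -ConnectTo $ServerIp -SniHost $FarmFqdn     # works: binding exists for this name
Test-SniHandshake -ConnectTo $ServerIp -SniHost $ServerFqdn   # fails: no binding for the server's name
Test-SniHandshake -ConnectTo $ServerIp -SniHost $ServerIp     # fails: no SNI sent, no IP:port binding
```

    The same test run from the account-side AD FS server shows whether the resource farm name, not just the server name, reaches HTTP.sys intact through the cross-forest DNS forwarders; it is the name in the handshake, not the address, that has to match a binding.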
  • Hello Pierre

    Thanks very much for taking the time to reply.

    With regard to the above, I have one AD FS Server per forest; does one AD FS Server also constitute a farm (e.g. a farm of 1)? As I noted above, you said the following will work (e.g. FQDN of Farm)

    https://<FQDN OF THE FARM>/FederationMetadata/2007-06/FederationMetadata.xml

    and this will not work (e.g FQDN of Server)

    https://<FQDN of the ADFS server>/FederationMetadata/2007-06/FederationMetadata.xml


    As far as my LAB goes I have now turned off the Windows firewall completely on both AD FS Servers.

    Due to my DNS forwarders I can do a FQDN lookup from either forest of the AD FS Server's A record in the other forest.

    I do not see IIS installed, but then again I did read briefly that AD FS 3.x does not require IIS to be installed, therefore I assume the https connection uses http.sys (or another daemon) directly.

    Using the AD FS Management Tool on the Resource forest (e.g. the one whose metadata I am trying to retrieve), looking at Service > Endpoints I see the following information on Metadata (see png image at the following URL)

    https://onedrive.live.com/redir?resid=5078F596186C0B1C!570&authkey=!AI9iJkU9MStBoPc&v=3&ithint=photo%2cpng

    which matches up with what you were saying above e.g. 

    /FederationMetadata/2007-06/FederationMetadata.xml

    Therefore I am not sure why it is not working; the only error/warning I get in the AD FS log when I restart the Server is the following

    The SAML artifact resolution endpoint is not configured or it is disabled. 

    The artifact resolution service is not started. 

    User Action 
    If the artifact resolution service is required, use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.

    I am not sure if the above is to be expected on a new installation or represents part of my problem getting the metadata?

    Could it be a certificate problem? When I look at the certificates in the AD FS management tool I see the following (see png at following URL)

    https://onedrive.live.com/redir?resid=5078F596186C0B1C!571&authkey=!AC7n7Jjd35cLYRE&v=3&ithint=photo%2cpng

    I guess I could export the metadata from my resource AD FS Server and import it into my account AD FS Server. However this seems like giving up when the above should work, plus it is a good troubleshooting exercise to help me learn AD FS.

    Any more advice or suggestions most welcome.

    Thanks

    Ernie 

    Tuesday, May 03, 2016 6:28 PM
  • Thanks for your reply and detailed answer/explanation I will go back and revisit my configuration.

    Thanks again for taking the time out of your day to help :)

    Ernie

    Thursday, May 05, 2016 11:44 AM
  • Hopefully this old thread is still monitored...

    I don't see any explanation of what the URL portion "/2007-06/federationmetadata.xml" has to do with anything. Why "2007-06"?

    I am not too experienced with ADFS, only having set it up twice for Office 365, but I don't recall ever seeing mention of this URL (as noted in your reply).

    Is that URL what is published by default when setting up ADFS for the first time?

    Thursday, May 10, 2018 7:37 PM