Friday, December 05, 2014

ADFS : problems with Issuance Authorization Rules

These rules are useful if you want to allow or deny access to an application based on whether the authenticated user has a particular claim or not.

So I had a situation where there was a workflow involved and a user could not have access until they had been validated by an administrator.

So I created a claim called:


(Remember, these are URIs, not URLs!).

Then in the Issuance Transform Rules tab I had the normal LDAP rule to create the claim from an AD attribute, and in the Issuance Authorization Rules tab I had a rule that said that if that claim had a value of "True" then allow access. I deleted the default "Allow access to anyone" rule.

Problem was - it didn't work?

Had a chat with Mr. Google (and it was a long chat!) and eventually figured out that each tab stands on its own, i.e. there is no cross-pollination between them. The fact that you have a rule in one tab means nothing in another.

You have to repeat the rules in each tab.

Then all was sweetness and light!
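As an added example (these are not the post's own rules; the trust name "Workflow App", the attribute extensionAttribute2 and the claim type http://example.com/claims/validated are assumptions), here are the two rule sets applied with the ADFS PowerShell cmdlets, with the LDAP lookup repeated in the authorization set so the permit rule has something to test:

```powershell
# Added example, not the original post's rules. Assumptions: the RP trust is
# "Workflow App", the administrator sets extensionAttribute2 to "True" once
# the user is validated, and it is issued as the made-up claim type below.
$rpName        = "Workflow App"
$validatedType = "http://example.com/claims/validated"

# Issuance Transform Rules tab: the normal LDAP rule, attribute -> claim.
$transformRules = @"
@RuleName = "Validated flag from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$validatedType"), query = ";extensionAttribute2;{0}", param = c.Value);
"@

# Issuance Authorization Rules tab: this set never sees what the transform
# rules issued, so the lookup is repeated. add() puts the claim in this set's
# input without emitting it; the second rule then turns it into a permit.
$authzRules = @"
@RuleName = "Validated flag from AD (authorization copy)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("$validatedType"), query = ";extensionAttribute2;{0}", param = c.Value);

@RuleName = "Permit only validated users"
c:[Type == "$validatedType", Value =~ "^(?i)true`$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Both parameters replace the whole rule set on the trust, which is what we
# want here: no "Permit Access to All Users" rule left behind.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# Read back and eyeball: the only permit in this set must be the regex one.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

The acceptance transform rules on the Active Directory claims provider trust run before both of these sets and feed both of them, so the lookup can also live there once instead of twice; either way, check the authorization set on its own, because a rule that is only in the transform set grants nothing.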


Tuesday, December 02, 2014

IIS : You can ping the box but can't connect to IIS

Had the problem recently.

Laptop all running smoothly - could ping it no problem and connect to it via \\name.

But no way could I http to a website on the laptop.

Did the "ipconfig /flushdns" dance - no joy.

Double-checked all the IIS settings.

Had a chat with Mr. Google and found a suggestion to:

telnet "IP address" 80

This tests whether a TCP connection to port 80 gets through at all, independent of anything IIS does with it.

No joy - aha - so it's not IIS per se - it's the TCP/IP traffic on port 80.

Fired up Windows Firewall. Yup - the inbound rule for HTTP (World Wide Web Services) traffic on port 80 was disabled. Enabled it - bingo - all A-OK.
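The same diagnosis as an added example in PowerShell (not from the post; the laptop address 192.168.1.50 is an assumption), separating "nothing is listening" from "the host firewall is dropping it", and enabling IIS's own inbound rule rather than opening the port wholesale:

```powershell
# Added example, not from the original post. Uses the NetTCPIP / NetSecurity
# cmdlets (Windows 8.1 / Server 2012 R2 or later); the netsh equivalent for
# older boxes is in a comment. Assumption: the laptop is 192.168.1.50.
$server = "192.168.1.50"
$port   = 80
$rule   = "World Wide Web Services (HTTP Traffic-In)"   # the rule IIS setup creates

# 1. On the laptop: is anything listening on the port at all? http.sys listens
#    on behalf of IIS, so the owner shows up as PID 4 (System), not w3wp.exe.
Get-NetTCPConnection -LocalPort $port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Test-NetConnection -ComputerName localhost -Port $port | Select-Object TcpTestSucceeded

# 2. From another box: does the SYN get through? Same check as "telnet <ip> 80".
$r = Test-NetConnection -ComputerName $server -Port $port
$r | Select-Object PingSucceeded, TcpTestSucceeded
# PingSucceeded = True, TcpTestSucceeded = False, with step 1 showing a listener,
# is the "can ping, can't http" symptom: the host firewall is dropping port 80.

# 3. On the laptop: look at the built-in rule and enable it. Enabling the scoped
#    rule beats adding a new any-to-any "allow 80" rule.
Get-NetFirewallRule -DisplayName $rule | Select-Object DisplayName, Enabled, Profile, Action
Enable-NetFirewallRule -DisplayName $rule
#    Older boxes: netsh advfirewall firewall set rule name="World Wide Web Services (HTTP Traffic-In)" new enable=yes

# 4. Re-test from the other box.
Test-NetConnection -ComputerName $server -Port $port | Select-Object TcpTestSucceeded
```

Step 1 is the one the telnet test on its own cannot answer: a refused connection from the outside looks the same whether the firewall blocks it or nothing is bound to the port.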


Monday, November 17, 2014

ADFS : Using an AD primary key

There's a common use case where you are using some external system, e.g. Facebook, to authenticate and ADFS is in the pipeline as an R-STS.

Facebook only returns a GUID, which doesn't mean a lot to AD, so you have a registration flow where you ask the user for their details, e.g. name, email address, and then map the GUID to these.

So the next time the user logs in you have the GUID but need to use this as a "primary key" to get the rest of the details from AD.

Assume you have placed the Facebook GUID in a claim type called:

and it's stored in AD in extensionAttribute1.

So you have a normal LDAP claims rule that maps:

extensionAttribute1 -->

Then you need a custom ADFS claim rule to do the extraction based on the mapping:

c:[Type == ""]
 => issue(store = "Active Directory", types = ("", "", "", ""), query = "(&(extensionAttribute1={0})(objectClass=user));givenName,sn,mail,mobile;domain\user", param = c.Value);

So the rule searches AD for the user whose extensionAttribute1 value matches "" and then returns:


as four separate claims.
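As an added example (not the post's own rule; the claim types under http://example.com/claims/, the trust name "Portal" and the account CONTOSO\svc-adfs standing in for the post's "domain\user" placeholder are all assumptions), the lookup rule applied with PowerShell, with one addition a practitioner would want: the id is interpolated into an LDAP filter, so the rule's condition only admits values shaped like an id.

```powershell
# Added example, not the original post's rule. Assumptions (none are from the
# post): the Facebook id arrives as http://example.com/claims/facebookid, the
# four outputs are the http://example.com/claims/... types below, the RP trust
# is "Portal" and the query's domain\user segment is CONTOSO\svc-adfs.
$rp    = "Portal"
$fbKey = "http://example.com/claims/facebookid"

# The claim value is dropped straight into the LDAP filter as {0}. The regex
# in the condition means a value with a wildcard or parenthesis from an
# external IdP never reaches the query. Adjust the character class and length
# to the shape of the ids you actually store in extensionAttribute1.
$lookupRule = @"
@RuleName = "Resolve AD user from Facebook id"
c:[Type == "$fbKey", Value =~ "^[0-9A-Za-z-]{1,64}`$"]
 => issue(store = "Active Directory", types = ("http://example.com/claims/givenname", "http://example.com/claims/surname", "http://example.com/claims/email", "http://example.com/claims/mobile"), query = "(&(extensionAttribute1={0})(objectClass=user));givenName,sn,mail,mobile;CONTOSO\svc-adfs", param = c.Value);
"@

# -IssuanceTransformRules replaces the whole set, so append to what is there
# rather than wiping the other rules on the trust.
$existing = (Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules ($existing + "`n" + $lookupRule)

# Read back and check the new rule landed after the existing ones.
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules
```

If extensionAttribute1 is not indexed in your AD, the filter is a full scan of the user objects on every login; worth checking before this goes anywhere busy.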


AD : Information about the domain could not be retrieved (1355)

Setting up a new system with an AD in a DC in another domain that is "sandpitted" and got this error.

"Information about the domain could not be retrieved (1355)".

Can ping the DC, but the IP / name is in my hosts file - it's not in DNS.

Lots of stuff on the Internet - mainly red herrings.

The problem was the DNS "hole" - adding this DC as my alternate DNS on my Windows 7 box fixed the problem.
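Why the hosts-file entry isn't enough, as an added example (not from the post; the domain sandpit.local, the DC address 10.0.0.10 and the adapter name "Ethernet" are assumptions): ping only needs the DC's name to resolve, but locating a domain controller goes through DNS SRV records, which a hosts file cannot supply.

```powershell
# Added example, not from the original post. Assumptions (none are from the
# post): the sandpit domain is sandpit.local, its DC is 10.0.0.10 and the
# client's adapter is "Ethernet". Needs the DnsClient cmdlets (Windows 8 /
# Server 2012 or later); the Windows 7 equivalents are in the comments.
$domain = "sandpit.local"
$dcIp   = "10.0.0.10"
$nic    = "Ethernet"

# This is the lookup the domain locator does and the one that fails with 1355
# when the DC is only in the hosts file.
#   Win7: nslookup -type=SRV _ldap._tcp.dc._msdcs.sandpit.local
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
nltest "/dsgetdc:$domain"

# Add the DC as an alternate DNS server, keeping the normal server first.
#   Win7: netsh interface ip add dns name="Local Area Connection" addr=10.0.0.10 index=2
$servers = (Get-DnsClientServerAddress -InterfaceAlias $nic -AddressFamily IPv4).ServerAddresses
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses ($servers + $dcIp)
Clear-DnsClientCache

# Now the locator can find it.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV
nltest "/dsgetdc:$domain"

# Put the original list back when the sandpit work is done. While the DC is
# listed, it gets all of your lookups whenever the first server stops
# answering, and it can answer them with whatever it likes.
# Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses $servers
```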


Wednesday, November 12, 2014

stackoverflow: Writing the perfect question

I've blogged on this before but it bears repeating.

cf Jon Skeet: Writing the perfect question.

There was a question on SO that's a perfect example.

"How do I achieve SSO with site a, site b, WIF and SAML and STS"?

Is site a /b .NET / Java / ...?

What flavour STS?

WIF and SAML are mutually incompatible. Explain.

Are site a / b in different domains? With different identity repositories? If so, what repositories are these? AD or ...?

And so on.

In my experience, the quality of the answer correlates with the quality of the question.

Yeah - I get that people are leaving out important details because they don't really understand the environment.

If so, Google other questions. What details do they supply?

If you want to be noticed in the vast list of SO questions, you have to put some effort in.

Make me want to help you by answering!


IdentityServer: two different WS-Fed endpoints

So I've been using thinktecture's IdentityServer for a project.

First off - it's a damn good product - but then you have two top class MVPs working on it!

I'm using V2.

I'm using it in two modes:

As an IDP against the SQL Server DB
As an R-STS - effectively a broker that just passes on the traffic.

Normally these are the same endpoint e.g. ADFS.

But I was battling until I realised that there are actually TWO WS-Fed endpoints.

My bad - it's obvious when you see the metadata list.

So /issue/wsfed works for the IDP and /issue/hrd works for the R-STS. As the name implies, this brings up the HRD screen.

If you look at the two controllers, the code (as you would expect) is pretty similar and they both share the same WSFederationResult.


Thursday, November 06, 2014

Windows Server: Where's the drive mapping?

Needed to map a drive on Server 2012 R2 to load some media so:

Start - right click "This PC" - check "Map network drive"

Then map to G: e.g.

Into command prompt with run as administrator set - type "G:" - no such drive - WTF? - I can see the mapping in File Explorer!

Turns out the elevated prompt runs under a different logon token from the Explorer session that made the mapping, and drive mappings belong to a logon session, so the elevated session simply doesn't see it. You have to map the drive again from the elevated prompt, i.e.

net use g: \\"mapping path" password /user:domain\user /persistent:no

g: = drive to map
mapping path = path to media
password = your password (or * to be prompted for it, which keeps it out of the console history)
/user:domain\user = your domain and user
/persistent:no = don't persist the mapping across logons

Job done.

I suspect this will work on Windows 8 as well.


Wednesday, October 01, 2014

ADFS : ADFS 3.0 - no web.config

I've blogged before about the changes in ADFS 3.0 on Server 2012 R2.

No IIS so no web.config.

Hang on - what about things like:

<context hidden="true" />
<error page="Error.aspx" />
<acceptedFederationProtocols saml="true" wsFederation="true" />
<homeRealmDiscovery page="HomeRealmDiscovery.aspx" />
<persistIdentityProviderInformation enabled="true" lifetimeInDays="30" /> 

They are no longer there.

The trick is to use PowerShell (thanks @paullem!):

Set-AdfsWebConfig -ContextCookieEnabled $True -HRDCookieEnabled $True -HRDCookieLifetime 30


Wednesday, September 24, 2014

Misc : Popular posts

There is a little widget that's supposed to do this but here are the actual statistics.

Notice the number of ADFS hits!


Misc : GitHub for Windows - Clone in Desktop

GitHub for Windows is a neat tool but suffers from a severe lack of documentation.

I find a project I like, click "Clone in Desktop" on the RHS and it takes me to a screen saying "Download GitHub for Windows" even though I have the damn thing already installed.

So ^^%$$% frustrating.

Mr. Google to the rescue and after a number of false starts (Google sucks more and more at delivering useful search results) I discovered that you need to log in first on the GitHub site.

Then all is OK.

Going by the number of hits I found on this, 99% of this would be avoided if GitHub put a notice to that effect on the page e.g.

"You must first Login".


Tuesday, September 23, 2014

ADFS : The joys of hidden context

Playing around with ADFS 3.0 on Server 2012 R2 and found yet another difference from ADFS 2.x.

Imagine you have a number of .NET applications going via ADFS as an RP-STS to another IP-STS.

Now on the IP-STS you want to know which RP the authentication request is coming from.

All the ADFS requests come through one channel, so headers like Referer are useless.

In your RP's web.config you can set parameters like wreply or wtrealm on the wsFederation element.

You'll see these in the URL going to ADFS, inside the &wctx parameter. But nothing goes on to the IP-STS; ADFS "removes" them. Instead there is a &wctx that is just a GUID.

And there is a cookie on the way which looks like:


where xxxyyy is Base64 encoded.

In ADFS 2.0 there was an entry in the web.config which told ADFS not to stash this information in a cookie but to send it as part of the query string - which makes for a very long query string! It also means the RP's wreply / wtrealm travel in a URL, where web server logs, proxies and Referer headers can all see them, so only do this if the IP-STS genuinely needs them.

This entry was:

<context hidden="true" />

(hidden="false" being the setting that puts the context on the query string.)

But in ADFS 3.0 there is no actual web.config. You have to look in:


and there's a file called:


but it has no such entry.

The trick is to use PowerShell:

Set-AdfsWebConfig -ContextCookieEnabled $False


Friday, August 08, 2014

ADFS : Certificate details in the metadata

Common problem - you get sent some metadata that contains certificate info and then get an error when you try to import it.

Would be really useful to see the actual certificate, right?

Good news is that help is at hand.

In the metadata file, you'll see something like:

<KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="">

Then there's the actual certificate info. which is in Base64.

Copy it - the stuff between the open and closing ds:X509Certificate tag.

Now paste that into an editor - Notepad++ is my poison of choice.

Then save that as a .cer file.

Now double-click on the file in Explorer.

Job done!
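As an added example (not the post's own procedure; the file name FederationMetadata.xml is an assumption), the same extraction done in PowerShell. It decodes the Base64 properly, reports the expiry date, a common reason an import is rejected, and saves each certificate as DER so the .cer opens directly in Explorer:

```powershell
# Added example, not part of the original post: read a federation metadata
# file, pull every X509Certificate out of its KeyDescriptor elements, show
# what each one is and save it as a DER .cer. Assumption: the file you were
# sent is .\FederationMetadata.xml.
$metadataPath = ".\FederationMetadata.xml"

[xml]$md = Get-Content -Path $metadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Only the KeyDescriptor certificates. A signed metadata file also carries a
# ds:X509Certificate inside its own <ds:Signature>, which is not what we want.
foreach ($kd in $md.SelectNodes("//md:KeyDescriptor", $ns)) {
    $use = $kd.GetAttribute("use")
    if (-not $use) { $use = "any" }   # no use attribute: good for signing and encryption

    foreach ($node in $kd.SelectNodes(".//ds:X509Certificate", $ns)) {
        # The Base64 is usually wrapped with whitespace; strip it before decoding.
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)

        [pscustomobject]@{
            Use        = $use
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }

        # The decoded bytes are the DER certificate, which is exactly what a
        # .cer file holds, so no editor round trip is needed.
        $file = Join-Path (Get-Location) ("{0}-{1}.cer" -f $use, $cert.Thumbprint)
        [IO.File]::WriteAllBytes($file, $der)
    }
}
```

Compare the thumbprints it prints with what the partner says they are using; a metadata file that carries an old signing certificate next to the current one is the other usual cause of an import that fails or a trust that stops verifying tokens.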