Tuesday, October 13, 2015

ADFS : Beware IIS and ADFS

Just read this post:

2012R2 AD FS WAP proxy problem

This was to do with installing the Web Application Proxy (WAP) for Active Directory Federation Services and getting:

"Unable to retrieve proxy configuration data from the Federation Server." 

The interesting part is the piece at the end:

"Turns out certificate binding precedence is the culprit.  While IIS is not required for 2012 R2 ADFS roles anymore, it can actually get in the way if it is on the same machine.  Binding cert to default web site in IIS will place an ip:port entry into sslcert bindings, which has a higher precedence than service:port entries that ADFS sets up.  Since the IIS entry has no Ctl Store Name, the WAP certificate is placed in a store that is filtered out when ADFS checks for its presence.

Type "netsh http show sslcert" in a terminal on your ADFS machines and look for entries higher on the list than your ADFS service name entries.  If those don't have Ctl Store Name of AdfsTrustedDevices and they can resolve to your ADFS service, the install will fail."

The point for me is that sometimes I'm having problems with ADFS in terms of connectivity. The metadata address and the IDPInitiatedSignOn only work when you have a half-decent install. Ping is disabled by default. So I install IIS just so I can check connectivity, e.g. https://server.domain, and you should get the IIS splash screen.

So this is something to be aware of.

On a 2012 R2 server with no IIS:

PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    Hostname:port                : server.domain:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : e6a5e9d2358f158ae4e98f753a5cd2bcfda12005
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled  

On a 2016 server with IIS:

PS C:\> netsh http show sslcert

SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 51b70e988101c789769c9cd9487c29e88ea7225e
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : My
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    IP:port                      : 0.0.0.0:5986
    Certificate Hash             : bf7db9570b805aa6771be18154e60e4decb295db
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Disabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : localhost:443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : AdfsTrustedDevices
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections           : Disabled

    Hostname:port                : server.domain:49443
    Certificate Hash             : 26ea2faabc7764a9bea7f85db6e931b559eff126
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Certificate Store Name       : MY
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Enabled
    Reject Connections           : Disabled

Note that I didn't have this problem on this installation. I suspect it's because of the "and they can resolve to your ADFS service" part: the IP address 0.0.0.0 ain't going anywhere!
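
As an added example (my script, not code from this post or from the linked one), here is the check from the quoted paragraph as PowerShell. It parses the text of "netsh http show sslcert" into one object per binding, finds the ADFS entries (the ones whose Ctl Store Name is AdfsTrustedDevices), and reports anything listed ahead of them on an ADFS port that lacks that CTL store and could answer for the federation service name. "Could answer" is approximated as a wildcard address (0.0.0.0 or [::], which HTTP.sys treats as matching any local address), an address you pass in, or a hostname binding equal to the service name. The function and parameter names are this example's own, and the sample listing inside it is constructed from the 2016 output above.

```powershell
# Added example, not code from the original post or the linked one: parse the output of
# "netsh http show sslcert" and apply the rule quoted above. Function and parameter names
# are this example's own; the sample listing below is constructed from the 2016 output.

function Get-SslCertBinding {
    # One object per binding, with its position in the netsh list (Order).
    param([Parameter(Mandatory)][string[]]$NetshOutput)

    $bindings = @()
    $current  = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($current) { $bindings += $current }
            $kind = $Matches[1]; $endpoint = $Matches[2]
            # Split on the last colon so an IPv6 wildcard like [::]:443 still parses.
            if ($endpoint -match '^(.*):(\d+)$') { $addr = $Matches[1]; $port = $Matches[2] }
            else { $addr = $endpoint; $port = $null }
            $current = [pscustomobject]@{
                Order = $bindings.Count + 1; Kind = $kind; Endpoint = $endpoint
                Address = $addr; Port = $port; AppId = $null; CtlStoreName = $null
            }
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') { $current.AppId = $Matches[1] }
        elseif ($current -and $line -match '^\s*Ctl Store Name\s*:\s*(\S+)') { $current.CtlStoreName = $Matches[1] }
    }
    if ($current) { $bindings += $current }
    return $bindings
}

function Find-ConflictingSslBinding {
    # Suspect = listed before the first AD FS binding, on an AD FS port, without the
    # AdfsTrustedDevices CTL store, and able to answer for the service name ("able to
    # answer" = wildcard address, an address in -ServiceAddresses, or the service name itself).
    param(
        [Parameter(Mandatory)][string[]]$NetshOutput,
        [string]$FederationServiceName,        # derived from the AD FS bindings if omitted
        [string[]]$ServiceAddresses = @(),     # IPs the service name resolves to on this host
        [string]$AdfsCtlStoreName = 'AdfsTrustedDevices'
    )
    $bindings = @(Get-SslCertBinding -NetshOutput $NetshOutput)
    $adfs = @($bindings | Where-Object { $_.CtlStoreName -eq $AdfsCtlStoreName })
    if ($adfs.Count -eq 0) {
        Write-Warning "No binding uses CTL store '$AdfsCtlStoreName'; AD FS is not bound here."
        return
    }
    if (-not $FederationServiceName) {
        $FederationServiceName = ($adfs | Where-Object { $_.Address -ne 'localhost' } |
                                  Select-Object -First 1).Address
    }
    $firstAdfs = ($adfs | Measure-Object -Property Order -Minimum).Minimum
    $adfsPorts = @($adfs | ForEach-Object { $_.Port } | Sort-Object -Unique)
    $wildcards = @('0.0.0.0', '[::]')
    $bindings | Where-Object {
        $_.Order -lt $firstAdfs -and
        $_.CtlStoreName -ne $AdfsCtlStoreName -and
        $adfsPorts -contains $_.Port -and
        ($wildcards -contains $_.Address -or
         $ServiceAddresses -contains $_.Address -or
         $_.Address -eq $FederationServiceName)
    }
}

# Constructed sample: the relevant lines of the "2016 server with IIS" listing above.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Ctl Store Name               : (null)

    IP:port                      : 0.0.0.0:5986
    Application ID               : {afebb9ad-9b97-4a91-9ab5-daf4d59122f6}
    Ctl Store Name               : (null)

    Hostname:port                : server.domain:443
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Ctl Store Name               : AdfsTrustedDevices

    Hostname:port                : localhost:443
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Ctl Store Name               : AdfsTrustedDevices

    Hostname:port                : server.domain:49443
    Application ID               : {5d89a20c-beab-4389-9447-324788eb944a}
    Ctl Store Name               : (null)
'@ -split "`r?`n"

# Reports the IIS 0.0.0.0:443 entry. 0.0.0.0:5986 (WinRM) is ignored because AD FS does not
# bind that port, and server.domain:49443 is listed after the AD FS entries.
# On a real server pass the live output instead: -NetshOutput (netsh http show sslcert)
Find-ConflictingSslBinding -NetshOutput $sample |
    Format-Table Order, Kind, Endpoint, AppId, CtlStoreName -AutoSize
```

Run against the 2016 listing above, the script flags the IIS 0.0.0.0:443 binding, yet that install worked, so treat a hit as something to verify (which certificate the server actually presents for the service name, and whether the WAP install gets past the proxy configuration step) rather than as proof of a broken install. Run it on both the federation server and the WAP host; the 49443 binding is ADFS's own client-certificate port and is expected to have no CTL store.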

Enjoy!
