Thursday, October 31, 2013

Visual Studio : Version issues

Once upon a time, we had VS 2010 and a tool called FedUtil which could be run many times to change the WIF parameters for different hosts, certificates etc.

Also, FedUtil could be run standalone so you could use it on different boxes when you promoted a build from e.g. Dev to Test.

There was no internal STS so we all used SelfSTS.

Then we had VS 2012, where FedUtil morphed to the "Identity and Access Tool" which added some capability but could no longer be run standalone. The "Identity and Access Tool" could be run many times.

It included an internal STS.

Now we have VS 2013 which has a "Change Authentication" feature invoked when you create a project.

There is no internal STS.

You cannot run it standalone and, worst of all, you cannot run it after the project has been created.

So what happens when I want to migrate my VS 2012 projects to VS 2013?

This SUCKS massively big time.

Is there anyone at Microsoft who actually uses these tools in the real world? Because if there were, they wouldn't introduce such restrictions.

Seriously people, get your stuff together!

If you agree, vote here:

In VS 2013, allow ability to run the "Change Authentication" wizard AFTER project is created


Monday, October 07, 2013

ADFS : Could not establish trust relationship for the SSL/TLS secure channel

The full error:

System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Trying to get the Web Application Proxy on Server 2012 R2 working with the new ADFS.

Mr. Google to the rescue.

You need to export the certificate (the one behind the federation server name) and place it in the "Computer account" (not "My user account") under "Trusted Root Certification Authorities".

And while I'm on the subject:

Every time you try and install the proxy, it creates certificates under Personal called "ADFS ProxyTrust - machine name".

But if the installation fails, the old ones are not deleted.

Then I got the above error message, but the thumbprint in the message was from a previous attempt, not the latest.

So I uninstalled WAP and then deleted all these certificates under "Local Computer - Personal - Certificates".

Then I went to the ADFS installation and under the Service tab - "Revoke All Proxies".

Then re-installed WAP.

Then it worked!
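The cleanup step above, as an added PowerShell example (not code from the original post): list the "ADFS ProxyTrust - machine name" certificates that failed WAP installs leave in the computer's Personal store, with their thumbprints and creation dates, so the thumbprint in the error can be matched against what is actually there, and remove the stale ones before re-installing. The function names are my own.

```powershell
# Added example, not from the original post. Run elevated on the WAP server.
function Get-AdfsProxyTrustCertificate {
    # Each failed Install-WebApplicationProxy attempt leaves one of these behind
    # in Cert:\LocalMachine\My ("Local Computer - Personal - Certificates").
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' } |
        Sort-Object NotBefore -Descending |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Remove-StaleAdfsProxyTrustCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Keep the newest certificate (the one the current WAP install created).
        # Use -KeepNewest:$false to clear them all before a full uninstall/reinstall,
        # which is what the post above ended up doing.
        [switch]$KeepNewest = $true
    )
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=ADFS ProxyTrust - *' } |
        Sort-Object NotBefore -Descending)
    if ($KeepNewest -and $certs.Count -gt 0) { $certs = @($certs | Select-Object -Skip 1) }
    foreach ($c in $certs) {
        if ($PSCmdlet.ShouldProcess($c.Thumbprint, "Remove $($c.Subject)")) {
            # -DeleteKey also removes the orphaned private key, not just the cert.
            Remove-Item -Path ("Cert:\LocalMachine\My\" + $c.Thumbprint) -DeleteKey
        }
    }
}

# Usage:
Get-AdfsProxyTrustCertificate | Format-Table -AutoSize
Remove-StaleAdfsProxyTrustCertificate -KeepNewest:$false -WhatIf   # preview first
# Remove-StaleAdfsProxyTrustCertificate -KeepNewest:$false          # then remove, and "Revoke All Proxies" in ADFS
```

Remove the certificates only after uninstalling WAP and revoking the proxies on the ADFS side, as in the post; the ADFS-side trust entries refer to these thumbprints, so deleting the certificate while the proxy trust still exists just produces the same "trust relationship" error with a thumbprint that no longer exists in the store.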


Friday, October 04, 2013

ADFS : Some musings on Server 2012 R2

Having been through the exercise of installing the latest invocation of both ADFS and the Web Application Proxy:

Don't use CNG certificates. And guess what?

The command

New-SelfSignedCertificate

which is available on Windows 8 and Windows Server 2012 produces (you guessed it) CNG certificates.

So you need to indulge in some time travel to create an older style of self-signed certificate.

And the certificate needs SANs as per the lab.

Massive change in that neither ADFS nor the proxy is based on IIS. Rather I gather it's built on HTTP.SYS.

So how do you now find the SSL binding?


netsh http show sslcert 
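Since there is no IIS Manager to look at, this added PowerShell example (my own code, not from the post) turns the text output of "netsh http show sslcert" into objects and checks that each bound thumbprint really exists in the computer's Personal store. It assumes the English label names that netsh prints ("IP:port", "Hostname:port", "Certificate Hash", "Application ID"); a localised Windows prints different labels.

```powershell
# Added example, not from the original post.
function Get-HttpSysSslBinding {
    $records = @()
    $current = @{}
    foreach ($line in (netsh http show sslcert)) {
        # Lines look like "    Certificate Hash             : 1a2b...". Requiring at
        # least one space before the colon keeps "IP:port" as one key.
        if ($line -match '^\s*(.+?)\s+:\s*(.*)$') {
            $current[$matches[1]] = $matches[2].Trim()
        } elseif ($current.Count -gt 0 -and $line.Trim() -eq '') {
            # A blank line ends one binding record.
            $records += $current
            $current = @{}
        }
    }
    if ($current.Count -gt 0) { $records += $current }

    foreach ($r in $records) {
        $binding = if ($r['Hostname:port']) { $r['Hostname:port'] } else { $r['IP:port'] }
        if (-not $binding) { continue }
        $hash = $r['Certificate Hash']
        $cert = Get-ChildItem -Path Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $hash }
        [pscustomobject]@{
            Binding    = $binding
            Thumbprint = $hash
            AppId      = $r['Application ID']
            Subject    = if ($cert) { $cert.Subject } else { '<not in LocalMachine\My>' }
            Expires    = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

Get-HttpSysSslBinding | Format-Table -AutoSize
```

A binding whose Subject column shows "<not in LocalMachine\My>" is the HTTP.SYS equivalent of a broken IIS binding: the hash is registered but the certificate (or its private key) is gone, which is exactly the state left behind by a deleted or re-created self-signed certificate.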

So how do you customise the screens? Even something as simple as branding?

It now uses GMSA instead of service accounts which take time to replicate.

You need to plan to do this:

Add-KdsRootKey -EffectiveImmediately

the day before. There is a hack as per the lab for test environments:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

The WAP is behind the "Remote Access Management" tile.

And once you have published a web application you can't edit it. Seriously?

Also, you need to import the certificate that matches the application URL for it to appear in the drop down box.

Documentation (to be polite) is somewhat lacking. C'mon people!


Thursday, October 03, 2013

IE : There is a problem with this website's security certificate

You see this all the time with ADFS especially when setting up new Claims Provider trusts.

ADFS won't accept the metadata if the certificate isn't trusted.

Normally, you just click on the "Security Report" icon in the bar at the top of IE, then "View Certificate", then "Install Certificate".

The "Install Certificate" button won't show if you are not running as Administrator.

But in Server 2012, IE 11, I could not get the button to appear.

Mr. Google to the rescue and it turns out you have to add the site to "Trusted Sites", restart IE and then it magically appears.
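Both this post and the "Could not establish trust relationship" post above come down to the same thing: getting the certificate behind an HTTPS endpoint into the computer's Trusted Root store without going through IE. The added PowerShell example below (my own code, not from the posts) retrieves the certificate an endpoint presents, shows its subject, issuer and thumbprint, and imports it only when the thumbprint matches one you obtained out of band (for a federation server, from its administrator or the ADFS console). The function names and the placeholder host name are assumptions.

```powershell
# Added example, not from the original posts. Run elevated.
function Get-RemoteTlsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback returns $true only so the handshake completes and the leaf
        # certificate can be read; nothing is sent over this connection.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Install-TrustedRootFromEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Thumbprint verified out of band, not taken from this download.
        [Parameter(Mandatory)][string]$ExpectedThumbprint
    )
    $cert = Get-RemoteTlsCertificate -HostName $HostName
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Thumbprint : $($cert.Thumbprint)"

    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint does not match the expected value; not importing."
    }
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Certificate is CA-issued; import the issuing CA's root certificate instead of this leaf."
    }

    # "Computer account" store (Cert:\LocalMachine\Root), which is the one the
    # ADFS and WAP services consult, not the current user's store.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    try { $store.Add($cert) } finally { $store.Close() }
    "Imported into Cert:\LocalMachine\Root"
}

# Usage (host name and thumbprint are placeholders):
# Install-TrustedRootFromEndpoint -HostName adfs.contoso.example -ExpectedThumbprint '<thumbprint verified out of band>'
```

The thumbprint check is the point of the exercise: the IE "Install Certificate" route trusts whatever the network happened to serve, whereas requiring a thumbprint obtained from the federation server's owner means a wrong or substituted certificate is refused rather than silently made trusted for the whole machine.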


Wednesday, October 02, 2013

ADFS : Problem with CNG certificates

Busy having a look at the latest ADFS 2.1 on Windows Server 2012 R2.

This is the one with the Web Application Proxy, MFA etc.

So first off, I need a self-signed certificate.

As per the lab, I need a self-signed certificate with SAN e.g.
  • Subject Name (CN):
  • Subject Alternative Name (DNS):
  • Subject Alternative Name (DNS):
Hmm - problem.

So what tools are on the box? Oh, frabjous joy, there's a PowerShell command:

New-SelfSignedCertificate

which is available on Windows 8 and Windows Server 2012.

OK - so try to install ADFS and it complains that the certificate is a CNG (Certificate Next Generation) one which ADFS doesn't support.

WTF? - the new ADFS doesn't support the latest standard? Is this not a security system?

My normal way of generating self-signed certificates is to use SelfSSL7.

But this doesn't run on Server 2012 because it uses .NET 4.5 and SelfSSL7 requires .NET 3.5.

So the options are:
  • Add the .NET 3.5 role to the server
  • Download the source and recompile for .NET 4.5
  • Create on a Windows 7 box and export
  • Use another tool e.g. makecert
But there's another problem:

SelfSSL7 by default does all the IIS SSL binding and this version of ADFS does not use IIS.

So my command was:

selfssl7 /N;; /K 1024 /V 700 /T /X /F c:\xxx\cert.pfx /W password

i.e. just create a pfx file.

Then import the pfx file into the local certificate store, the same one that New-SelfSignedCertificate would have used, i.e.

New-SelfSignedCertificate -DnsName, -CertStoreLocation cert:\LocalMachine\My
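An alternative to SelfSSL7 that needs no extra tool and no time travel, serving both this post and the CNG complaint in the "Some musings on Server 2012 R2" post above: certreq, which ships with Windows, can issue a self-signed certificate with SANs straight into the computer's Personal store while letting you pick a legacy CryptoAPI provider, so the key is not CNG. This is an added PowerShell example (my own code, not from the posts); the host names and function names are placeholders, and the lab's actual SAN values are not reproduced here.

```powershell
# Added example, not from the original posts. Run elevated.
function New-CapiSelfSignedCertificate {
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,   # placeholder, e.g. adfs.contoso.example
        [string[]]$ExtraDnsName = @(),                            # further SAN entries from the lab
        [int]$ValidYears = 2
    )
    # One "_continue_" line per SAN DNS entry in certreq's {text} syntax.
    $sanLines = ((@($FederationServiceName) + $ExtraDnsName) |
        ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

    $inf = @"
[NewRequest]
Subject = "CN=$FederationServiceName"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
; CryptoAPI provider, so the private key lands in CAPI rather than a CNG key storage provider
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
HashAlgorithm = sha256
; RequestType = Cert makes certreq issue a self-signed certificate directly into LocalMachine\My
RequestType = Cert
ValidityPeriod = Years
ValidityPeriodUnits = $ValidYears
[Extensions]
2.5.29.17 = "{text}"
$sanLines
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@
    $infPath = Join-Path $env:TEMP 'adfs-selfsigned.inf'
    $cerPath = Join-Path $env:TEMP 'adfs-selfsigned.cer'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    certreq -new $infPath $cerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
    # The certificate is already in Cert:\LocalMachine\My; return that store entry.
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
    Get-Item -Path ("Cert:\LocalMachine\My\" + $cer.Thumbprint)
}

function Get-CertificateKeyProvider {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # certutil prints a "Provider = ..." line for the private key. A "Key Storage
    # Provider" means CNG, which this ADFS release rejects at install time.
    $line = certutil -store My $Thumbprint |
        Select-String -Pattern '^\s*Provider\s*=' | Select-Object -First 1
    if (-not $line) { return 'unknown (no private key found)' }
    ($line.Line -split '=', 2)[1].Trim()
}

# Usage (placeholders):
# $cert = New-CapiSelfSignedCertificate -FederationServiceName adfs.contoso.example -ExtraDnsName enterpriseregistration.contoso.example
# Get-CertificateKeyProvider -Thumbprint $cert.Thumbprint   # expect "Microsoft RSA SChannel Cryptographic Provider"
```

Get-CertificateKeyProvider is also the quick way to tell why ADFS refused a certificate you made some other way: run it against the thumbprint and look for "Key Storage Provider" in the answer. Later Windows releases added -Provider and -KeyAlgorithm parameters to New-SelfSignedCertificate, but the Windows 8 / Server 2012 version the post is using has only -DnsName and -CertStoreLocation, so the INF route is what is available on the box.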