Friday, July 24, 2015

Misc : Just because something is there doesn't mean you have to use it.

I came across a situation recently that made me smile!

For various reasons, this company uses ADFS and IdentityServer 2.0.

They then had a requirement to secure a Web API.

The Web API expects a JWT bearer token, and they knew that IdentityServer can convert token types for a relying party (RP).

So the path is Web API --> IS --> ADFS: ADFS returns a SAML token and IdentityServer converts it to a JWT.

It works fine, but if they had taken a step back and asked "What is the correct way to do this?" rather than being sidetracked by the JWT issue, they would have found a much better solution that IS also supports, viz. OAuth2.

As it transpired, they needed to authenticate against AD, which IS doesn't do, and ADFS 3.0 has limited OAuth functionality. But when ADFS vNext on Server 2016 comes out, hopefully they will convert the above and use OAuth2!


Tuesday, July 21, 2015

ADFS : Problems when restarting

This is with Active Directory Federation Services / ADFS / "AD FS" 2012 R2.

Server sometimes hangs during restart.

What I find is that the server is up but the ADFS wizard will not start. It says that the ADFS service is not running. So restart the ADFS service.

Bad idea! The service just sits there saying "Starting". Can't stop / restart it, etc.

So reset the server. Takes a while to come up.

Before starting the ADFS service, start the "Microsoft Key Distribution Service" (KdsSvc), then start the ADFS service (adfssrv), and only then start the ADFS wizard.
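The same start order as a script, added here as an example rather than something from the original post. It assumes the standard service names (KdsSvc for the Microsoft Key Distribution Service, adfssrv for AD FS) and is run from an elevated PowerShell prompt on the AD FS server; the 60/120 second waits are arbitrary choices.

```powershell
# Added example, not from the original post.
# Assumed service names: KdsSvc = Microsoft Key Distribution Service,
#                        adfssrv = Active Directory Federation Services.
# Run elevated on the AD FS server.

$kds  = Get-Service -Name 'KdsSvc'
$adfs = Get-Service -Name 'adfssrv'

# 1. Bring up the Key Distribution Service first, as the post describes.
if ($kds.Status -ne 'Running') {
    Start-Service -Name 'KdsSvc'
    $kds.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# 2. Only then start AD FS. A bounded wait turns the "stuck on Starting"
#    case into a warning instead of a console that hangs forever.
if ($adfs.Status -ne 'Running') {
    Start-Service -Name 'adfssrv'
    try {
        $adfs.WaitForStatus('Running', [TimeSpan]::FromSeconds(120))
    }
    catch [System.ServiceProcess.TimeoutException] {
        Write-Warning "adfssrv is still '$($adfs.Status)' after 120s; reboot the server before retrying."
    }
}

# 3. Confirm both are running before opening the AD FS management console.
Get-Service -Name 'KdsSvc', 'adfssrv' | Select-Object Name, Status, StartType
```

If step 2 times out, the post's own remedy applies: reset the server and run the script again rather than repeatedly restarting the service.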

Some more possibly useful information here.

All OK.