Monday, September 12, 2011

ADFS : Selecting claim that's not in the default drop down


When you are editing the claim rules for a claims provider (CP) or relying party (RP) trust in ADFS v2.0, you sometimes need to send an LDAP attribute that is not in the default drop-down list.

I'd always done this via a custom rule, but then I read this post: Active Directory attribute store: Require custom claim rule to access other attributes?.

The drop-down actually accepts free-form text (not that this is obvious). In case the link disappears, this is how:

"Edit Claims Rules / Add Rule / Send LDAP Attributes as Claims".
Don't open the drop-down, just click in the white space of the grid cell.
If the box turns dark blue, click again.
Away you go - you can now type any attribute you like. Use the attribute's LDAP display name (e.g. employeeNumber), not the label ADUC shows for it.

This also works for the "Outgoing Claims Type" box.
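What the wizard writes behind that grid is an ordinary claim rule in the claim rule language, so the same thing can be scripted. The following is an added example, not code from the original post: it builds the rule that the "Send LDAP Attributes as Claims" template would generate for a hand-typed attribute and appends it to a relying party trust with the ADFS 2.0 PowerShell snap-in. The RP name "Example RP", the attribute employeeNumber and the claim type URI are assumptions for illustration.

```powershell
# Added example (not from the original post). Assumes the ADFS 2.0 PowerShell snap-in,
# a relying party trust called "Example RP", the AD attribute employeeNumber and a
# claim type URI of your own choosing; all three are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName    = "Example RP"                                # hypothetical RP display name
$attribute = "employeeNumber"                            # any LDAP display name, not just the drop-down ones
$claimType = "http://example.com/claims/employeeNumber"  # any outgoing claim type URI

# This is the rule the "Send LDAP Attributes as Claims" template produces; attribute and
# claim type are plain text inside it, which is why the GUI can accept free-form entries.
$rule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send $attribute as $claimType"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$claimType"), query = ";$attribute;{0}", param = c.Value);
"@

# Append to the RP's existing issuance transform rules rather than replacing them:
# -IssuanceTransformRules overwrites the whole rule set.
$rp       = Get-ADFSRelyingPartyTrust -Name $rpName
$existing = $rp.IssuanceTransformRules
Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules ($existing + "`r`n" + $rule)

# Verify what the trust now carries.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

For a claims provider trust the same rule goes into the acceptance rules instead (Set-ADFSClaimsProviderTrust -AcceptanceTransformRules). The query string ";employeeNumber;{0}" is what the attribute store executes against AD, so a typo in the attribute name fails silently at token-issue time rather than when you save the rule.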

Enjoy!

Stackoverflow : Another milestone


Just clocked up a reputation of 6000 over on Stack Overflow!!!

My Stack Overflow flair: [image: profile for nzpcmad at Stack Overflow]

or overall Stack Exchange flair: [image: profile for nzpcmad on Stack Exchange]

Enjoy!

Thursday, September 08, 2011

Windows : The “hidden” tools

 

There's an amazing number of tools "hidden" on your PC that you probably aren't even aware of.

A lot of them are stored under the

C:\Program Files\Microsoft SDKs\Windows

directory. These mainly come from the Windows SDK for Windows 7 and .NET Framework 4.

Browse through StartTools.htm located at:

C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin

There’s an amazing collection of tools there.

The actual binaries are located here:

C:\Program Files\Microsoft SDKs\Windows\v7.0A\bin

To quote:

“The Windows SDK tools are designed to make it easier for you to create, deploy, and manage applications and components that target Windows and the Internet. The Windows SDK includes tools for both the .NET 3.5 SP1 and 4 Frameworks - a managed programming model - and tools for Win32® - the native (unmanaged) programming model for Windows. Many of the Windows SDK tools are listed on this page and categorized by target audience: managed, native and "common" (tools that could be used by either managed or native developers).”

Enjoy!

Friday, September 02, 2011

PowerShell : Using an IDE

 

PowerShell is command-line based, which means you lose out on all the benefits that an IDE brings.

There is a built-in PowerShell IDE, the ISE:

Just type "ise" at the PowerShell prompt (it is an alias for powershell_ise.exe)

but it's pretty basic.

Then I came across PowerGui.

It has two parts, viz. an administrative console that lets you run a collection of PowerShell scripts, and a script editor where you enter and run scripts. It has IntelliSense and a set of built-in snippets. It has a debugger where you can step through the script and examine all the variables.

Very neat, and BTW it's free.

Enjoy!

Monday, August 29, 2011

AD : Displaying the SPN

 

SPN stands for Service Principal Name, used (among other things) by Kerberos to map a service instance to the account that holds its key.

Normally you work with them via the setspn tool.

e.g.

setspn -L <account name>

which lists all the SPNs registered on that account.

However, you can also do this by:

Start - Administrative Tools - Active Directory Users and Computers - View - Advanced Features

Then navigate to the account via the tree. Right-click - Properties - Attribute Editor tab. Then scroll down to servicePrincipalName and double-click.

You can add and remove SPNs from this window as well (i.e. the equivalent of setspn -A ... or setspn -D ...). Both tools are just editing that one multi-valued attribute, so whichever you use, make sure the SPN you add is not already registered on another account: a duplicate SPN breaks Kerberos for both services.
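Because setspn and the Attribute Editor both just read and write the servicePrincipalName attribute, the same operations can be done from PowerShell through ADSI, and the duplicate check above can be automated. The following is an added example, not code from the original post. It assumes a domain-joined machine and an account that can read (and, for the write function, modify) the attribute; the account name "svc-web" and the SPN "HTTP/web.example.com" are placeholders.

```powershell
# Added example (not from the original post). Run on a domain-joined host; "svc-web" and
# "HTTP/web.example.com" are hypothetical values used for illustration.

# Equivalent of: setspn -L <account>
function Get-AccountSpn {
    param([string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "Account '$SamAccountName' not found" }
    @($result.Properties["serviceprincipalname"])
}

# Equivalent of: setspn -A <spn> <account>, or with -Remove: setspn -D <spn> <account>
function Set-AccountSpn {
    param([string]$SamAccountName, [string]$Spn, [switch]$Remove)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$SamAccountName)")
    $entry = $searcher.FindOne().GetDirectoryEntry()
    if ($Remove) { $entry.Properties["servicePrincipalName"].Remove($Spn) }
    else         { [void]$entry.Properties["servicePrincipalName"].Add($Spn) }
    $entry.CommitChanges()   # this is the write the Attribute Editor does on OK
}

# Duplicate SPNs mean the KDC cannot tell which account's key to use, so check the whole
# domain before adding one. Comparison is case-insensitive, as the KDC treats SPNs.
function Find-DuplicateSpn {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher("(servicePrincipalName=*)")
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add("servicePrincipalName")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    $owners = @{}
    foreach ($r in $searcher.FindAll()) {
        $dn = $r.Properties["distinguishedname"][0]
        foreach ($spn in $r.Properties["serviceprincipalname"]) {
            $key = $spn.ToLower()
            if (-not $owners.ContainsKey($key)) { $owners[$key] = @() }
            $owners[$key] += $dn
        }
    }
    $owners.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
}

Get-AccountSpn -SamAccountName "svc-web"
Find-DuplicateSpn
# Only once Find-DuplicateSpn is clean for the new name:
# Set-AccountSpn -SamAccountName "svc-web" -Spn "HTTP/web.example.com"
```

Find-DuplicateSpn is the scripted version of what you would otherwise eyeball across many accounts; the hashtable key is lower-cased because the KDC does not distinguish HTTP/web.example.com from http/web.example.com, so those two entries on different accounts are a real conflict.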

Enjoy!

Monday, August 22, 2011

WIF : The pipe endpoint 'net.pipe://localhost/s4u/022694f3-9fbd-422b-b4b2-312e25dae2a2' could not be found on your local machine.

 

If you are using WIF with the Claims to Windows Token Service (C2WTS) and you get the above error, it's probably because the C2WTS service is not started; the net.pipe endpoint in the message is the one C2WTS listens on.

It's this one in the Services window (which is in the "Administrative Tools" menu):

"Claims to Windows Token Service"

and the description is:

"Service to convert claims based identities to windows identities"

Note that the identities being mapped must be Windows domain user accounts, and these accounts must have a User Principal Name (UPN); C2WTS performs an S4U logon keyed on the UPN, so local accounts and domain accounts without a UPN cannot be mapped.
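The two checks above, as an added example that is not part of the original post: start the service and make it survive a reboot, then confirm the current account actually has a UPN. It assumes the service was installed by the WIF runtime under the service name "c2wts" and is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumes WIF installed the service as "c2wts"
# (display name "Claims to Windows Token Service"); run elevated.

$svc = Get-Service -Name c2wts -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    throw "C2WTS is not installed; install the Windows Identity Foundation runtime first"
}

if ($svc.Status -ne 'Running') {
    Start-Service -Name c2wts
    $svc.WaitForStatus('Running', (New-TimeSpan -Seconds 30))
}

# The service is not set to start automatically after installation, which is why the
# pipe endpoint is typically missing again after a reboot.
Set-Service -Name c2wts -StartupType Automatic
Get-Service -Name c2wts | Format-List Name, DisplayName, Status

# C2WTS maps a claims identity to a Windows identity by UPN, so the account must have one.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
if ([string]::IsNullOrEmpty($user.UserPrincipalName)) {
    Write-Warning "$($user.SamAccountName) has no UPN; C2WTS cannot map claims to this account"
} else {
    "UPN for current account: " + $user.UserPrincipalName
}
```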

Enjoy!

Thursday, August 18, 2011

ADFS : Metadata XML won’t display in IE

 

A number of people have commented on this problem with ADFS v2.0 metadata. It seems to be confined to Internet Explorer (IE).

Basically, you want to display a site's federation metadata, so you browse to its URL (the https://xxxx/FederationMetadata/2007-06/FederationMetadata.xml one) and see ... zip / nada / nothing / blank. WTF!

Two "solutions" that may help:

  • Use Firefox
  • Toggle IE's Compatibility View.

Enjoy!

Wednesday, August 17, 2011

ADFS : Error from “Update from Federation Metadata”

 

When you're in ADFS v2.0 and try to update the metadata of a CP or RP trust ("Update from Federation Metadata"), you sometimes get the "An error occurred during an attempt to read the federation metadata" message.

A useful trick is to open a browser on the ADFS server and navigate to the metadata URL of the trust you are trying to update. If you get any certificate errors (untrusted issuer, name mismatch, expired certificate, incomplete chain), fix them first. ADFS does not tolerate certificate errors on the metadata endpoint; the TLS chain has to be squeaky clean!
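Both of the last two posts come down to fetching FederationMetadata.xml and looking at it outside the ADFS console. The following is an added example, not code from the original posts: it downloads the metadata with the same certificate validation a browser applies, so a TLS trust failure shows up as an exception you can read, and then prints the entityID, the certificate that signed the metadata document, and the token-signing certificates it advertises. The URL is a placeholder for the partner's metadata endpoint.

```powershell
# Added example (not from the original posts). The URL is a placeholder; substitute the
# metadata endpoint of the CP or RP you are trying to add or update.
$url = "https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml"

$wc = New-Object System.Net.WebClient
try {
    $raw = $wc.DownloadString($url)
} catch [System.Net.WebException] {
    # A chain or name problem surfaces here as "Could not establish trust relationship for
    # the SSL/TLS secure channel". Fix the server certificate; do not set a
    # ServerCertificateValidationCallback to bypass it, as ADFS validates the same chain.
    throw "Metadata download failed: $($_.Exception.Message)"
}

$md = New-Object System.Xml.XmlDocument
$md.LoadXml($raw)
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

function ConvertTo-Cert([string]$base64) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import([Convert]::FromBase64String($base64.Trim()))
    $cert
}

"entityID: " + $md.DocumentElement.GetAttribute("entityID")

# ADFS signs the metadata document itself; this certificate tells you who published it.
$sigNode = $md.SelectSingleNode("/md:EntityDescriptor/ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if ($sigNode -ne $null) {
    $c = ConvertTo-Cert $sigNode.InnerText
    "metadata signed by: $($c.Subject)  thumbprint $($c.Thumbprint)  expires $($c.NotAfter)"
} else {
    Write-Warning "metadata document is not signed"
}

# Token-signing certificates for each role; these are the ones you would otherwise copy by hand.
foreach ($node in $md.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)) {
    $c = ConvertTo-Cert $node.InnerText
    "token signing:      $($c.Subject)  thumbprint $($c.Thumbprint)  expires $($c.NotAfter)"
}
```

Run it on the ADFS server itself, because that is the machine whose certificate store the metadata update uses; a chain that is fine on your workstation can still be missing an intermediate there. An expired NotAfter on a token-signing certificate is worth noticing too: the update will succeed, but tokens from that partner will fail signature validation.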

Enjoy!

Monday, August 15, 2011

IIS : IE missing “Install Certificate” button on “View Certificates”

 

It's a common problem with IE. You access a site, get a certificate error and the red address bar. For a certificate you know and control (a self-signed development certificate, say) the solution is to install it into the "Trusted Root Certification Authorities" store. Do this only for certificates you control: anything in Trusted Root can vouch for any site name.

You normally do that by clicking the padlock icon to the right of the address bar, then "View Certificates", and then clicking the "Install Certificate" button. Lately I've come across some instances where the button is missing in action. WTF?

Mr. Google to the rescue, and the solution is to right-click the IE icon on the desktop and select "Run as administrator" (in other words, IE needs to be run elevated).

And then there was sweetness and light and verily the button doth appear!

Enjoy!

Thursday, August 11, 2011

ADFS : Accessing the Windows Internal Database

 

ADFS uses either SQL Server or the Windows Internal Database (WID) to store all its configuration. I'd tried before to access the WID with no joy, but then discovered the reason: the completely non-intuitive and obtuse server name, which has to be:

\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query

Damn, why on earth didn't I think of that?!

The easiest way to access it is via the free SQL Server Management Studio Express. Ignore all the talk of SQL Server 2005 Express Edition; it works with the WID. You have to run it on the ADFS server itself, as the WID only accepts local connections over that named pipe, and you need to be a local administrator.

When you connect, leave the "Server Type" as "Database Engine" and insert the above string as the "Server Name".

Away you go: the two databases of interest are AdfsArtifactStore and ADFSConfiguration. Look, don't touch: changes made directly to these tables are unsupported, and the ADFS snap-in or PowerShell cmdlets are the way to change configuration.
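The same named-pipe connection works from PowerShell, which is handy for a quick, read-only look when Management Studio isn't installed. The following is an added example, not code from the original post; it assumes you are running locally on the ADFS server as an administrator and that the databases have the names given above.

```powershell
# Added example (not from the original post). Run locally on the ADFS server as an
# administrator; the WID does not accept remote connections.

# Integrated Security means the connection is made as the current Windows user; WID grants
# access to local administrators. Single quotes keep $MICROSOFT from being expanded.
$connString = 'Server=\\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query;Database=master;Integrated Security=True'

function Invoke-WidQuery {
    param([string]$Sql, [string]$Database = 'master')
    $conn = New-Object System.Data.SqlClient.SqlConnection(($connString -replace 'Database=master', "Database=$Database"))
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())   # materialise so the connection can close
        $table
    } finally {
        $conn.Close()
    }
}

# Which databases does ADFS keep in the WID, and are they online?
Invoke-WidQuery "SELECT name, state_desc FROM sys.databases WHERE name LIKE 'Adfs%'" |
    Format-Table -AutoSize

# Schemas and tables in the configuration database, without reading any data.
Invoke-WidQuery -Database ADFSConfiguration `
    "SELECT s.name AS [schema], t.name AS [table] FROM sys.tables t JOIN sys.schemas s ON t.schema_id = s.schema_id ORDER BY 1, 2" |
    Format-Table -AutoSize
```

The sqlcmd utility takes the same server name (sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query -E) if you prefer an interactive prompt. Keep whatever you run against these databases to SELECT statements.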

Enjoy!

Monday, August 08, 2011

Kerberos : Some useful tools

 

Needed to do some work in this area and found the following extremely useful:

KerbTray is a GUI tool that displays the Kerberos tickets held by the current logon session on a computer. You can purge all the Kerberos tickets with it.

KList is a command-line tool used to view and delete the Kerberos tickets granted to the current logon session. It allows you to delete selected Kerberos tickets (as opposed to KerbTray, which deletes them all). Purging tickets is the usual way to force a fresh TGS request after changing an SPN or group membership.

In terms of debugging, I found Wireshark useful to see what happens on the actual wire. You can isolate the packets with "kerberos" as the display filter.

The other alternative is to enable Kerberos event logging. Really simple to do: just one registry value, LogLevel (DWORD, set to 1) under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Just remember to disable it when you are done; it also logs errors that are a normal part of the exchange, such as KDC_ERR_PREAUTH_REQUIRED, so read the resulting events with that in mind.
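The registry setting above, wrapped so that enabling and disabling are symmetric and the resulting System-log events can be pulled in one go. This is an added example, not code from the original post; it assumes an elevated PowerShell prompt and filters events by a source name containing "Kerberos" rather than relying on the exact source string, which differs between Windows versions.

```powershell
# Added example (not from the original post). Run elevated. The key and value are the ones
# Microsoft documents for Kerberos event logging; the event source filter is deliberately loose.

$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosLogging {
    if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
    New-ItemProperty -Path $kerbKey -Name LogLevel -Value 1 -PropertyType DWord -Force | Out-Null
}

function Disable-KerberosLogging {
    # Remove the value rather than leaving it at 0, so the box is back to its default state.
    Remove-ItemProperty -Path $kerbKey -Name LogLevel -ErrorAction SilentlyContinue
}

function Get-KerberosEvents {
    param([int]$Newest = 50)
    Get-EventLog -LogName System -Newest 5000 |
        Where-Object { $_.Source -like '*Kerberos*' } |
        Select-Object -First $Newest TimeGenerated, EventID, EntryType, Message
}

Enable-KerberosLogging
# ... reproduce the failing logon or delegation here, then:
Get-KerberosEvents | Format-Table -AutoSize -Wrap
Disable-KerberosLogging
```

The Message column carries the Kerberos error code (for example KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing SPN); KDC_ERR_PREAUTH_REQUIRED entries are part of the normal pre-authentication handshake and can be ignored.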

DelegConfig is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegated Kerberos credentials. It can be really useful but has to be setup correctly. Worth running if only to read the comments and explanations.

Enjoy!

Wednesday, August 03, 2011

WIF : Displaying WIF trace files

 

Trace or log files are very useful for finding problems with WIF.

I normally add the following to the end of web.config, just before the existing closing </configuration> tag. The "xxx" is your own path; the directory must exist and the application pool identity must be able to write to it:

  <system.diagnostics>
    <sources>
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
        <listeners>
          <add name="xml" type="System.Diagnostics.XmlWriterTraceListener"
               initializeData="xxx\Logs\WIF.xml" />
        </listeners>
      </source>
    </sources>
    <trace autoflush="true" />
  </system.diagnostics>

</configuration>

This produces a ton of output in XML format, but it's not that easy to read! Note that at Verbose level the trace includes the tokens and claims being processed, so restrict access to the log directory and set switchValue back to "Off" (or remove the listener) once you have what you need.

The trick is to use the Service Trace Viewer Tool.

See Examining WCF Diagnostic Traces Using Service Trace Viewer Tool for download instructions.

Run the tool (you may need to run it as administrator), then File / Open with the file type set to XML, and you'll find it so much easier!
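When Service Trace Viewer isn't to hand, the file can be triaged from PowerShell. The following is an added example, not code from the original post. XmlWriterTraceListener writes a sequence of E2ETraceEvent elements with no document root, so the function wraps the content before parsing; $sample is a constructed two-event file in that format (an assumption about the listener's schema, with made-up messages), and $Path points the same function at a real WIF.xml.

```powershell
# Added example (not from the original post). $sample is constructed for illustration and
# follows the E2ETraceEvent layout XmlWriterTraceListener produces (assumption); the messages
# in it are invented. Use -Path with the real trace file instead.

$sample = @'
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>0</EventID><Type>3</Type><SubType Name="Information">0</SubType><Level>8</Level><TimeCreated SystemTime="2011-08-03T09:15:01.000Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000001}" /><Execution ProcessName="w3wp" ProcessID="1234" ThreadID="7" /><Channel /><Computer>WEB01</Computer></System><ApplicationData>Constructed sample: token received, beginning validation</ApplicationData></E2ETraceEvent>
<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>0</EventID><Type>3</Type><SubType Name="Error">0</SubType><Level>2</Level><TimeCreated SystemTime="2011-08-03T09:15:01.120Z" /><Source Name="Microsoft.IdentityModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000001}" /><Execution ProcessName="w3wp" ProcessID="1234" ThreadID="7" /><Channel /><Computer>WEB01</Computer></System><ApplicationData>Constructed sample: signature verification failed</ApplicationData></E2ETraceEvent>
'@

function Get-WifTraceEvents {
    param([string]$Path, [string]$Content)
    if ($Path) { $Content = [System.IO.File]::ReadAllText($Path) }
    # The listener emits a fragment, not a document: give it a root so the XML parser accepts it.
    [xml]$doc = "<root>$Content</root>"
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace("e", "http://schemas.microsoft.com/2004/06/E2ETraceEvent")
    $ns.AddNamespace("s", "http://schemas.microsoft.com/2004/06/windows/eventlog/system")
    foreach ($ev in $doc.SelectNodes("/root/e:E2ETraceEvent", $ns)) {
        New-Object PSObject -Property @{
            Time     = $ev.SelectSingleNode("s:System/s:TimeCreated/@SystemTime", $ns).Value
            Level    = $ev.SelectSingleNode("s:System/s:SubType/@Name", $ns).Value
            Activity = $ev.SelectSingleNode("s:System/s:Correlation/@ActivityID", $ns).Value
            Message  = $ev.SelectSingleNode("e:ApplicationData", $ns).InnerText
        }
    }
}

# Errors and warnings first: in the "ton of output" these are usually the one or two lines that matter.
Get-WifTraceEvents -Content $sample |
    Where-Object { $_.Level -ne 'Information' } |
    Format-Table Time, Level, Activity, Message -AutoSize -Wrap

# For the real file:
# Get-WifTraceEvents -Path 'xxx\Logs\WIF.xml' | Where-Object { $_.Level -eq 'Error' }
```

The Activity column is the correlation ID that Service Trace Viewer groups on; filtering the full output on the activity of the first Error gives you the same request-by-request view the tool shows, minus the GUI.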

Enjoy!