I was trying to add two RP's (Relying Party ) in ADFS 2.1 for the same customer. They use the same signing certificate in both the applications. But while updating in Windows Server 2012 / ADFS 2.1 I am receiving the below error.
MSIS7613: The signing certificate of the relying party trust is not
unique across all relying party trusts in AD FS configuration
This was a condition imposed on ADFS 2.0 and Rollup 3 fixed (rather subdued ) this issue. I thought ADFS 2.1 included the updates in Rollup 3. But surprisingly it did not.
This post (written in Portuguese) suggests a work around which looks a bit intricate. Is there any easier way to get around this error ?
We had the same problem. Was solved by applying this hotfix:
http://support.microsoft.com/kb/2877424
Related
This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.
I have developed MVC application with the single sign on as an authentication (Company Azure Active Directory) and hosted on Azure as a Cloud service. It was working till now. But before few days, i got the below error in my production
No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{TenantID}/'
Then I searched on the internet and found the below blog
WIF10201: No valid key mapping found for securityToken
Then as suggested in the blog, i have fetched the thumbprint and updated my web.config and it worked.
Now again i got the same error today and i needed to do the same steps and found that thumbprint has been changed.
So can anyone please suggest me the permanent solution as it is affecting my production environment.
It seems that the application were not supported signing key rollover automatically. To support the signing key rollover automatically from old project, it depends on how the app integrate with Azure AD.
Based on the description, it seems you were integrate the application with Azure AD for SSO. We can use the .Net OWIN OpenId connect which already has the necessary logic to handle key rollover automatically to authenticate with Azure AD. More detail about this topic, you can refer the document Signing key rollover in Azure Active Directory.
I have an asp.net mvc web app that has been running in production for about 4 years. Suddenly since about a week ago, I am getting this error being returned for all calls to 3rd-party secure API's:
System.Net.WebException: The underlying connection was closed: Could
not establish trust relationship for the SSL/TLS secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
This is for calls to SendGrid for sending emails, calls to Azure Blob Storage for uploading of documents, calls to Connect.io for logging.
I have managed to resolve the Azure Blob Storage problem temporarily by changing the connection string to use http instead of https.
Clearly something has broken on my app server, and I have no idea where to start looking.
Please help.
Edit:
Turns out I was using a sample library provided by one of my (lesser-used) 3rd party API's, and this library had an override of
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors)
which had it's own logic about what constitutes a valid certificate!!! AARGH!
This part become key information for your problem:
I am getting this error being returned for all calls to 3rd-party
secure API's
According to MSDN blog:
This error message is caused because the process is not being able to
validate the Server Certificate supplied by the Server during an HTTPS
(SSL) request. The very first troubleshooting step should be to see
if the server supplied certificate and every certificate in the chain
is trouble free.
Because it seems that one or more third party certificates are rejected, you may configure Trusted Roots part of your certificate trust lists to include all required third party CA as part of chain to work with secure APIs from trusted sources, including reissued certificates if any.
Further details: https://technet.microsoft.com/en-us/library/dn265983.aspx
NB (Optional):
As temporary measure, you can implement this certificate validation handler in WebRole.cs until all related third-party certificates has reissued (remember this setting will trust all issued certificates, hence it's not recommended for long term usage):
System.Net.ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
Additional reference: http://robertgreiner.com/2013/03/could-not-establish-trust-relationship-for-the-ssl-tls-secure-channel/
Similar thing happened in our system. Our problem was TLS version. The SSL offload appliance was configured to accept only TLS 1.2. One week ago this configuration accepted all TLS versions 1.0 to 1.2.
We had to reconfigure .NET's SecurityProtocol settings like:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls12;
You can use this site to test which TLS version you are using: https://www.ssllabs.com/ssltest/index.html
Try to get some information about the certificate of the servers and see if you need to install any specific certs.
The server(s) may had a cert signed by a 3rd party CA which you hadn't trusted yet. The solution is to add that CA to the Trusted Root CA list.
I am using ADAL SDK(https://github.com/AzureAD/azure-activedirectory-library-for-objc) for integration my iOS app with ADFS for SSO implementation. I run demo code provide with above link.
As per as demo it's asking for following components to SOS implementation :-
clientId
Redirect URI
ResourceId
Authority Path
According to ADAL SDK ,I need to register my app to ADFS as per as this tutorial (https://blog.kloud.com.au/2014/12/02/implementing-azure-active-directory-sso-single-sign-on-in-xamarin-ios-apps/).
But i am not able to figured out how will register my app to ADFS.
I also tried to figure out with this link (loggin into an iOS app using a system with ADFS).
So the following question:-
Am i on right page?
If Yes, how to register and configure my app with ADFS
if No, please help to figure out this
Any help much appreciated.
After R&D, I am able to figure out how to get all points With ADFS.
Client Id :- it's a GUID.You can generate Online as well as , Generate GUID(http://www.guidgen.com/)
Redirect URI :- it's something related with Bundle Identifier(com.compName.MyTestApp), So after adding urn, Redirect URI is looking like this. Ex. #"urn:com.compName.MyTestApp".
ResourceId :- it's same as redirect uri in my case.
Authority Path :- it's ADFS login path url basically to authenticate with ADFS and get Access token. EX #"https.//myServer.com/adfs";
Note :- Please change URL Types as per as you bundle identifier in Info.plist file.
Some Link which helped me :-
https://msdn.microsoft.com/en-us/library/dn531010.aspx
SSO from ADAL in WPF Client to ADFS 3.0 on Windows Server 2012 R2
Hope it will help.
ADFS is a very different beast to Azure AD.
ADFS 2.0 has no OAuth support. ADFS 3.0 has some OAuth support (No OpenID Connect, Web API only) and you have to use PowerShell.
Refer: Securing a Web API with ADFS on WS2012 R2 Got Even Easier for an example. (Not iOS though - not aware of any iOS example.).
ADFS 4.0 (Server 2016 in preview) has much better support.
I'm trying to add a web reference to an asmx web service with ssl. I'm getting this error:
Error getting response stream:(Write: The authentication or decryption has failed.)SendFailure
I have self a signed certificate.
Is there a solution to this problem? Thanks.
It's a trust issue. Your application depends on Mono and the iOS certificate stores to deice if an TLS/SSL connection is acceptable. By default self-signed certificates are not (because they are unknown to both Mono and iOS).
Like mentioned in the comments, using System.Net.ServicePointManager.ServerCertificateValidationCallback is likely the easiest solution - but blindly returning true is not :-)
There's a wiki article on the Mono-project web site that describe several options:
http://www.mono-project.com/UsingTrustedRootsRespectfully