ADFS on W2016 idpinitiatedsignon.aspx page is by default disabled

Everytime I experience ADFS sign in problems I first test if the ADFS service itself is working through the IdpInitiatedSignon.aspx page. With this page you can test the ADFS service itself with out the dependencies from other products and their trusts or relying parties.

With the new Windows Server 2016 ADFS and WAP (Windows Azure Pack) on 2016 I experienced an issue, so I wanted to use the IdpInitiatedSignon.aspx test page. Strangely I received an error on the test page.

adfserrorie

The eventlog gave me a an error which was not really helping at first.

Read more

Windows Azure Pack Support

Since the announcements and public previews of Microsoft Azure Stack (MAS), everybody including myself  is talking about and testing with MAS. But the reality is that a lot of companies have invested in Windows Azure Pack and were a little surprised that Microsoft announced before this summer that Windows Azure Pack on Windows Server 2012 R2 is supported until July 2017.

azurepacksupport

Several weeks ago Microsoft made another announcement that they are continue to invest and support in Windows Azure Pack (WAP) next to Azure Stack for 11 years! But to use the extended support you need to bring your Azure Pack environment to Windows Server 2016. MAS release is aimed for the summer of 2017 so very likely there will be a gab between end of support of WAP on Server 2012 R2 and any public available MAS appliances from HP, Dell or Lenovo…

From several customers i received questions about the support statement and what needs to be updated. Turns out it’s not that well documented and known. As you can see in the screenshot above, it states Windows Azure Pack (on Windows Server 2012 R2) and Windows Azure Pack (on Windows Server 2016). But as we all know, Windows Azure Pack is a solution based on lots of components from the Windows and the System Center family.

What to upgrade

As i said before Windows Azure Pack leans on a lot of Windows features like a Active Directory domain, IIS and Hyper-V but also on System Center components like VMM and SPF.

Read more

ADFS HTTP 400 Bad Request with SSO/Windows Integrated Authentication

Another challenging ADFS issue came to me this week. Here the problem was that internal user were not able to authenticate. They receive a login prompt and after providing credentials they received a “HTTP 400 bad request” error message. When users were external and use FBA they were able to login successfully. Also wen internal and the users used a different browser then Internet Explorer the were also presented with FBA and were able to login. Clearly only the login with Windows Integrated Authentication failed. And of course al was working just fine and stopped working about a week ago.

In this environment the ADFS and resource servers were in a different domain than the user accounts were. For more detail see the picture below. Beware it’s only a part of the authentication process to illustrate the topology.

After some research i ruled out serveral known issue’s like:

Read more

ADFS Federations Service rename with Azure Pack as Relying Party Trust

A week ago I was confronted to an issue with ADFS with Forms Based Authentication(FBA) and Windows Azure Pack.

Problem

The environment was setup several months ago for a Proof of Concept of Windows Azure Pack and only working with ADFS and Windows Authentication because there was no requirement to used FBA and there was also no Web Application Proxy involved. All was working fine but the customer decided to setup FBA and a web application proxy. Unfortunately, the web application proxy was not working and keeps prompting the FBA login page.

After several hours of troubleshooting the issue was drilled down to a problem with the FBA on the ADFS server. But why was Windows Authentication working and FBA not. To exclude possible Windows Azure Pack/relying pary issue’s I started testing with the https://auth-azure.domain.com/adfs/ls/IdpInitiatedSignon.aspx page.

Eventually it turned out that the Federations Service FQDN had changed. From https://auth.domain.com to https://auth-azure.domain.com. The rename was not done correctly and since I had a lot of trouble figuring it out with some colleague’s i decided to write a blog about it.

Solution

So when renaming the ADFS FQDN from https://auth.domain.com to https://auth-azure.domain.com the SPN was forgotten for the ADFS Service account. The SPN was left on http/auth.domain.org and needed to be changed to http/auth-azure.domain.org.

After this was fixed, I still received logon screens on the FBA page and could not login. Next problem, the Token-Signing and Token-Decrypting certificates were incorrect. Since there are lots of blogs discussing how to update the Token Certificates in ADFS I will not discuss this but I renewed the Token-Signing en Token-Decrypting certificates. Restarted the ADFS service

Read more