Friday, November 20, 2015

AD FS Sign in customization

Problem:


We have a CRM application that uses client certificates to grant access via AD FS 2.0. This works great and sends our customers through with no issue. An edge case, however, exposed a problem: if the user was not in CRM, AD FS should fail over to the error page. That was not happening; instead the user was left staring at a blank HTML page served by the AD FS server.

Solution:

I racked my brain on this and read some great info on AD FS IIS settings at Microsoft. There is lots of information on that configuration, but not a lot of help for my particular problem. Then I ran across a reference to the AD FS Admin log. This is a separate event log from the System log, and the System log did not show anything helpful. The AD FS Admin log was very clear that we were having issues with FIPS compliance. I blogged about this several years ago (http://fetchmytip.blogspot.com/2013/06/an-unexpected-error-has-occurred-moss.html). Once I edited the registry and set the FIPS bit to 0, AD FS kicked over and started working.
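The check and the fix described above, as an added PowerShell example (not part of the original post): it queries the AD FS 2.0 Admin log for recent Event 111 entries, reports the machine-wide FIPS policy bit, and only when asked sets that bit to 0 and restarts the AD FS 2.0 service. The log name "AD FS 2.0/Admin" and the error code MSIS3019 come from the event excerpt on this page; the registry path HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled, the service name adfssrv and the 24-hour look-back window are assumptions about a standard AD FS 2.0 install.

```powershell
# Added example (not from the original post). Triage the AD FS 2.0 Admin log for
# Event 111 / MSIS3019, show the current machine-wide FIPS policy bit, and, only
# when -Fix is passed, set it to 0 and restart the AD FS 2.0 service.
# Assumed: log name "AD FS 2.0/Admin" (from the event excerpt on the page),
# service name adfssrv, FipsAlgorithmPolicy registry path. Run elevated.
[CmdletBinding()]
param(
    [int]$Hours = 24,   # how far back to search the Admin log
    [switch]$Fix        # actually change the registry and restart AD FS
)

$logName = 'AD FS 2.0/Admin'
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$service = 'adfssrv'

# 1. Pull recent Event 111 entries from the AD FS Admin log, not the System log.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 111; StartTime = $since } `
                         -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Host "No Event 111 in '$logName' in the last $Hours hours."
} else {
    Write-Host ("{0} Event 111 entries found; newest:" -f $events.Count)
    Write-Host $events[0].Message
    # MSIS3019 is the FailedAuthenticationException code shown in the page's excerpt.
    if ($events[0].Message -match 'MSIS3019') {
        Write-Host 'MSIS3019 present: the Federation Service failed authentication internally.'
    }
}

# 2. Read the machine-wide FIPS policy bit the post refers to.
$fips = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
Write-Host "FipsAlgorithmPolicy\Enabled = $fips  (1 = FIPS-only mode enforced; 0 or missing = not enforced)"

# 3. Optionally apply the post's fix. This is a machine-wide security policy
#    change, so it is gated behind -Fix, and AD FS is restarted only after the write.
if ($Fix -and $fips -eq 1) {
    Set-ItemProperty -Path $fipsKey -Name Enabled -Value 0 -Type DWord
    Restart-Service -Name $service -Force
    Write-Host "FIPS enforcement disabled; '$service' restarted."
}
```

Run it first without -Fix to confirm that Event 111 is actually present and that the FIPS bit is set before changing anything. The bit is machine-wide: with Enabled=1 the .NET Framework refuses non-FIPS-validated managed cryptography classes for every application on the server, and setting it to 0 lifts that enforcement for all of them, not just AD FS, so record the change. Where only one .NET application needs to keep running, the runtime's <enforceFIPSPolicy enabled="false"/> configuration element is the narrower knob.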

Source:

  1. https://msdn.microsoft.com/en-us/library/hh202806%28v=vs.110%29.aspx
  2. https://msdn.microsoft.com/en-us/library/hh599321.aspx
  3. https://support.microsoft.com/en-us/kb/3044976
  4. http://fetchmytip.blogspot.com/2013/06/an-unexpected-error-has-occurred-moss.html

Symptoms:

  • You are continually prompted for credentials.
  • Event 111 is logged in the AD FS Admin log, as follows:

    Log Name: AD FS 2.0/Admin
    Event ID: 111
    Level: Error
    Keywords: AD FS
    Description:
    The Federation Service encountered an error while processing the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019:
