MOSS and ADFS

  #1  
Old 22-11-2006
Eric
 
MOSS and ADFS

I know this might be a big headache waiting to happen, but I am trying to
get ADFS to work in a simple environment using MOSS as the ASP applications I
wish to access. The setup is one Web Client and one FS. I have been
working with Microsoft Support to get this running and it seems to almost be
there. The tokens are getting passed back to the webserver from the FS. The
problem is actually on the webserver. I am getting the following exception
error:

Could not load file or assembly
'System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies.
The system cannot find the file specified. (c:\inetpub\wwwroot\web.config
line 124)

This is actually a line that we have added into the web.config. Prior to
adding this the webserver would not accept the token for the federation
server. The problem now seems to be it does not know what to do with it. I
have looked in the assembly directory for
"System.Web.Security.SingleSignOn.PartialTrust" but it does not exist.
Support and I have been beating ourselves up on this for the past 3 or 4
days and are not getting anywhere. As I am not much of a SharePoint person I
was wondering if anybody here could lend a hand. I am also going to post
this in the discussion forum for MOSS.

I wanted to point out that I have gotten this to work on SharePoint 2003; the
problem lies somewhere with MOSS and ADFS authentication tokens.

Thanks,
Eric
  #2  
Old 22-11-2006
Joe Kaplan
 
Re: MOSS and ADFS

When you say you added that line to the web.config, where did you add it?
Also, where is that assembly coming from? It isn't one of the ADFS
assemblies that comes with the normal R2 install. Does that come with some
hotfix release of ADFS or something?

If you want to go looking for the assemblies that do come with ADFS, they
are installed in the global assembly cache, not in the bin directory.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
  #3  
Old 29-11-2006
Eric
 
Re: MOSS and ADFS

Joe,

The changes we made are listed below. These came from an MS support person
who has ADFS running with MOSS '07. The line where we create the reference to
SingleSignOnMembershipProvider2 seems to be where the errors occur. MOSS
does not have any .dll file in the assembly that matches this reference and I
am not really sure where to create it. The ADFS side appears to be doing
everything it is supposed to, but MOSS is getting confused on how to handle
the token.

thanks,
Eric

* Central Admin Page:
o Click application management -> authentication providers
o Click "Windows" for the selected web application.
o Select Web Single Sign On radio button.
o Enter "SingleSignOnMembershipProvider2" in the membership provider
section.
o Enter "SingleSignOnRoleProvider2" in the role provider section.

* Change the web.config file for the admin page:
- register the membership provider and the role manager in the
web.config file for the central admin (so that the people picker on the
central admin pages can correctly resolve the users). Add the following entry
after the <authentication> section in the web.config file for the central
admin. (change fs-server to be your server name)

<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>

NOTE: You may not need the "fs=https://fs-..." in the membership and role
sections when the <websso> section follows. The providers will use the
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs> setting from
<websso> (but I haven't tried it yet. You may want to try and confirm it)

- Add this section to the web.config file for the central admin after the
<PeoplePickerWildcards> node.

<add key="SingleSignOnMembershipProvider2" value="" />


* Change the web.config file for the wss site.

<sectionGroup name="system.web">
  <section name="websso"
           type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
                 System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
                 PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>

- Add this section to the <httpModules> node

<add name="Identity Federation Services Application Authentication Module"
     type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule,
           System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
           PublicKeyToken=31bf3856ad364e35, Custom=null" />

- Add this section after the <authentication> node. Change "fs-server" to
your server name and change "your_application" to your application URL.

<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2,
               System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0,
               Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>

<websso>
  <authenticationrequired />
  <auditlevel>55</auditlevel>
  <urls>
    <returnurl>https://your_application</returnurl>
  </urls>
  <cookies Persistent="True">
    <path>/</path>
  </cookies>
  <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
  <!-- usettp / -->
  <isSharePoint />
</websso>

- Add this section to the <PeoplePickerWildcards> node.
<add key="SingleSignOnMembershipProvider2" value="" />

* Modify machine.config file (in the folder of ASP.NET V2.0). Add the
following section (red part).

<sectionGroup name="system.web"
              type="System.Web.Configuration.SystemWebSectionGroup, System.Web,
                    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
  <section name="websso"
           type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler,
                 System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral,
                 PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>


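As an added example (not from the thread or from Microsoft), a small Python lint for web.config fragments like the ones posted above: it checks that each defaultProvider names a registered provider, that the provider types point at the ADFS web-agent assembly with the PublicKeyToken shown, that the federation server and return URLs are HTTPS, that provider fs= URLs agree with <websso><fs>, and that the <websso> section handler and the authentication module are declared. The sample configuration embedded in it is constructed from the posted settings; the check names and messages are mine.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assembly identity of the ADFS web agent, as it appears in the posted config.
ADFS_TOKEN = "31bf3856ad364e35"
ADFS_ASSEMBLIES = {"System.Web.Security.SingleSignOn", "System.Web.Security.SingleSignOn.PartialTrust"}
WEBSSO_MODULE = "System.Web.Security.SingleSignOn.WebSsoAuthenticationModule"
# Providers ASP.NET 2.0 already registers in machine.config; they need no <add> here.
BUILTIN_PROVIDERS = {"AspNetSqlMembershipProvider", "AspNetSqlRoleProvider", "AspNetWindowsTokenRoleProvider"}

# Constructed sample modelled on the wss-site fragment posted in the thread.
SAMPLE_WEB_CONFIG = """<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </sectionGroup>
  </configSections>
  <system.web>
    <httpModules>
      <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
    </httpModules>
    <membership defaultProvider="SingleSignOnMembershipProvider2">
      <providers>
        <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </membership>
    <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
      <providers>
        <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
      </providers>
    </roleManager>
    <websso>
      <authenticationrequired />
      <urls><returnurl>https://your_application</returnurl></urls>
      <cookies Persistent="True"><path>/</path></cookies>
      <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
    </websso>
  </system.web>
</configuration>
"""


def parse_type(type_attr):
    """Split 'Ns.Type, Assembly, Version=..., PublicKeyToken=...' into its parts."""
    parts = [p.strip() for p in type_attr.split(",")]
    props = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    return parts[0], (parts[1] if len(parts) > 1 else ""), props


def require_https(url, what, findings):
    """Tokens and the agent cookie travel over these URLs; anything but https is a finding."""
    parsed = urlparse(url or "")
    if parsed.scheme != "https" or not parsed.netloc:
        findings.append(f"{what} must be an https URL, got {url!r}")


def check_providers(root, section, findings):
    """Check one <membership> or <roleManager> block; return {provider name: fs url}."""
    block = root.find(f".//{section}")
    if block is None:
        findings.append(f"<{section}> section missing")
        return {}
    registered = {}
    for add in block.findall("providers/add"):
        name = add.get("name", "")
        _type_name, assembly, props = parse_type(add.get("type", ""))
        if assembly not in ADFS_ASSEMBLIES or props.get("PublicKeyToken") != ADFS_TOKEN:
            findings.append(f"{section} provider {name!r} does not reference the ADFS agent assembly")
        registered[name] = add.get("fs")
    default = block.get("defaultProvider")
    if default and default not in registered and default not in BUILTIN_PROVIDERS:
        findings.append(f"{section} defaultProvider {default!r} is not a registered provider")
    return registered


def lint_websso_config(xml_text):
    """Return a list of findings; an empty list means the fragment is consistent."""
    root = ET.fromstring(xml_text)
    findings = []
    if not any(s.get("name") == "websso" for s in root.iter("section")):
        findings.append('<websso> is a custom section but no <section name="websso"> handler is declared')
    fs_urls = set()
    for section in ("membership", "roleManager"):
        for name, fs in check_providers(root, section, findings).items():
            if fs:
                require_https(fs, f"{section}/{name} fs", findings)
                fs_urls.add(fs)
    websso = root.find(".//websso")
    if websso is None:
        findings.append("<websso> section missing")
        return findings
    fs = websso.findtext("fs", "")
    require_https(fs, "websso/fs", findings)
    if fs_urls and fs_urls != {fs}:
        findings.append("provider fs= URLs differ from <websso><fs>")
    for ret in websso.findall("urls/returnurl"):
        require_https(ret.text, "websso/returnurl", findings)
    if websso.find("authenticationrequired") is None:
        findings.append("<authenticationrequired /> missing; the agent will not force sign-in")
    modules = [parse_type(m.get("type", ""))[0] for m in root.findall(".//httpModules/add")]
    if WEBSSO_MODULE not in modules:
        findings.append("WebSsoAuthenticationModule is not registered in <httpModules>")
    return findings
```

Run it against a real web.config to get the list of findings; the sample above yields none.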
  #4  
Old 01-12-2006
Jignesh Shah
 
Re: MOSS and ADFS

Eric,

If you haven't tried this already,
Change your assembly name

FROM : Microsoft.SharePoint.Portal.SingleSignOn

TO : Microsoft.SharePoint.Portal.SingleSignon

Notice the small o in the 'on' part at the end. That has changed recently (in
RTM, I believe).



  #5  
Old 01-12-2006
Joe Kaplan
 
Re: MOSS and ADFS

That assembly is probably installed in the global assembly cache (GAC) and
not the bin directory. However, I don't know where it comes from. I know
it doesn't come with ADFS V1 that is distributed with R2 server. Therefore,
it must either come with MOSS or it must come as some sort of a service
pack/hotfix to ADFS V1 that you need to obtain out of band. I'm not sure
which it is.

First, I'd check in the GAC to see if the assembly
System.Web.Security.SingleSignOn.PartialTrust is in there. If not, I'd go
back to the MS support person that gave you that info and ask where they got
the assembly System.Web.Security.SingleSignOn.PartialTrust and how you are
supposed to get it. That should solve your problem.

Joe K.

  #6  
Old 15-12-2006
Mike@OneNeck
 
Re: MOSS and ADFS (it works now. Thanks!)

Joe,

That assembly comes with W2K3 SP2. I've installed RC2 on my MOSS server and
have those assemblies.

Eric,

THANK YOU for posting your email from MS Support on how to get this working.
I've been struggling with this for about a month and have found very little
on the web.

I've got it up and running with the standard SSO provider that comes with R2
as well; just make sure you have the Web Agents for ADFS installed on the
server. That's what loads the assemblies.

If you want to see examples for both providers' SSO sections go to this
link:

http://technet2.microsoft.com/Office....mspx?mfr=true

It's a subset of what you got from MS support staff that shows how to
configure both the SingleSignOnMembershipProvider and
SingleSignOnMembershipProvider2, but your post contains several additional
sections that are not contained in the linked examples. Specifically, the
WebSSO section info and the machine.config file were the missing pieces in
my configuration. Once I added them it worked perfectly. Thanks much!

  #7  
Old 15-12-2006
Joe Kaplan
 
Re: MOSS and ADFS (it works now. Thanks!)

Interesting. There is supposed to be a QFE release coming out that has the
PartialTrust assembly as a separate package, but it is nice to know that
there is another way to get it. Glad you were successful. I'll take note
of your documentation for future reference as I'll probably need it.

Thanks!

Joe K.

  #8  
Old 16-12-2006
Mike@OneNeck
 
Re: MOSS and ADFS (it works now. Thanks!)

Here's a slightly modified version that references both SSO Providers and
removes the color coding (hard to see in black and white ;-).

Note: This procedure assumes you have already installed the W2K3 R2 ADFS
Web agents on the server and applied W2K3 SP2 which installs the
SingleSignOnMembershipProvider2 provider. If you want to use the original
SingleSignOnMembershipProvider that ships with R2 go to
http://technet2.microsoft.com/Office....mspx?mfr=true
and change the provider based on the examples there.
--------------
These came from an MS support person who has ADFS running with MOSS'07.

* Central Admin Page:
  o Click application management -> authentication providers
  o Click "Windows" for the selected web application.
  o Select the Web Single Sign On radio button.
  o Enter "SingleSignOnMembershipProvider2" in the membership provider section.
  o Enter "SingleSignOnRoleProvider2" in the role provider section.

* Change the web.config file for the central admin site:
- register the membership provider and the role manager in the
web.config file for the central admin (so that the people picker on the
central admin pages can correctly resolve the users). Add the following entry
after the <authentication> section in the web.config file for the central
admin. (change fs-server to be your server name)

<membership>
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider">
  <providers>
    <remove name="AspNetSqlRoleProvider" />
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>

NOTE: You may not need the "fs=https://fs-..." in the membership and role
sections when the <websso> section follows. The providers will use the
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs> setting from
<websso> (but I haven't tried it yet. You may want to try and confirm it)

- Add this section to the web.config file for the central admin after
the <PeoplePickerWildcards> node.

<add key="SingleSignOnMembershipProvider2" value="" />


* Change the web.config file for the wss site to include the following.

- Add this section to the <configSections> section

<sectionGroup name="system.web">
  <section name="websso"
           type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
</sectionGroup>

- Add this section to the <httpModules> node

<add name="Identity Federation Services Application Authentication Module"
     type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />

- Add this section after the <authentication mode>, change "fs-server" to
your server name. Change "your_application" to be your application URL

<membership defaultProvider="SingleSignOnMembershipProvider2">
  <providers>
    <add name="SingleSignOnMembershipProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</membership>

<roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2">
  <providers>
    <add name="SingleSignOnRoleProvider2"
         type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"
         fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers>
</roleManager>

<websso>
<authenticationrequired />
<auditlevel>55</auditlevel>
<urls>
<returnurl>https://your_application</returnurl>
</urls>
<cookies Persistent="True">
<path>/</path>
</cookies>
<fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
<!-- usettp / -->
<isSharePoint />
</websso>

- Add this section to the <PeoplePickerWildcards> node.

<add key="SingleSignOnMembershipProvider2" value="" />

* Modify machine.config file (in the folder of ASP.NET V2.0). Add the
section between the ------ lines. The top and bottom parts are already in
the file.

<sectionGroup name="system.web"
              type="System.Web.Configuration.SystemWebSectionGroup, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
----------
  <section name="websso"
           type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
----------
</sectionGroup>
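After working through the steps above, the useful check is whether the content site's web.config actually carries every piece (handler registration, agent module, both providers, <websso>, people picker key) and whether the federation endpoints agree and are all HTTPS. The checker below is an added example, not code from the thread or from Microsoft; the element and attribute names follow the fragments above, and the sample config is constructed with the thread's own "fs-server" and "your_application" placeholders.

```python
# Added example, not from the thread: a read-only checker for the ADFS Web Agent
# wiring that the steps above put into the content (wss) site's web.config.
import xml.etree.ElementTree as ET

SSO_NS = "System.Web.Security.SingleSignOn."

# Constructed web.config skeleton modelled on the thread's fragments; "fs-server"
# and "your_application" are the thread's own placeholders, not real hosts.
SAMPLE_CONFIG = """<configuration>
 <configSections><sectionGroup name="system.web">
  <section name="websso" type="System.Web.Security.SingleSignOn.WebSsoConfigurationHandler, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
 </sectionGroup></configSections>
 <SharePoint><PeoplePickerWildcards>
  <add key="SingleSignOnMembershipProvider2" value="" />
 </PeoplePickerWildcards></SharePoint>
 <system.web>
  <httpModules>
   <add name="Identity Federation Services Application Authentication Module" type="System.Web.Security.SingleSignOn.WebSsoAuthenticationModule, System.Web.Security.SingleSignOn, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, Custom=null" />
  </httpModules>
  <membership defaultProvider="SingleSignOnMembershipProvider2"><providers>
   <add name="SingleSignOnMembershipProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnMembershipProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers></membership>
  <roleManager enabled="true" defaultProvider="SingleSignOnRoleProvider2"><providers>
   <add name="SingleSignOnRoleProvider2" type="System.Web.Security.SingleSignOn.SingleSignOnRoleProvider2, System.Web.Security.SingleSignOn.PartialTrust, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fs="https://fs-server/adfs/fs/federationserverservice.asmx" />
  </providers></roleManager>
  <websso>
   <authenticationrequired />
   <urls><returnurl>https://your_application</returnurl></urls>
   <fs>https://fs-server/adfs/fs/federationserverservice.asmx</fs>
   <isSharePoint />
  </websso>
 </system.web>
</configuration>"""


def check_websso_config(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    out = []
    # <websso> needs a registered handler or ASP.NET rejects the whole web.config.
    if not any(s.get("name") == "websso" and "WebSsoConfigurationHandler" in (s.get("type") or "")
               for g in root.findall("configSections/sectionGroup") if g.get("name") == "system.web"
               for s in g.findall("section")):
        out.append("configSections: websso handler not registered")
    # The agent's HTTP module is what validates the token; without it nothing is federated.
    if not any("WebSsoAuthenticationModule" in (m.get("type") or "")
               for m in root.findall("system.web/httpModules/add")):
        out.append("httpModules: WebSsoAuthenticationModule missing")
    websso = root.find("system.web/websso")
    fs_url = ""
    if websso is None:
        out.append("system.web: <websso> section missing")
    else:
        fs_url = websso.findtext("fs", default="").strip()
        if not fs_url.lower().startswith("https://"):
            out.append("websso/fs: federation service URL must be https")
        if not websso.findtext("urls/returnurl", default="").strip().lower().startswith("https://"):
            out.append("websso/returnurl: must be https (the token is posted here)")
        if websso.find("isSharePoint") is None:
            out.append("websso: <isSharePoint /> missing")
    # Providers: default must be registered and be an ADFS type; any per-provider fs= must match <websso><fs>.
    for section in ("membership", "roleManager"):
        node = root.find("system.web/" + section)
        if node is None:
            out.append(f"{section}: section missing")
            continue
        if section == "roleManager" and node.get("enabled", "").lower() != "true":
            out.append("roleManager: enabled is not true")
        providers = {p.get("name"): p for p in node.findall("providers/add")}
        if node.get("defaultProvider") not in providers:
            out.append(f"{section}: defaultProvider {node.get('defaultProvider')!r} not registered")
        for name, p in providers.items():
            if not (p.get("type") or "").startswith(SSO_NS):
                out.append(f"{section}/{name}: type is not an ADFS SingleSignOn provider")
            if p.get("fs") and fs_url and p.get("fs").strip() != fs_url:
                out.append(f"{section}/{name}: fs= disagrees with <websso><fs>")
    # The people picker only resolves users through providers listed here.
    member = root.find("system.web/membership")
    if member is not None:
        keys = {a.get("key") for a in root.findall("SharePoint/PeoplePickerWildcards/add")}
        if member.get("defaultProvider") not in keys:
            out.append("PeoplePickerWildcards: no entry for the membership provider")
    return out
```

Run it against the real file with `check_websso_config(open(path).read())`; the central admin web.config from the steps above will legitimately report its roleManager default, since that one keeps AspNetWindowsTokenRoleProvider.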

  #9  
Old 21-12-2006
Eric
 
Posts: n/a
Re: MOSS and ADFS (it works now. Thanks!)

Mike, can you send me your web.config for your central admin. I have not
gotten this to work yet. I think I have mucked something else up in my
infinite tinkering and I want to make sure I am placing these edits in the
correct places, as I do not have a section labeled Authentication in my
web.config file for central admin.

It appears that MOSS does not know what to do once it gets the auth token
back and returns me a 401 unauthorized error. My email address is
evader12@hotmail.com.

Thanks,
Eric

  #10  
Old 21-12-2006
Mike@OneNeck
 
Posts: n/a
Re: MOSS and ADFS (it works now. Thanks!)

Eric,

You probably have it right. I had the same issue when I first tried to come
in via ADFS. It said access denied, but correctly listed the UPN I was
coming in with.

I found out that to allow access from auth sources other than NTLM you have
to go to central admin, select the web app, then select "Policy for Web
Application", click "Add Users", then select the zone you bound ADFS to, type
the UPN of the account and grant full access. You should be able to get to
the site. Let me know.

  #11  
Old 30-12-2006
Monika
 
Posts: n/a
Re: MOSS and ADFS (it works now. Thanks!)

I have followed the steps outlined in your blog and have the following
questions:
First, I continue to receive Error: Access Denied in MOSS after I have
configured Central Admin/Policy for Web/Add Users. Is MOSS expecting the user's
credentials in a format that is different from what is provided in the
federation token?
Second, could you explain how you have configured the MOSS site to accept ADFS
claims? In an inbound scenario the users come from an external data source and
their claim contains credentials that map to the MOSS role. There really is
no UI that allows me to map that relationship. The section under "Central
Admin/Policy for Web/Add Users" only allows me to add users in the company's
domain but not the external users. The only logical place that comes to mind
is the site's People & Groups section, but the UI again is not designed for it.

Thanks in advance!

