Tags: 2007, adfs, moss, troubles
#1
ADFS & MOSS 2007 troubles

Hi all,

I'm using ADFS in a couple of forests and have a couple of web apps and WSS2 working quite happily.

The next step is to get MOSS 2007 working. In the absence of any guides (that I'm aware of), I've used the same methods as I did for WSS2.

From a client in the same domain, when opening the web page I get redirected to the short name of the site (i.e. moss, instead of moss.test.com) and get a "401 unauthorised" error.

When looking through the various logs and configuration:

1) The ADFS return path and application-defined path are correct with the FQDN (and I have verified this against the IIS metabase).
2) All the correct entries seem to be passed from the ADFS federation server (i.e. correct user name, site name etc.).
3) On the MOSS server, I get one line in the ifsext_sharepoint.log which I believe is the culprit, but I have no idea how to fix it, as follows:

3136.3248>wsfilt-warn: <Date> onsendresponse: get header xADFSUserNameHdr: failed with 1413. Extension may not be configured or user may be anonymous user. Continuing without setting cs-username.

Any help much appreciated.

#2
Re: ADFS & MOSS 2007 troubles

I'm pretty sure the issue with the plain host name is a MOSS configuration issue, not an ADFS issue. One of my colleagues ran into it and fixed it. If you want, I can follow up with her and see exactly what she did, but I'd start by poking around in Central Admin.

The issue with the login might have something to do with the wildcard application maps not being loaded or being set up in the wrong order. MOSS uses a wildcard application map to implement most of the MOSS functionality in .NET, and ADFS does something similar. However, ADFS needs to be the first wildcard map in the list, not the second one. You can see the wildcard maps by opening the web site properties in IIS Manager and clicking the Configuration button (usually on the Home Directory tab for a vdir). That will show you the script maps. The wildcard maps are in the bottom list view. If ADFS is second, move it up to first and see if that helps.

You can also integrate MOSS at the claims/membership provider level instead of the Windows token model (different than what you could do in WSS2), but we are still struggling a bit to figure out exactly how to get the claims to properly drive the SharePoint authorization model.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"verukins" <verukins@hotmail.com> wrote in message news:1168396516.822098.320780@o58g2000hsb.googlegroups.com...
> Hi all,
> I'm using ADFS in a couple of forests and have a couple of web
> apps and WSS2 working quite happily.
>
> The next step is to get MOSS 2007 working. In the absence of
> any guides (that I'm aware of), I've used the same methods as I did for
> WSS2.
>
> From a client in the same domain, when opening the web page I get
> redirected to the short name of the site (i.e. moss, instead of
> moss.test.com) and get a "401 unauthorised" error.
>
> When looking through the various logs and configuration:
> 1) The ADFS return path and application-defined path are correct with the FQDN
> (and I have verified this against the IIS metabase)
> 2) All the correct entries seem to be passed from the ADFS federation
> server (i.e. correct user name, site name etc.)
> 3) On the MOSS server, I get one line in the ifsext_sharepoint.log
> which I believe is the culprit, but I have no idea how to fix it... as
> follows...
>
> 3136.3248>wsfilt-warn: <Date> onsendresponse: get header
> xADFSUserNameHdr: failed with 1413. Extension may not be configured or
> user may be anonymous user. Continuing without setting cs-username.
>
> Any help much appreciated.
>

#3
Re: ADFS & MOSS 2007 troubles

Hey Joe,

I updated the wildcard mapping and found what I think your colleague may have come across in Central Admin | Operations | Global Config | Alternate Access Mappings.

Unfortunately now I'm getting an ADFS error "The request has been rejected because it appears to be a duplicate request from this same client browser session within the last 20 seconds" - which it's not.... but alas.... will sort that one out.

Thanks again for your help - it's definitely getting further!

#4
Re: ADFS & MOSS 2007 troubles

Yeah, I've seen that one too and can't remember how I fixed it, but make sure all of your federation URLs are correct in IIS and the application URL is correct in your trust policy, and you DO NOT have any apps in your trust policy that "overlap" in terms of URL or you will get weird stuff. For example, don't try to have two apps like this:

https://app.company.com/sites/
https://app.company.com/sites/somethingelse/

The cookies for the first one will overlap with the second one and cause bad things to happen. Also, make sure the cookie paths you have defined in IIS are correct and match the path of the app so that you aren't accidentally issuing cookies that overlap. The bottom line is that each trusting application needs to get its cookie and ONLY its cookie, not another app's cookie. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"verukins" <verukins@hotmail.com> wrote in message news:1168409753.423944.218780@p59g2000hsd.googlegroups.com...
> Hey Joe,
> I updated the wildcard mapping and found what I think your
> colleague may have come across in Central Admin | Operations | Global
> Config | Alternate Access Mappings.
>
> Unfortunately now I'm getting an ADFS error
> "The request has been rejected because it appears to be a duplicate
> request from this same client browser session within the last 20
> seconds" - which it's not.... but alas.... will sort that one out.
>
> Thanks again for your help - it's definitely getting further!
>

#5
Re: ADFS & MOSS 2007 troubles

Hey Joe,

My app paths are definitely correct, but at the moment I have a blank cookie domain and just "\" entered for the cookie path.... both servers are part of test.com (moss.test.com and sp.test.com - so the FQDNs are different and not just using a sub-path).

Both servers are in the test.com.au domain... so entering the same cookie path for both (which I did before reading your message) did not work, as you've said. That begs the question though: if that's the domain for both the servers, what cookie path do I use?

I've found that if I go to sp.test.com first, then moss.test.com... it will work.... if I try to do that in two different sessions it will not... and if I try to directly go to moss.test.com immediately, it also doesn't work.... the error message is the same in each case (the one about going to the site within 20 seconds etc. etc.)

I also tried sp.test.com and moss.test.com as the cookie paths, but had the same issue....

It's an odd one... these are times I wish my background wasn't purely core infra...

#6
Re: ADFS & MOSS 2007 troubles

With HTTP cookies, when a domain is not specified in the Set-Cookie header, the browser is supposed to assume that the cookie should only be sent back to the host that it came from. So, in this case, you really do want the domain to be null, as this helps ensure that different apps with different host names will not get each other's cookies. If the FQDNs are different, then path overlap should not be an issue.

Typically, you just want your cookie path to be whatever the root of the app is. If that is the top level of the app (basically https://moss.test.com/), then the cookie path should just be "/".

When I had issues in the past with the order of visits making a difference, it was because I had done something like accidentally setting "test.com" as the cookie domain for one of the apps. That will cause that app's _WebSSOAuth cookie to get replayed to ANY host in test.com, including moss.test.com and sp.test.com, so you don't want that, since they also both use the same cookie path (/) and thus overlap.

I hear you with the skill set issue. ADFS is hard, because it sort of demands a skill set that isn't too common, which is someone who knows directory, IIS web servers, web app architecture and enough DNS and PKI to be dangerous. It isn't that common of a combination. My background is primarily in web app architecture, but I've done a lot of directory and PKI development stuff in the past, so I know that stuff pretty well, and I've also done a ton of IIS stuff working on other web SSO products, so I just happened to have the right mix of things. I'm really weak on SharePoint though, so I get in over my head with WSS and MOSS really quickly.

Anyway, sorry I don't know the exact answer, but keep trying. Also, the ADFS logs are very good, so crank up all of the debugging levels and try to see if they are telling you something useful.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"verukins" <verukins@hotmail.com> wrote in message news:1168476294.473645.95820@i56g2000hsf.googlegroups.com...
> Hey Joe,
> My app paths are definitely correct, but at the moment I
> have a blank cookie domain and just "\" entered for the cookie path....
> both servers are part of test.com (moss.test.com and sp.test.com - so
> the FQDNs are different and not just using a sub-path)
>
> Both servers are in the test.com.au domain... so entering the same
> cookie path for both (which I did before reading your message) did not
> work as you've said. That begs the question though, if that's the domain
> for both the servers, what cookie path do I use?
>
> I've found that if I go to sp.test.com first, then moss.test.com... it
> will work.... if I try to do that in two different sessions it will
> not... and if I try to directly go to moss.test.com immediately, it
> also doesn't work.... the error message is the same in each case (the
> one about going to the site within 20 seconds etc etc)
>
> I also tried sp.test.com and moss.test.com as the cookie paths, but had
> the same issue....
>
> It's an odd one... these are times I wish my background wasn't purely
> core infra...
>

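The cookie-scoping rules Joe describes in his two replies (host-only cookies when no Domain is set, cookie path matching the app root, and the "each app gets ONLY its own cookie" requirement) can be checked offline. The following is an added example, not code from the thread or from ADFS; it simulates the browser's domain and path matching (as specified in RFC 6265, which codified the behaviour Joe relies on) and reports which trusting application's `_WebSSOAuth` cookie each request would carry. The hostnames moss.test.com, sp.test.com and app.company.com come from the thread; other.test.com is a constructed extra host used to show the "replayed to ANY host in test.com" effect.

```python
"""Cookie-overlap check for ADFS web-agent cookies across trusting apps.

Added example; it models RFC 6265 domain/path matching in plain Python rather
than calling a real browser or ADFS. Hostnames are the thread's own except
other.test.com, which is constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str      # host that set it (host-only) or the Domain attribute
    path: str        # Path attribute
    host_only: bool  # True when Set-Cookie carried no Domain attribute
    issuer: str      # URL of the trusting app that issued it (for reporting)


def set_cookie(issuing_url, name, path="/", domain=None):
    """Model the browser storing a Set-Cookie sent by issuing_url."""
    host = urlsplit(issuing_url).hostname
    if domain is None:
        # No Domain attribute: host-only cookie, returned to this host alone.
        return Cookie(name, host, path, True, issuing_url)
    # Domain attribute given: leading dot is ignored, matching is suffix-based.
    return Cookie(name, domain.lstrip(".").lower(), path, False, issuing_url)


def domain_matches(request_host, cookie_domain):
    """RFC 6265 section 5.1.3: exact host or any subdomain of cookie_domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4: cookie path is the request path or a prefix
    of it ending at a '/' boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_sent(jar, request_url):
    """Return the issuers of every cookie the browser would attach."""
    parts = urlsplit(request_url)
    host = parts.hostname.lower()
    path = parts.path or "/"
    sent = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        sent.append(c.issuer)
    return sent


def overlap_report(jar, request_urls):
    """Map each request URL to the issuers whose cookies it would receive.
    A list longer than one means an app is receiving another app's cookie."""
    return {url: cookies_sent(jar, url) for url in request_urls}


def scenario_host_only():
    """Recommended setup: blank cookie domain, path '/' on each app."""
    jar = [set_cookie("https://moss.test.com/", "_WebSSOAuth"),
           set_cookie("https://sp.test.com/", "_WebSSOAuth")]
    return overlap_report(jar, ["https://moss.test.com/default.aspx",
                                "https://sp.test.com/default.aspx"])


def scenario_domain_cookie():
    """The mistake Joe describes: Domain=test.com on one app's cookie."""
    jar = [set_cookie("https://moss.test.com/", "_WebSSOAuth", domain="test.com"),
           set_cookie("https://sp.test.com/", "_WebSSOAuth")]
    return overlap_report(jar, ["https://moss.test.com/default.aspx",
                                "https://sp.test.com/default.aspx",
                                "https://other.test.com/"])


def scenario_path_overlap():
    """Two trusting apps on one host with nested paths (Joe's /sites/ case)."""
    jar = [set_cookie("https://app.company.com/sites/", "_WebSSOAuth", path="/sites/"),
           set_cookie("https://app.company.com/sites/somethingelse/", "_WebSSOAuth",
                      path="/sites/somethingelse/")]
    return overlap_report(jar, ["https://app.company.com/sites/somethingelse/default.aspx",
                                "https://app.company.com/sites/default.aspx"])


if __name__ == "__main__":
    for label, fn in [("host-only", scenario_host_only),
                      ("domain=test.com", scenario_domain_cookie),
                      ("nested paths", scenario_path_overlap)]:
        print(label)
        for url, issuers in fn().items():
            flag = "OVERLAP" if len(issuers) > 1 else "ok"
            print(f"  {url} -> {issuers} [{flag}]")
```

Running it shows the first scenario isolating each app, the second leaking the moss.test.com cookie to sp.test.com and every other host under test.com, and the third sending the `/sites/` cookie along with the nested app's own cookie; any request flagged OVERLAP is one where the ADFS web agent would see two `_WebSSOAuth` values, which is the situation Joe warns about.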
#7
Re: ADFS & MOSS 2007 troubles

Hey Joe,

Just an FYI that it's now working.

Not 100% on what the issue was.... I managed to get some help from MS and completed a whole bunch of changes including web.config, MOSS config and IIS changes.

Don't know what bits I'm allowed to share and what bits I'm not, so I'll go on the safe side.

Hopefully there will be a MOSS 2007/ADFS guide sometime soon!

#8
Re: ADFS & MOSS 2007 troubles

Hi Verukins,

I am trying to get this working as well. From your posts, it looks like you are trying to use ADFS / MOSS 2007 the same as me: we have services mapped across multiple servers (x.test.com, y.test.com, z.test.com) and want to share a login amongst them. It seems as if this is at least possible. If you are ever able to share your insider knowledge, I am interested....

BTW, the guidance for ADFS and WSSv2 has a number of limitations; have you found out if any of these still hold for v3/MOSS 2007 (e.g. client integration, alternate access mappings)?

For the record, I cannot get anything to work. I will try upping my wildcard mapping priority and see if that makes any difference. So far, I am just getting "unexpected error occurred", like a couple of other posters.

Thanks

Mark

verukins wrote:
> Hey Joe,
> Just an FYI that it's now working.
>
> Not 100% on what the issue was.... I managed to get some help from MS
> and completed a whole bunch of changes including web.config, MOSS
> config and IIS changes.
>
> Don't know what bits I'm allowed to share and what bits I'm not, so I'll
> go on the safe side.
>
> Hopefully there will be a MOSS 2007/ADFS guide sometime soon!

#9
Re: ADFS & MOSS 2007 troubles

Hi Mark,

Almost like magic, a hotfix was recently released.... to address MOSS 2007/ADFS issues...

http://support.microsoft.com/kb/920764/en-us

#10
Re: ADFS & MOSS 2007 troubles

Hey, thanks very much for the heads up. Been having trouble getting any other authentication providers to work here. Very frustrating. Hopefully this will help.

Mark

verukins wrote:
> Hi Mark,
> Almost like magic, a hotfix was recently released.... to
> address MOSS 2007/ADFS issues...
>
> http://support.microsoft.com/kb/920764/en-us

#11
Re: ADFS & MOSS 2007 troubles

Hi,

I see you have to go through PSS to get this - have you done that?

Thanks

Mark

verukins wrote:
> Hi Mark,
> Almost like magic, a hotfix was recently released.... to
> address MOSS 2007/ADFS issues...
>
> http://support.microsoft.com/kb/920764/en-us

#12
Re: ADFS & MOSS 2007 troubles

Note that published bug fixes requested from PSS don't cost you anything, even if they initially ask you for a credit card or something. It is just a procedure. Some bug fixes are tracked carefully by PSS and are not made available for general download, but MS doesn't charge anyone for them. Hopefully you aren't concerned about that. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mah624@gmail.com> wrote in message news:1169195561.280714.145400@11g2000cwr.googlegroups.com...
> Hi,
> I see you have to go through PSS to get this - have you done that?
> Thanks
> Mark
>
> verukins wrote:
>> Hi Mark,
>> Almost like magic, a hotfix was recently released.... to
>> address MOSS 2007/ADFS issues...
>>
>> http://support.microsoft.com/kb/920764/en-us
>

#13
Re: ADFS & MOSS 2007 troubles

Hi Joe,

I'm only concerned in that getting payments made for such things in my organisation is not straightforward ;)

We have an educational support contract as well, but from a pragmatic point of view, I was just trying to find a way with the least bureaucracy!

We also have a test domain that I can access to set up ADFS on a second server. I'll try that before going through support.

BTW, you reference in other postings a custom LDAP membership provider. Did you say you would make the source available on request? I am about to start down that route using Steven Fowler's stub. I would like to use the provider to import profiles so that my FBA users can get MySites etc. We have Active Directory, but WIA is no good for us as we have to support Macs and remote users.

Can you confirm that this is possible?

Thanks

Mark

Joe Kaplan wrote:
> Note that published bug fixes requested from PSS don't cost you anything,
> even if they initially ask you for a credit card or something. It is just a
> procedure. Some bug fixes are tracked carefully by PSS and are not made
> available for general download, but MS doesn't charge anyone for them.
> Hopefully you aren't concerned about that. :)
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> <mah624@gmail.com> wrote in message
> news:1169195561.280714.145400@11g2000cwr.googlegroups.com...
> > Hi,
> > I see you have to go through PSS to get this - have you done that?
> > Thanks
> > Mark
> >
> > verukins wrote:
> >> Hi Mark,
> >> Almost like magic, a hotfix was recently released.... to
> >> address MOSS 2007/ADFS issues...
> >>
> >> http://support.microsoft.com/kb/920764/en-us
> >

#14
Re: ADFS & MOSS 2007 troubles

Drop me a note offline and I'll send you the experimental "ActiveDirectoryRoleProvider" that Ryan (my coauthor) wrote. You are welcome to play with it if you want.

I totally understand about the not wanting to call PSS thing; it is a pain. Unfortunately, you have no recourse unless you can convince someone to send you the hotfix via email. I don't have it (yet), so don't ask. :)

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<mah624@gmail.com> wrote in message news:1169221227.501515.265970@38g2000cwa.googlegroups.com...
> Hi Joe,
> I'm only concerned in that getting payments made for such things in my
> organisation is not straightforward ;)
> We have an educational support contract as well, but from a pragmatic
> point of view, I was just trying to find a way with the least
> bureaucracy!
> We also have a test domain that I can access to set up ADFS on a second
> server. I'll try that before going through support.
>
> BTW, you reference in other postings a custom LDAP membership
> provider. Did you say you would make the source available on request? I
> am about to start down that route using Steven Fowler's stub. I would
> like to use the provider to import profiles so that my FBA users can
> get MySites etc. We have Active Directory, but WIA is no good for us as
> we have to support Macs and remote users.
> Can you confirm that this is possible?
>
> Thanks
>
> Mark
>
> Joe Kaplan wrote:
>> Note that published bug fixes requested from PSS don't cost you anything,
>> even if they initially ask you for a credit card or something. It is
>> just a
>> procedure. Some bug fixes are tracked carefully by PSS and are not made
>> available for general download, but MS doesn't charge anyone for them.
>> Hopefully you aren't concerned about that. :)
>>
>> Joe K.
>>
>> --
>> Joe Kaplan-MS MVP Directory Services Programming
>> Co-author of "The .NET Developer's Guide to Directory Services
>> Programming"
>> http://www.directoryprogramming.net
>> --
>> <mah624@gmail.com> wrote in message
>> news:1169195561.280714.145400@11g2000cwr.googlegroups.com...
>> > Hi,
>> > I see you have to go through PSS to get this - have you done that?
>> > Thanks
>> > Mark
>> >
>> > verukins wrote:
>> >> Hi Mark,
>> >> Almost like magic, a hotfix was recently released.... to
>> >> address MOSS 2007/ADFS issues...
>> >>
>> >> http://support.microsoft.com/kb/920764/en-us
>> >
>

#15
Re: ADFS & MOSS 2007 troubles

Hi Joe,

I have the hotfix now and the ADFS part of the system is now working. However, I am getting the 401 problem now. I guess from the above that it's a cookie overlap problem. I will check everything thoroughly one more time...

Thanks for the offer of the provider. I think that once we have finished looking at the OOB FBA providers, we will call it a day. Too many problems, and the main issue for us is client integration. We pretty much sold MOSS to our organisation based on that, and having tested it myself I don't think we can move forward with FBA. We are primarily looking at FBA/ADFS as a way of defeating multiple logins. I am gonna have a chat with the version 3 guys and see what they can offer.

Thanks again

Mark

On Jan 19, 5:18 pm, "Joe Kaplan" <joseph.e.kap...@removethis.accenture.com> wrote:
> Drop me a note offline and I'll send you the experimental
> "ActiveDirectoryRoleProvider" that Ryan (my coauthor) wrote. You are
> welcome to play with it if you want.
>
> I totally understand about the not wanting to call PSS thing; it is a pain.
> Unfortunately, you have no recourse unless you can convince someone to send
> you the hotfix via email. I don't have it (yet), so don't ask. :)
>
> Joe K.
>
> --
> Joe Kaplan-MS MVP Directory Services Programming
> Co-author of "The .NET Developer's Guide to Directory Services Programming"
> http://www.directoryprogramming.net
> --
> <mah...@gmail.com> wrote in message
> news:1169221227.501515.265970@38g2000cwa.googlegroups.com...
>
> > Hi Joe,
> > I'm only concerned in that getting payments made for such things in my
> > organisation is not straightforward ;)
> > We have an educational support contract as well, but from a pragmatic
> > point of view, I was just trying to find a way with the least
> > bureaucracy!
> > We also have a test domain that I can access to set up ADFS on a second
> > server. I'll try that before going through support.
>
> > BTW, you reference in other postings a custom LDAP membership
> > provider. Did you say you would make the source available on request? I
> > am about to start down that route using Steven Fowler's stub. I would
> > like to use the provider to import profiles so that my FBA users can
> > get MySites etc. We have Active Directory, but WIA is no good for us as
> > we have to support Macs and remote users.
> > Can you confirm that this is possible?
>
> > Thanks
>
> > Mark
>
> > Joe Kaplan wrote:
> >> Note that published bug fixes requested from PSS don't cost you anything,
> >> even if they initially ask you for a credit card or something. It is
> >> just a
> >> procedure. Some bug fixes are tracked carefully by PSS and are not made
> >> available for general download, but MS doesn't charge anyone for them.
> >> Hopefully you aren't concerned about that. :)
>
> >> Joe K.
>
> >> --
> >> Joe Kaplan-MS MVP Directory Services Programming
> >> Co-author of "The .NET Developer's Guide to Directory Services
> >> Programming"
> >> http://www.directoryprogramming.net
> >> --
> >> <mah...@gmail.com> wrote in message
> >> news:1169195561.280714.145400@11g2000cwr.googlegroups.com...
> >> > Hi,
> >> > I see you have to go through PSS to get this - have you done that?
> >> > Thanks
> >> > Mark
>
> >> > verukins wrote:
> >> >> Hi Mark,
> >> >> Almost like magic, a hotfix was recently released.... to
> >> >> address MOSS 2007/ADFS issues...
>
> >> >> http://support.microsoft.com/kb/920764/en-us