ADFS 2.0 - Fixing Broken FederationMetadata

Problem:
Active Directory Federation Services's FederationMetadata once failed to be published.
Just out of the blue. Whether it was updates or anything but A is A.
The usual URL like "https://adfs.server.com:443/FederationMetadata/2007-06/FederationMetadata.xml"
was not working so any federated partner will fail to get any changes from local ADFS automatically.

After brief search, the reason was found: the Access Control List for FederationMetadata/2007-06/ was removed, hence IIS was redirecting the request to the static file, and not to the adfs service endpoint:

>> netsh http show urlacl
    Reserved URL            : http://+:80/adfs/services/
        User: NT SERVICE\adfssrv
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : https://+:443/adfs/services/
        User: NT SERVICE\adfssrv
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

    Reserved URL            : https://+:443/adfs/fs/federationserverservice.asmx/
        User: NT SERVICE\adfssrv
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

In this case, solution was pretty simple - add the missing ACL to the list:

>> netsh http add urlacl url="https://+:443/FederationMetadata/2007-06/" user="NT SERVICE\adfssrv" listen=yes delegate=yes sddl="D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)"

Problem solved!

P.S. Sometimes, ADFS endpoint like "/adfs/services/trust/13/windows" failed to work as well. Re-enabling them solved the problem.

Comments

Post a Comment

Popular posts from this blog

DXGI fast screen capture

Task at hand was capturing desktop or monitor contents under Windows really fast. Actually, the faster is better because the real contents of the buffer I am writing to will be displayed/rendered in real time. There are several options of screen capture in Windows. The oldest and the easiest one is using GDI. The minus of it is that it's really slow. The second way of performing capture is DirectX Graphics Infrastructure - you command video card to store the whole screen or one/several monitors's contents inside separate part of its memory (surface). After that, you can either command video card to draw it somewhere else (for example, on texture). Or lock this surface and copy its contents to the main memory. Looks a lot more promising, huh? Of course I chose the DXGI way! To keep the actual DXGI-based implementation away from the main sources, I had created DXGIManager object incapsulating the actual capture stuff and opened up only a few basic methods: HRESULT SetCapt
Read more

Kubuntu 16.04 and Dell Inspiron 7559

Problem: Recently, I was more and more than fascinated by development convenience under the modern Linux distributions, not in the last place because I started to use Ubuntu on daily basis at work. So I decided to try Linux on my home laptop (Dell 7559). Options were: Install it as a virtual machine Dual boot At first, I tried installing Ubuntu/Kubuntu inside VM but it turned out to be a bad decision because of the 4K display of the laptop - interface was too slow for the normal usage. I tried both VMWare Player 12 and VirtualBox, tried even setting the scaling of the display in the latter to 200% so Ubuntu will have only 1080p virtual screen but it lagged even more. No go. Then I decided to try the dual boot approach. Luckily, when moving my system to SSD, I had to shrink the Windows partition and had about 200 Gb of the free place in the end of the disk where I decided to put the Kubuntu 16.04. Why Kubuntu? When trying out Ubuntu and Kubuntu inside VM, I found the scal
Read more

Getting POSIX TZ strings from Olson tzdata

Problem at hand: we are having IOT device which does not have the IANA/Olson tzdata package but we would like users to be able to select their time zones from the list, but not enter the TZ string in form of PST8PDT... After a lot of searching, I could not discover the way of obtaining any sort of the TZ string database which would work for most of the cases. The closest I got was the momentjs  JSON data generated from the old good Olson tzdata but, alas, it was still missing the simple TZ strings. Now it was pretty much evident that solution should still somehow include the Olson database but I did not know how. Final step had come up when I actually have taken a look at the tzinfo file format and discovered that in the current version (v2), the TZ string lies right in the end of each file, conveniently separated by the new line symbols at start and in the end! So the final solution for now is: download latest tzdata build it with zone info compiler (or just zic) process t
Read more