Setting up an ADFS lab environment - Part 1

re: Setting up an ADFS lab environment - Part 1

Max R. — Wed, 09 May 2007 21:27:14 GMT

Hello! Very interesting. Thank you.

ADFS Certificates - SSL, Token Signing, and Client Authentication Certs

ADFS Product Support Blog — Tue, 24 Jul 2007 01:56:24 GMT

We are seeing quite a few support calls relating to certificate problems. Many of these are due to a

re: Setting up an ADFS lab environment - Part 1

Franck — Fri, 12 Oct 2007 09:40:34 GMT

Thank you for this comprehensive explanation.

What about if we set up proxy servers?

Should we have 4 types of TS Certificates ?

- 1 for FS-A

- 1 for FS-AP

- 1 for FS-R

- 1 for FS-RP

Or only 2 types?

- 1 for FS-A and FS-AP

- 1 for FS-R and FS-RP

Hi Franck,

The ADFS Proxy component does not use a Token Signing Certificate. It uses a client authentication certificate. The client auth certificate is exported and placed on the trust policy of the Federation Server.

Thanks,

Jim

re: Setting up an ADFS lab environment - Part 1

ActiveDev — Tue, 19 Aug 2008 20:39:14 GMT

Can I have Web Server and Fed-R be same Virtual machine? Since I am a applicition Developer, I do not have the intimate knowlege of Setting on VM and DNS, activedirectory, "Configure DNS forwarders so both all machines can resolve adatum.com and treyresearch.net machine names" can you give it a sample?

re: Setting up an ADFS lab environment - Part 1

joelrising — Tue, 04 Nov 2008 01:34:10 GMT

I am getting the error below when trying to install the ADFS Windows components. I have run Windows updates, otherwise verified prereqs, fixed domain replications issues, double-checked certs. This machine is a DC at the forest root and also has Exchange and SQL Server on it. The error happens no matter what options I choose in the installer. This is the first ADFS component installed in this forest. Has anyone seen this error?

3352.3368> AdfsOcm-Error: Nov 03 08 22:07:56 RunExternalCommand failed for command line '"C:\WINDOWS\System32\msiexec.exe" /quiet /norestart /l*vx "C:\WINDOWS\adfsmsi.log" /i "C:\WINDOWS\adfs.msi" FRAMEWORKDIR="C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727" ADDLOCAL=FS,WS,Common ADFSVDIR=adfs TARGETDIR="C:\ADFS" TRUSTPOLICYPATH="C:\ADFS\TrustPolicy.xml" THUMBPRINT=7CE0E7216E76178B6EB6298CF2F02C3272C98736 PATCH="C:\WINDOWS\adfs.msp"'

3352.3368> AdfsOcm-Error: Nov 03 08 22:07:56 ADFSOcmInstallUninstall failed with hr=0x80070654, hrFailure=0x0

Using ADFS with SharePoint

Max Yermakhanov's Blog — Fri, 24 Apr 2009 00:30:08 GMT

To configure ADFS to work with SharePoint follow these instructions: Get your certificates ready ( http://blogs.technet.com/adfs/archive/2007/02/26/setting-up-an-adfs-lab-environment-part-1.aspx

re: Setting up an ADFS lab environment - Part 1

noeldp — Tue, 02 Jun 2009 20:12:19 GMT

Thanks for the excellent detail and example.

We're starting simple - one domain. The business requirement is to enable use of 'forms based' ADFS logon pages and have ADFS generate an NT Token for the user in the same domain, so the app runs under Windows security as the logged on user (like Basic Auth). All the examples seem to assume a much more complicated requirements scenario (2 domains etc). If it's not too much trouble, we'd appreciate a quick summary of just the steps and components required to use ADFS to allow multiple logon means within the same domain (ADFS forms logon triggering an NT Token for access to NT Token-based apps). Thanks!

re: Setting up an ADFS lab environment - Part 1

Arpitha — Tue, 07 Jul 2009 11:27:15 GMT

Can the token signing cert be replaced after ADFS is fully installed? what do we need to take care of in this case?

re: Setting up an ADFS lab environment - Part 1

icts-kul — Wed, 05 Aug 2009 10:41:19 GMT

Answer for joelrising:

I was experiencing the same error.

I found out this little tool `err.exe` which you can use for looking up error codes like 0x80070654

This results in:

err.exe 0x80070654

# as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x654

# for hex 0x654 / decimal 1620 :

ERROR_INSTALL_PACKAGE_INVALID winerror.h

# This installation package could not be opened. Contact the

# application vendor to verify that this is a valid Windows

# Installer package.

# 1 matches found for "0x80070654"

Therefore I concluded that the MSI file ADFS.msi I was using might be corrupt. I renamed c:\windows\adfs.msi to adfs.msi.BAK and ran the installation once more. The wizard prompted me for cd 2 of 'Windows Server 2003 r2', which contained a good version of adfs.msi.

Still haven't found out the reason why this file was corrupt.