Integrating IAG with Active Directory Federation Services seems to be getting more popular and is something I see quite a number of support calls on.  If you configure everything exactly as per the guidance below then ADFS/IAG integration will work perfectly.  But if you miss a step, misconfigure something, or insert a typo then you will see failures and these can often be tricky to troubleshoot. 

I’ve seen a fair number of different problems with ADFS and IAG working together, so there will definitely be more posts to come in this area.  This first post will hopefully help you to at least get past the initial setup stage! 


First, the links to the build documentation:

ADFS:

http://www.microsoft.com/downloads/details.aspx?familyid=062F7382-A82F-4428-9BBD-A103B9F27654&displaylang=en (Windows Server 2003)

http://technet.microsoft.com/en-us/library/dd378921(WS.10).aspx  (Windows Server 2008 R2)

IAG:

http://technet.microsoft.com/en-us/library/dd353186.aspx (IAG 2007 SP2)


Follow this documentation and you should end up with a working environment that lets you access IAG using ADFS Authentication.  If you don’t, then read on and hopefully you’ll find a fix for whatever problem you are encountering.


In this post I’ll discuss issues that I have seen when running the IAG 2007 SP2 ADFS configuration script (ADFSConfigTool.vbs) as part of the configuration stage.  In future posts I’ll go on to discuss general troubleshooting and problems you may see once the configuration is complete and you start to test functionality.

The first thing you should be aware of when running the ADFSConfigTool script is that it writes a log under ...\whale-com\e-gap\logs, named ADFS_Tool_Log.txt.  Always check this log first if you encounter errors running the script; the message shown in the tool's dialog is usually less specific than the entry in the log.


There are two errors that you are likely to encounter if you have misconfigured something.  For each of these errors I will list the causes that I have seen.  There may of course be others, but hopefully this will cover the more common misconfigurations.


First up is ‘Error 0 unable to get the portal trunk name’.

ADFS_Tool_Log.txt will show:

GetIAGSigntures:Error -2147467259 Unable to retrieve the file from https://<IP Address:Port>/InternalSite/on-demandagent/IAG_Applications.xml


Possible causes:

1.       A WinHTTP Proxy is configured on IAG

The ADFS configuration script uses WinHTTP to make an HTTPS request to the local web server on the IAG and retrieve the XML file containing the configuration.  If a proxy is configured for WinHTTP then this request is sent to the proxy rather than to the local portal, and it fails. 
Note: the WinHTTP proxy is different from the WinInet proxy that might be configured in Internet Explorer, so removing any proxy settings in the browser will not fix this problem.

Check with proxycfg.exe to see if a WinHTTP proxy is configured.  If a proxy is specified then use proxycfg -d to change WinHTTP to use direct access instead.  (On Windows Server 2008 and later, where proxycfg.exe is no longer shipped, the equivalents are netsh winhttp show proxy and netsh winhttp reset proxy; IAG 2007 itself runs on Windows Server 2003, so proxycfg.exe is the tool you will normally use.)


2.       The ADFS Web Agent is configured on the portal website

The ADFS Web Agent must be enabled only on the Default Web Site/InternalSite/ADFS virtual directory.  If it is enabled anywhere else then problems may occur, and enabling it on the portal trunk website will cause this error when the ADFS configuration script is run.  To resolve this, disable the Web Agent from the ADFS Web Agent tab on the website's Properties sheet, and also remove the ADFS filter from the ISAPI Filters tab of that website.


3.       The Whale Portal application is not configured with an HTTPS port

By default the HTTPS port for the Whale Portal application is blank.

The IAG/ADFS configuration instructions do mention that this must be set to ‘Auto’ and that the ‘Application URL’ on the Portal Link tab must be changed to HTTPS://....  If this step is omitted then you will end up with the above error.  ADFS_Tool_Log.txt will look slightly different in this case: you will only see ‘getTrunkName :0’ in the log, without the GetIAGSigntures line.
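The quickest way to confirm whether cause 1 above (a WinHTTP proxy) is what is breaking the script is to repeat the request the script makes, once with the machine's WinHTTP proxy settings and once with direct access.  The PowerShell below is an added diagnostic written for this post; it is not part of ADFSConfigTool.vbs or of the IAG product.  It uses the same WinHttp.WinHttpRequest.5.1 COM object that VBScript uses for WinHTTP requests.  The portal IP address and port, and the choice to ignore certificate errors (the script's URL uses an IP address, so the certificate name will not match), are assumptions made for the example.

```powershell
# Added diagnostic for the IAG ADFSConfigTool 'unable to get the portal trunk name' error.
# Not part of ADFSConfigTool.vbs. Run it on the IAG server itself.
param(
    [string]$PortalIp   = '192.0.2.10',   # assumption: replace with the portal trunk IP
    [int]   $PortalPort = 443             # assumption: replace with the portal trunk HTTPS port
)

# This is the URL the tool reports in ADFS_Tool_Log.txt when the fetch fails.
$url = "https://${PortalIp}:${PortalPort}/InternalSite/on-demandagent/IAG_Applications.xml"

# 1. Show the current WinHTTP proxy setting. proxycfg.exe exists on Windows Server 2003
#    (the IAG 2007 platform); netsh winhttp replaces it on Windows Server 2008 and later.
if (Get-Command proxycfg.exe -ErrorAction SilentlyContinue) {
    proxycfg.exe
} else {
    netsh winhttp show proxy
}

# 2. Fetch the XML the way the script does, with a chosen WinHTTP proxy mode.
#    ProxySetting values for WinHttpRequest.SetProxy:
#      0 = HTTPREQUEST_PROXYSETTING_PRECONFIG (use the machine WinHTTP settings)
#      1 = HTTPREQUEST_PROXYSETTING_DIRECT    (bypass any proxy)
function Test-IagXmlFetch {
    param([int]$ProxySetting)

    $req = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
    $req.SetProxy($ProxySetting)

    # Option index 4 = WinHttpRequestOption_SslErrorIgnoreFlags; 0x3300 ignores all
    # certificate errors (unknown CA, wrong usage, CN mismatch, date). Diagnostic only:
    # it is used here because the request goes to an IP address, not the certificate name.
    [System.__ComObject].InvokeMember('Option',
        [System.Reflection.BindingFlags]::SetProperty, $null, $req, @(4, 0x3300))

    # resolve, connect, send, receive timeouts in milliseconds
    $req.SetTimeouts(5000, 5000, 5000, 5000)

    try {
        $req.Open('GET', $url, $false)   # $false = synchronous
        $req.Send()
        if ($req.Status -eq 200 -and $req.ResponseText -match '<') {
            return "OK: HTTP $($req.Status), $($req.ResponseText.Length) bytes of XML"
        }
        return "FAILED: HTTP $($req.Status) $($req.StatusText)"
    } catch {
        # A WinHTTP proxy that cannot reach the portal typically surfaces here
        # (for example a connection or name-resolution error).
        return "FAILED: $($_.Exception.Message)"
    }
}

'Using configured WinHTTP proxy settings: ' + (Test-IagXmlFetch -ProxySetting 0)
'Using direct access:                     ' + (Test-IagXmlFetch -ProxySetting 1)
```

If the first line fails and the second succeeds, the WinHTTP proxy is the problem and proxycfg -d (or netsh winhttp reset proxy) will fix it.  If both fail, the proxy is not the cause: look at causes 2 and 3 above, and at whether anything is listening on the portal trunk's HTTPS port at all.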


The second error you may see is ‘Error 0 unable to insert <SAR> to the IAG Configuration File’.

The same error will appear in ADFS_Tool_Log.txt

Possible causes:

1.       Wrong IP address entered into the ADFS configuration tool

You must enter the IP address of the portal trunk when prompted by the ADFS configuration tool.  If you specify the IP address of the FS-P (federation server proxy) trunk instead, you may get this error message.


Hopefully this will help you to get everything set up so that you can move on and start performing some functional testing.