· C:\adfs.cer, which is the token signing certificate I copied from my ADFS server
· C:\adfsParent.cer, which is the parent certificate to my token signing certificate
All the pictures are not available :(
Not sure why that is... I'm seeing them all, so I'm not sure how to troubleshoot. But you can always download the .docx that is attached to the post. It's the Word doc format of this post, including pix.
Very informative and crisp. You really make claims look so simple. Thanks.
How can I map the email address claim to SPUser mail so that SharePoint can send mails?
Very helpful post. I followed the steps to authenticate users from ADFS 2.0 with a SharePoint 2010 web application.
I got this problem and am not able to find the cause of it. I have given read permission to the service account and the app pool account; still I get this error. Any suggestion is appreciated.
Server Error in '/_trust' Application.
The trusted login provider did not supply a token accepted by this farm.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ServiceModel.FaultException: The trusted login provider did not supply a token accepted by this farm.
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
[FaultException: The trusted login provider did not supply a token accepted by this farm.]
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr) +328
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustClient.Issue(RequestSecurityToken rst) +36
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs) +19063094
Microsoft.SharePoint.SPSecurityContext.SecurityTokenForOnBehalfOfContext(Uri context, SecurityToken onBehalfOf) +54
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnSessionSecurityTokenCreated(SessionSecurityTokenCreatedEventArgs arguments) +357
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SetPrincipalAndWriteSessionToken(SessionSecurityToken sessionToken, Boolean isSession) +92
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +360
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +247
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
Kanta - see this post, it sounds like the same thing: blogs.technet.com/.../trustedmissingidentityclaimsource-error-with-claims-auth-in-sharepoint-2010.aspx.
Do you have a similar post for MOSS 2007 and ADFS 1.0 or could you recommend a post that is this straight forward?
How do I encrypt the STS token from the SharePoint WFE?
Great post. It helped me enable ADFS authentication for WP7 Office Hub SharePoint access. Although the SharePoint FBA worked too, ADFS actually enabled me to combine WIA and FBA on the same web application and keep a single SharePoint user identity regardless of the authentication method chosen.
I just wish that WP7 guys actually produced a step-by-step instead of making this a somewhat obscure process. Hope it will be released in days to come.
I do have a question though. Could you please suggest how I could make a SharePoint IIS site request a specific authentication type from ADFS? Right now I can only influence this by modifying the web.config in the /adfs/ls folder, and I'd like the relying party (SharePoint) to do the choosing instead.
First, a very good post. I've been experimenting with ADFS previously, and now we are trying to integrate with SharePoint. So, this post was extremely helpful. A couple of things that happened to me:
1.) I never got a logon screen when redirected to my ADFS server; I just got logged in. In fact, I can't switch users, it just logs me back in. I'm thinking it is related to my ADFS setup, but unsure - any clues?
2.) Any info on how to use claims sent back by the ADFS server? Is this where I'd need to provide custom code in SharePoint to inspect the SP model? I'm assuming there's a Claims object?
@ Steve Kumbsky
Steve - regarding your first question, ADFS 2.0 uses Windows Integrated authentication by default. If you set this up following Steve's (:)) post, you can change the authentication type used by modifying the web.config in the /adfs/ls folder. The directions for doing that can be found here:
Also, ADFS 2.0 respects the wauth parameter if used in the authentication request URL, and that allows you to change from the default authentication type per requestor. Here's the link on wauth values that are accepted by ADFS:
Unfortunately I haven't figured out yet how to make SharePoint add the wauth parameter to the request (at least without writing my own SharePoint authentication provider). I've been looking for a way to modify the SharePoint web.config (both in the root and the _trust folder) or the settings of SPTrustedIdentityTokenIssuer to achieve this, but with no success. Interestingly enough, if you manually edit the ADFS authentication request issued by SharePoint to add the wauth parameter, it works - you get the desired authentication.
I've tried to get some help on forums:
but received no answers yet. It leads me to believe that standard SharePoint CBA isn't capable of using wauth in ADFS requests.
Hi Tomislav, first thanks for the comments you've been making on the blog site. You're obviously doing a much better job than me in keeping up with questions. :-)
As for your specific question, I believe we are currently stuck here. I would have suggested that you consider writing an HttpModule and adding a wauth query string parameter with the value you want. However, in recent testing I found SharePoint to be swallowing any query string parameters I added for authentication purposes (in my case, whr). You could try it and see if it works differently for you, but I would be surprised if it does. It's something we're currently investigating.
Thank you for the suggestion, I'll try tinkering with it. And sorry for hijacking your blog a bit :)
This is a much better article than most that I have found; however, I have a few questions:
1. Do you have to set up the cert through PowerShell, or can you just go to Central Admin, Security, Manage Trusts, and add the cert there?
2. I can't figure out whether there is a dedicated web app for SharePoint to talk to the IP-STS, or not. Some documentation makes it seem like there is. Your article sounds like you don't need one, that you just take the web app you would normally create to hold your site collections and you point it to the IP-STS. Can you please clarify this?
3. Does it matter what the realm is, as long as both the SharePoint and the IP-STS realms match?
4. I think it would be helpful to have an example using an FQDN for the web app, since I don't see the point in using federation for an intranet site - it would just make things a little more concrete.
In any case, thank you for writing this!
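As an added example that is not part of the original post or its comments, the following shows the PowerShell shape of the trust setup that question 1 above asks about: the two certificate files named at the top of the page are registered as trusted root authorities, incoming claims are mapped, and the SPTrustedIdentityTokenIssuer is created. The issuer name, the realm and the ADFS sign-in URL are placeholder assumptions, not values from the page.

```powershell
# Added example (not from the post): registering the ADFS token-signing certificate
# chain and creating the trusted identity provider from the SharePoint 2010
# Management Shell. The .cer paths match the files named at the top of the page;
# the issuer name, realm and sign-in URL below are placeholders (assumptions).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Trust the parent (issuing) certificate first, then the token-signing certificate.
#    SharePoint only accepts tokens whose signature chains to a trusted root authority,
#    so a missing link here surfaces later as a "token not accepted by this farm" error.
$parentCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfsParent.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing Parent" -Certificate $parentCert

$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")
New-SPTrustedRootAuthority -Name "ADFS Token Signing" -Certificate $signingCert

# 2. Map the incoming claims SharePoint should accept. The email address claim is
#    used as the identifier claim; the role claim is mapped for group-style permissions.
$emailMap = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" `
    -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$roleMap  = New-SPClaimTypeMapping `
    -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" `
    -IncomingClaimTypeDisplayName "Role" -SameAsIncoming

# 3. Create the trusted identity provider. The realm must match the relying party
#    identifier configured in ADFS (placeholder value); SignInUrl is the ADFS passive
#    endpoint (placeholder host).
$realm     = "urn:sharepoint:example"                 # assumption
$signInUrl = "https://adfs.example.com/adfs/ls"       # assumption
$issuer = New-SPTrustedIdentityTokenIssuer -Name "ADFS 2.0 Provider" `
    -Description "Added example: ADFS 2.0 trusted provider" `
    -Realm $realm -ImportTrustCertificate $signingCert `
    -ClaimsMappings $emailMap, $roleMap -SignInUrl $signInUrl `
    -IdentifierClaim $emailMap.InputClaimType

# 4. Verify: the issuer should show the signing certificate thumbprint, the realm and
#    the identifier claim you expect before you bind it to a web application.
Get-SPTrustedIdentityTokenIssuer -Identity "ADFS 2.0 Provider" |
    Select-Object Name, IdentifierClaim, ProviderRealms,
        @{ n = 'SigningCertThumbprint'; e = { $_.SigningCertificate.Thumbprint } }
```

The last step is the useful check when a farm rejects tokens: if the thumbprint printed there does not match the certificate ADFS is actually signing with (for example after a certificate rollover), SharePoint cannot validate the signature, and the trust has to be updated with the new certificate.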
Can you have ADFS talk to two domains that have no trust between them for verifying a user's identity?