29 April 2013 CI Team

 

I had been working with ADFS 2.0 ("Active Directory Federation Services") for a while when this simple question crossed my mind: how can I tell whether the connection between ADFS and AD actually "works"? Here is a simple test…

What is ADFS?

If you need trust relationships that reach beyond the borders of your own AD, Microsoft's answer is Active Directory Federation Services. ADFS sits between the sender (your own company AD) and the receiver (another AD, or a large hub such as the Windows Azure Access Control Service) and issues claims for the signed-in user. Maybe this isn't 100% accurate and maybe my choice of words doesn't fit 100%, but that's how I understand the system ;-)

So, how do I test whether ADFS is working?

ADFS uses IIS to host its endpoints. One of them is a simple sign-in page that any user can open (on ADFS 2.0 it is enabled by default; from Windows Server 2016 on, AD FS ships it disabled and Set-AdfsProperties -EnableIdpInitiatedSignonPage $true turns it back on):

https://{ADFS-FQDN}/adfs/ls/IdpInitiatedSignon.aspx

A plain sign-in page appears; after one click on "Sign in" you should see something like this:

[screenshot]

If the page appears without asking for a username and password, the browser signed you in silently with integrated Windows authentication, normally Kerberos. If you are prompted for credentials, Kerberos usually did not work (with ADFS 2.0 that is typically an SPN problem, see the troubleshooting links below) and the sign-in falls back to NTLM. Either way, a successful sign-in shows that ADFS could authenticate you against AD.

If things go wrong (for example, the configuration database is unreachable or "broken"), you get an error page like this instead:

[screenshot]

What you can test with it

This only confirms that the configuration and the connection between ADFS and your own AD work, nothing more; but problems often show up already at this point. Whether the "other side" (the relying party) works is a separate question.

I have an ADFS proxy running – what’s next?

Basically, you test the "main" (internal) ADFS first, then repeat the test from a machine that can only see the proxy, for example an external client, to make sure the sign-in works there too. After that you continue step by step until you reach the "customer", i.e. the relying party.
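The checks described above as a script, an added example that is not part of the original post: it requests the sign-on page anonymously to see which authentication schemes ADFS offers, then with the logged-on user's credentials, and then uses klist to tell whether Kerberos actually worked or the sign-in fell back to NTLM. It assumes Windows PowerShell 3.0 to 5.1 (Invoke-WebRequest with a WebException on error) on a domain-joined machine, and a federation service name that resolves from where it runs; adfs.contoso.com is a placeholder.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell
# 3.0 to 5.1 on a domain-joined machine; adfs.contoso.com is a placeholder.
function Test-AdfsSignon {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FederationServiceName
    )

    $url = "https://$FederationServiceName/adfs/ls/IdpInitiatedSignon.aspx"
    $spn = "HTTP/$FederationServiceName"

    # Step 1: what does the endpoint offer to an anonymous request?
    # The internal ADFS answers with 401 and one WWW-Authenticate header per
    # scheme (Negotiate, NTLM). An ADFS proxy uses forms authentication by
    # default and simply returns the sign-in form with HTTP 200.
    try {
        $anon = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        Write-Host "Anonymous request: HTTP $([int]$anon.StatusCode), no challenge (forms authentication, e.g. via the proxy)"
    } catch {
        $resp = $_.Exception.Response
        if ($resp -ne $null -and [int]$resp.StatusCode -eq 401) {
            $schemes = $resp.Headers.GetValues('WWW-Authenticate') -join ', '
            Write-Host "Anonymous request: HTTP 401, schemes offered: $schemes"
        } else {
            Write-Host "Anonymous request failed: $($_.Exception.Message)"
            return
        }
    }

    # Step 2: the actual test. -UseDefaultCredentials sends the logged-on
    # user's credentials via Negotiate (Kerberos first, NTLM as fallback).
    # HTTP 200 means ADFS could authenticate you against AD; the error page
    # from the post (e.g. a broken configuration database) shows up as a
    # 500-range status instead.
    try {
        $page = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing -ErrorAction Stop
        Write-Host "Authenticated request: HTTP $([int]$page.StatusCode), $($page.Content.Length) bytes"
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'n/a' }
        Write-Host "Authenticated request failed: HTTP $code, $($_.Exception.Message)"
        return
    }

    # Step 3: Kerberos or NTLM? 'klist get' asks the KDC for a service ticket
    # for the ADFS SPN. It only succeeds if the SPN is registered (it belongs
    # on the ADFS service account); otherwise the sign-in above silently fell
    # back to NTLM or prompted you, the SPN problem from the troubleshooting
    # links. 'klist failed' in the output is treated as failure as well,
    # in case the exit code alone is not reliable.
    $klist = & klist.exe get $spn 2>&1 | Out-String
    if ($LASTEXITCODE -eq 0 -and $klist -notmatch 'klist failed') {
        Write-Host "Kerberos: service ticket for $spn obtained"
    } else {
        Write-Host "Kerberos: could not get a ticket for $spn (NTLM fallback?):"
        Write-Host $klist
        # Which account, if any, holds the SPN? 'setspn -Q' searches the forest.
        & setspn.exe -Q $spn
    }
}

# Run on an internal, domain-joined client first, then again from a machine
# that only reaches the ADFS proxy.
Test-AdfsSignon -FederationServiceName 'adfs.contoso.com'
```

Run it first on an internal client against the federation service; then from a machine that only reaches the proxy, where the anonymous request should come back as the forms-based sign-in page instead of a 401 and no Kerberos ticket is expected, because the proxy does not use integrated Windows authentication.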

This blog post gives a better description (and I think it is also where I found the tip): How to test if ADFS in functioning

Troubleshooting

I had some problems with ADFS which are not completely solved yet, but I found some links that might be helpful for someone:

AD FS 2.0: How to Change the Local Authentication Type

AD FS 2.0: How to Configure the SPN (servicePrincipalName) for the Service Account