I'm trying to set up a claims-aware web app development environment. I am new to ADFS 2.0 and ultimately, I want to be able to authenticate against two different domains. I think I am very close but I'm getting a certificate error from one of the ADFS servers.
During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data. The private key for the certificate that was configured could not be accessed.
This error is recorded in the ADFS server event log on domain #1 after I enter credentials in the web app. Even with working credentials, I get passed to a 401 unauthorized access page.
The user account running the ADFS service has permissions to the private key of the certificate so I am not sure why I am getting this error.
What I have done so far:
- Created a server on domain #1 and installed ADFS 2.0
- Created a server on domain #2 and installed ADFS 2.0
- Created a third development server with VS 2010 on domain #1
- Built a simple application on the dev server and made it federation aware (as per http://msdn.microsoft.com/en-us/library/bb897402.aspx); in the web.config, the federation server is set to the server on domain #1
I also haven't set up a Relying Party Trust on either of the ADFS servers. Is this necessary? I can't seem to find any good documentation explaining how this is supposed to work.
I have followed this ( http://blogs.msdn.com/b/alextch/archive/2011/06/27/building-a-test-claims-aware-asp-net-application-and-integrating-it-with-adfs-2-0-security-token-service-sts.aspx ) guide in setting this up, but I feel like there is probably a simple step I have missed somewhere.
To summarize:
- Why might I get that certificate error above?
- Am I missing any steps in setting up ADFS so that I can authenticate against both domains? (I am probably missing a step to link the two ADFS servers together)
Thanks in advance for any help on this. Someone who is familiar with ADFS could probably set this up in matter of minutes!
It looks like what you are trying to do is have a dev server federated with ADFS from domain 1 and then have the ADFS from domain 1 accept tokens from ADFS in domain 2 using a claims provider trust. This way, users from domain 1 and domain 2 will be able to log on and access the dev server's app, provided the claims rules are configured correctly.
So the answer to your 2nd question is to configure a claims provider trust on the ADFS in domain 1 to point to ADFS in domain 2, and claims rules to transform/pass through claims received from ADFS in domain 1. Then the ADFS in domain 2 will also need a relying party trust configured to point to ADFS 1, where you choose what claims to gather and send on.
As for question 1, it definitely looks like the private key for the service communications certificate in ADFS is inaccessible. If you installed the ADFS as a farm, you will have a domain-based service account. If you built it as a standalone ADFS, it will be using the built-in Network Service account. This choice decides how you configure permissions on the cert.
You mention the ADFS role and ADFS 2.0, so I am not sure whether you are using ADFS 2.0 on both servers or the inbuilt role shipped with Windows 2008/R2. Please clarify.
These step-by-step guides should help.
http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(v=ws.10).aspx
For all things ADFS, please see
http://social.technet.microsoft.com/wiki/contents/articles/2735.ad-fs-2-0-content-map.aspx
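The two parts of the answer above (checking who can read the service communications certificate's private key, and wiring the two ADFS 2.0 servers together with a claims provider trust and relying party trusts) as one added PowerShell example. This is not code from the thread or from the linked guides; the host names adfs1.domain1.example and adfs2.domain2.example, the app URL https://devapp.domain1.example/ClaimsApp/, and the trust names are placeholders chosen for the example. It uses the ADFS 2.0 snap-in cmdlets (Get-AdfsCertificate, Add-AdfsClaimsProviderTrust, Add-AdfsRelyingPartyTrust); each function is meant to be run, elevated, on the server named in its comment.

```powershell
# Added example for the thread above, not the poster's or Microsoft's code.
# Assumed (placeholder) names: adfs1.domain1.example, adfs2.domain2.example,
# https://devapp.domain1.example/ClaimsApp/
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Run on the ADFS server that logs the "private key ... could not be accessed"
# error. Reads the ACL of the service communications certificate's key file
# as the account that actually runs ADFS 2.0 (service "adfssrv") sees it,
# and grants Read if it is missing.
function Test-AdfsServiceKeyAccess {
    param([switch]$Fix)
    # Farm install: a domain account. Standalone: "NT AUTHORITY\NetworkService".
    $svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
    $svcSid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
                  [System.Security.Principal.SecurityIdentifier])
    "ADFS service account: $svcAccount ($svcSid)"

    # The thumbprint ties the ADFS configuration to the LocalMachine\My copy.
    $svcCert = Get-AdfsCertificate -CertificateType Service-Communications
    $cert = Get-Item "Cert:\LocalMachine\My\$($svcCert.Thumbprint)"
    if (-not $cert.HasPrivateKey) {
        throw "No private key in LocalMachine\My for $($cert.Thumbprint); re-import the PFX with its key."
    }
    # ADFS 2.0 needs a CAPI RSA key; .PrivateKey is $null for a CNG key.
    $csp = $cert.PrivateKey
    if ($csp -eq $null) {
        throw "Private key is not a CAPI RSA key (CNG?); ADFS 2.0 cannot use it."
    }
    # Machine CAPI keys are files; this NTFS ACL is what "Manage Private Keys" edits.
    $keyPath = Join-Path $env:ProgramData ("Microsoft\Crypto\RSA\MachineKeys\" +
               $csp.CspKeyContainerInfo.UniqueKeyContainerName)
    $acl = Get-Acl -Path $keyPath
    $acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

    $readRight = [System.Security.AccessControl.FileSystemRights]::Read
    $hasRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $readRight) -eq $readRight -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $svcSid
    }
    if ($hasRead) { return "OK: $svcAccount can read the key file $keyPath" }
    if (-not $Fix) { return "MISSING: $svcAccount has no Read on $keyPath (rerun with -Fix)" }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $svcAccount, 'Read', 'Allow')))
    Set-Acl -Path $keyPath -AclObject $acl
    Restart-Service adfssrv
    "Granted Read on $keyPath to $svcAccount and restarted adfssrv"
}

# Claim rules shared by the trusts below (ADFS claim rule language).
$passThrough = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through all claims"
c:[]
 => issue(claim = c);
'@
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Run on adfs1 (domain 1): accept tokens from adfs2 via a claims provider trust,
# and register the dev app as a relying party (without this the app's sign-in
# request is rejected because ADFS does not know the realm).
function Initialize-Domain1Trusts {
    Add-AdfsClaimsProviderTrust -Name "ADFS domain 2" `
        -MetadataUrl "https://adfs2.domain2.example/FederationMetadata/2007-06/FederationMetadata.xml" `
        -AcceptanceTransformRules $passThrough
    Add-AdfsRelyingPartyTrust -Name "Claims dev app" `
        -Identifier "https://devapp.domain1.example/ClaimsApp/" `
        -WSFedEndpoint "https://devapp.domain1.example/ClaimsApp/" `
        -IssuanceTransformRules $passThrough `
        -IssuanceAuthorizationRules $permitAll
}

# Run on adfs2 (domain 2): adfs1 is a relying party here. Look the user up in
# domain 2's AD and send name and UPN, which adfs1 then passes through.
function Initialize-Domain2Trust {
    $sendFromAd = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send name and UPN from domain 2 AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName,userPrincipalName;{0}", param = c.Value);
'@
    Add-AdfsRelyingPartyTrust -Name "ADFS domain 1" `
        -MetadataUrl "https://adfs1.domain1.example/FederationMetadata/2007-06/FederationMetadata.xml" `
        -IssuanceTransformRules $sendFromAd `
        -IssuanceAuthorizationRules $permitAll
}

# Usage: Test-AdfsServiceKeyAccess        (on adfs1; add -Fix to grant Read)
#        Initialize-Domain1Trusts          (on adfs1)
#        Initialize-Domain2Trust           (on adfs2)
```

The ACL check compares SIDs rather than account strings because the service control manager reports the built-in account as "NT AUTHORITY\NetworkService" while the key file's ACL shows it as "NT AUTHORITY\NETWORK SERVICE". Opening the key with `$cert.PrivateKey` requires the caller to have access too, so run the check elevated; if it still fails there, the PFX was most likely imported without its key or with a CNG provider, which ADFS 2.0 does not use.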