Hi All
I’ve just rolled out ADFS 3.0 within my company and everything is working great but now I would like to enable Client certificate authentication and this is where the fun has started.
My environment is the following:
Windows 2012 r2 Domain controller with domain/forest functional level at windows 2012 r2
One domain controller installed as a certificate authority and currently giving out client certificate which is used for client authentication through TMG
ADFS server running windows 2012 r2 which is joined to our domain
ADFS server in the DMZ which is the ADFS proxy server and it in a “WORKGROUP”
Firewall ports which have been opened are HTTP, HTTPS and tcp/49443
When I enable cert auth and try to signin on the following URL (https://sts.my domain.com/adfs/ls/IdpInitiatedSignon.aspx)
I get the following error:
An error occurred
Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information.
Sign in with other options
Error details
Activity ID: 00000000-0000-0000-1601-0080000000f2
Error time: Wed, 10 Dec 2014 13:03:26 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
I’ve tried running this internally (Using chrome as my browser to ensure I get prompted for my users cert) to avoid firewall issues with the above result.
When I have a look at the event viewer on the ADFS server the following is logged:
Level: Error
Source: AD FS
Event ID: 364
Task Category: None
Gerneral:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
http://sts..com/adfs/services/trust
Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: There is a problem with the X509Certificate provided by the client. The error code is: -2146885613
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)
I’m now at a loss as what else I should try to get this working. Can anyone advise how I should proceed or how I should be troubleshooting this problem?
Many thanks in advance
解决方案Is the UPN field on the certificate populated with the user's userPrincipalName? Are the usage flags, EKUs, CRL, and all the other bits on the cert proper and appropriate for ADFS's particular requirements?
450
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
