ADFS 3.0 & idpinitiatedsignon.aspx
I realize that with ADFS 3.0, Microsoft has done away with a number of things since ADFS 2.1 including using http.sys as the basis for the ADFS "website" versus using IIS. (http://blog.auth360.net/2013/09/13/first-impressions-ad-fs-and-windows-server-2012-r2-part-i/)
With 2.1, a person could modify idpinitiatedsignon.aspx. In ADFS 3.0, is all the information that was in that .aspx file now in http.sys, or has it been broken down into other areas? Any information would be greatly appreciated.
Thank you.
Hi,
Any update about the issue?
Meanwhile, for this issue, I think you may ask in:
http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
Regards.
Vivian Wang
Similar Messages
-
I am planning to install ADFS proxy on Azure platform what are the options available to protect it and how to achieve the same.
Hi,
If you want to deploy ADFS proxy on Azure VMs, I recommend you to create 2 VMs of ADFS proxy in an availability set for redundancy reasons.
For more detailed information, you can refer to the article below:
http://blogs.technet.com/b/abizerh/archive/2013/11/19/adfs-on-azure-vms.aspx
Best regards,
Susie
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Does Siebel Management Server support multiple gateway servers/Siebel servers?
Hello,
Does Siebel Management Server support multiple gateway servers and Siebel servers when running getservers.pl?
Does the Siebel Management Agent service run under the Windows 2008 OS?
Cheers
Kota
Hi,
In addition to making sure Agent Proxy on all AD FS servers is enabled, please also verify that the IIS 6 Management Compatibility and
IIS 6 Metabase Compatibility role services are installed. (Some AD FS 2.0 scripts depend on Internet Information Services (IIS) Windows Management Instrumentation (WMI) objects being installed.)
Here are two links for your reference:
Discovery Does Not Work in ADFS 2012 R2 MP
http://blogs.technet.com/b/omx/archive/2014/05/07/discovery-does-not-work-in-adfs-2012-r2-mp.aspx
http://scug.be/christopher/2012/03/07/opsmgr-scom-adfs-2-0-mp-discovery-issue/
Regards,
Yan Li
Regards, Yan Li -
Using ADFS with SharePoint Foundation 2013?
We have a WSS 3.0 web site used primarily for sharing documents with business partners who do not work for our company. We plan on doing the 2 step upgrade to SharePoint Foundation 2013
Our internal users also use it but normally just use internal network file shares if they aren't planning to share the documents with external users.
Each business partner's company has a sub site within our main WSS site and documents are uploaded to that section of the site if we want to share documents with employees of that company.
Since we use AD for authentication, to make this work, we create AD user accounts for each external user and add them to a security group that gives them access to only their company's subsite on the main site.
We have to maintain their passwords, reset them and delete/disable them when that person no longer needs access. Each business partner has a limit on the number of users who can get one of our AD accounts due to limits on the number of CALs available
to them. It is messy because these users often forget their passwords since they aren't using these accounts every day.
Is there a better way to do this so that we no longer have create and maintain user accounts for external users other than having to do a domain trust with all these other domains?
I have heard of ADFS, but will it allow us to still control which sites and documents the external company users can access if we are not creating and managing the accounts and adding them to the correct security groups ourselves?
We don't want every user from the partner's domains to be able to access the site. If we use ADFS, how do we keep control of which external users have access to the site?
Yes, you would add permissions just the same way you do with users from your local Active Directory. And yes, if you choose the email address to be the user's identifier, you would simply ask for the email addresses that you wanted and input those to the
appropriate permissions on your SharePoint sites.
You'll want to take a look at this:
http://blogs.msdn.com/b/russmax/archive/2013/10/31/guide-to-sharepoint-2013-host-name-site-collections.aspx
Also another thing to keep in mind is that you'll need to have those 3rd parties set up ADFS themselves, and you'll create an ADFS Trust between you and the 3rd party.
Trevor Seward
Follow or contact me at...
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use claims-based auth with the certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
When I log into my site using Windows Auth, everything is great. However, when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want
to use to log in, and after 3-5 seconds
it returns me to the logon page with the error message "Authentication failed".
I based my setup on the TechNet article
http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
I validated that all my certificates are valid and able to retrieve the CRL.
I got event ID 300 in the event log:
The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
trustNamespace, AsyncCallback callback, Object state)
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
thx
Stef71
This is perfectly correct in my case: I was not adding the root properly. You must add the CA and the ADFS certificate as well, which is twice; you can see my results below.
In my case it was:
PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ad0001.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
Certificate : [Subject]
CN=domain.AD0001CA, DC=domain, DC=com
[Issuer]
CN=domain.AD0001CA, DC=portal, DC=com
[Serial Number]
blablabla
[Not Before]
22/07/2014 11:32:05
[Not After]
22/07/2024 11:42:00
[Thumbprint]
blablabla
Name : domain.ad0001
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : domain.ad0001
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17164
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
cer\SP2K10\ADFS_Signing.cer")
PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
Certificate : [Subject]
CN=ADFS Signing - adfs.domain
[Issuer]
CN=ADFS Signing - adfs.domain
[Serial Number]
blablabla
[Not Before]
23/07/2014 07:14:03
[Not After]
23/07/2015 07:14:03
[Thumbprint]
blablabla
Name : Token Signing Cert
TypeName : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
DisplayName : Token Signing Cert
Id : blablabla
Status : Online
Parent : SPTrustedRootAuthorityManager
Version : 17184
Properties : {}
Farm : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties : {}
PS C:\Users\administrator.PORTAL> -
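The ID4070 error above is the result of a chain build on the federation server. As an added example (not code from this thread), the following PowerShell reproduces that chain build for a client certificate so you can see which element is the untrusted one before touching any SharePoint or ADFS configuration. The certificate path is a placeholder; the function and its name are this example's own.

```powershell
# Added example, not from the thread. Rebuild the chain for a client certificate the way
# ADFS does before issuing a token, and report which element fails and why.
# Assumption: $CertPath points at the user's certificate exported without its private key.
function Test-ClientCertificateChain {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        # NoCheck mirrors an environment where the CRL cannot be fetched, so trust
        # problems (UntrustedRoot, PartialChain) can be separated from revocation problems.
        [switch]$SkipRevocation
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $mode  = if ($SkipRevocation) { 'NoCheck' } else { 'Online' }
    $chain.ChainPolicy.RevocationMode = $mode
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $valid = $chain.Build($cert)

    $elements = foreach ($element in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $element.Certificate.Subject
            Issuer     = $element.Certificate.Issuer
            Thumbprint = $element.Certificate.Thumbprint
            NotAfter   = $element.Certificate.NotAfter
            # empty for a good element; UntrustedRoot / PartialChain / RevocationStatusUnknown otherwise
            Status     = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    [pscustomobject]@{
        Valid    = $valid
        Summary  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        Elements = $elements
    }
}

# Usage (placeholder path). An 'UntrustedRoot' status on the last element means the root CA
# is not in the Trusted Root Certification Authorities store of the computer running this
# (for ADFS, the federation server); 'PartialChain' means an intermediate CA certificate is
# missing from the Intermediate Certification Authorities store.
$report = Test-ClientCertificateChain -CertPath 'C:\cer\user.cer' -SkipRevocation
$report.Valid
$report.Summary
$report.Elements | Format-Table -AutoSize
```

The validator named in the stack trace (X509NTAuthChainTrustValidator) additionally expects the issuing CA to be present in the enterprise NTAuth store, which X509Chain does not check; `certutil -store -enterprise NTAuth` lists that store on a domain-joined server.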
ADFS 3.0 - Web Application Proxy configuration Issue
Hi All,
We are in the process of implementing ADFS 3.0 published to the internet for o365 Federation purposes.
The setup consists of the following
- 2 x windows 2012 R2 running ADFS 3.0 ( only one server presently installed and configured though)
- 2 x Windows 2012 R2 Running Web Application Proxy ( only one server presently installed and configured though ).
There is an F5 Big-IP load-balancer for both internal and external interfaces and it has been configured after a lot of issues with the SNI part on the F5.
So, in short the setup is now a single server hosting ADFS 3.0 using SQL and a single WAP server, however the traffic to these servers are still going through the LB.
Now the issue is that I cannot complete the installation/configuration of the Web Application Proxy server. There is a firewall in between our DMZ and the internal network. I can reach the internal services via the following URL and telnet on port 443
to the federation service as well (ports 443 and 80 are opened to the internal network on the load balancer IP). I can reach https://fs.domain.com/adfs/ls/idpinitiatedsignon.aspx and the federationmetadata/2007-06/federationmetadata.xml location as well
from the Web Application Proxy server without any issues or certificate prompts at all.
When I do the configuration for WAP, I use the same account which was used as a service account for the ADFS service internally. If I use a local admin account, it errors out with another message stating the connection was closed.
The certificate on the internal server along with its private key was exported and has been imported on the WAP server. This is not an internal CA; instead we are using DigiCert SSL with SAN names for enterprise registration and work folders. Hence the CA chain
issue is ruled out, and also this is not a wildcard certificate.
When the wizard starts configuring, it does establish the trust with the federation service, which shows up in the event viewer with EventID 391. Within 15 seconds I get another event ID 422 which states that it cannot retrieve the proxy configuration,
and event ID 276 on the federation server which states the authentication failure. This continues until the server stops trying to configure the wizard.
I have read all the available threads on the 3.0 WAP installation/configuration problem and tried all the steps possible, but I am still stuck with this issue.
There is one more part that I noticed on the ADFS server: the token-encrypting and token-decrypting certificates are self-signed. Also, in the certificates snap-in they were showing up as not trusted, and I installed them to the Trusted Root
Certification store, after which I cannot see any private key showing up when viewing the certificate, which means I cannot get the Manage Private Keys option when right-clicking on the cert to assign read permissions for the ADFS service account.
Should I assign the same SSL certificate (SAN based for enterprise registration & Work Folders) to the token-encrypting and token-decrypting services in the ADFS console, or should I leave them as self-signed? I did read that self-signed is not recommended for
production environments. If not the same certificate, what are the requirements for the certificate?
I am not sure what I am missing in the configuration that is causing this issue. The WAP servers are not part of the domain, and I have also ensured the time synchronization with the domain machines as well.
The service name is fs.domain.com on both the internal and external DNS (we have domain.com as a zone in DNS internally as well). I am able to authenticate inside and from the WAP server when accessing the link.
Could it be a load balancer configuration? [I will try eliminating this from the configuration]
Let me know if there are any options that I can try to resolve this and get the configuration working.
Cheers,
Does the load balancer pass the certificate session through to the ADFS server, or are you offloading SSL? SSL offload does not work with WAP/ADFS integration (at least at the time of writing it does not).
Can you try through the load balancer with SSL pass through turned off please.
Also as ADFS 3.0 (Server 2012 R2) uses Server Name Indication (SNI) then any health checks that run on the load balancer must support this, so if they do not then you need to use TCP 443 checks for a listening port, as doing a standard HTTPS check will fail,
and if the load balancer fails its checks whilst you are configuring ADFS that might be a reason why it has gone offline for you (error 442 is to do with failure to swap client certificates between WAP and ADFS).
Finally, check the June update to Server 2012 R2 (http://support.microsoft.com/kb/2964735) as that has fixed some certificate issues with multiple servers for WAP and ADFS when you don't have the
2012 R2 AD schema in place.
Brian Reid
Exchange MVP and Exchange and Office 365 Certified Master
www.c7solutions.com
Brian Reid C7 Solutions Ltd (www.c7solutions.com) -
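The SNI point in Brian's reply is easy to verify from the WAP server or from a monitoring host. As an added example (not code from this thread), the PowerShell below contrasts the plain TCP 443 check a non-SNI load balancer monitor can safely use with a TLS handshake that carries the host name in the SNI extension, which is what a browser sends. fs.domain.com is the placeholder name from the thread; the function names are this example's own.

```powershell
# Added example, not from the thread. Compare the two probe styles discussed above.
# Assumption: $FederationService is the federation service name (placeholder from the thread).
$FederationService = 'fs.domain.com'
$Port = 443

function Test-TcpListener {
    # Plain TCP check: only proves that http.sys has a listener on the port.
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($HostName, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}

function Get-TlsEndpointInfo {
    # TLS handshake that carries $SniName in the Server Name Indication extension,
    # which is how ADFS 3.0 on http.sys selects the certificate to present.
    # Pass the VIP address as $SniName to see what a probe without the real name gets.
    param([string]$HostName, [int]$Port, [string]$SniName = $HostName)
    $client = $null
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        # Accept any certificate here: the goal is to inspect what is served, not to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($SniName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 2.5.29.17 is the Subject Alternative Name extension; the SAN list is what the
        # thread's DigiCert certificate relies on for enterpriseregistration and Work Folders.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        [pscustomobject]@{
            SniName  = $SniName
            Success  = $true
            Subject  = $cert.Subject
            SanNames = $san
            NotAfter = $cert.NotAfter
            Protocol = $ssl.SslProtocol
            Error    = $null
        }
    } catch {
        [pscustomobject]@{
            SniName = $SniName; Success = $false; Subject = $null; SanNames = $null
            NotAfter = $null; Protocol = $null; Error = $_.Exception.Message
        }
    } finally {
        if ($client) { $client.Close() }
    }
}

# Usage: the TCP check is what a load balancer monitor without SNI support should do;
# the TLS probe shows what a browser (or an SNI-capable monitor) actually receives.
"TCP $Port listening: " + (Test-TcpListener -HostName $FederationService -Port $Port)
Get-TlsEndpointInfo -HostName $FederationService -Port $Port | Format-List
```

A handshake that succeeds with the service name but fails (or returns a different certificate) when $SniName is the VIP address is the symptom a non-SNI HTTPS health check would report as "down".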
ADFS 3.0 WAP and Non-Claims-Aware Relying Party Trusts
I am attempting to migrate a Windows Claims SharePoint page to ADFS 3.0 (Windows Server 2012 R2) and the WAP (Web Application Proxy) from UAG, but am running into problems when our external users attempt to authenticate. Users from our external
domain (call it Domain2.com) have been accessing our SharePoint pages via SAML tokens, but when I attempted to move them to the new WAP and off of UAG, they get an HTTP 500 error. The WAP error log gives the following:
Warning Event ID 13016 - Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because there is no UPN in the edge token or in the access cookie
Error Event ID 12027 - Web Application Proxy encountered an unexpected error while processing the request. Error: The specified username is invalid. (0x8007089a).
I presume the Error Event ID 12027 is because there is no UPN in the token and we are using KCD/Kerberos, so I need to pass a UPN.
The ADFS server and WAP are joined to Domain1.com. Domain1.com is Active Directory and there is an account for every user in Domain2.com that is allowed access to our SharePoint sites. These accounts contain the standard
info... UPN, email address, sAMAccountName, etc. The UPN, email, and sAMAccountName do not always match the Domain2.com accounts; however, we have been using an Active Directory field labeled employeeNumber that is synchronized
on both domains, and we have been using a custom lookup based on the employeeNumber in AD.
When logins occur via Domain1.com, no problem: the UPN is pulled from the Active Directory Claims Provider Trust. When a user attempts to access from Domain2.com, we have configured ADFS to forward them to an STS that collects the employeeNumber
from Domain2.com via a Web Auth SAML token. We are able to use the SAML token if we use the standard Claims-Aware Relying Party Trust (CARPT) and convert our SharePoint sites to use the trusted URN via PowerShell scripts, but we are trying to retain
functionality similar to how we are using UAG, so we don't want to change every single SharePoint site to the SAML configuration; hence we are trying to use the Non-Claims-Aware Relying Party Trust (NCARPT).
Problem 1: When we are using CARPT we can configure the custom translation for our employeeNumber lookup in AD. But CARPT uses SAML tokens, not Kerberos tokens, so we cannot log in when SharePoint is configured for Kerberos.
Problem 2: When we are using NCARPT it works great when authenticating via local (Domain1.com) credentials and looks up the user in AD, but when we attempt to authenticate with remote (Domain2.com) credentials we are unable to configure the employeeNumber
lookup, and ADFS doesn't just go out and make that correlation on its own.
Question 1: Can I configure CARPT to use Kerberos?
Question 2: If not, can I configure NCARPT to look up the AD employeeNumber, match the UPN, and add the UPN to the token?
Question 3: If neither option is available, am I just stuck with UAG, or is there something out there (not scheduled for EOL) that can handle the translation between SAML and Kerberos tokens?
Let me know if I left something out; I tend to ramble, but I'm not sure of all the info that is needed...
Hi,
Based on the description, is there trust between domain 1 and domain 2? If not, we can try to create trust between these two domains to see if it helps.
Regarding Event ID 13016 and Event ID 12027, the following article can be referred to for more information.
Web Application Proxy Troubleshooting
https://technet.microsoft.com/en-us/library/dn770156.aspx
Besides, for ADFS questions, in order to get more and better help, it's recommended that we ask for suggestions in the following forum.
Claim based access platform (CBA), code-named Geneva
https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
ADFS 3.0 Windows Authentication not working
I recently upgraded from ADFS 2.1 and TMG 2010 as the reverse proxy to ADFS 3.0 and Web Application Proxy as the reverse proxy. I have upgraded to ADFS 3.0 successfully and it is working without anything changing for the end users. This is still
using TMG 2010 as the reverse proxy.
When I make the changes to use WAP as the reverse proxy, I get prompted with a forms-based authentication page instead of the usual Windows authentication screen. This poses a problem since this creates an extra step for people when logging on to our
sites that use SSO, since there's no "save password" box. I can move the traffic back to TMG and it's back to working like it should, but we are looking to remove TMG very soon.
When I am on the "inside" network connecting to ADFS without the reverse proxy, it works just fine. However, ALL of our users are "outside" of the network and will be using the reverse proxy. None of the computers are domain joined.
The issue seems to only be when using the Web Application Proxy server to service ADFS SSO requests; TMG servicing these requests does not have this issue.
What's the difference? How can I get this functionality back with WAP?
Hi Eric,
Based on my research, when publishing applications that use Integrated Windows authentication, the Web Application Proxy server uses Kerberos constrained delegation to authenticate users
to the published application.
To use Integrated Windows authentication, the Web Application Proxy server must be joined to an AD DS domain.
More information for you:
Web Application Proxy: Some applications are configured to perform backend authentication using Integrated Windows authentication but the server is not joined to a domain
http://technet.microsoft.com/en-us/library/dn464299.aspx
Best Regards,
Amy -
ADFS- SharePoint 2013 ( Active Directory federation Services)
Can you please brief me on the scenarios in which we go for ADFS in SharePoint 2013.
We have external users; for them we create accounts in our AD and then provide access to SP. I am not sure if the external users' directory is LDAP or Windows AD. Please explain in detail if ADFS can be leveraged in this scenario to provide access for external
users to our internal domain SharePoint site. Or, in other words, in which scenario does ADFS come into the picture?
Most of the blogs talk about how to configure ADFS but do not explain in what scenario and why it has been implemented.
Thanks, Ram Ch
Hi
You can use AD FS with the Windows Server 2012, Windows Server 2008, or Windows Server 2008 R2 operating systems to build a federated identity management solution that extends distributed identification,
authentication, and authorization services to web-based applications across organization and platform boundaries. By deploying AD FS, you can extend your organization’s existing identity management capabilities to the Internet.
AD FS 2.0 enables identity federation, extending the notion of centralized authentication, authorization, and single sign-on described above to Web applications and services located virtually anywhere.
As previously introduced, identity federation relies on standards-based protocols to establish federation trusts between claims providers and relying parties, facilitating secure access to Web
applications and services across security boundaries.
For an organization, AD FS 2.0 provides corporate users with a rich federated experience and seamless access to resources located:
- Inside the corporate intranet;
- Outside the corporate network in a corporate perimeter network, extranet and/or in the Cloud, for example in the Microsoft Windows Azure platform, Microsoft's Platform as a Service (PaaS) offering;
- At the perimeter networks of partner organizations that have made resources available to the considered organization’s users;
- In the Cloud with Software as a Service (SaaS) vendors that support federated identity
More Information:
http://blogs.technet.com/b/abizerh/archive/2013/04/11/more-information-about-sso-experience-when-authenticating-via-adfs.aspx
Please follow below mentioned article to configure ADFS for your scenario:
https://samlman.wordpress.com/2015/02/28/configuring-sharepoint-2010-and-adfs-v2-end-to-end/ -
Upgrade from ADFS 2.1 to ADFS 3.0 and stay on Windows Server 2012 (not R2)
Hello,
Could you tell me if this is possible? We need to stay on the same OS, 2012 (not R2).
Are the 2 versions compatible, i.e if we upgrade the secondary to ADFS 3.0 will the primary on ADFS 2.1 still sync to it, and will the farm respond on either host?
Thanks,
Tim
The upgrade procedure is described here: http://blogs.technet.com/b/askpfeplat/archive/2014/03/31/how-to-build-your-adfs-lab-part4-upgrading-to-server-2012-r2.aspx
More if you ask them in this forum: https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
My Website Link
My Linkedin Profile
My MVP Profile -
Hi,
I want to set up an outbound hybrid search from SharePoint 2013 on-premise to SharePoint Online.
But I'm not sure if this works with ADFS SSO.
Has somebody experience with this setup?
Here's my guide which I'm going to use for this installation:
Introduction
In this post I'll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.
Requirements
User synchronisation ActiveDirectory to Office 365 with DirSync
DirSync password sync or ADFS SSO
SharePoint Online
SharePoint 2013 on-premise
Enterprise Search service
SharePoint Online Management Shell
Instructions
All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.
Set up Server to Server Trust
Export certificates
To create a server to server trust we need two certificates.
[certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.
[certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.
First launch the Internet Information Services (IIS) Manager
Select your SharePoint web server and double-click Server Certificates
In the Actions pane, click Create Self-Signed Certificate
Enter a name for the certificate and save it with OK
To export the new certificate in the Pfx format select it and click Export in the Actions pane
Fill the fields and click OK. Export to: C:\[certificate name].pfx, Password: [password]
We also need to export the certificate in the CER Base64 format. For that purpose, right-click the certificate and click View...
Click the Details tab and then click Copy to File
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, click Next
On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
As file name enter C:\[certificate name].cer and then click Next
Finish the export
Import the new STS (SharePoint Token Service) certificate
Let's update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.
[code lang="ps"]
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"
# get the encrypted pfx certificate object (20 = X509KeyStorageFlags Exportable | PersistKeySet)
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# import it as the new STS signing certificate
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert
[/code]
Type Yes when prompted with the following message:
"You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?"
Restart IIS so the STS picks up the new certificate.
[code lang="ps"]
& iisreset
& net stop SPTimerV4
& net start SPTimerV4
[/code]
Now validate the certificate replacement by running the following PowerShell commands and comparing their outputs (the thumbprints must match).
[code lang="ps"]
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
# get the encrypted pfx certificate object
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# compare the output above with this output
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
[/code]
Establish the server to server trust
[code lang="ps"]
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
Import-Module MSOnline
Import-Module MSOnlineExtended
# set the certificate paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"
# set the on-premise domain that you added to Office 365
$SPCN = "sharepoint.domain.com"
# your on-premise SharePoint site url
$SPSite="http://sharepoint"
# don't change this value: it is the well-known application id of SharePoint Online
$SPOAppID="00000003-0000-0ff1-ce00-000000000000"
# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20
# get the raw data
$PfxCertBin = $PfxCert.GetRawCertData()
# create a new certificate object
$X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
# import the base 64 encoded certificate
$X64Cert.Import($X64CertPath)
# get the raw data
$X64CertBin = $X64Cert.GetRawCertData()
# save base 64 string in variable
$CredValue = [System.Convert]::ToBase64String($X64CertBin)
# connect to Office 365
Connect-MsolService
# register the on-premise STS certificate as a verification credential of the SharePoint Online service principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
# add the on-premise host name as a service principal name
$MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
$SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames
# get the online name identifier
$MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
$MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
$MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"
# establish the trust from on-premise with ACS (Azure Access Control Service)
# add a new authentication realm
$SPSite = Get-SPSite $SPSite
$SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $MsolServicePrincipalID
# register the ACS application proxy and token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"
[/code]
Add a new result source
To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don't forget to update the settings region
if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
# region settings
$RemoteSharePointUrl = "http://[example].sharepoint.com"
$ResultSourceName = "SharePoint Online"
$QueryTransform = "{searchTerms}"
# display name of the remote SharePoint provider as listed by $FederationManager.ListProviders() (localized; this is the German name)
$Provider = "SharePoint-Remoteanbieter"
# region settings end
$SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
$FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
$SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa
$ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
if(!$ResultSource){
    Write-Host "Result source does not exist. Creating..."
    $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
    $ResultSource.Name = $ResultSourceName
    $ResultSource.ProviderId = $FederationManager.ListProviders()[$Provider].Id
    $ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
    $ResultSource.CreateQueryTransform($QueryTransform)
    $ResultSource.Commit()
}
Add a new query rule
In the Search Administration click on Query Rules
Select Local SharePoint as Result Source
Click New Query Rule
Enter a Rule name, e.g. Search results from SharePoint Online
Expand the Context section
Under Query is performed on these sources click on Add Source
Select your SharePoint Online result source
In the Query Conditions section click on Remove Condition
In the Actions section click on Add Result Block
As title enter Results for "{subjectTerms}" from SharePoint Online
In the Search this Source dropdown select your SharePoint Online result source
Select 3 in the Items dropdown
Expand the Settings section and select "More" link goes to the following URL
In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
Select This block is always shown above core results and click the OK button
Save the new query rule
Hi Janik,
According to your description, my understanding is that you want to display hybrid search results in SharePoint Server 2013.
For achieving your demand, please have a look at the article:
http://technet.microsoft.com/en-us/library/dn197173(v=office.15).aspx
If you are using single sign-on (SSO) authentication, it is important to test hybrid Search functionality by using federated user accounts. Native Office 365 user accounts and Active Directory Domain Services
(AD DS) accounts that are not federated are not recognized by both directory services. Therefore, they cannot authenticate using SSO, and cannot be granted permissions to resources in both deployments. For more information, see Accounts
needed for hybrid configuration and testing.
Best Regards,
Eric
Eric Tao
TechNet Community Support -
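A check to run after the service principal registration script above, as an added example that is not part of Janik's post or of Microsoft's scripts: it lists the credentials registered on the SharePoint Online service principal, decodes each asymmetric key back into a certificate, and confirms that the only Verify key is the on-premises STS certificate. It assumes the MSOnline module with an open Connect-MsolService session; $SPOAppID and $X64CertPath are placeholders for the values the post's settings region defines.

```powershell
# Added example (not from the original post): audit the Verify credentials on the
# SharePoint Online service principal and confirm only the expected STS cert is present.
# Assumptions: MSOnline module loaded, Connect-MsolService already run.
$SPOAppID    = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online app id (assumed to match the post's $SPOAppID)
$X64CertPath = "C:\certs\sts-signing.cer"               # exported STS signing certificate (placeholder path)

function Get-SPOVerifyCredentialReport {
    param(
        [Parameter(Mandatory)][string]$AppPrincipalId,
        [Parameter(Mandatory)][string]$ExpectedCertPath
    )
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $expected.Import($ExpectedCertPath)

    # -ReturnKeyValues $true is needed to get the base64 public key material back
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true

    foreach ($c in $creds) {
        $thumb = $null; $subject = $null; $notAfter = $null
        if ($c.Type -eq "Asymmetric" -and $c.Value) {
            try {
                # the Value is the base64 DER certificate registered by New-MsolServicePrincipalCredential
                $bytes = [Convert]::FromBase64String($c.Value)
                $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
                $thumb = $cert.Thumbprint; $subject = $cert.Subject; $notAfter = $cert.NotAfter
            } catch { $subject = "<undecodable>" }
        }
        [pscustomobject]@{
            KeyId      = $c.KeyId
            Type       = $c.Type
            Usage      = $c.Usage
            Subject    = $subject
            Thumbprint = $thumb
            NotAfter   = $notAfter
            EndDate    = $c.EndDate
            Expected   = ($thumb -eq $expected.Thumbprint)
            Expired    = ($c.EndDate -lt (Get-Date))
        }
    }
}

$report = Get-SPOVerifyCredentialReport -AppPrincipalId $SPOAppID -ExpectedCertPath $X64CertPath
$report | Format-Table KeyId, Usage, Subject, NotAfter, Expected, Expired -AutoSize

# Every Verify key is a signer whose server-to-server tokens SharePoint Online will accept,
# so anything other than the known STS certificate deserves an explanation.
$unexpected = $report | Where-Object { $_.Usage -eq "Verify" -and -not $_.Expected }
if ($unexpected) { Write-Warning "Unexpected Verify credentials on $SPOAppID : $($unexpected.KeyId -join ', ')" }
if (-not ($report | Where-Object Expected)) { Write-Warning "Expected STS certificate is not registered on $SPOAppID" }
# A stale key is removed with Remove-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -KeyIds <KeyId>
# once you have confirmed nothing still signs with it (deliberately not run here).
```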
Why i can't open adf.ly window?
I don't understand what is going on with my Mozilla. Every time I open the site "adf.ly" it doesn't work; there is always a message like this in my Mozilla window: 'Firefox can't establish a connection to the server at adf.ly'. So what is wrong with my Mozilla? I already checked my internet connection but there is no problem with it. Thanks in advance.
The old version is http://v1.adf.ly/
TLD names are always case insensitive, only the appended path name is case sensitive.
You can try these steps in case of issues with web pages:
You can reload web page(s) and bypass the cache to refresh possibly outdated or corrupted files.
*Hold down the Shift key and left-click the Reload button
*Press "Ctrl + F5" or press "Ctrl + Shift + R" (Windows,Linux)
*Press "Command + Shift + R" (Mac)
Clear the cache and remove cookies only from websites that cause problems.
"Clear the Cache":
*Firefox/Tools > Options > Advanced > Network > Cached Web Content: "Clear Now"
"Remove Cookies" from sites causing problems:
*Firefox/Tools > Options > Privacy > "Use custom settings for history" > Cookies: "Show Cookies"
Start Firefox in Safe Mode to check if one of the extensions (Firefox/Tools > Add-ons > Extensions) or if hardware acceleration is causing the problem.
*Switch to the DEFAULT theme: Firefox/Tools > Add-ons > Appearance
*Do NOT click the Reset button on the Safe Mode start window
*https://support.mozilla.org/kb/Safe+Mode
*https://support.mozilla.org/kb/Troubleshooting+extensions+and+themes
Do a malware check with several malware scanning programs on the Windows computer.
Please scan with all programs because each program detects different malware.
All these programs have free versions.
Make sure that you update each program to get the latest version of their databases before doing a scan.
*Malwarebytes' Anti-Malware: http://www.malwarebytes.org/mbam.php
*AdwCleaner: http://www.bleepingcomputer.com/download/adwcleaner/ or http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
*SuperAntispyware: http://www.superantispyware.com/
*Microsoft Safety Scanner: http://www.microsoft.com/security/scanner/en-us/default.aspx
*Windows Defender: http://windows.microsoft.com/en-us/windows/using-defender
*Spybot Search & Destroy: http://www.safer-networking.org/en/index.html
*Kaspersky Free Security Scan: http://www.kaspersky.com/security-scan
You can also do a check for a rootkit infection with TDSSKiller.
*Anti-rootkit utility TDSSKiller: http://support.kaspersky.com/5350?el=88446
See also:
*"Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
*https://support.mozilla.org/kb/troubleshoot-firefox-issues-caused-malware -
ADFS 3.0 - Internal Server Error 500, Event ID 342
Hello all,
I have trouble testing ADFS 3.0 (Windows Server 2012 R2) in a clean test Azure VM environment.
First, I did a standard setup (DC and a separate ADFS server machine) with all the default settings, letting the wizard set up a gMSA service account for the ADFS service. It did not quite work – details below. Then I reinstalled ADFS following this setup guide:
http://www.schmarr.com/Blog/Post/12/Installing-Windows-2012-R2-Server-ADFS-Service-
It did not help.
Here is what happens: when I try to request a SAML security token by calling /adfs/services/trust/13/UsernameMixed, the server responds with HTTP error 500 - internal server error, while a call to /FederationMetadata/2007-06/FederationMetadata.xml returns the expected result.
Please advise. I have no clue what could be wrong. Log messages below.
Tomasz
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:08:41.247349800Z" />
<EventRecordID>9004</EventRecordID>
<Correlation />
<Execution ProcessID="536" ThreadID="1212" />
<Channel>Security</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-2610119604-2933780250-1221947404-1111</Data>
<Data Name="SubjectUserName">ADFSManaged$</Data>
<Data Name="SubjectDomainName">MYTESTDOMAIN</Data>
<Data Name="SubjectLogonId">0x145e9f</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">user</Data>
<Data Name="TargetDomainName" />
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc0000064</Data>
<Data Name="LogonType">3</Data>
<Data Name="LogonProcessName">W</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">MOBTSTVMADFS0</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x5cc</Data>
<Data Name="ProcessName">C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>342</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2014-07-29T13:08:41.247349800Z" />
<EventRecordID>164</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1492" />
<Channel>AD FS/Admin</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
<Data>user-The user name or password is incorrect</Data>
<Data>System.IdentityModel.Tokens.SecurityTokenValidationException: user ---> System.ComponentModel.Win32Exception: The user name or password is incorrect --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken
token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7136</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>0</DataPageIndex>
<Data>Source : System.ServiceModel EventId : 131075 Data : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing
an exception.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Exception><ExceptionType>System.Net.Sockets.SocketException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>An
existing connection was forcibly closed by the remote host</Message><StackTrace> at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state) at System.ServiceModel.Channels.SocketConnection.CloseAsyncAndLinger()
at System.ServiceModel.Channels.SocketConnection.Close(TimeSpan timeout, Boolean asyncAndLinger) at System.ServiceModel.Channels.BufferedConnection.Close(TimeSpan timeout, Boolean asyncAndLinger) at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.CloseIdleConnection(TItem
connection, TimeSpan timeout) at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.TakeConnection(TimeSpan timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan
timeout) at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan
timeout) at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade) at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout) at System.Se</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7137</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>1</DataPageIndex>
<Data>rviceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall,
ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type) at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData
filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter
filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory) at Microsoft.IdentityServer.PolicyModel.Client.PolicyManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GetConfiguredClaims(ServiceState
state) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GenerateMetadata(ServiceState state) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result) at System.Net.LazyAsyncResult.Complete(IntPtr
userToken) at System.Net.ListenerAsyncResult.IOCompleted(ListenerAsyncResult asyncResult, UInt32 errorCode, UInt32 numBytes) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace><ExceptionString>System.Net.Sockets.SocketException (0x80004005): An existing connection was forcibly closed by the remote host</ExceptionString><NativeErrorCode>2746</NativeErrorCode></Exception></TraceRecord>
ProcessId : 1484 ThreadId : 41</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7138</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>0</DataPageIndex>
<Data>Source : System.ServiceModel EventId : 262256 Data : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Channels.TcpConnectionResetError.aspx</TraceIdentifier><Description>The
socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:00.0000001'.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><ExtendedData
xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/MessageTraceRecord"></ExtendedData><Exception><ExceptionType>System.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>The
socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:00.0000001'.</Message><StackTrace>
at System.ServiceModel.Channels.SocketConnection.ConvertTransferException(SocketException socketException, TimeSpan timeout, Exception originalException, TransferOperation transferOperation, Boolean aborted, String timeoutErrorString, TransferOperation timeoutErrorTransferOperation,
SocketConnection socketConnection, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.ConvertReceiveException(SocketException socketException, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32
offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state) at System.ServiceModel.Channels.SocketConnection.CloseAsyncAndLinger() at System.ServiceModel.Channels.SocketConnection.Close(TimeSpan timeout, Boolean asyncAndLinger) at System.ServiceModel.Channels.BufferedConnection.Close(TimeSpan
timeout, Boolean</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7139</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>1</DataPageIndex>
<Data>asyncAndLinger) at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.CloseIdleConnection(TItem connection, TimeSpan timeout) at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.TakeConnection(TimeSpan
timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout) at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan
timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan
timeout, CallOnceManager cascade) at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs,
TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp;
msgData, Int32 type) at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32
maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
at Microsoft.IdentityServer.PolicyModel.Client.PolicyManager.Searc</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7140</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>2</DataPageIndex>
<Data>h(Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GetConfiguredClaims(ServiceState state) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GenerateMetadata(ServiceState
state) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result) at System.Net.LazyAsyncResult.Complete(IntPtr userToken) at System.Net.ListenerAsyncResult.IOCompleted(ListenerAsyncResult asyncResult, UInt32
errorCode, UInt32 numBytes) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP) </StackTrace><ExceptionString>System.ServiceModel.CommunicationException: The socket
connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:00.0000001'. ---&gt; System.Net.Sockets.SocketException:
An existing connection was forcibly closed by the remote host at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state) --- End of inner exception stack trace ---</ExceptionString><InnerException><ExceptionType>System.Net.Sockets.SocketException,
System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>An existing connection was forcibly closed by the remote host</Message><StackTrace> at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32
offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state)</StackTrace><ExceptionString>System.Net.Sockets.SocketException (0x80004005): An existing connection was forcibly closed by the remote host at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32
offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state)</Exception</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7141</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>3</DataPageIndex>
<Data>String><NativeErrorCode>2746</NativeErrorCode></InnerException></Exception></TraceRecord> ProcessId : 1484 ThreadId : 41</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7142</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>0</DataPageIndex>
<Data>Source : System.ServiceModel EventId : 131075 Data : <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx</TraceIdentifier><Description>Throwing
an exception.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Exception><ExceptionType>System.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>The
socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:00.0000001'.</Message><StackTrace>
at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state) at System.ServiceModel.Channels.SocketConnection.CloseAsyncAndLinger() at System.ServiceModel.Channels.SocketConnection.Close(TimeSpan
timeout, Boolean asyncAndLinger) at System.ServiceModel.Channels.BufferedConnection.Close(TimeSpan timeout, Boolean asyncAndLinger) at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.CloseIdleConnection(TItem connection, TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationPool`2.EndpointConnectionPool.TakeConnection(TimeSpan timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.TakeConnection(TimeSpan timeout) at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan
timeout) at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan
timeout) at System.ServiceMod</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7143</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>1</DataPageIndex>
<Data>el.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade) at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.Call(String action,
Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage
message) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type) at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter
filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory) at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase
propertyFactory) at Microsoft.IdentityServer.PolicyModel.Client.PolicyManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GetConfiguredClaims(ServiceState state)
at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataService.GenerateMetadata(ServiceState state) at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result) at System.Net.LazyAsyncResult.Complete(IntPtr
userToken) at System.Net.ListenerAsyncResult.IOCompleted(ListenerAsyncResult asyncResult, UInt32 errorCode, UInt32 numBytes) at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace><ExceptionString>System.ServiceModel.CommunicationException: Th</Data>
</EventData>
</Event>
</UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS Tracing" Guid="{0457a490-4d4d-4a5b-b639-35382f1b6709}" />
<EventID>996</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000020000</Keywords>
<TimeCreated SystemTime="2014-07-29T13:05:53.358232900Z" />
<EventRecordID>7144</EventRecordID>
<Correlation />
<Execution ProcessID="1484" ThreadID="1524" ProcessorID="1" KernelTime="0" UserTime="5" />
<Channel>AD FS Tracing/Debug</Channel>
<Computer>MobTstVmAdfs0.mytestdomain.com</Computer>
<Security UserID="S-1-5-21-2610119604-2933780250-1221947404-1111" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
<DataIndex>0</DataIndex>
<DataPageIndex>2</DataPageIndex>
<Data>e socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:05:00.0000001'. ---&gt;
System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state) --- End of inner
exception stack trace ---</ExceptionString><InnerException><ExceptionType>System.Net.Sockets.SocketException, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>An existing connection
was forcibly closed by the remote host</Message><StackTrace> at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state)</StackTrace><ExceptionString>System.Net.Sockets.SocketException
(0x80004005): An existing connection was forcibly closed by the remote host at System.ServiceModel.Channels.SocketConnection.BeginReadCore(Int32 offset, Int32 size, TimeSpan timeout, WaitCallback callback, Object state)</ExceptionString><NativeErrorCode>2746</NativeErrorCode></InnerException></Exception></TraceRecord>
ProcessId : 1484 ThreadId : 41</Data>
</EventData>
</Event>
</UserData>
</Event>
Hello,
please use the forum listed in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/195399e6-b5dd-46cf-a351-228bd62b24d8/adfs-specific-question-post-on-the-adfs-forum?forum=winserverDS
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Remove Web Application Proxy from ADFS 3.0
We have two Web Application Proxies deployed with ADFS 3.0, however we'd like to remove one. We uninstalled the role from the server, however on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers on the Remote
Management mmc. How can I get this completely removed from ADFS?
Hi,
According to your description, are these two web application proxy servers clustered?
By “on the other Web Application Proxy it still shows the uninstalled server under Clustered Servers”, do you mean that the uninstalled proxy server still shows as a node of cluster?
If that’s the case, then it is normal, because uninstalling web application proxy role doesn’t remove its role as a node of cluster.
More information for you:
How to Evict a Node from a Windows Server 2008 Failover Cluster
http://technet.microsoft.com/en-us/library/bb676524(v=EXCHG.80).aspx
Best Regards,
Amy Wang
-
ADFS single sign-on with office 365 and multiple forests
I have 2 forests with one of them (Forest A) only running Exchange / Office 365 in hybrid mode. The other forest (Forest B) has my AD accounts for everyday user login and work. Is there a way to set up ADFS between these 2 forests in order for Forest B
to achieve single sign-on to office 365? Today users have to login with separate office 365 accounts in order to access email and sharepoint. Short of migrating Forest A into Forest B and getting down to one forest / domain, is there anything else we can do
to achieve single sign-on?
Hi,
Based on my research, we can have one ADFS farm servicing multiple forests, here are some related articles below for your references:
Multi-forest and Multi-tenant scenarios with Office 365
http://blogs.technet.com/b/educloud/archive/2013/08/02/multi-forest-and-multi-tenant-scenarios-with-office-365.aspx
Hybrid Deployment Prerequisites
http://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx
SupportMultipleDomain switch, when managing SSO to Office 365
http://blogs.technet.com/b/abizerh/archive/2013/02/06/supportmultipledomain-switch-when-managing-sso-to-office-365.aspx
For more information about Office 365, I suggest you refer to Office 365 community below:
http://community.office365.com/en-us/f/default.aspx
Best Regards,
Amy
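The SupportMultipleDomain switch named in the third link above is what lets one AD FS farm answer for both forests' UPN suffixes. The following is an added example, not code from this thread or from Microsoft's articles: it shows the MSOnline cmdlets an administrator runs to federate a second domain against the same farm and then checks that the change took. The domain names, the AD FS server name and the trust name are placeholders (assumptions); the cmdlets themselves are those exposed by the Azure AD (MSOnline) PowerShell module of that period.

```powershell
# Added example (not from the thread). Assumes the MSOnline module is installed,
# the account is a tenant admin, and every name below is a placeholder.
Import-Module MSOnline
Connect-MsolService                                        # prompts for tenant credentials
Set-MsolADFSContext -Computer "adfs01.forestb.example"     # assumed AD FS server (Forest B farm)

# Federate a second UPN suffix with the same farm. Without -SupportMultipleDomain
# the second Convert is refused, because the farm's single issuer URI is already
# bound to the domain federated first.
Convert-MsolDomainToFederated -DomainName "forestb.example" -SupportMultipleDomain

# Domains federated earlier must be updated so they get the same rule set.
Update-MsolFederatedDomain -DomainName "foresta.example" -SupportMultipleDomain

# Check from the tenant side: each domain should now report its own IssuerUri
# of the form http://<domain>/adfs/services/trust/ rather than one shared value.
foreach ($d in "foresta.example", "forestb.example") {
    Get-MsolDomainFederationSettings -DomainName $d |
        Select-Object @{ n = 'Domain'; e = { $d } }, IssuerUri, PassiveLogOnUri
}

# Check from the AD FS side (run on a farm member): the Office 365 trust must
# carry an issuerid claim rule, which is what the switch adds so that the
# issuer is derived from each user's UPN suffix.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
if ($rp.IssuanceTransformRules -notmatch 'issuerid') {
    Write-Warning "No issuerid rule on the Office 365 trust; SupportMultipleDomain did not apply."
}
```

The two checks are the ones worth keeping in a change record: a domain still showing the farm-wide IssuerUri, or a trust without the issuerid rule, means logons for that suffix will be rejected by Office 365 even though the Convert reported success.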