Does ADFS server require Internet access?

Hello,
I have two ADFS 3.0 servers in the intranet and two ADFS proxies in the DMZ. For the firewall settings on the two ADFS 3.0 servers, I set the default outbound connection to block and created custom outbound rules allowing connections to the intranet.
When I add a new relying party, ADFS cannot verify the certificate of the RP. The certificate of the relying party is a wildcard cert issued by DigiCert. I have already installed the root CA cert in the Trusted Root Certification Authorities store of the two ADFS servers.
But ADFS still cannot recognize the certification path. After I changed the default outbound connection to allow in the firewall settings, ADFS could verify the certificate. I continued the process and closed internet access after users could successfully log in.
A few days later, users could not log in. The following error exists in the ADFS log:
Event ID 317:
An error occurred during an attempt to build the certificate chain for the relying party trust 'https://xxxx.xxxx.xxx.xx' certificate identified by thumbprint 'xxxxxxxxx'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period.
You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party encryption certificate. 
Relying party trust's encryption certificate revocation settings: CheckChainExcludeRoot 
The following errors occurred while building the certificate chain:  
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
User Action: 
Ensure that the relying party trust's encryption certificate is valid and has not been revoked. 
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. 
Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
I reopened the firewall outbound rule, then everything ran as normal and users can log in again.
Does ADFS require internet access for certification path checking? If I really want to block internet access, which port do I need to open in order to allow ADFS to check the certificate?
Thank you very much.

You can run 
Set-AdfsClaimsProviderTrust -TargetName "<IDP name>" -SigningCertificateRevocationCheck None
and see if this fixes the problem (the link from the event log will tell you the same thing), as Bart describes in his topic: https://social.msdn.microsoft.com/Forums/vstudio/en-US/47345c69-7b68-4f09-907e-43ed2805cac0/adfs-30-signing-certificate-crl-check-with-http-proxy-to-the-internet?forum=Geneva
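
An added example, not part of the original thread: instead of turning revocation checking off, this lists the CRL and OCSP/AIA URLs embedded in the relying party's certificate chain so that outbound rules can be scoped to just those hosts and ports. The trust name 'RP display name' is a placeholder; run it on an AD FS server.

```powershell
# Added example. 'RP display name' is a placeholder for the relying party trust's name.
$rp   = Get-AdfsRelyingPartyTrust -Name 'RP display name'
$cert = $rp.EncryptionCertificate

# Current revocation settings on the trust (the event above reported CheckChainExcludeRoot).
$rp | Select-Object Name, EncryptionCertificateRevocationCheck, SigningCertificateRevocationCheck

# RevocationMode NoCheck: build the chain without attempting CRL/OCSP retrieval,
# so the script also works while outbound traffic is still blocked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

# 2.5.29.31         = CRL Distribution Points
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP responder, CA issuers)
$oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
$urls = foreach ($element in $chain.ChainElements) {
    foreach ($ext in $element.Certificate.Extensions) {
        if ($oids -contains $ext.Oid.Value) {
            # Format($true) renders the extension as text; pull the URLs out of it.
            [regex]::Matches($ext.Format($true), 'https?://[^\s,)]+') |
                ForEach-Object { $_.Value }
        }
    }
}
$urls = $urls | Sort-Object -Unique

# Each host/port pair is a candidate for a narrowly scoped outbound allow rule.
foreach ($u in $urls) {
    $uri  = [uri]$u
    $test = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Url       = $u
        Host      = $uri.Host
        Port      = $uri.Port
        Reachable = $test.TcpTestSucceeded
    }
}

# Services retrieve CRLs through the machine-wide WinHTTP proxy, not a user's browser proxy.
netsh winhttp show proxy
```

CheckChainExcludeRoot means revocation is checked for every certificate in the chain except the root, so the intermediate CA's URLs matter as well as the leaf's.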

Similar Messages

  • Does acrobatupd11010.msp require internet access?

    I'm trying to install Acrobat update 11.0.10 onto Acrobat Professional 11.0.0.
    I get to 99% completion and then it rolls back.  PDApp.log shows errors about not being able to get the proxy.  Does this update require internet access to install successfully?
    I'm on Windows 7 64 bit.

    I'm able to install quarterly updates sequentially up to 11.0.6.  Starting with 11.0.7, I see errors about a proxy config url that should not exist any more.  (Was deployed by Group Policy but has been removed).  Help.

  • Does InDesign CS6 require internet access for volume license validation

    Our purchasing team supplied me with a volume licensed version of InDesign CS6 and it requires internet access to validate the license. We operate in a VDI environment without internet access.
    If I try to use the AdobeApplicationManagerEnterpriseEdition tool to customize the app it will not recognise the serial key..? If I manually launch the Setup.exe it does..?
    Thanks
    gary

    Yes, internet access is required to use the Adobe software, but we do understand that in a secure environment it is not possible.
    Hence, you can create a deployment package using AAMEE on an internet-enabled computer and then use the package to install the CS6 software on the computer without internet.
    Make sure you use AAMEE 3.0 as it will only work with CS6.

  • Does ML recovery require internet access?

    If I install Mountain Lion's recovery HD, assuming that's possible, onto a flash drive to take with me on the road, will I be able to restore the OS to my MacBook Pro if its disc has problems when I'm out of internet range?

    No. To create a standalone bootable installer, follow the instructions on this page:
    How to make a bootable Mountain Lion install drive

  • Why does Adobe Air Captive Runtime require Internet Access on Android?

    I am developing a children's app on Adobe Air and just learned that the Internet permission is being forced by Adobe Air. The only comment I saw on these forums was from someone stating it was so the Adobe Air App can communicate to the Adobe Air package, which doesn't make much sense-- but even still, I am bundling the Adobe Air Runtime within the App itself.
    This affects me because as a children's app, some of my customers (e.g. Parents) will see the requirement of an Internet connection as a bad sign, in that my app may be loading content from the internet, or collecting data about their child or device and sending it over the internet.
    I think Adobe should be clear as to why their platform requires internet access. Thank you.

    I have the same problem. I have tried AIRSDK 3.1 & 3.4; my app runs normally without Captive-runtime mode on my Nexus S, but I keep getting the message "unfortunately, (myappname) has stopped" when packed with Captive-runtime.

  • Games that require Internet access questions

    Hello,
    Okay, I have a couple of questions about being able to play games that require Internet access. How do I get Internet access for my iPod Touch? I don't know. Do I have to take it in somewhere or can I do it from my home? And how much does it cost? It's a monthly payment fee, right? Thank you very much!
    From,
    Kristy.

    Wifi is on and connection is properly established with correct log in information?  Mobile data is set to ON?  No restrictions on background data enabled?  Strong wifi or mobile data signal?

  • Where can I download a full version of Firefox that does not require internet access for installation?

    I have a computer which needs Firefox but it does not have internet access. Could I download a full stand alone version of Firefox, copy it to a USB memory stick, and install it from there?

    Yes, the Firefox download is complete - no need for an internet connection for installation.
    http://www.mozilla.com/en-US/firefox/

  • Why does it say no internet access when I connect my laptop to my personal hotspot IPhone 5S?

    Every time I try to go on a webpage it says no internet access on the Internet bars

    Hi, jon.baldauf.
    These articles will help you troubleshoot the issue that you are experiencing when attempting to connect to the iTunes Store.  Make sure after each troubleshooting steps to test the results. 
    iTunes for Windows: iTunes Store connection troubleshooting
    http://support.apple.com/kb/ht1527
    iTunes: Advanced iTunes Store troubleshooting
    http://support.apple.com/kb/ts3297
    There is a possibility that security software installed could be the cause of the issue.  You may have to process the steps in this article. 
    iTunes: Troubleshooting security software issues
    http://support.apple.com/kb/TS3125
    Cheers,
    Jason H. 

  • Does Windows Server 2008 internet printing work with iPhone, as I really could do with finding this out

    I have a job on next week integrating iPhone and was wondering if it will work on Windows Server 2008 internet printing?
    I am a bit of a newbie to iPhones
    IT Support Costs
    Thanks

    This apparently would be possible if the server is running the HP ePrint Enterprise server. HP has an app that then allows an iOS device to print to it. There may be other, similar services, though I haven't found any. Perhaps someone else will know.
    This is the iPad forum, by the way.
    Regards.

  • Any app that requires internet access times out and fails

    Includes both Yahoo mail and my corporate account, along with Safari web browser. Acts as if a switch has been turned off to prevent internet access. I have backed up and restored the device. Still have phone service.  All accesses DO work via Wi-Fi, just not through AT&T carrier.


  • Calculator/conversion app that doesn't require internet access

    I am a canadian trucker who would rather not pay the roaming charges for internet access. Is there an iPhone calculator/conversion app that I can use when I set my phone to "airplane" mode?

    Look at this:
    https://itunes.apple.com/us/app/id650443477?mt=8

  • Does the PDF converter require Internet access?

    I often deal with sensitive data and have to go to isolated networks. If the PDF converter requires access to the Internet and the Adobe 'cloud', I can not use it.
    Bob Wilson

    Hi Robertw49066875,
    'Acrobat.com' is a cloud based service and yes it requires an internet connectivity to convert files.
    However Acrobat software can be used without requiring any internet connection. You can download a free 30 day trial using this Link : https://helpx.adobe.com/acrobat/kb/acrobat-downloads.html
    Regards,
    Rahul

  • Why does Reader require Internet access every time?

    I am using Adobe X. Can anyone explain to me why this application must have access to the internet every time it is opened? What are the implications if you block Reader 100% of the time using your firewall... other than having to do manual updates?

    Here is the link.
    http://get.adobe.com/reader/enterprise/

  • Why does File sharing require internet?

    I have two computers, both on Snow Leopard 10.6.8 connected to my router. If I have my WAN cable unplugged from the router or my Internet is not working, I find that when I try to access one computer from the other for Apple File Sharing (AFP), that the finder "Connect to Server function" just spins after I put in the server address of the other Mac. Plug in the Internet, and all is fine. It seems that somehow the Internet is being required. Why? And how do I fix this?
    My TCP/IP settings for each machine for the network interface used are:
    Configure IPv4: Using DHCP with manual address
    IPv4 Address: 192.168.0.[some number greater than 1]
    Subnet mask: 255.255.255.0
    Router: 192.168.0.1
    Configure IPv6: Off
    I am using fixed IP addresses on my LAN rather than DHCP.
    Thanks

    PROVEN: IT IS NOT MY ROUTER.
    Good isolation testing, and component elimination.
    In the first post you said you had been using DHCP with Manual IP address.  In the router elimination test you did not mention Manual address and I get the impression you just allowed normal DHCP assigned IP  addressing.  If my interpretation is correct, that is good.
    Stupid question, was Airport turned off during your experiments?  If it was not, it is always possible that the Macs were trying to use WiFi instead of the Ethernet cables.   By default Mac OS X gives priority to Ethernet, however, it is possible that your System Preferences -> Network interface ordering was changed to give Airport a higher preference over Ethernet.  You would use the Gear icon next to the [+][-][*] icons under your list of interfaces to see/set the interface order.  Ethernet should be 1st in the list.
    I think that when you open System Preferences -> Network, the interface list is displayed with the current active interface highlighted, but I never did a rigorous experiment to prove this.
    This should work. So I'm going to suggest, as an experiment, you start by booting each Mac into "Safe Mode".  Boot holding the "Shift" key.  This will eliminate any 3rd party extensions from loading, just in case there is a bit of 3rd party software that is interfering.
    As a diagnostic experiment please get a copy of "Bonjour Browser" and "WakeOnLan".  Both of these utilities probe the network and give excellent lists of network devices they find on the local LAN.
    <http://www.macupdate.com/app/mac/13388/bonjour-browser>
    <http://www.macupdate.com/info.php/id/15779/wakeonlan>
    You should be able to see the other Mac from the output of each of these utilities.  Bonjour Browser should be able to show you the Apple File Sharing services being offered, and you should see both your Macs listed.  If not then something is blocking the protocol, or for some reason the Mac is not advertising the service.
    If you use Applications -> Utilities -> Network Utility you should be able to find out if port 548 is open on the other computer using the port scan option.  It should be, but the question is whether Network Utility can see it through your router.
    I have run out of experiments to try.  Hopefully this will shake something loose and allow you to move forward towards a solution.

  • Web dynpro abap application on Portal does not work via internet access.

    Dear All,
    I have created a web dynpro abap application and deployed the same on Portal.
    The issue I am facing is that the Web Dynpro application works fine when the end user logs into Portal from the local network.
    However, when the Portal is accessed from outside the local network via the Internet, Portal works fine for other applications like ESS
    but the Web Dynpro application doesn't work.
    Is this some configuration issue on the portal / ABAP development, or is any workaround possible?
    Regards
    Abhinav Dagar

    Hi
    Please try to use the [HTTP Watch 5.0 Basic |http://www.httpwatch.com/download/] tool to trace that WD Application link from the portal and you can easily find out the problem.
    Regards
    Prakash T
