Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Ports’ Category

(2016-07-31) Configuring ADFS To Use A Custom SQL Port

Posted by Jorge on 2016-07-31


If for whatever reason you need to change the default SQL port and you need to tell ADFS to use it, or if you need to move the DBs to another SQL server, you can use the following procedure:

Retrieving the current connection string for the configuration DB:

Execute the following commands on any ADFS Server:

$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService
$fedSvcSTSConfigDBConnectionString = $fedSvcSTS.ConfigurationdatabaseConnectionstring
$fedSvcSTSConfigDBConnectionString

Setting a new connection string for the configuration DB:

Execute the following commands ON EVERY ADFS SERVER!:

$fedSvcSTSConfigDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSConfiguration;Integrated Security=True"   # <-- example values!!!
$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService
$fedSvcSTS.ConfigurationdatabaseConnectionstring = $fedSvcSTSConfigDBNewConnectionString
$fedSvcSTS.put()
Restart-Service ADFSSRV

Retrieving the current connection string for the artifact DB:

Execute the following command on any SQL-based ADFS server, or on the primary WID-based ADFS server:

$fedSvcSTSArtifactDBConnectionString = (Get-ADFSProperties).ArtifactDbConnection

Setting a new connection string for the artifact DB:

Execute the following commands on any SQL-based ADFS server, or on the primary WID-based ADFS server:

$fedSvcSTSArtifactDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSArtifactStore;Integrated Security=True"   # <-- example values!!!
Set-ADFSProperties -ArtifactDbConnection $fedSvcSTSArtifactDBNewConnectionString
Restart-Service ADFSSRV
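Before writing a new string into WMI on every farm member, it pays to check that it still uses integrated authentication, names the right catalog, and that the custom port is actually reachable from the server you are on. The following is an added example (not from the original post): server names, the instance name and port 10001 are placeholders, the function names are my own, and Test-NetConnection is the built-in cmdlet used for the TCP check.

```powershell
# Added example (not from the original post). Server names, instance name and port 10001 are placeholders.
function ConvertFrom-SqlConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString)
    # Split "Key=Value;Key=Value" into a hashtable; keys are matched case-insensitively by PowerShell.
    $parts = @{}
    foreach ($pair in ($ConnectionString -split ';' | Where-Object { $_.Trim() })) {
        $key, $value = $pair -split '=', 2
        if ($null -eq $value) { continue }
        $parts[$key.Trim()] = $value.Trim()
    }
    return $parts
}

function Test-AdfsSqlConnectionString {
    param([Parameter(Mandatory)][string]$ConnectionString,
          [Parameter(Mandatory)][string]$ExpectedCatalog)
    $cs = ConvertFrom-SqlConnectionString $ConnectionString
    $ok = $true
    # ADFS should authenticate to SQL as its service account, never with a SQL login embedded in the string.
    if (($cs['Integrated Security'] -notin 'True', 'SSPI') -or $cs.ContainsKey('Password')) {
        Write-Warning 'Connection string does not use integrated security (or embeds a password).'
        $ok = $false
    }
    if ($cs['Initial Catalog'] -ne $ExpectedCatalog) {
        Write-Warning "Initial Catalog is '$($cs['Initial Catalog'])', expected '$ExpectedCatalog'."
        $ok = $false
    }
    # Data Source / Failover Partner have the form HOST\INSTANCE,PORT; the custom port follows the comma.
    foreach ($key in 'Data Source', 'Failover Partner') {
        if (-not $cs.ContainsKey($key)) { continue }
        $hostPart, $portPart = $cs[$key] -split ',', 2
        $server = ($hostPart -split '\\', 2)[0]
        $port = if ($portPart) { [int]$portPart } else { 1433 }   # default SQL port when none is given
        $reach = Test-NetConnection -ComputerName $server -Port $port -WarningAction SilentlyContinue
        if (-not $reach.TcpTestSucceeded) {
            Write-Warning "$key ${server}:$port is not reachable from $env:COMPUTERNAME."
            $ok = $false
        }
    }
    return $ok
}

# Same example values as above; run on every ADFS server and only write the string back if every check passes.
$newCs = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSConfiguration;Integrated Security=True"
if (Test-AdfsSqlConnectionString -ConnectionString $newCs -ExpectedCatalog 'ADFSConfiguration') {
    $sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
    $sts.ConfigurationDatabaseConnectionString = $newCs
    $sts.Put() | Out-Null
    Restart-Service ADFSSRV
}
```

The same function with -ExpectedCatalog 'ADFSArtifactStore' validates the artifact DB string before Set-ADFSProperties is called.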

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On SQL, Ports

(2016-06-06) Required Ports For ADFS And WAP

Posted by Jorge on 2016-06-06


Ports Required For ADFS:

  • Any client on the internal network – to – any ADFS server : port 443
    • due to accessing ADFS for token issuance
  • Any client on the external network – to – any WAP server : port 443
    • due to accessing ADFS for token issuance, using the WAP as intermediary
  • Any connected application server on the internal network (RPs/SPs) – to – any ADFS server : port 443
    • due to requests and metadata exchange
  • Any connected application server on the external network (RPs/SPs) – to – any WAP server : port 443
    • due to requests and metadata exchange
  • Any connected identity provider server on the internal network (CPs/IdPs) – to – any ADFS server : port 443
    • due to requests and metadata exchange
  • Any connected identity provider server on the external network (CPs/IdPs) – to – any WAP server : port 443
    • due to requests and metadata exchange
  • Load Balancer – to – any ADFS server : port 80
    • due to the probe URL for monitoring availability
  • Load Balancer – to – any WAP server : port 80
    • due to the probe URL for monitoring availability
  • Any WAP server – to – any ADFS server : port 443
    • due to any communication regarding the federation service
  • Any WAP server – to – any ADFS server : port 49443
    • due to certificate-based authentication; only really required in ADFS 2012 R2, as ADFS 2016 can also use 443 if needed
  • Any ADFS server – to – any ADFS server : port 80
    • due to WID configuration database replication between farm members
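A list like this is easiest to keep honest when it is expressed as data and re-checked from each server after every firewall change. The following is an added example (not from the original post): the ADFS and WAP host names are placeholders, the function names are mine, the role detection relies on the service names adfssrv (AD FS) and appproxysvc (Web Application Proxy, an assumption), and Test-NetConnection does the TCP test.

```powershell
# Added example (not from the original post). Placeholder farm members; the flows below are the
# ones from the list above that originate on an ADFS or WAP server itself.
$adfsServers = 'ADFS1.DOMAIN.COM', 'ADFS2.DOMAIN.COM'
$requiredFlows = @(
    @{ From = 'ADFS'; To = $adfsServers; Port = 80;    Why = 'ADFS-to-ADFS (WID replication) and probe URL' }
    @{ From = 'WAP';  To = $adfsServers; Port = 443;   Why = 'federation service communication' }
    @{ From = 'WAP';  To = $adfsServers; Port = 49443; Why = 'certificate-based auth (ADFS 2012 R2; 2016 can use 443)' }
)

function Get-LocalAdfsRole {
    # Service names: adfssrv is AD FS; appproxysvc (assumed) is the Web Application Proxy service.
    if (Get-Service -Name adfssrv -ErrorAction SilentlyContinue)     { return 'ADFS' }
    if (Get-Service -Name appproxysvc -ErrorAction SilentlyContinue) { return 'WAP' }
    return 'Other'
}

function Test-AdfsRequiredPorts {
    param([string]$Role = (Get-LocalAdfsRole), [object[]]$Flows = $requiredFlows)
    foreach ($flow in ($Flows | Where-Object { $_.From -eq $Role })) {
        foreach ($target in $flow.To) {
            # Skip ourselves; every other farm member must be reachable because the primary role can move.
            if ($target -eq $env:COMPUTERNAME -or $target -like "$env:COMPUTERNAME.*") { continue }
            $r = Test-NetConnection -ComputerName $target -Port $flow.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Source  = $env:COMPUTERNAME
                Role    = $Role
                Target  = $target
                Port    = $flow.Port
                Open    = $r.TcpTestSucceeded
                Purpose = $flow.Why
            }
        }
    }
}

# Run on each ADFS and WAP server; any row with Open = False is a firewall or ACL gap to fix.
Test-AdfsRequiredPorts | Format-Table -AutoSize
```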

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Ports

(2016-06-02) Required Port(s) For WID Replication In ADFS To Work Properly

Posted by Jorge on 2016-06-02


If you are running ADFS with WID and you see the following event IDs, the required ports between the secondary ADFS server(s) and the primary ADFS server are not open.

[Figure 1: First Error Regarding The WID Replication Error]

There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional Data

Master Name : R1FSRWDC1.IAMTEC.NET
Endpoint Uri :
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer
Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()

And you will also see:

[Figure 2: Second Error Regarding The WID Replication Error]

There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

Additional data

Exception details:
System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at
http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.1.1.1:80
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at System.ServiceModel.Channels.HttpOutput.WebRequestHttpOutput.GetOutputStream()
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
   at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.DoSyncDirect()
   at Microsoft.IdentityServer.Service.Synchronization.SyncBackgroundTask.Run(Object context)

User Action
Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.

As you may know, by default every secondary ADFS server pulls configuration information from the primary ADFS server every 5 minutes. Any secondary ADFS server connects to the primary ADFS server over port 80 for WID replication, as the endpoint URI and the failing address in the error message above show (http://<primary>/adfs/services/policystoretransfer, 10.1.1.1:80). When using WID, make sure that any ADFS server can contact any other ADFS server on that port, because this is needed if you ever transfer the primary role to another ADFS server.
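The event text already names the primary, the endpoint and the IP:port that could not be reached, so a secondary can pull those details out of its own log and re-test the exact path. The following is an added example (not from the original post): the function names are mine, matching is done on the message text because the event IDs are not quoted above, the log name 'AD FS/Admin' is an assumption, and the sample message is constructed from the text of Figure 1.

```powershell
# Added example (not from the original post). Log name 'AD FS/Admin' and matching on message text are assumptions.
function ConvertFrom-WidSyncError {
    param([Parameter(Mandatory)][string]$Message)
    # Capture the endpoint URI after "no endpoint listening at" and the IP:port after "failed to respond".
    $m = [regex]::Match($Message,
        'no endpoint listening at\s+(?<uri>\S+)\s.*?failed to respond\s+(?<ip>\d{1,3}(?:\.\d{1,3}){3}):(?<port>\d+)',
        'Singleline')
    if (-not $m.Success) { return $null }
    $uri = [uri]($m.Groups['uri'].Value)
    [pscustomobject]@{
        PrimaryHost = $uri.Host              # e.g. r1fsrwdc1.iamtec.net
        Endpoint    = $uri.AbsoluteUri       # .../adfs/services/policystoretransfer
        Address     = $m.Groups['ip'].Value
        Port        = [int]($m.Groups['port'].Value)   # 80 for WID replication
    }
}

function Get-WidSyncFailure {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'AD FS/Admin'; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'policystoretransfer' } |
        ForEach-Object { ConvertFrom-WidSyncError -Message $_.Message } |
        Where-Object { $_ } |
        Sort-Object PrimaryHost, Port -Unique
}

# Constructed sample, shortened from the event text quoted above, so the parser can be checked offline.
$sample = 'There was no endpoint listening at http://r1fsrwdc1.iamtec.net/adfs/services/policystoretransfer ' +
          'that could accept the message. ... connected host has failed to respond 10.1.1.1:80'
ConvertFrom-WidSyncError -Message $sample   # PrimaryHost r1fsrwdc1.iamtec.net, Address 10.1.1.1, Port 80

# On a live secondary: compare each failing path with the configured primary and re-test it over TCP.
$sync = Get-AdfsSyncProperties   # Role, PrimaryComputerName, PrimaryComputerPort (80 by default), PollDuration (300 s)
foreach ($f in (Get-WidSyncFailure)) {
    $tcp = Test-NetConnection -ComputerName $f.PrimaryHost -Port $f.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Primary    = $f.PrimaryHost
        Port       = $f.Port
        Configured = "$($sync.PrimaryComputerName):$($sync.PrimaryComputerPort)"
        Reachable  = $tcp.TcpTestSucceeded
        Source     = $env:COMPUTERNAME
    }
}
```

Because the primary role can be transferred, the same test is worth running from every farm member against every other one, not only against the current primary.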


Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), DB On WID, Ports

 