LuiLui77
asked on
403. Access Denied after ADFS migration
Hello all,
I have completed an ADFS migration from a WIndow server 2008 ENterprise R2 to WIndows SErver 2012 STandard. I performed an in place upgrade, restore and configure the ADFS services.
I have followed Microsoft preparation and migration instructions but it is obvious that I am missing something.
AFter migration, my users were being prompted constantly for credentials on their Outlook client. Also when trying to log into the Office 365 portal, they are unable to authenticate to it, they are instantly redirected to an access denied error as soon as they type their email address. The error is: "403 Forbidden- Access Denied. You do not have permission to view this directory or page with the credentials you provided."
It will be good to mention that before migration, when trying to log into the portal, our users were prompted by our adfs for credentials, but now it redirect us straight to the Access Denied error describe.
Any help on this will be greatly appreciated!
I have completed an ADFS migration from a WIndow server 2008 ENterprise R2 to WIndows SErver 2012 STandard. I performed an in place upgrade, restore and configure the ADFS services.
I have followed Microsoft preparation and migration instructions but it is obvious that I am missing something.
AFter migration, my users were being prompted constantly for credentials on their Outlook client. Also when trying to log into the Office 365 portal, they are unable to authenticate to it, they are instantly redirected to an access denied error as soon as they type their email address. The error is: "403 Forbidden- Access Denied. You do not have permission to view this directory or page with the credentials you provided."
It will be good to mention that before migration, when trying to log into the portal, our users were prompted by our adfs for credentials, but now it redirect us straight to the Access Denied error describe.
Any help on this will be greatly appreciated!
ASKER
Hello Vasilcho, I was able to revert to the functional ADFS. Thank God I had a DR planned. The upgraded ADFS vm is up but disconnected at the meantime we figure out this issue.
Checking on the certificates of the new ADFS I have found a discrepancy. The information for the Token-Decryption and the Token signing don't match with the certificates that I had on my original server.
Should I try to recreate and apply this certificates first before updating the trust settings?
What do you think?
Checking on the certificates of the new ADFS I have found a discrepancy. The information for the Token-Decryption and the Token signing don't match with the certificates that I had on my original server.
Should I try to recreate and apply this certificates first before updating the trust settings?
What do you think?
The cmdlet will update the trust with the correct certificate info. If you are using self signed certificates for token signing/issuing, might be a good idea to set it to auto-renew. It's explained in the article above.
If it's still not working after updating the trust, we need to check few more things.
If it's still not working after updating the trust, we need to check few more things.
ASKER
Hi Vasilcho,
I am planning my DR in case anything goes wrong. To proceed with the cmdlet I will have to turn back on my snapshot that has the upgrade to 2012 and disconnect my current 2008 DR clone (the one currently working).
Now, when issuing the cmdlet on the 2012, and assuming that things don't go too well, I am planning to turn back on my old snapshot with 2008, but since the certificates configuration will be now outdated (since I issued the update federation cmdlet in the new one), what will be my DR plan?
I believe that I will be able to resync federation again with my 2008 by issuing the same cmdlet, but correct me if i am missing something.
I also believe that trust relationship with the DC will fail, so I will have to change the machine password on my DR snapshot as well, but this is another story.
Any help on what to include in my DR plan will be great.
I am planning my DR in case anything goes wrong. To proceed with the cmdlet I will have to turn back on my snapshot that has the upgrade to 2012 and disconnect my current 2008 DR clone (the one currently working).
Now, when issuing the cmdlet on the 2012, and assuming that things don't go too well, I am planning to turn back on my old snapshot with 2008, but since the certificates configuration will be now outdated (since I issued the update federation cmdlet in the new one), what will be my DR plan?
I believe that I will be able to resync federation again with my 2008 by issuing the same cmdlet, but correct me if i am missing something.
I also believe that trust relationship with the DC will fail, so I will have to change the machine password on my DR snapshot as well, but this is another story.
Any help on what to include in my DR plan will be great.
If you are simply replacing the server, basically you are building a new farm. And the new certificates and settings you have there will result in different configuration, that you need to sync with O365.
A better approach will be to bring up additional server to the farm, verify connectivity, set it as primary, and then remove the old one. In such scenario, you will not need to update the trust settings, as the certificates and the rest of the configuration will be the same.
Of course in such scenario you will need to have at least one active ADFS server. You *should* be running at least two AD FS servers for redundancy anyway. In case of a disaster, you just bring another one to the farm. There is lot of info regarding this, for example here:
http://community.office365.com/en-us/forums/613/t/44639.aspx
A better approach will be to bring up additional server to the farm, verify connectivity, set it as primary, and then remove the old one. In such scenario, you will not need to update the trust settings, as the certificates and the rest of the configuration will be the same.
Of course in such scenario you will need to have at least one active ADFS server. You *should* be running at least two AD FS servers for redundancy anyway. In case of a disaster, you just bring another one to the farm. There is lot of info regarding this, for example here:
http://community.office365.com/en-us/forums/613/t/44639.aspx
ASKER
Yeah that's the thing.
My ultimate purpose is to create a farm between my on-premises ADFS server and my DR cloud server, the thing is that in order to create a farm, both servers will need to have the same version OS (as stated by Office 365 support, correct me if you know that this is not necessary). My cloud server is a Windows Standard 2012 and this was why I performed an in-Place upgrade of my on-premises ADFS server from 2008 R2 to 2012.
I believe that to setup and transfer over the ADFS role to a new server 2012 from scratch will be more time consuming and will involve more downtime.
With all this in mind, Do you think that my best DR option is to connect back my old snapshot and issue the same update federation cmdlet on it?
My ultimate purpose is to create a farm between my on-premises ADFS server and my DR cloud server, the thing is that in order to create a farm, both servers will need to have the same version OS (as stated by Office 365 support, correct me if you know that this is not necessary). My cloud server is a Windows Standard 2012 and this was why I performed an in-Place upgrade of my on-premises ADFS server from 2008 R2 to 2012.
I believe that to setup and transfer over the ADFS role to a new server 2012 from scratch will be more time consuming and will involve more downtime.
With all this in mind, Do you think that my best DR option is to connect back my old snapshot and issue the same update federation cmdlet on it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you Vasilcho, I will be Updating the Federation with the cmdlet.
http://support.microsoft.com/kb/2647048
If it's still not working, check if this happens for both internal and external users. Do the tests on ExRCA: https://testconnectivity.microsoft.com/