Solved

ADFS 2.0 migration from 2008 R2 to 2012

Posted on 2014-02-07
Last Modified: 2014-02-13
Hello all, This one I have posted before but here we go again:

I have completed an ADFS migration from a Windows Server 2008 Enterprise R2 to Windows Server 2012 Standard. I performed an in-place upgrade, restored and configured the ADFS services.

I have followed Microsoft preparation and migration instructions but it is obvious that I am missing something.

After migration, my users were being prompted constantly for credentials on their Outlook client. Also when trying to log into the Office 365 portal, they are unable to authenticate to it; they are instantly redirected to an access denied error as soon as they type their email address. The error is: "403 Forbidden- Access Denied. You do not have permission to view this directory or page with the credentials you provided."

I have updated the trust successfully by issuing the cmdlet: Update-MsolFederatedDomain -DomainName Domain.com. Checked on the logs and everything seems to have updated properly.

Any other advice on what to check next?
Question by:LuiLui77

Author Comment

by:LuiLui77
ID: 39843629
OK, in IIS I have changed the ADFSAppPool from .NET Framework v4.0 to v2.0. Now when I try to sign into the portal, a popup for credentials is prompted, which is a good sign, but after 3 retries with my known good password, it redirects me to the same error.

Any thoughts?

Author Comment

by:LuiLui77
ID: 39843638
Sorry error message is now:

401 - Unauthorized: Access is denied due to invalid credentials

Thank you.

Accepted Solution

by:
Vasil Michev (MVP) earned 500 total points
ID: 39843820
Check your auth methods on IIS, make sure anonymous is enabled on both /adfs and /ls.

Can you login locally using AD FS? The url should be something like: https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx

Assisted Solution

by:LuiLui77
LuiLui77 earned 0 total points
ID: 39844147
Hi Vasilcho, I checked on the IIS authentication method and changed them to anonymous.

Also I installed Microsoft updates and when restarting the machine, "Trust between the machine and DC failed". Must have been related to a snapshot of the VM at some point.
I reset the machine password with netdom, restarted again and everything started working.

ADFS is now up and running the way it should be.

Thank you for the help, Vasilcho!

Author Closing Comment

by:LuiLui77
ID: 39855698
Also I installed Microsoft updates and when restarting the machine, "Trust between the machine and DC failed". Must have been related to a snapshot of the VM at some point.
I reset the machine password with netdom, restarted again and everything started working.
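
Added example (not part of the thread and not Microsoft's own code): a read-only PowerShell check covering the two things that came up above, the IIS authentication methods on /adfs and /adfs/ls and the machine's secure channel to the domain. The site name "Default Web Site" is an assumption; ADFSAppPool is the pool name given in the thread.

```powershell
# Run in an elevated PowerShell session on the AD FS server. Makes no changes.
Import-Module WebAdministration

$site       = 'Default Web Site'   # assumption: IIS site hosting AD FS 2.0
$apps       = 'adfs', 'adfs/ls'    # paths named in the accepted answer
$authFilter = '/system.webServer/security/authentication'
$methods    = 'anonymousAuthentication', 'windowsAuthentication'

# Collect the enabled/disabled state of each auth method on each path.
$report = foreach ($app in $apps) {
    foreach ($method in $methods) {
        $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' `
            -Location "$site/$app" -Filter "$authFilter/$method" -Name enabled
        [pscustomobject]@{
            Path    = "/$app"
            Method  = $method
            Enabled = [bool]$attr.Value
        }
    }
}
$report | Format-Table -AutoSize

# The accepted answer asks for anonymous to be enabled on both paths.
$report |
    Where-Object { $_.Method -eq 'anonymousAuthentication' -and -not $_.Enabled } |
    ForEach-Object { Write-Warning "Anonymous authentication is disabled on $($_.Path)" }

# Report (do not change) the runtime version the AD FS app pool is using.
$pool = Get-ItemProperty 'IIS:\AppPools\ADFSAppPool'
'ADFSAppPool runtime: {0}' -f $pool.managedRuntimeVersion

# A VM restored from an old snapshot can hold a stale machine account
# password; the server then cannot authenticate users against the DC.
if (Test-ComputerSecureChannel) {
    'Secure channel to the domain: OK'
} else {
    Write-Warning 'Secure channel to the domain is broken; reset the machine account password (netdom was used in this thread).'
}
```

Running the secure channel check first saves time after any snapshot revert, because a broken machine trust makes every IIS-level change look ineffective.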