Solved

Windows Server 2012 R2 ADFS Login Page Formatting Missing

Posted on 2016-09-24
16
285 Views
Last Modified: 2016-09-29
I don't know why but for some reason the ADFS login page has lost all its formatting.  Users can still enter credentials and authenticate but the page is just plain text with two text boxes for credentials.  I only ran across one solution in Google but it is for a CRM install and doesn't seem applicable to my situation.  Can someone help with this issue please?  I have attached an image of what it looks like now and an example of what it is supposed to look like.

ADFS Login Page No Formatting Image
What ADFS Formatting is Supposed To Look Like
0
Comment
Question by:Nathan Vanderwyst
16 Comments
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813880
Hello,

Have you tried restarting the IIS service?  It seems like a CSS style is unable to load.  If you have firefox web browser available, you can install the web developer addin and check to see which css file is failing to load.
0
 

Author Comment

by:Nathan Vanderwyst
ID: 41813890
Already tried to restart IIS and also bounced the whole server.  No joy.
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813903
OK, thanks for the update.  After further reading, it appears the ADFS login for Server 2012 R2 no longer uses IIS.  So it has its own http.sys controller.

I am referencing this article for the steps below.

The screenshot indicates that is the default theme so try exporting it with PowerShell:
Export-AdfsWebTheme -Name default -DirectoryPath c:\custom-theme

Create a new theme:
New-AdfsWebTheme -Name "custom-theme" -SourceName default

In the exported theme folder from above, check the style.css and style.rtl.css files to see if there is actually information there and not just blank.

Then configure the styles to the custom theme:
Set-AdfsWebTheme -TargetName "custom-theme" -StyleSheet @{Locale="";path="C:\custom-theme\css\style.css"} -RTLStyleSheetPath "C:\custom-theme\css\style.rtl.css"

Reapply the JavaScript onload file:
Set-AdfsWebTheme -TargetName "custom-theme" -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\custom-theme\script\onload.js"}

Then lastly, set the new custom theme as the active theme:
Set-AdfsWebConfig -ActiveThemeName "custom-theme"

0
 

Author Comment

by:Nathan Vanderwyst
ID: 41813922
Thank you for providing a way to customize my ADFS page, but that isn't what I'm looking for.  In fact, I don't know if uploading a custom page will even fix the problem and that is something I shouldn't have to do anyway.  BUT, I used your advice above about Firefox and Web Developer Add-In and I see that the CSS sheet is getting a HTTP Error 503.  Does that help provide any additional ideas?
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813929
OK, no problem, I was just thinking along the lines of: if we exported the theme and reimported it, that might fix the issue if there was some sort of fault with the original theme.

HTTP error 503 means the service is unavailable typically due to overload or maintenance mode.  So the next step would be to take a look at the http.sys error log which I believe is located at:
%windir%\System32\LogFiles\HTTPERR

0
 

Author Comment

by:Nathan Vanderwyst
ID: 41813945
Well, in %windir%\System32\LogFiles\HTTPERR, I can see a bunch of 503 errors like this:

 HTTPERR.txt
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813963
OK, can you try Event Viewer?  Open that up and look in the application log for ADFS or ASP related warnings or errors to see if there is any insight there.

The N/A after the 503 error entry can mean one of the following:

- IIS cannot start any new worker processes because of limited system resources or because starting a new worker process would exceed the DemandStartThreshold property.

- Bandwidth throttling is enabled, but the filter addition fails.

- The control channel or internal configuration group for the URL is inactive.

- The send for a request that was serviced from the cache failed (typically under low memory conditions).
0
 

Author Comment

by:Nathan Vanderwyst
ID: 41814007
Looking at the ADFS log files I can see that for some reason on 9/15 I started getting a 102 Event ID (pasted below); not sure if you have experience with this type of issue:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/ because TCP port 49443 is being used by another application. ---> System.Net.HttpListenerException: The process cannot access the file because it is being used by another process
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
0
 

Author Comment

by:Nathan Vanderwyst
ID: 41814008
I then finally see an Event ID 364, pasted below, with the CSS path in it:

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/css/style.css to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
0
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41814015
I'm afraid that one is beyond me.  It sounds like it may be a separate issue.

The only other thing I can think of is to restore a prior version of http.sys.  When did the web page last look correct?  You can try using shadow copy to restore a prior working http.sys to that point in time.  Before trying the steps below, make sure you have a current good backup.

First, navigate to C:\Windows\system32\drivers and right-click on http.sys and choose Restore previous versions.  If there is a version available that predates the last working login screen, then copy that version to the desktop.

Next, stop the IIS and ADFS services.  Rename the current http.sys to http.old.  Then copy the http.sys from desktop to the drivers folder and then restart the services.

Does that fix the issue?
0
 
LVL 17

Assisted Solution

by:bigeven2002
bigeven2002 earned 500 total points
ID: 41814020
Another thing I found is this from here:

Go to the ADFS Management Console and click on the Authentication Policies folder in the tree view on the left.  Then, under Actions on the right, click on Edit Global Primary Authentication Policy.  Set the Intranet Authentication Method to Forms Authentication (by default it is set to Windows Authentication).
0
 

Author Comment

by:Nathan Vanderwyst
ID: 41814021
Thanks but the http.sys file has remained unchanged since OS install this past spring.
0
 

Accepted Solution

by:
Nathan Vanderwyst earned 0 total points
ID: 41814069
Wow, while your help didn't directly fix the problem, you gave me enough resources and suggestions to find and fix the issue.  It turns out that running "netstat -a -n -o | findstr :49443" returned the service occupying the same port.  It was the "Windows Server Essentials Storage Service".  I then rebooted to see what would happen and a different service took the port before ADFS.  The second time it was Windows Server Essentials Email Service.  I then stopped it, then restarted ADFS and then started the Windows Server Essentials Email Service and all is well.

Looks like there has been some update to the Windows Server Essential services that is taking the port that didn't before.  I am not running an Essentials OS but I did install the feature for other reasons.  I'm glad it is working correctly again.  Thank you for your assistance.
0
 

Author Comment

by:Nathan Vanderwyst
ID: 41814071
Just to be clear these are the steps I performed to resolve the issue:

      1) run this in PS to find app/serv using port 49443
            netstat -a -n -o | findstr :49443
      2) stop or kill app/serv occupying port by using PID value from netstat to identify
      3) restart ADFS
      4) turn other service back on
0
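A scripted version of the four steps above, added here as an example and not code from the thread: it maps every listener on TCP 49443 to its process and service, treats a listener owned by PID 4 (System, i.e. HTTP.sys, which is how AD FS itself holds the port) as non-conflicting, and only with -Fix applies the same stop, restart AD FS, start sequence. It assumes the AD FS service name is adfssrv and that Get-NetTCPConnection (NetTCPIP module, Server 2012 R2 and later) is available.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$Port = 49443,               # certificate-transport endpoint named in Event 102
    [string]$AdfsService = 'adfssrv', # assumed AD FS service name (not stated in the thread)
    [switch]$Fix                      # without -Fix the script only reports
)

# Map every listener on the port to its process and, where it is a service, the service name(s)
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $procId = $_.OwningProcess
        $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $svcs   = Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
                  Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            ProcessId    = $procId
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
            Services     = ($svcs -join ',')
        }
    }

if (-not $listeners) {
    Write-Output "Nothing is listening on TCP $Port; AD FS should be able to bind it."
    return
}
$listeners | Format-Table -AutoSize | Out-String | Write-Output

# PID 4 (System) means HTTP.sys holds the socket, which is how AD FS listens;
# any other process on the port is the kind of conflict the author hit.
$foreign = $listeners | Where-Object { $_.ProcessId -ne 4 -and $_.Services -notmatch $AdfsService }
if (-not $foreign) { Write-Output "Port $Port is held by HTTP.sys/$AdfsService; no conflict found."; return }

$svcNames = @($foreign.Services -split ',' | Where-Object { $_ })
if (-not $svcNames) { Write-Warning "Port holder is not a Windows service; stop PID $($foreign.ProcessId) manually."; return }
if (-not $Fix) { Write-Warning "Conflicting service(s): $($svcNames -join ', '). Re-run with -Fix to apply the sequence."; return }

foreach ($svc in $svcNames) {
    # Same order the author used: free the port, let AD FS bind it, then bring the other service back
    if ($PSCmdlet.ShouldProcess($svc, "Stop, restart $AdfsService, then start again")) {
        Stop-Service -Name $svc -Force
        Restart-Service -Name $AdfsService
        Start-Service -Name $svc
    }
}

# Verify: after the fix the listener should belong to System (HTTP.sys) again
Get-NetTCPConnection -LocalPort $Port -State Listen | Select-Object LocalAddress, OwningProcess
```

If PID 4 holds the port but Event 102 keeps firing, another HTTP.sys-based application registered the URL instead; `netsh http show servicestate` lists which process owns each registered URL group.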
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41814158
OK, great!  Glad you were able to get that fixed.  Sorry, I never would have thought to do the netstat command.  So you taught me that :)
0
 

Author Closing Comment

by:Nathan Vanderwyst
ID: 41821345
I found the actual solution myself.
0
