Solved

Windows Server 2012 R2 ADFS Login Page Formatting Missing

Posted on 2016-09-24
Last Modified: 2016-09-29
I don't know why but for some reason the ADFS login page has lost all its formatting.  Users can still enter credentials and authenticate but the page is just plain text with two text boxes for credentials.  I only ran across one solution in Google but it is for a CRM install and doesn't seem applicable to my situation.  Can someone help with this issue please?  I have attached an image of what it looks like now and an example of what it is supposed to look like.

ADFS Login Page No Formatting Image
What ADFS Formatting is Supposed To Look Like
Question by:Nathan Vanderwyst
16 Comments
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813880
Hello,

Have you tried restarting the IIS service?  It seems like a CSS style is unable to load.  If you have the Firefox web browser available, you can install the web developer add-in and check to see which CSS file is failing to load.
 

Author Comment

by:Nathan Vanderwyst
ID: 41813890
Already tried to restart IIS and also bounced the whole server.  No joy.
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813903
OK thanks for the update.  After further reading, it appears the ADFS login for Server 2012 R2 no longer uses IIS.  So it has its own http.sys controller.

I am referencing this article for the steps below.

The screenshot indicates that is the default theme so try exporting it with PowerShell:
Export-AdfsWebTheme -Name default -DirectoryPath c:\custom-theme

Create a new theme:
New-AdfsWebTheme -Name "custom-theme" -SourceName default

In the exported theme folder from above, check the style.css and style.rtl.css files to see if there is actually information there and not just blank.

Then configure the styles to the custom theme:
Set-AdfsWebTheme -TargetName "custom-theme" -StyleSheet @{Locale="";path="C:\custom-theme\css\style.css"} -RTLStyleSheetPath "C:\custom-theme\css\style.rtl.css"

Reapply the JavaScript Onload file:
Set-AdfsWebTheme -TargetName "custom-theme" -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\custom-theme\script\onload.js"}

Then lastly, set the new custom theme as the active theme:
Set-AdfsWebConfig -ActiveThemeName "custom-theme"
 

Author Comment

by:Nathan Vanderwyst
ID: 41813922
Thank you for providing a way to customize my ADFS page, but that isn't what I'm looking for.  In fact, I don't know if uploading a custom page will even fix the problem and that is something I shouldn't have to do anyway.  BUT, I used your advice above about Firefox and Web Developer Add-In and I see that the CSS sheet is getting an HTTP Error 503.  Does that help provide any additional ideas?
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813929
Ok no problem, I was just thinking along the lines of if we exported the theme and reimported it, that might fix the issue if there was some sort of fault with the original theme.

HTTP error 503 means the service is unavailable typically due to overload or maintenance mode.  So the next step would be to take a look at the http.sys error log which I believe is located at:
%windir%\System32\LogFiles\HTTPERR
 

Author Comment

by:Nathan Vanderwyst
ID: 41813945
Well, in %windir%\System32\LogFiles\HTTPERR, I can see a bunch of 503 errors like this:

 HTTPERR.txt
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41813963
OK can you try Event Viewer.  Open that up and look in the application log for ADFS or ASP related warnings or errors to see if there is any insight there.

The N/A after the 503 error entry can mean one of the following:

- IIS cannot start any new worker processes because of limited system resources or because starting a new worker process would exceed the DemandStartThreshold property.

- Bandwidth throttling is enabled, but the filter addition fails.

- The control channel or internal configuration group for the URL is inactive.

- The send for a request that was serviced from the cache failed (typically under low memory conditions).
 

Author Comment

by:Nathan Vanderwyst
ID: 41814007
Looking at the ADFS log files I can see that for some reason on 9/15 I started getting a 102 Event ID (pasted below). Not sure if you have experience with this type of issue:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/ because TCP port 49443 is being used by another application. ---> System.Net.HttpListenerException: The process cannot access the file because it is being used by another process
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
 

Author Comment

by:Nathan Vanderwyst
ID: 41814008
I then finally see an Event ID 364 with the below with the CSS path in it:

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/css/style.css to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41814015
I'm afraid that one is beyond me.  It sounds like it may be a separate issue.

The only other thing I can think of is to restore a prior version of http.sys.  When did the web page last look correct?  You can try using shadow copy to restore a prior working http.sys to that point in time.  Before trying below, make sure you have a current good backup.

First, navigate to C:\Windows\system32\drivers and right-click on http.sys and choose Restore previous versions.  If there is a version available that predates the last working login screen, then copy that version to the desktop.

Next, stop the IIS and ADFS services.  Rename the current http.sys to http.old.  Then copy the http.sys from desktop to the drivers folder and then restart the services.

Does that fix the issue?
 
LVL 17

Assisted Solution

by:bigeven2002
bigeven2002 earned 500 total points
ID: 41814020
Another thing I found is this from here:

Go to the ADFS Management Console and clicking on the Authentication Policies folder on the tree view on the left.  Then, under Actions on the right, click on Edit Global Primary Authentication Policy.  Set the Intranet Authentication Method to Forms Authentication (by default it is set to Windows Authentication).
 

Author Comment

by:Nathan Vanderwyst
ID: 41814021
Thanks but the http.sys file has remained unchanged since OS install this past spring.
 

Accepted Solution

by:
Nathan Vanderwyst earned 0 total points
ID: 41814069
Wow, while your help didn't directly fix the problem, you gave me enough resources and suggestions to find and fix the issue.  It turns out that running "netstat -a -n -o | findstr :49443" returned the service occupying the same port.  It was the "Windows Server Essentials Storage Service". I then rebooted to see what would happen and a different service took the port before ADFS.  The second time it was Windows Server Essentials Email Service.  I then stopped it, then restarted ADFS and then started the Windows Server Essentials Email Service and all is well.

Looks like there has been some update to the Windows Server Essential services that is taking the port that didn't before.  I am not running an Essentials OS but I did install the feature for other reasons.  I'm glad it is working correctly again.  Thank you for your assistance.
 

Author Comment

by:Nathan Vanderwyst
ID: 41814071
Just to be clear these are the steps I performed to resolve the issue:

      1) run this in PS to find app/serv using port 49443
            netstat -a -n -o | findstr :49443
      2) stop or kill app/serv occupying port by using PID value from netstat to identify
      3) restart ADFS
      4) turn other service back on
0
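The four steps above as one PowerShell function, added here as an example and not part of the original thread. It assumes the default AD FS service name (adfssrv) and the AD FS/Admin event log, and goes slightly beyond the post by handling the case where the listener is http.sys (PID 4) or a process that is not a service.

```powershell
# Added example, not from the thread. Assumes the default AD FS service name
# (adfssrv) and the AD FS/Admin event log; run from an elevated prompt.
function Resolve-AdfsPortConflict {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Port = 49443)   # port named in the Event ID 102 message

    # Step 1: same data as "netstat -a -n -o | findstr :49443", as objects.
    $owners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique)
    if ($owners.Count -eq 0) {
        Write-Warning "Nothing is listening on TCP $Port; the conflict is not present right now."
        return
    }

    $toRestart = @()
    foreach ($ownerId in $owners) {
        if ($ownerId -eq 4) {
            # PID 4 is the System process: the listener is http.sys itself, so
            # there is no user-mode process to stop for this entry.
            Write-Output "TCP $Port is held by http.sys (PID 4); see 'netsh http show servicestate'."
            continue
        }
        # Map the PID to the Windows services hosted in that process.
        $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $ownerId")
        if ($services.Count -eq 0) {
            $name = (Get-Process -Id $ownerId).ProcessName
            Write-Warning "PID $ownerId ($name) is not a service; close it manually."
            continue
        }
        foreach ($svc in $services) {
            Write-Output "TCP $Port is held by '$($svc.DisplayName)' (PID $ownerId)."
            $toRestart += $svc.Name
        }
    }
    if ($toRestart.Count -eq 0) { return }

    $started = Get-Date
    $toRestart | ForEach-Object { Stop-Service -Name $_ -Force }   # step 2
    Restart-Service -Name adfssrv                                   # step 3
    $toRestart | ForEach-Object { Start-Service -Name $_ }         # step 4

    # A fresh Event ID 102 after the restart means AD FS still lost the port.
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 102; StartTime = $started } `
        -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

Resolve-AdfsPortConflict -WhatIf   # preview only; drop -WhatIf to apply
```

The sequence depends on service start order, so the same conflict can return after a reboot; rerun the check if the login page loses its styling again.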
 
LVL 17

Expert Comment

by:bigeven2002
ID: 41814158
Ok great!  Glad you were able to get that fixed.  Sorry I never would have thought to do the net stat command.  So you taught me that :)
 

Author Closing Comment

by:Nathan Vanderwyst
ID: 41821345
I found the actual solution myself.
