Windows Server 2012 R2 ADFS Login Page Formatting Missing

I don't know why but for some reason the ADFS login page has lost all its formatting.  Users can still enter credentials and authenticate but the page is just plain text with two text boxes for credentials.  I only ran across one solution in Google but it is for a CRM install and doesn't seem applicable to my situation.  Can someone help with this issue please?  I have attached an image of what it looks like now and an example of what it is supposed to look like.

ADFS Login Page No Formatting Image
What ADFS Formatting is Supposed To Look Like
Nathan Vanderwyst Asked:
 
Nathan Vanderwyst Author Commented:
Wow, while your help didn't directly fix the problem, you gave me enough resources and suggestions to find and fix the issue.  It turns out that running "netstat -a -n -o | findstr :49443" returned the service occupying the same port.  It was the "Windows Server Essentials Storage Service", I then rebooted to see what would happen and a different service took the port before ADFS.  The second time it was Windows Server Essentials Email Service.  I then stopped it, then restarted ADFS and then started the Windows Server Essentials Email Service and all is well.

Looks like there has been some update to the Windows Server Essential services that is taking the port that didn't before.  I am not running an Essentials OS but I did install the feature for other reasons.  I'm glad it is working correctly again.  Thank you for your assistance.
0
 
bigeven2002 Commented:
Hello,

Have you tried restarting the IIS service?  It seems like a CSS style is unable to load.  If you have the Firefox web browser available, you can install the web developer add-in and check to see which CSS file is failing to load.
0
 
Nathan Vanderwyst Author Commented:
Already tried to restart IIS and also bounced the whole server.  No joy.
0
 
bigeven2002 Commented:
OK thanks for the update.  After further reading, it appears the ADFS login for Server 2012 R2 no longer uses IIS.  So it has its own http.sys controller.

I am referencing this article for the steps below.

The screenshot indicates that is the default theme so try exporting it with PowerShell:
Export-AdfsWebTheme -Name default -DirectoryPath c:\custom-theme

Create a new theme:
New-AdfsWebTheme -Name "custom-theme" -SourceName default

In the exported theme folder from above, check the style.css and style.rtl.css files to see if there is actually information there and not just blank.

Then configure the styles to the custom theme:
Set-AdfsWebTheme -TargetName "custom-theme" -StyleSheet @{Locale="";path="C:\custom-theme\css\style.css"} -RTLStyleSheetPath "C:\custom-theme\css\style.rtl.css"

Reapply the JavaScript Onload file:
Set-AdfsWebTheme -TargetName "custom-theme" -AdditionalFileResource @{Uri="/adfs/portal/script/onload.js";path="C:\custom-theme\script\onload.js"}

Then lastly, set the new custom theme as the active theme:
Set-AdfsWebConfig -ActiveThemeName "custom-theme"

0
 
Nathan Vanderwyst Author Commented:
Thank you for providing a way to customize my ADFS page, but that isn't what I'm looking for.  In fact, I don't know if uploading a custom page will even fix the problem and that is something I shouldn't have to do anyway.  BUT, I used your advice above about Firefox and Web Developer Add-In and I see that the CSS sheet is getting an HTTP Error 503.  Does that help provide any additional ideas?
0
 
bigeven2002 Commented:
Ok no problem, I was just thinking along the lines of if we exported the theme and reimported it, that might fix the issue if there was some sort of fault with the original theme.

HTTP error 503 means the service is unavailable typically due to overload or maintenance mode.  So the next step would be to take a look at the http.sys error log which I believe is located at:
%windir%\System32\LogFiles\HTTPERR

0
 
Nathan Vanderwyst Author Commented:
Well, in %windir%\System32\LogFiles\HTTPERR, I can see a bunch of 503 errors like this:

 HTTPERR.txt
0
 
bigeven2002 Commented:
OK can you try Event Viewer.  Open that up and look in the application log for ADFS or ASP related warnings or errors to see if there is any insight there.

The N/A after the 503 error entry can mean one of the following:

- IIS cannot start any new worker processes because of limited system resources or because starting a new worker process would exceed the DemandStartThreshold property.

- Bandwidth throttling is enabled, but the filter addition fails.

- The control channel or internal configuration group for the URL is inactive.

- The send for a request that was serviced from the cache failed (typically under low memory conditions).
0
 
Nathan Vanderwyst Author Commented:
Looking at the ADFS log files I can see that for some reason on 9/15 I started getting a 102 Event ID (pasted below), not sure if you have experience with this type of issue:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.AddressAlreadyInUseException: HTTP could not register URL https://+:49443/adfs/services/trust/2005/certificatetransport/ because TCP port 49443 is being used by another application. ---> System.Net.HttpListenerException: The process cannot access the file because it is being used by another process
   at System.Net.HttpListener.AddAllPrefixes()
   at System.Net.HttpListener.Start()
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.SharedHttpTransportManager.OnOpen()
   at System.ServiceModel.Channels.TransportManager.Open(TransportChannelListener channelListener)
   at System.ServiceModel.Channels.TransportManagerContainer.Open(SelectTransportManagersCallback selectTransportManagerCallback)
   at System.ServiceModel.Channels.TransportChannelListener.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.HttpChannelListener`1.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Dispatcher.ChannelDispatcher.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at Microsoft.IdentityServer.ServiceHost.STSService.StartSTSService(ServiceHostManager serviceHostManager, ServiceState serviceState)
0
 
Nathan Vanderwyst Author Commented:
I then finally see an Event ID 364 with the below with the CSS path in it:

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/css/style.css to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
0
 
bigeven2002 Commented:
I'm afraid that one is beyond me.  It sounds like it may be a separate issue.

The only other thing I can think of is to restore a prior version of http.sys.  When did the web page last look correct?  You can try using shadow copy to restore a prior working http.sys to that point in time.  Before trying below, make sure you have a current good backup.

First, navigate to C:\Windows\system32\drivers and right-click on http.sys and choose Restore previous versions.  If there is a version available that predates the last working login screen, then copy that version to the desktop.

Next, stop the IIS and ADFS services.  Rename the current http.sys to http.old.  Then copy the http.sys from desktop to the drivers folder and then restart the services.

Does that fix the issue?
0
 
bigeven2002 Commented:
Another thing I found is this from here:

Go to the ADFS Management Console and click on the Authentication Policies folder on the tree view on the left.  Then, under Actions on the right, click on Edit Global Primary Authentication Policy.  Set the Intranet Authentication Method to Forms Authentication (by default it is set to Windows Authentication).
0
 
Nathan Vanderwyst Author Commented:
Thanks but the http.sys file has remained unchanged since OS install this past spring.
0
 
Nathan Vanderwyst Author Commented:
Just to be clear these are the steps I performed to resolve the issue:

      1) run this in PS to find app/serv using port 49443
            netstat -a -n -o | findstr :49443
      2) stop or kill app/serv occupying port by using PID value from netstat to identify
      3) restart ADFS
      4) turn other service back on
1
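
The four steps above as one PowerShell function, added here as an example and not part of the original post. It assumes an elevated session on the AD FS server and the AD FS service name adfssrv; Repair-AdfsPortConflict is a hypothetical name.

```powershell
# Added example (not from the thread). Assumptions: service name 'adfssrv',
# port 49443 as quoted in the Event ID 102 text.
function Repair-AdfsPortConflict {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Port = 49443, [string]$AdfsService = 'adfssrv')

    # Step 1: find the PID(s) listening on the port (same data as netstat -a -n -o).
    $owners = @(Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty OwningProcess -Unique)
    $stopped = @()
    foreach ($procId in $owners) {
        if ($procId -eq 4) {
            # PID 4 is the System process: the port is held through http.sys,
            # which is also how AD FS listens. Nothing to stop here.
            Write-Warning "TCP $Port is held via http.sys; check 'netsh http show servicestate'."
            continue
        }
        # Step 2: map the PID to the service(s) hosted in that process.
        # A shared svchost.exe can host several services; all of them are listed.
        $services = @(Get-CimInstance Win32_Service -Filter "ProcessId = $procId" |
            Where-Object { $_.Name -ne $AdfsService })
        if (-not $services) {
            Write-Warning "PID $procId is not a service; identify and stop it manually."
            continue
        }
        foreach ($svc in $services) {
            if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop service')) {
                Stop-Service -Name $svc.Name -Force
                $stopped += $svc.Name
            }
        }
    }
    # Step 3: restart AD FS so it can register its endpoints on the freed port.
    if ($PSCmdlet.ShouldProcess($AdfsService, 'Restart service')) {
        Restart-Service -Name $AdfsService
    }
    # Step 4: start the displaced services again once AD FS holds the port.
    foreach ($name in $stopped) { Start-Service -Name $name }
    return $stopped
}
```

Run `Repair-AdfsPortConflict -WhatIf` first to see which services would be stopped before changing anything.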
 
bigeven2002 Commented:
Ok great!  Glad you were able to get that fixed.  Sorry I never would have thought to do the netstat command.  So you taught me that :)
0
 
Nathan Vanderwyst Author Commented:
I found the actual solution myself.
0
Question has a verified solution.