eastms asked:
ADFS 3.0 503 errors for metadata

So, I'm trying to set up Shibboleth on a Windows 2012 server to work with our ADFS 3.0 server. This was working over the past year until recently. I figured it was the recently renewed certificates for signing/decryption, so I stood up a new Shibboleth server, since the previous one was 'temporary', and the new server is also throwing 500 service errors.

Looking through the Shibboleth native logs I spot this:
ERROR Shibboleth.ISAPI [4080] isapi_shib: Unable to locate metadata for identity provider (http://adfs.mydomain.com/adfs/services/trust)

So I browse to "http://adfs.mydomain.com/adfs/services/trust" in Chrome and receive a 503 error.

Pretty sure this worked in the past or none of my other RPs would work. Is this related to the new certs, and what's the solution? I haven't seen much for ADFS 3.0 out there to help guide me.

Thanks in advance!!!
Shreedhar Ette:

Please share the output of get-adfsproperties.
eastms (asker):

Here you go, thanks.

AcceptableIdentifiers                      : {}
AddProxyAuthorizationRules                 : exists([Type == 
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value 
                                             == "S-1-5-32-544", Issuer =~ "^AD AUTHORITY$"]) => issue(Type = 
                                             "http://schemas.microsoft.com/authorization/claims/permit", Value = 
                                             "true"); 
                                             			c:[Type == 
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", 
                                             Issuer =~ "^AD AUTHORITY$" ]
                                             					   => issue(store="_ProxyCredentialStore",types=("http://schemas.micr
                                             osoft.com/authorization/claims/permit"),query="isProxyTrustManagerSid({0})
                                             ", param=c.Value );
                                             			c:[Type == 
                                             "http://schemas.microsoft.com/ws/2008/06/identity/claims/proxytrustid", 
                                             Issuer =~ "^SELF AUTHORITY$" ]
                                             					   => issue(store="_ProxyCredentialStore",types=("http://schemas.micr
                                             osoft.com/authorization/claims/permit"),query="isProxyTrustProvisioned({0}
                                             )", param=c.Value );
ArtifactDbConnection                       : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial 
                                             Catalog=AdfsArtifactStore;Integrated Security=True
AuthenticationContextOrder                 : {urn:oasis:names:tc:SAML:2.0:ac:classes:Password, 
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport, 
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient, 
                                             urn:oasis:names:tc:SAML:2.0:ac:classes:X509...}
AuditLevel                                 : {Basic}
AutoCertificateRollover                    : True
CertificateCriticalThreshold               : 2
CertificateDuration                        : 365
CertificateGenerationThreshold             : 20
CertificatePromotionThreshold              : 5
CertificateRolloverInterval                : 720
CertificateSharingContainer                : CN=8d8ceba7-a1e9-4043-89d8-66c7e2b303d7,CN=ADFS,CN=Microsoft,CN=Program 
                                             Data,DC=mydomain,DC=com
CertificateThresholdMultiplier             : 1440
ClientCertRevocationCheck                  : None
ContactPerson                              : Microsoft.IdentityServer.Management.Resources.ContactPerson
DisplayName                                : mydomain Authentication
IntranetUseLocalClaimsProvider             : False
ExtendedProtectionTokenCheck               : None
FarmRoles                                  : Microsoft.IdentityServer.PolicyModel.Configuration.FarmRolesConfiguration
FederationPassiveAddress                   : /adfs/ls/
HostName                                   : adfs.mydomain.com
HttpPort                                   : 80
HttpsPort                                  : 443
TlsClientPort                              : 49443
Identifier                                 : http://adfs.mydomain.com/adfs/services/trust
IdTokenIssuer                              : https://adfs.mydomain.com/adfs
InstalledLanguage                          : en-US
LogLevel                                   : {Errors, FailureAudits, Information, Verbose...}
MonitoringInterval                         : 1440
NetTcpPort                                 : 1501
NtlmOnlySupportedClientAtProxy             : False
OrganizationInfo                           : 
PreventTokenReplays                        : False
ProxyTrustTokenLifetime                    : 21600
ReplayCacheExpirationInterval              : 60
SignedSamlRequestsRequired                 : False
SamlMessageDeliveryWindow                  : 5
SignSamlAuthnRequests                      : False
SsoLifetime                                : 480
PersistentSsoLifetimeMins                  : 129600
KmsiLifetimeMins                           : 1440
PersistentSsoEnabled                       : True
PersistentSsoCutoffTime                    : 1/1/0001 12:00:00 AM
KmsiEnabled                                : False
LoopDetectionEnabled                       : True
LoopDetectionTimeIntervalInSeconds         : 20
LoopDetectionMaximumTokensIssuedInInterval : 5
PasswordValidationDelayInMinutes           : 60
SendClientRequestIdAsQueryStringParameter  : False
WIASupportedUserAgents                     : {MSIE 6.0, MSIE 7.0, MSIE 8.0, MSIE 9.0...}
BrowserSsoSupportedUserAgents              : {Windows NT 1, Windows Phone 1}
ExtranetLockoutThreshold                   : 8
ExtranetLockoutMode                        : ADFSSmartLockoutEnforce
BannedIpList                               : {}
ExtranetLockoutEnabled                     : True
ExtranetObservationWindow                  : 00:30:00
GlobalRelyingPartyClaimsIssuancePolicy     : c:[Type == "http://schemas.microsoft.com/2012/01/devicecontext/claims/isre
                                             gistereduser"] => issue(claim = c);c:[Type == 
                                             "http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier"] 
                                             => issue(claim = c);
ExtranetLockoutRequirePDC                  : True
LocalAuthenticationTypesEnabled            : True
RelayStateForIdpInitiatedSignOnEnabled     : True
BrowserSsoEnabled                          : True
DelegateServiceAdministration              : 
AllowSystemServiceAdministration           : False
AllowLocalAdminsServiceAdministration      : True
CurrentFarmBehavior                        : 3
DeviceUsageWindowInDays                    : 14
EnableIdpInitiatedSignonPage               : True
IgnoreTokenBinding                         : False
EnableOauthLogout                          : True
EnableOauthDeviceFlow                      : False
PromptLoginFederation                      : FallbackToProtocolSpecificParameters
PromptLoginFallbackAuthenticationType      : urn:oasis:names:tc:SAML:1.0:am:password

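The following is an added troubleshooting example; it is not part of the original thread and not code posted by eastms or Shreedhar Ette. Two facts frame it: the value in the Shibboleth error, http://adfs.mydomain.com/adfs/services/trust, is the ADFS Identifier shown in the Get-AdfsProperties output above, i.e. the SAML entityID, which is a name rather than a page ADFS serves, so a browser response at that URL says nothing about the metadata endpoint; and ADFS publishes its federation metadata at /FederationMetadata/2007-06/FederationMetadata.xml on the federation service host. Shibboleth logs "Unable to locate metadata for identity provider (entityID)" when its MetadataProvider holds no entity with that ID, which happens when the download fails, a configured metadata filter (signature or validity) rejects the document, or the entityID in the document differs from the one the SP expects. The script below fetches the document (from any box that can reach the farm, such as the SP host), checks the entityID against the Identifier, lists the signing certificates the farm is publishing with their expiry, and, when run on a farm node with the ADFS module, reports the state of the metadata endpoint and the current token-signing certificates so the two can be compared after a rollover. It assumes the host name and Identifier from the posted output and the standard metadata path; adjust them for another farm.

```powershell
# Added example, not from the original thread. Assumed values taken from the
# Get-AdfsProperties output in the thread; change them for a different farm.
$adfsHost       = 'adfs.mydomain.com'
$expectedEntity = "http://$adfsHost/adfs/services/trust"   # ADFS Identifier = entityID (a name, not a URL to browse)
$metadataUrl    = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

function Test-FederationMetadata {
    param([string]$Url, [string]$ExpectedEntityId)

    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    } catch {
        # A 503/404 here means the path is not being served (by the farm, or by the
        # WAP in front of it); that is a different failure from a rejected certificate.
        Write-Warning "GET $Url failed: $($_.Exception.Message)"
        return
    }
    [xml]$md = $resp.Content

    # ADFS metadata uses the SAML metadata namespace for the document and
    # XML-DSig for the embedded certificates, so query with explicit prefixes.
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entityId = $md.DocumentElement.GetAttribute('entityID')

    # Signing certs advertised for the IdP role: these are what the SP will
    # trust for SAML responses once it has refreshed metadata.
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate'
    $certs = foreach ($n in $md.SelectNodes($xpath, $ns)) {
        $bytes = [Convert]::FromBase64String($n.InnerText)   # FromBase64String ignores whitespace
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        [pscustomobject]@{ Thumbprint = $c.Thumbprint; Subject = $c.Subject; NotAfter = $c.NotAfter }
    }

    [pscustomobject]@{
        Url           = $Url
        EntityId      = $entityId
        EntityIdMatch = ($entityId -eq $ExpectedEntityId)   # Shibboleth looks entities up by this string
        SigningCerts  = $certs
    }
}

$result = Test-FederationMetadata -Url $metadataUrl -ExpectedEntityId $expectedEntity
$result | Select-Object Url, EntityId, EntityIdMatch | Format-List
$result.SigningCerts | Format-Table -AutoSize

# --- Farm node only (ADFS PowerShell module present) ---
if (Get-Command Get-AdfsEndpoint -ErrorAction SilentlyContinue) {
    # Is the metadata endpoint enabled, and is it published through the proxy?
    # 'Proxy' only matters when the SP reaches ADFS via a Web Application Proxy.
    $ep = Get-AdfsEndpoint -AddressPath '/FederationMetadata/2007-06/FederationMetadata.xml'
    $ep | Select-Object AddressPath, Enabled, Proxy | Format-List
    # Remediation if it has been switched off (the AD FS service needs a restart afterwards):
    #   Enable-AdfsEndpoint -TargetAddressPath $ep.AddressPath
    #   Set-AdfsEndpoint    -TargetAddressPath $ep.AddressPath -Proxy $true

    # Current token-signing certs on the farm. With AutoCertificateRollover = True
    # (as in the posted output) the primary changes on rollover; compare these
    # thumbprints with the ones the metadata fetch printed and with what the SP
    # has cached, since a stale SP copy will keep trusting the retired key.
    Get-AdfsCertificate -CertificateType Token-Signing |
        Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }} |
        Format-Table -AutoSize
}
```

Run the first part from the Shibboleth host itself so the fetch goes through the same network path (and any proxy) the SP uses; if it succeeds and the entityID matches but Shibboleth still logs the error, the next place to look is the SP's MetadataProvider configuration and its cached backing file rather than the ADFS farm.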

eastms (asker):

I've been sorting through logs, and the first errors I can find about the metadata being inaccessible were a couple of days after enabling extranet lockout.
eastms (asker):

I just made a post at TechNet; to avoid double posting, see here, it may be a little easier to understand:

https://social.technet.microsoft.com/Forums/en-US/76a019dc-8695-4329-8aac-3c31bb99860a/adfs-2016-error-404-503?forum=ADFS
ASKER CERTIFIED SOLUTION
eastms
