Sunday, February 26, 2017

Windows 2012 R2 ADFS 3.0 federated with Office 365: SMTP does not work (authentication error). Mac native mail client does not work. Skype for Business on Windows 7 does not work.

Since we disabled TLS 1.0 on our ADFS Windows 2012 R2 server, the SMTP client has not worked.

And the exception is also not clear: it is all about an authentication error!

So if you have the same issue, please check the server TLS settings.

Thursday, February 16, 2017

Confluence SAML single sign-on internal error

Our Confluence server uses the SAML plugin below for federated authentication with ADFS.

https://github.com/bitium/confluence-saml-plugin

After our administrators changed the Confluence server host name, we had trouble with federated authentication. ADFS raised no exception; Confluence threw "SAML internal error".


The issue was:

The new Confluence server internally marks itself as using an explicit address like:

https://confluence.domain.com:443/

So the SAML endpoint on the configuration page is: https://confluence.domain.com:443/plugins/servlet/saml/auth

The configuration page shows no relying party identifier; we got it from the ADFS exception: "https://confluence.domain.com/confluenceSaml"

But the saml-plugin expects the accepted issuer to be "https://confluence.domain.com:443/confluenceSaml".


So here is the trick:

For a relying party trust in ADFS, if the identifier is in URL format, ADFS treats the addresses "https://confluence.domain.com:443/confluenceSaml" and "https://confluence.domain.com/confluenceSaml" as the same. But in the SAML plugin, these two are not the same!

ADFS 3.0 federated to Office 365 exception "may be proxy server error"

We just tried to migrate our Office 365 federated domain from ADFS server A to ADFS server B.
Reading the documentation, it should be very simple, following the steps below.

  • Open the Windows Azure Active Directory Module for Windows PowerShell (right-click and Run As Administrator).
  • Set the credential variable:
            $cred = Get-Credential
    Enter a Global Administrator account from Office 365. I have a dedicated tenant (@domain.onmicrosoft.com) service account set up for AD FS and Directory Synchronization.
  • Connect to Microsoft Online Services with the credential variable set previously, then convert the domain (currently federated to server A) back to standard:
            Connect-MsolService -Credential $cred
            Convert-MsolDomainToStandard -DomainName domain_name.com
  • Set the MSOL ADFS context server to the new ADFS server:
            Set-MsolADFSContext -Computer adfs_servername.domain_name.com
  • Convert the domain to a federated domain:
            Convert-MsolDomainToFederated -DomainName domain_name.com
  • Verify federation:
            Get-MsolFederationProperty -DomainName domain_name.com


We had some issues:

1: Connect-MsolService throws the exception "may be proxy server error".
       The cause is that we already had ADFS configured behind a load balancer with equal weights. The fix is to turn off load balancing, or to set the primary ADFS server as primary.

2: SSL exception. The TLS 1.1 client was disabled on the server. Enable the TLS 1.1 and TLS 1.2 SSL client.

3: Everything looked good, but the federation server did not get the redirect.
       Check the certificate, grant the permission to the service account, and redo all the steps.

4: Cannot connect to the ADFS server; remote PowerShell may not be enabled on the ADFS server.
   To set up Windows PowerShell for remoting, type the following command, and then press Enter:
            Enable-PSRemoting -Force
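As an added example (not from the original posts), this script shows how to check the server TLS settings that the first post and issue 2 above point to: it reads the SCHANNEL protocol keys for each protocol's Client and Server role and reports the effective state, then shows which protocols this PowerShell session's .NET client will offer. It assumes it is run on the ADFS server and that an absent key or value means the OS default applies.

```powershell
# Added example, not from the original posts: report the SCHANNEL TLS protocol state.
# On Windows Server 2012 R2 an absent key/value means the OS default (TLS 1.0-1.2 enabled).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-TlsProtocolState {
    param([string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($proto in $Protocols) {
        foreach ($role in 'Client', 'Server') {
            $key = Join-Path (Join-Path $base $proto) $role
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled                   # DWORD; 0 disables the protocol
                $disabledByDefault = $props.DisabledByDefault  # DWORD; 1 disables it by default
            }
            # Effective state: an explicit Enabled=0 or DisabledByDefault=1 turns the protocol off;
            # no key at all leaves the OS default in place.
            $state = if ($enabled -eq 0 -or $disabledByDefault -eq 1) { 'Disabled' }
                     elseif ($null -eq $enabled -and $null -eq $disabledByDefault) { 'OS default' }
                     else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $proto
                Role              = $role
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                Effective         = $state
            }
        }
    }
}

Get-TlsProtocolState | Format-Table -AutoSize

# Client side of the MSOnline cmdlets: the protocols this PowerShell session's .NET stack offers.
"Session .NET SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

A row such as "TLS 1.1 / Client / Disabled" matches issue 2 above; the corresponding fix is to set Enabled to 1 and DisabledByDefault to 0 under that Client subkey and restart the server.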