Comments for Rhys Goodwin's Weblog http://blog.rhysgoodwin.com I AM the system administrator. Who do I call? Mon, 20 Feb 2012 14:07:17 +0000 hourly 1 http://wordpress.org/?v=3.2.1 Comment on SAML WebSSO & Federation Made Easy by Oliver Wulff http://blog.rhysgoodwin.com/security/saml-websso-federation-made-easy/#comment-3077 Oliver Wulff Mon, 20 Feb 2012 14:07:17 +0000 http://blog.rhysgoodwin.com/?p=1126#comment-3077 Hi there I'm wondering what you think about the WS-Federation passive requestor profile (browser). The benefit I see is the re-use of the WS-Trust semantic and the decoupling to a specific SAML protocol version. Instead of a samlp:response you get the RSTR of the WS-Trust STS. An additional benefit is the re-use of the STS for Web Services communication. Attribute based access control can be achieved by the Claims dialect standardized by WS-Trust and WS-Federation. What do you think? Hi there
I’m wondering what you think about the WS-Federation passive requestor profile (browser). The benefit I see is the re-use of the WS-Trust semantic and the decoupling to a specific SAML protocol version.
Instead of a samlp:response you get the RSTR of the WS-Trust STS. An additional benefit is the re-use of the STS for Web Services communication. Attribute based access control can be achieved by the Claims dialect standardized by WS-Trust and WS-Federation.
What do you think?

]]> Comment on ADFS 2.0 in Forest Trust Environment by RhysGoodwin http://blog.rhysgoodwin.com/windows-admin/adfs-2-0-in-a-forest-trust-environment/#comment-3073 RhysGoodwin Fri, 03 Feb 2012 10:23:50 +0000 http://blog.rhysgoodwin.com/?p=1236#comment-3073 Hi Kjell, When you say "use an incorrect username/password" - are you using forms based authentication or is the browser prompting for a username/password? Have you done the Kerberos config and are there any firewalls between the adfs server and the domain controllers in in the worker domain? Cheers, Rhys Hi Kjell, When you say “use an incorrect username/password” – are you using forms based authentication or is the browser prompting for a username/password? Have you done the Kerberos config and are there any firewalls between the adfs server and the domain controllers in in the worker domain?

Cheers,
Rhys

]]> Comment on ADFS 2.0 in Forest Trust Environment by Kjell http://blog.rhysgoodwin.com/windows-admin/adfs-2-0-in-a-forest-trust-environment/#comment-3070 Kjell Tue, 31 Jan 2012 09:41:10 +0000 http://blog.rhysgoodwin.com/?p=1236#comment-3070 Nice blog! I have encountered a problem in an scenario not much different from this one. AD1.worker.local One way trust AD1.student.local I have an ADFS installed on the student side, and user.student.local can log in to the services without any problems. But user.worker.local can not logon. The fun part is that some traffic is going trough, If I use an incorrect password for user.worker.local it notices that the password is incorrect. But if I use an correct password I get an error. "The FA encountered an error during an attempt to connect to a LDAP server at worker.local." "Event 111, AD FS 2.0 The FA Service encountered an error while processing the WS-Trust request" Keep up the good work. Nice blog! I have encountered a problem in an scenario not much different from this one.

AD1.worker.local
One way trust
AD1.student.local

I have an ADFS installed on the student side, and user.student.local can log in to the services without any problems. But user.worker.local can not logon. The fun part is that some traffic is going trough, If I use an incorrect password for user.worker.local it notices that the password is incorrect. But if I use an correct password I get an error.

“The FA encountered an error during an attempt to connect to a LDAP server at worker.local.”

“Event 111, AD FS 2.0
The FA Service encountered an error while processing the WS-Trust request”

Keep up the good work.

]]> Comment on Print Server Power Control Hack by Milan http://blog.rhysgoodwin.com/hardware/print-server-power-control-hack/#comment-2726 Milan Mon, 26 Dec 2011 00:02:37 +0000 http://blog.rhysgoodwin.com/?p=94#comment-2726 hi, i've been cracking my brain about the setting the "1.3.6.1.4.1.11.2.4.3.13.4.0" value to 2 with an SMTP tool and I just can't figure it out :( Could someone help me with this part, step by step. (from a Windows machine). Thanks in advance. By the way: great job on the application. cheers, milan hi,
i’ve been cracking my brain about the setting the “1.3.6.1.4.1.11.2.4.3.13.4.0″ value to 2 with an SMTP tool and I just can’t figure it out :( Could someone help me with this part, step by step. (from a Windows machine). Thanks in advance.

By the way: great job on the application.

cheers,
milan

]]> Comment on FindPrivateKey.exe (Pre-Compiled) by ConfigMgr Mixed Mode – Certificate Store, Export-Import Certificates, Private Key Files and Folder Details « Anoop's http://blog.rhysgoodwin.com/windows-admin/findprivatekey-exe-pre-compiled/#comment-2661 ConfigMgr Mixed Mode – Certificate Store, Export-Import Certificates, Private Key Files and Folder Details « Anoop's Wed, 21 Dec 2011 18:20:21 +0000 http://blog.rhysgoodwin.com/?p=1237#comment-2661 [...] Download FindPrivateKey.exe HERE [...] [...] Download FindPrivateKey.exe HERE [...]

]]> Comment on FindPrivateKey.exe (Pre-Compiled) by ConfigMgr Mixed Mode – Certificate Store, Export-Import Certificates, Private Key Files and Folder Details http://blog.rhysgoodwin.com/windows-admin/findprivatekey-exe-pre-compiled/#comment-2660 ConfigMgr Mixed Mode – Certificate Store, Export-Import Certificates, Private Key Files and Folder Details Wed, 21 Dec 2011 18:16:14 +0000 http://blog.rhysgoodwin.com/?p=1237#comment-2660 [...] Download FindPrivateKey.exe HERE [...] [...] Download FindPrivateKey.exe HERE [...]

]]> Comment on SalesForce SSO with ADFS 2.0 – Everything you need to Know by RhysGoodwin http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/#comment-2373 RhysGoodwin Tue, 13 Dec 2011 22:32:48 +0000 http://blog.rhysgoodwin.com/?p=1135#comment-2373 Hi Pradeep, Having the same username and password between orgs won't help. You have ADFS 2.0 / SSO working for org1 and now you want it to work for org2 as well. Correct? You've got several different issues here and some more which you'll discover once you solve these ones I'm sorry to say. One major problem is that ADFS 2.0 won't let you have more than one relying party with the same signing certificate which means you won't be able to have org1 and org2 set up separately with 2 separate idpinitiated urls. Only way around this that I know of is to have a separate ADFS 2.0 servers. You need to understand then and configure the kerberos SPNs. Have a look at this post for starters: http://blog.rhysgoodwin.com/windows-admin/active-directory-and-kerberos-spns-made-easy/ You need to understand IE zones and configure them via GPO if you want IE to play nicely. Have a look at this post: http://blog.rhysgoodwin.com/windows-admin/ie-gpo-zone-templates-and-the-open-file-security-warning/ Know that integrated login between IE and the ADFS server won't happen seamlessly if the ADFS server isn't part of the local intranet zone. I still don't know much about your environment. After all this I suspect that what you really need is not ADFS 2.0 but to use org1 as an Idp for org2. I don't have any experience with this but I know it's possible. Cheers, Rhys Hi Pradeep,
Having the same username and password between orgs won’t help.

You have ADFS 2.0 / SSO working for org1 and now you want it to work for org2 as well. Correct?

You’ve got several different issues here and some more which you’ll discover once you solve these ones I’m sorry to say.

One major problem is that ADFS 2.0 won’t let you have more than one relying party with the same signing certificate which means you won’t be able to have org1 and org2 set up separately with 2 separate idpinitiated urls. Only way around this that I know of is to have a separate ADFS 2.0 servers.

You need to understand then and configure the kerberos SPNs. Have a look at this post for starters:
http://blog.rhysgoodwin.com/windows-admin/active-directory-and-kerberos-spns-made-easy/

You need to understand IE zones and configure them via GPO if you want IE to play nicely.
Have a look at this post:
http://blog.rhysgoodwin.com/windows-admin/ie-gpo-zone-templates-and-the-open-file-security-warning/

Know that integrated login between IE and the ADFS server won’t happen seamlessly if the ADFS server isn’t part of the local intranet zone.

I still don’t know much about your environment.

After all this I suspect that what you really need is not ADFS 2.0 but to use org1 as an Idp for org2. I don’t have any experience with this but I know it’s possible.

Cheers,
Rhys

]]> Comment on SalesForce SSO with ADFS 2.0 – Everything you need to Know by RhysGoodwin http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/#comment-2368 RhysGoodwin Tue, 13 Dec 2011 20:55:20 +0000 http://blog.rhysgoodwin.com/?p=1135#comment-2368 Hi Tim, from memory I tested this and had it confirmed by SalesForce at the time. so I think this must be a new development. Thanks for pointing it out. I've updated the post. We actually ended up implementing our own JIT provisioning solution. Users first hit an in-house app that checks if they already have an account and if they don't it will create one for them using the SFDC API. The reason we did this is because we needed to take the user through a few steps to make sure that the details we had for them were correct before we created an account for them. Also email is an mandatory field for creating accounts but we don't have email addresses for all our users in AD so this method allows us to gather that information from the user. Cheers, Rhys Hi Tim, from memory I tested this and had it confirmed by SalesForce at the time. so I think this must be a new development. Thanks for pointing it out. I’ve updated the post.

We actually ended up implementing our own JIT provisioning solution. Users first hit an in-house app that checks if they already have an account and if they don’t it will create one for them using the SFDC API. The reason we did this is because we needed to take the user through a few steps to make sure that the details we had for them were correct before we created an account for them. Also email is an mandatory field for creating accounts but we don’t have email addresses for all our users in AD so this method allows us to gather that information from the user.

Cheers,
Rhys

]]> Comment on SalesForce SSO with ADFS 2.0 – Everything you need to Know by Pradeep Kumar http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/#comment-2355 Pradeep Kumar Tue, 13 Dec 2011 13:58:54 +0000 http://blog.rhysgoodwin.com/?p=1135#comment-2355 Hi Rhys, Thanks for the reply. My actual requirement Org1 should have a link .By click on that link Org2's sites should open a new window and the Org1's standard user should logged in on org2's sites.Because Org1's user have the same username as it in Org2's user object field like identifier. I have used your blog to do ADFS server to Org2's Sites. But ADFS Server and Org2's sites takes authentication when we click on link in Org1. I used domain name of Org2 as a link in Org1. ADFS server ask for the Username and password first time only. I want ADFS server and Sites should not ask for the Login as Org1's Username same with Org2's User Identifier Field. Can I use ADFS Server proxy for Forms Authentication on ADFS Server ? I used Org2 is metadata File in Relying party trust. What types of settings i should done? I did not do anything kerberos configuration. Please suggest me the best way to do this. Thanks in advance Pradeep kumar Hi Rhys,
Thanks for the reply.
My actual requirement Org1 should have a link .By click on that link Org2′s sites should open a new window and the Org1′s standard user should logged in on org2′s sites.Because Org1′s user have the same username as it in Org2′s user object field like identifier.
I have used your blog to do ADFS server to Org2′s Sites.
But ADFS Server and Org2′s sites takes authentication when we click on link in Org1. I used domain name of Org2 as a link in Org1. ADFS server ask for the Username and password first time only.
I want ADFS server and Sites should not ask for the Login as Org1′s Username same with Org2′s User Identifier Field.
Can I use ADFS Server proxy for Forms Authentication on ADFS Server ?
I used Org2 is metadata File in Relying party trust.
What types of settings i should done?
I did not do anything kerberos configuration.
Please suggest me the best way to do this.
Thanks in advance
Pradeep kumar

]]> Comment on SalesForce SSO with ADFS 2.0 – Everything you need to Know by RhysGoodwin http://blog.rhysgoodwin.com/cloud/salesforce-sso-with-adfs-2-0-everything-you-need-to-know/#comment-2332 RhysGoodwin Mon, 12 Dec 2011 23:50:32 +0000 http://blog.rhysgoodwin.com/?p=1135#comment-2332 Hi Pradeep, are you using ADFS 2.0 for the SSO on to org1? I have a feeling that you're not going to be able to do what you need using ADFS 2.0. If you are using internet explorer you shouldn't be prompted ADFS for a username/password. There are a number of things that could cause this. Have you done kerberos configuration? Also the ADFS server needs to be classified in the local intranet zone to send your credentials. All of this about sending your domain credentials using Kerberos NOT send a username and password which was entered at a salesforce login page. I might be able to give you more advice but you'd need to give me more of an overview of your environment. Cheers, Rhys Hi Pradeep, are you using ADFS 2.0 for the SSO on to org1? I have a feeling that you’re not going to be able to do what you need using ADFS 2.0.

If you are using internet explorer you shouldn’t be prompted ADFS for a username/password. There are a number of things that could cause this. Have you done kerberos configuration?

Also the ADFS server needs to be classified in the local intranet zone to send your credentials. All of this about sending your domain credentials using Kerberos NOT send a username and password which was entered at a salesforce login page. I might be able to give you more advice but you’d need to give me more of an overview of your environment.

Cheers,
Rhys

]]>