I'm trying to make ADFS 3.0 work behind my NGINX proxy in order to federate my local AD with my Office 365 accounts. All seems to be working fine, but some questions remain unanswered:

1- There is an article (https://technet.microsoft.com/it-it/library/hh852618(v=ws.10).aspx) explaining what the behavior of a third-party ADFS proxy should be on ADFS 2.0, but I can't find the same for ADFS 3.0. In particular, that article says: "The MEX information is distinct for the extranet. To accommodate this, all external requests to the URL /adfs/services/trust/mex MUST be rerouted to /adfs/services/trust/proxymex on the back-end STS." Is this still true on ADFS 3.0? My nginx configuration is the following; is it enough?
    # Back-end ADFS servers (both are internal domain controllers running ADFS)
    upstream adfsup {
        server mydc03.mydomain.local:443;
        server mydc01.mydomain.local:443;
        keepalive 100;
    }

    server {
        listen 443;
        server_name adfs.mypubdomain.it;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/adfs.mypubdomain.it/cert.pem;
        #ssl_certificate /ssl/adfs_mypubdomain_it.pem;
        ssl_certificate_key /etc/letsencrypt/live/adfs.mypubdomain.it/privkey.pem;
        #ssl_certificate_key /ssl/adfs_mypubdomain_it.key;

        location / {
            proxy_pass https://adfsup; # my existing apache instance
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-MS-Proxy mypubrp0v;
            proxy_http_version 1.1;
            #proxy_next_upstream error timeout invalid_header http_500 http_503;
            proxy_next_upstream error timeout invalid_header http_503;
            proxy_connect_timeout 2;
        }
    }
2- In the nginx log I can see a lot of 500 errors: "POST /adfs/services/trust/2005/usernamemixed HTTP/1.1" 500 1025 "-" "-" "-", and on the ADFS machine, in the event log, they correspond to event ID 342:
    Token validation failed.

    Additional Data

    Token Type:
    http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

    Error message:
    myuser@mydomain.it-The user name or password is incorrect

    Exception details:
    System.IdentityModel.Tokens.SecurityTokenValidationException: myuser@mydomain.it ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
I can reproduce this error by supplying a wrong password in the RCA test (https://www.testconnectivity.microsoft.com/?testid=SingleSignOn), but I think it is not normal that a wrong password throws an exception. BTW, all my users seem to be fine and logon through ADFS is working. Does anyone have an idea of how I can correct this situation?

Thanks,
Lorenzo
For any third-party system to act as the proxy for ADFS 2012 R2 (a.k.a. ADFS 3.0) for extranet access, it has to support the MS-ADFSPIP protocol. It only needs to implement the authentication sections, not the web application publishing sections.

ADFS 2012 R2 requirements: https://technet.microsoft.com/en-us/library/dn554247.aspx#BKMK_extranet

MS-ADFSPIP protocol: http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-ADFSPIP].pdf