|
dev
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
ADFS and Windows Sharepoint Serviceshave one central datastore (Active Directory) which is in a different domain to the web server. I have gone through the ADFS step-by-step guide and proven that I can authenticate to the adfsresource federation server when I try to access the WSS web server on the adfsweb server when both adfsweb and adfsresource are in the same domain. Both adfsweb and adfsresource are in the same domain (treyresearch.net). I need to prove that the sharepoint accounts can be on a different server that is not in the same domain as the web server. Therefore I have removed adfsweb from the treyresearch.net domain (and restarted) and edited the trust policy on the adfsresource server to allow claims from the WSS application at the url https://adfsweb. I also created certificates to reflect the new name of adfsweb (instead of adfsweb.treyresearch.net). Now, when I browse to https://adfsweb, I am able to successfully authentication via ADFS. I know this because if I enter the credentials correctly, I can reach the WSS application and if I don't enter them correctly I get a IIS 403 error. When I *do* enter the credentails correctly however I also get a WSS error telling me that I don't have access to these Sharepoint resources (in other words, WSS does not recognise the user). It seems that when the federation server is not in the same domain as the web server then I can't log in. But isn't ADFS supposed to allow authentication users located in other domains? Or is my architecture wrong? The architecture that I currently have is as follows: * adfsweb : IIS with adfs web agent (not in any domain) configured as per the step-by-step guide. * adfsresource (this is just the name that the step-by-step guide gave for the server storing the WSS user accounts, but for my purposes this particular federation server is acting more like an account provider): adfs is configured to accept token-based claims from adfsweb (as per the step-by-step guide). adfsresource is also in the treyresearch.net domain. Anybody have any ideas? Many thanks I know for a fact that you can make a number of interesting WSS scenarios
work with ADFS, as we now have users from an ADAM store in our lab account federation server logging in to a sharepoint site that is configured as a resource app in our lab resource federation server. In this case, the sharepoint web server and the resource federation server are in the same domain. We are using the ability of ADFS to map users from an account partner to group claims associated with Windows groups in the resource domain, so we aren't doing any direct user to user mapping here. One thing that I've found helpful is creating a "straight" token-based site for testing that just dumps out the user name and groups from the resulting Windows token for a user so you can see how the Windows auth package is building the token for the user. I've also found it helpful to enable all the logging stuff. There are some tricks for doing this for token based apps documented in the operations section of the ADFS TechNet docs. Joe K. -- Show quoteJoe Kaplan-MS MVP Directory Services Programming Co-author of "The .NET Developer's Guide to Directory Services Programming" http://www.directoryprogramming.net -- "Leighton Corban" <newzealandnewguy@nospam.nospam> wrote in message news:C60311E9-C9FC-49D7-803B-44E5D2BB51F8@microsoft.com... >I need to prove to my boss that ADFS will work well with WSS so that we can > have one central datastore (Active Directory) which is in a different > domain > to the web server. > > I have gone through the ADFS step-by-step guide and proven that I can > authenticate to the adfsresource federation server when I try to access > the > WSS web server on the adfsweb server when both adfsweb and adfsresource > are > in the same domain. > > Both adfsweb and adfsresource are in the same domain (treyresearch.net). I > need to prove that the sharepoint accounts can be on a different server > that > is not in the same domain as the web server. > > Therefore I have removed adfsweb from the treyresearch.net domain (and > restarted) and edited the trust policy on the adfsresource server to allow > claims from the WSS application at the url https://adfsweb. I also created > certificates to reflect the new name of adfsweb (instead of > adfsweb.treyresearch.net). > > Now, when I browse to https://adfsweb, I am able to successfully > authentication via ADFS. I know this because if I enter the credentials > correctly, I can reach the WSS application and if I don't enter them > correctly I get a IIS 403 error. When I *do* enter the credentails > correctly > however I also get a WSS error telling me that I don't have access to > these > Sharepoint resources (in other words, WSS does not recognise the user). > > It seems that when the federation server is not in the same domain as the > web server then I can't log in. But isn't ADFS supposed to allow > authentication users located in other domains? Or is my architecture > wrong? > > The architecture that I currently have is as follows: > > * adfsweb : > > IIS with adfs web agent (not in any domain) configured as per the > step-by-step guide. > > * adfsresource (this is just the name that the step-by-step guide gave for > the server storing the WSS user accounts, but for my purposes this > particular > federation server is acting more like an account provider): > > adfs is configured to accept token-based claims from adfsweb (as per the > step-by-step guide). adfsresource is also in the treyresearch.net domain. > > Anybody have any ideas? > > Many thanks  |
|||||||||||||||||||||||
Other interesting topics