Channel: Directory integration services - Recent Threads

ADFS Proxy refuses to run on different port than 443


Hi,

I'm currently setting up a test environment with Exchange 365, on one external IP address. Using 2008 R2 with the latest adfs 2.0 and rollup patch, downloaded from MS on July 1st.

I can get everything to work when using the standard port 443 for adfs and the adfs proxy. Because I also want to install Exchange in hybrid mode (and try not to use TMG), I want to run ADFS on port 444, which seems to work with the adfs server, but not with the adfs proxy.

1st, I change the cert binding in IIS, so that it runs on port 444 for both adfs and adfs proxy.

Then I run the config wizard. On the adfs server there is no issue: I get event log 100 and can open the *.xml file via a browser on port 444: https://<adfs.server>:444/FederationMetadata/2007-06/FederationMetadata.xml

On the adfs proxy, this does not work.

When I start the wizard, and do [test connection], I get an error:


"The specified Federation service could not be reached. The federation metadata endpoint may be disabled. Verify that the Federation Service Name is correct and that the federation metadata endpoint is enabled, and try again."

When I run a "netstat -n" during the test, then I see that the adfs proxy is trying to connect to the adfs server via port 443 (and not port 444, as set in the binding in IIS), causing the error!

C:\Users\Administrator>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.13:49167     192.168.1.12:443       SYN_SENT

It seems to me that the wizard has port 443 hardcoded, which can't be changed (it seems to completely ignore the binding settings in IIS).

In the adfs proxy config wizard, it will not accept the federation server name <servername>:444

So I found an MS article explaining how to change the port to 444 after installing everything on port 443. This doesn't work correctly either. http://technet.microsoft.com/en-us/library/dd807067.aspx

1st, I changed the port binding back to 443 on both servers and ran the wizards on both adfs and adfs proxy. Everything works perfectly (event 100 on the adfs server, access to the xml works via browser and I get event 198 on the adfs proxy server).

Now I change the IIS bindings back to port 444 on both servers.

Based on the article, I now run some commands on the adfs proxy and adfs server.

I start powershell via start -> Administrative tools -> Windows Powershell Modules and enter the following commands on the adfs server:

Set-ADFSProperties -HttpsPort 444

netsh http del urlacl https://+:443/adfs/fs/federationserverservice.asmx/

netsh http del urlacl https://+:443/FederationMetadata/2007-06/ 

netsh http del urlacl https://+:443/adfs/services/

netsh http del urlacl https://+:444/adfs/fs/federationserverservice.asmx/

netsh http del urlacl https://+:444/FederationMetadata/2007-06/ 

netsh http del urlacl https://+:444/adfs/services/

netsh http add urlacl https://+:444/adfs/fs/federationserverservice.asmx/ user="NT SERVICE\adfssrv"

netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\adfssrv"

netsh http add urlacl https://+:444/adfs/services/ user="NT SERVICE\adfssrv"

net stop adfssrv

net start adfssrv


Then I run the commands on the adfs proxy server:

Set-ADFSProxyProperties -HttpsPort 444

netsh http del urlacl https://+:443/adfs/fs/federationserverservice.asmx/

netsh http del urlacl https://+:443/FederationMetadata/2007-06/

netsh http del urlacl https://+:443/adfs/services/

netsh http del urlacl https://+:444/adfs/fs/federationserverservice.asmx/

netsh http del urlacl https://+:444/FederationMetadata/2007-06/

netsh http del urlacl https://+:444/adfs/services/

netsh http add urlacl https://+:444/adfs/fs/federationserverservice.asmx/ user="NT SERVICE\adfssrv"

netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user="NT SERVICE\adfssrv"

netsh http add urlacl https://+:444/adfs/services/ user="NT SERVICE\adfssrv"

net stop adfssrv

net start adfssrv

Before I ran these commands, I checked the output on both the adfs and adfs proxy servers with "netsh http show urlacl". Based on the output, I e.g. changed the service to "adfssrv" versus the service explained in the article.

Output from the adfs proxy:

 Reserved URL            : https://+:443/adfs/services/
     User: NT SERVICE\adfssrv
         Listen: Yes
         Delegate: Yes
         SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

 Reserved URL            : https://+:443/FederationMetadata/2007-06/
     User: NT SERVICE\adfssrv
         Listen: Yes
         Delegate: Yes
         SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

 Reserved URL            : https://+:443/adfs/fs/federationserverservice.asmx/
     User: NT SERVICE\adfssrv
         Listen: Yes
         Delegate: Yes
         SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)

After the services were restarted, I checked the event logs; at first it all looks OK.

On the adfs server: all OK (event 100).

On the adfs proxy, I first get an error event 248, then an event 198 where all is OK (???):

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          13.07.2013 14:44:18
Event ID:      248
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      49adfsp
Description:
The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at adfs.4manns.de. The error message is 'Could not connect to https://adfs.4manns.de:444/adfs/services/proxytrustpolicystoretransfer. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.1.12:444. '.

User Action
Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>248</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="7/13/2013T12:44:18.529954700Z" />
    <EventRecordID>6</EventRecordID>
    <Correlation />
    <Execution ProcessID="1088" ThreadID="1496" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>49adfsp</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>adfs.4manns.de</Data>
        <Data>Could not connect to https://adfs.4manns.de:444/adfs/services/proxytrustpolicystoretransfer. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.1.12:444. </Data>
      </EventData>
    </Event>
  </UserData>
</Event>

After this, event 198 on the proxy server reads like this, where all seems to be OK (after the error event 248):

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          13.07.2013 14:44:18
Event ID:      198
Task Category: None
Level:         Information
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      49adfsp
Description:
The federation server proxy started successfully. The following proxy listeners have been added:

https://+:444/FederationMetadata/2007-06/
http://+:80/adfs/services/trust/
https://+:444/adfs/services/trust/

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>198</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="7/13/2013T12:44:18.592354900Z" />
    <EventRecordID>7</EventRecordID>
    <Correlation />
    <Execution ProcessID="1088" ThreadID="1496" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>49adfsp</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>
https://+:444/FederationMetadata/2007-06/
http://+:80/adfs/services/trust/
https://+:444/adfs/services/trust/
</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

What is wrong?

All seems to be OK.

Netstat -n shows a connection via port 444 between the ADFS and adfs proxy servers (after adding a rule in the firewall for port 444).

I fixed the federation trust by running the "Update-MsolFederatedDomain -domainname:4manns.de" command.

All seems to be ok (until I run the exchange connection test)

PS C:\Users\administrator.TEST>  Get-MsolFederationProperty -domain 4manns.de


Source                          : ADFS Server
ActiveClientSignInUrl           :
https://adfs.4manns.de:444/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName    : adfs.4manns.de
FederationServiceIdentifier     :
http://adfs.4manns.de/adfs/services/trust
FederationMetadataUrl           :
https://adfs.4manns.de:444/adfs/services/trust/mex
PassiveClientSignInUrl          :
https://adfs.4manns.de:444/adfs/ls/
PassiveClientSignOutUrl         :
https://adfs.4manns.de:444/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - adfs.4manns.de

                                  [Issuer]
                                    CN=ADFS Signing - adfs.4manns.de

                                  [Serial Number]
                                    369F1A529ADDA99C4B4D8AE434327057

                                  [Not Before]
                                    13.07.2013 14:36:57

                                  [Not After]
                                    13.07.2014 14:36:57

                                  [Thumbprint]
                                    207DF3FA7DF5C39163B03B41B482B94911A5D3FC

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol :

Source                          : Microsoft Office 365
ActiveClientSignInUrl           :
https://adfs.4manns.de:444/adfs/services/trust/2005/usernamemixed
FederationServiceDisplayName    : adfs.4manns.de
FederationServiceIdentifier     :
http://adfs.4manns.de/adfs/services/trust
FederationMetadataUrl           :
https://adfs.4manns.de:444/adfs/services/trust/mex
PassiveClientSignInUrl          :
https://adfs.4manns.de:444/adfs/ls/
PassiveClientSignOutUrl         :
https://adfs.4manns.de:444/adfs/ls/
TokenSigningCertificate         : [Subject]
                                    CN=ADFS Signing - adfs.4manns.de

                                  [Issuer]
                                    CN=ADFS Signing - adfs.4manns.de

                                  [Serial Number]
                                    369F1A529ADDA99C4B4D8AE434327057

                                  [Not Before]
                                    13.07.2013 14:36:57

                                  [Not After]
                                    13.07.2014 14:36:57

                                  [Thumbprint]
                                    207DF3FA7DF5C39163B03B41B482B94911A5D3FC

NextTokenSigningCertificate     :
PreferredAuthenticationProtocol : WsFed

I go to https://www.testexchangeconnectivity.com/ and run the single sign-on test, which then throws an error:

Testing TCP port 443 on host adfs.4manns.de to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response. 
  A network error occurred while communicating with the remote host. 

This is all strange.

Ports 443 and 444 are open on my external firewall.

I know someone who was able to get it to work on a different port.

What do I need to do so that ADFS will run on port 444?

Or is this maybe not possible by design (although the MS article exists, explaining how to change the port)?

Justin.
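The port-change steps from the post above, consolidated into one script as an added example. This is not code from the original post, from the TechNet article or from Microsoft. The cmdlets it calls (Set-ADFSProperties, Set-ADFSProxyProperties, netsh http urlacl) and the NT SERVICE\adfssrv account are the ones the post itself uses; the parameter names, the Test-TcpPort helper and the adfs.example.invalid host name are assumptions chosen for this example. It also automates the two checks the post does by hand: it reads "netsh http show urlacl" to confirm each prefix is reserved on the new port and no longer on the old one, and on the proxy it does a TCP connect to the federation server on the new port, which is the condition the post's event 248 (TCP error 10060) reports when a firewall is in the way.

```powershell
# Added example: move an AD FS 2.0 federation server (or, with -Proxy, a
# federation server proxy) from HTTPS port 443 to 444 following the steps in
# the post, then verify the result. Not code from the post or from Microsoft;
# the parameter names, Test-TcpPort and the host name are assumptions.
param(
    [int]$OldPort = 443,
    [int]$NewPort = 444,
    [switch]$Proxy,                                    # run on the proxy
    [string]$FederationServer = 'adfs.example.invalid' # placeholder name
)

# AD FS 2.0 ships its cmdlets as a snap-in (already loaded in the
# "Windows PowerShell Modules" console the post uses).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# URL prefixes AD FS 2.0 reserves in HTTP.SYS (the three shown in the post's
# "netsh http show urlacl" output) and the account that must own them.
$prefixes = @('/adfs/fs/federationserverservice.asmx/',
              '/FederationMetadata/2007-06/',
              '/adfs/services/')
$account  = 'NT SERVICE\adfssrv'

# TCP connect with a timeout (helper assumed for this example). A failure
# here on the proxy is the same condition the post's event 248 reports.
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. Tell AD FS (or the proxy) which port it should listen on.
if ($Proxy) { Set-ADFSProxyProperties -HttpsPort $NewPort }
else        { Set-ADFSProperties      -HttpsPort $NewPort }

# 2. Replace the HTTP.SYS reservations. Deleting a reservation that does not
#    exist simply fails, which is fine, so that output is discarded.
foreach ($p in $prefixes) {
    foreach ($port in @($OldPort, $NewPort)) {
        & netsh http delete urlacl url="https://+:$port$p" 2>&1 | Out-Null
    }
    # Note the space between the URL and user=; the post's proxy commands lost it.
    $out = & netsh http add urlacl url="https://+:$NewPort$p" user="$account" 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh add urlacl failed for $p : $out" }
}

# 3. Restart the service so it rebinds its listeners (the post's net stop/start).
Restart-Service adfssrv

# 4. Verify the reservations: each prefix on the new port, none left on the old.
$acls = (& netsh http show urlacl) -join "`n"
foreach ($p in $prefixes) {
    if ($acls -notmatch [regex]::Escape("https://+:$NewPort$p")) {
        Write-Warning "missing reservation for https://+:$NewPort$p"
    }
    if ($acls -match [regex]::Escape("https://+:$OldPort$p")) {
        Write-Warning "stale reservation still present for https://+:$OldPort$p"
    }
}

# 5. On the proxy, confirm the federation server answers on the new port
#    before running the proxy configuration wizard again.
if ($Proxy) {
    if (Test-TcpPort $FederationServer $NewPort) {
        Write-Host "$FederationServer answers on TCP $NewPort"
    } else {
        Write-Warning "$FederationServer does not answer on TCP $NewPort; check the firewall (cf. event 248)"
    }
}
```

Run it once on the federation server without -Proxy and once on the proxy with -Proxy and -FederationServer set to the federation service name. The verification step is the part worth keeping even if the port change is done by hand: a leftover reservation on the old port or a blocked new port is exactly what produces the silent 443 fallback and the event 248 timeout seen in the post.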

 

