Friday, September 30, 2011

ADFS 2.0 WS-Federation

Just heard from a MS support engineer yesterday,
ADFS 2.0 does not support WS-federation as Idp-Initiated SSO. It has to be SP-Initiated SSO. However it supports SAML 2.0 in both modes.

Tuesday, September 27, 2011

SharePoint 2010 - Upgrade required


Installed SharePoint binaries on a new server . Ran Sharepoint configuration wizard to join server to existing farm. All goes well and no errors are reported. Admin navigates to central admin -> System settings -> Manage servers in farm. Red message that says "Upgrade required" on the recently added server.

Execute this command on the server,

PSConfig.exe -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures


Monday, September 26, 2011

Could not find Feature DataConnectionLibrary

Scenario: Trying to export/import a subsite from a SharePoint 2007 environment with enterprise features, (e.g. Data connection library) to a farm with standard license.


I have added my comments here,

Saturday, September 24, 2011

MediaTomb PS3

PS3 does not detect mediatomb hosted on ubuntu desktop even though we followed the manual here,

1. Make sure mediatomb is started correctly on ubuntu. For e.g. a sample command is "mediatomb -e wlan0" to start media tomb using wireless lan network interface.

2. Browse to the url provided in terminal and share content.

3. Make sure firestarter ( is installed and policy is added to allow inbound traffic from PS3 IP address.

4. Open PS3, under Video -> Search for media servers.

Friday, September 23, 2011

ADFS 2.0 Debugging / Tracing

Environment with customized idp login pages. ADFS redirects to Error page with a reference number. The reference number is not the be see in event viewer.


1. Which log to check ? Cannot find messages in EventViewer - Application.
Refer this link for solution:

"Open the Event Viewer. Navigate to 'Applications and Services Logs' -> 'AD FS 2.0' -> Admin. In the 'View' menu, using 'Add/Remove Columns...', add the 'Correlation Id' column. Look up the reference number 'c14bcf7c-268d-46be-82c3-7c1d873c3df2' in the 'Correlation Id' column.

(In some specific cases you get a 'Reference number' but no event in the AD FS 2.0 event log. In my experience that is mostly when customizing the sign-in pages.)"

2. Enable tracing

Excellent article to enable tracing for ADFS 2.0

Much more detailed:

The steps in the above article should help configure tracing of ADFS and enable logging to event viewer. It still does not show up anything because of customized login pages.

3. Right click on Error page and check source. Nothing. Sometimes MS loves putting the stack trace in there.

4. Fiddler to the rescue:

    a. Navigate to the inetpub (inetpub\..\ad\ls\) folder where the Error.aspx page can be found.
    b. There is just one method in there, Add   "HttpContext.Current.Response.Write(Exception.ToString())"
    c. This should present the exact stack trace.
    d. Use the same idea for the pages that were edited, e.g. idp login page and trace it using Respose.Write.
    e. If it still does not work, and it still redirects to Error page and the response.write on Error page provide a very generic message, then use fiddler and read the response of each page during the transaction and you will see the error on the pages.
(Make sure to decrypt https requests using fiddler cert.)

Thursday, September 22, 2011

ADFS Idp Initiated SSO - RelayState

AD FS 2.0 does not support specifying the RelayState in the case of IdP-initiated request. (The support for RelayState is limited to echoing back in SP-initiated requests.) The relying party must identify the target resource in its configuration.

To pass RelayState in ADFS 2.0, there is a non-supported workaround which requires some custom code (for additional information, please refer to the discussions HOW CAN I SPECIFY THE TARGET URL DIRECTLY IN THE SAML REQUEST AND HAVE AD FS 2.0 AUTOMATICALLY REDIRECT?[1] and SPECIFY RELAYSTATE URL[2].

The workaround requires two critical tweaks in the Sign-In Pages:

1. Edit the Global.asx.cs file, and add, after line 22 (HttpResponse response = HttpContext.Current.Response;) the following code:
if ( !String.IsNullOrEmpty( request.Params["SAMLResponse"] )
!String.IsNullOrEmpty( request.Params["SAMLart"] ) )
if ( !String.IsNullOrEmpty( request.Params["RelayState"] ) )
HttpCookie cookie = new HttpCookie( "rs", request.Params["RelayState"] );
cookie.Expires = DateTime.UtcNow.AddMinutes( 10 );
Response.Cookies.Add( cookie );
It basically looks for SAMLResponse/SAMLart with a RelayState, and then “stuff” the RelayState in a cookie.

1. Edit the page IdpInitiatedSignOn.aspx.cs by adding after line 56 (string rpIdentity = Context.Request.QueryString [RpIdentityQueryParameter]) the following code:

HttpCookie cookie = Context.Request.Cookies.Get( "rs" );
if ( null != cookie && !String.IsNullOrEmpty( cookie.Value ) )
rpIdentity = cookie.Value;
cookie.Expires = DateTime.UtcNow.AddDays( -1 );
cookie.Value = "";
Context.Response.Cookies.Add( cookie );

// If the query string specified a certain relying party, sign in to that relying party.
if ( !String.IsNullOrEmpty( rpIdentity ) )
string decodedIdentity = Server.UrlDecode( rpIdentity );
if ( decodedIdentity == IdpAsRpIdentifier )
decodedIdentity = String.Empty;

// If app is not in list of known RPs, assume it is a WS-Federation app and redirect to it.

bool found = false;
foreach( DataRow row in RelyingParties.Rows )
if ( row[0] == rpIdentity )
found = true;

if ( found )
SignIn( rpIdentity, new SignOnRequestParameters() );
// TODO: Fill in your own trusted WS-Federation app URLs below.
if ( rpIdentity == ""
rpIdentity == "" )
Response.Redirect( rpIdentity );
It basically extracts that cookie and uses it to start an IdP initiated sign on.

Moreover, if the RelayState doesn’t map on to a known SAML 2.0-based relying party, there is a place in the code to enter a list of known WS-Federation URIs to have AD FS 2.0 redirect to.

For 90% of cases (including SharePoint 2007/2010 and, more generally, WIF 1.0-based applications), this will kick off an SP-initiated sign in and “it just works”.

Tuesday, September 20, 2011

ADFS - SAML 2.0 for Idp Initiated SSO

Scenario: My first experience setting up an ADFS environment to enable federation between ADFS and PingFederate. This is strictly Idp Initiated SSO scenario, where ADFS is the Idp.

1. Send federation xml to relying party / SP (PingFederate user). This should include SSL certificate information and chain certificate information.
2. Receive xml from relying party
3. Extract certificate information from xml and save as .cert file. (This is done by extracting text content from relying party xml between the tags,
4. Store .cert file in AD or local server Trusted Root certificate store
5. Create a relying party connection in ADFS by uploading relying party xml from step 2.
6. Edit and setup claim rules, for e.g. map employee ID from AD (i.e. LDAP) to Name ID claim type.
7. Load certificate from relying party into relying party encryption configuration in ADFS.

*These steps should ideally be enough to setup the federation. The client needs to have his application point to Idp ADFS. The Url would look something like this,

where RPIdentityName is the name of the Relying Party Identifier name.

Troubleshooting tips:
1. Many a time security is an issue. Hence we need to run some powershell scripts to disable encryption.
e.g. Set-ADFSRelyingPartyTrust

2. Use Fiddler to track SAML traffic,

Critical Issue:


"AD FS 2.0 does not support the declaration of a Target or RelayState parameter when it acts as the IdP during IdP-initiated SSO. Therefore, successful use of the third link (IdP-initiated SSO)—which does not state the target application explicitly—requires the SP to use the Default URL feature in PingFederate (which is already configured in this lab). The setting is available on the Main Menu under My SP Configuration\Application Integration Settings\Default URLs."

In our situation, the relying party had PingFederate and had a dummy url as its default url which was causing issues during federation.

Solution: (Read right to the end) ADFS and RelayState issues

Update (9/23/2011):

None of the above code options worked for us since our RelyingParty is PingFederate.

This final solution which should work in this scenario is to a SP-Initiated SSO as mentioned in this link, 
and confimed by MSFT here,

Visual Studio 2010 Ultimate - Performance Testing

Scenario: Installed Visual Studio 2010 Ultimate and Visual Studio Agents 2010 to prepare a Load test environment for web performance testing. Installed controller and agent and configured them. Open Visual Studio 2010 Ultimate and navigated to Test -> Manage Controllers. Next to Controller you get the message "Local No Controller".

Type the FQDN of the current machine and hit enter.

Monday, September 19, 2011

Site Collection Deleted - Get Database Name

Scenario: Site collection admin deletes root web from a site collection, thereby deleting the entire site collection. Now they want it restored. If you have clearly documented mapping between site collection and content db (assuming you have large number of content db's) you can easily restore the content db and get the site collection restored.

Solution: For all those who do not have it documented. SharePoint config db has a table called "SiteMap" which store site collection to database mapping.

1. Do a SQL backup/restore of SharePoint config database from a time before the deletion occurred. (Remember this is just a SQL restore not SharePoint)

2. Check the dbo.SiteMap table for database information.

Friday, September 16, 2011

IIS Blank - Cannot find sites

When you open IIS Server Manager to browse SharePoint web sites you get a blank screen. When you try to connect to local host, you get the message, "Path specified cannot be used at this time"

Stop SharePoint Timer service
Stop WWW Publishing service
Stop SMTP service
Stop HTTP SSL service
Stop IIS Admin service

Start all of the above in the same order.

Permanent fix: 

Tuesday, September 13, 2011

Request for security token failed

Request for security token failed with exception: System.ServiceModel.FaultException: The server was unable to process the request due to an internal error.

Microsoft Project Server 2010
Microsoft SharePoint Server 2010

1. Start "Claims to Windows Token Service " on all servers in the farm.
2. IISRESET on all servers.

Prevent person.aspx redirect from userdisp.aspx

A SharePoint environment is newly built with its dedicated domain controller (DC) and has migrated content from another SP environment with a seperate DC. The migrated content has existing users which needs to be migrated to the new domain. Used stsadm -o migrateuser command to achieve the same. When user clicks on the new converted user name in the site collection user groups page, the user is now redirected to person.aspx rather than userdisp.aspx

This behaviour is expected because,
a. MySite feature is enabled on the farm which embedds a redirectcontrol in the userdispform.aspx page which causes the redirect.
b. The user has a profile in SSP.

We uninstalled the Mysite feature from farm features using stsadm. Remember it is a hidden feature.

Friday, September 9, 2011

Windows Server RDP cannot see local drives

After RDP to a Windows Server, you cannot find your local drives mapped on the remote server. This is annoying especially if you want to copy files over to the server.


Wednesday, September 7, 2011

Find Windows Server last reboot

Scenario: I need to find out when was the last time one of our Windows server rebooted.

1. Open command prompt
2. type "net statistics server"
3. It will display statistics from the last reboot time.