Active Federation for ADFS Proxy 2.0


I'm trying to set up active federation for ADFS Proxy 2.0. Passive federation works fine (and therefore I expect that I have configured the ADFS proxy correctly), but when I use active federation, I get the following exception: "The HTTP request was forbidden with client authentication scheme 'Anonymous'".

I'm using the following code:

using System;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;            // WIF 3.5 namespaces, assumed from the ADFS 2.0 setup
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Requests a bearer token for relyingPartyIdentifier from the proxy's WS-Trust 1.3 usernamemixed endpoint.
static SecurityToken RequestToken(string username, string password, string relyingPartyIdentifier)
{
    // Username credential inside the message, HTTPS on the transport (with Digest as the HTTP client credential type).
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential,
                                   HttpClientCredentialType.Digest),
        "https://adfs-proxy/adfs/services/trust/13/usernamemixed");

    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;
    factory.Credentials.HttpDigest.AllowedImpersonationLevel =
        TokenImpersonationLevel.Impersonation;
    factory.TrustVersion = TrustVersion.WSTrust13;

    // RST/Issue for a bearer token scoped to the relying party.
    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointAddress(relyingPartyIdentifier),
        KeyType = KeyTypes.Bearer
    };

    var channel = factory.CreateChannel();
    return channel.Issue(rst);
}

Fiddler displays the following response (I get the same error without Fiddler as well):

HTTP/1.1 403 Forbidden  
Transfer-Encoding: chunked  
Server: Microsoft-HTTPAPI/2.0  
Date: Mon, 01 Jun 2015 13:06:16 GMT  

0

There is the following message in the ADFS trace log:

WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource https://adfs-proxy:443/adfs/services/trust/13/usernamemixed/.

If I change the URL to point to the original ADFS server, not the proxy, the code above works fine (sending the same request to ADFS).

The /adfs/services/trust/13/usernamemixed endpoint is allowed in the ADFS server for the proxy.

I have also found out that when I access the following link pointing to the ADFS proxy server:

https://adfs-proxy/federationmetadata/2007-06/federationmetadata.xml

I get a 403 Forbidden response as well. I see the same message in the ADFS trace log:

WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource https://adfs-proxy:443/FEDERATIONMETADATA/2007-06/FEDERATIONMETADATA.XML.

Wireshark shows me that there is no network request from ADFS proxy to main ADFS server.

If I specify the original ADFS server (not the proxy) for this link, everything is fine, the correct XML is returned. Actually, for the ADFS proxy I get 403 Forbidden for any request to the following listeners (if I hit them in IE) regardless of whether they are allowed for the ADFS proxy or not:

https://+:443/FederationMetadata/2007-06/   
http://+:80/adfs/services/trust/   
https://+:443/adfs/services/trust/   

I tried running the ADFS Proxy service under various accounts, including Network Service and local administrator.

How can I get rid of this error and set up Active Federation for ADFS Proxy?

There is 1 answer

user4932

For what it's worth, I've been dealing with this issue since last night.

In particular, this error: WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource https://adfs-proxy:443/FEDERATIONMETADATA/2007-06/FEDERATIONMETADATA.XML.

I would receive a 403 when trying to pull the federationmetadata.xml from the federation proxy server.

I also received this error message: The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at [adfs_server_name]. The error message is 'Error reading the C:\Program Files\Active Directory Federation Services 2.0\PT directory.'.

I modified the security settings for this C:\Program Files\Active Directory Federation Services 2.0\PT folder and gave full access to it for the user that has "Log On As" permissions for the "ADFS 2.0 Windows Service" service on the federation proxy.

At this point, I was able to pull the federation metadata successfully via https://sso.proxy.fdqn.com/federationmetadata/2007-06/federationmetadata.xml
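The fix described in this answer, as an added example that is not part of the original answer or of ADFS itself: run in an elevated PowerShell on the federation server proxy, it reads the log-on account of the ADFS 2.0 Windows Service, grants that account Full Control on the PT folder, restarts the service, and then checks the proxy's federation metadata and usernamemixed URLs for the 403 from the question. Assumptions: the service name adfssrv (display name "AD FS 2.0 Windows Service"), the default PT path quoted in the error message, and the proxy host name are placeholders for your environment.

```powershell
# Added example, not code from the answer. Assumed names: adjust for your environment.
$ServiceName = 'adfssrv'        # assumed ADFS 2.0 service name
$PtFolder    = 'C:\Program Files\Active Directory Federation Services 2.0\PT'
$ProxyHost   = 'adfs-proxy'

function Grant-ProxyPtAccess {
    param([string]$ServiceName, [string]$Folder)
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found" }
    if (-not (Test-Path -LiteralPath $Folder)) { throw "Folder '$Folder' does not exist" }

    # The account shown under "Log On As" in the service properties.
    $account = $svc.StartName
    if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }   # icacls needs the real principal name
    Write-Host "Service '$($svc.DisplayName)' runs as $account"

    # (OI)(CI)F = Full Control, inherited by files and subfolders, as the answer describes.
    & icacls $Folder /grant "${account}:(OI)(CI)F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Restart so the proxy retries pulling the endpoint list from the federation service.
    Restart-Service -Name $ServiceName
    return $account
}

function Test-ProxyUrl {
    param([string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
        return [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw                       # DNS or TLS failure, not an HTTP status
    }
}

Grant-ProxyPtAccess -ServiceName $ServiceName -Folder $PtFolder | Out-Null
Start-Sleep -Seconds 15             # give the proxy time to fetch the endpoint list

foreach ($url in "https://$ProxyHost/federationmetadata/2007-06/federationmetadata.xml",
                 "https://$ProxyHost/adfs/services/trust/13/usernamemixed") {
    $code = Test-ProxyUrl -Url $url
    $verdict = if ($code -eq 403) { 'still rejected by WSTrustProxyListener' }
               else               { 'listener accepts the request' }
    '{0,-3} {1}  ({2})' -f $code, $url, $verdict
}
```

A 200 on the federationmetadata.xml URL is the success signal the answer describes; the usernamemixed URL is a SOAP endpoint, so a plain GET to it will not return a token, but it should no longer return the bare 403 once the proxy has loaded its endpoint list.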