Showing posts from October, 2010

CryptographicException Error Connecting SharePoint 2007 and ADFS 2.0 Using Domain App Pool User with SharePoint

When attempting to connect ADFS 2.0 and SharePoint 2007, most of the documentation assumes you are using the NetworkService account to run the application pools for the SharePoint content web applications. In a real-world environment, though, a domain user is probably running the app pools.

Tech Specs:

SharePoint Version: 2007
ADFS Version: 2.0
Server OS: 2008R2

ADFS URL: https://lab-adfs.defenseready.local/
SharePoint 2007 URL: https://ext.defenseready.local/
SharePoint App Pool User: defenseready\spapppool

What Happens:

How to diagnose:
In order to diagnose we will need to update the web.config for the SharePoint site.

When we repeat the steps earlier and try to access the site we can now see the full error.

How to Resolve:

In order to give the application pool the correct rights to load the certificates, we need to update the application pool settings. Specifically, we need to set the Load User Profile setting to True.

After you have updated this restart II…

Clean Up IIS and Active Directory After ADFS 2.0 Uninstall

The following is taken from the following KB article: I have had to do this so many times that I found it easier to post it here :)

The Active Directory Federation Services 2.0 (AD FS 2.0) uninstallation wizard uninstalls AD FS 2.0 from your computer. However, you may still have to manually restore or clean up settings in either of the following situations:

- When you uninstall AD FS 2.0 from a federation server or federation server proxy computer, the uninstall wizard does not restore IIS to its original state.
- When you uninstall AD FS 2.0 from the last added federation server in a federation server farm, the uninstall process does not delete the certificate sharing container that was created in Active Directory.

Restore IIS on a federation server or federation server proxy computer

When AD FS 2.0 is installed on a computer that is configured for the federation server or federation server proxy role, it will create the /adfs and /adfs/ls virtual di…

Display ADFS 2.0 Forms Authentication Login Page Instead of Windows Authentication Prompt

After installing ADFS 2.0 for SharePoint, a Windows login prompt was shown when the SharePoint site forwarded to the ADFS server, instead of the ADFS Forms Authentication login screen.

No matter what account I tried to use here I would eventually receive a 401 Not Authorized error.

The reason for this is that the ADFS website tries to use Windows Authentication before trying Forms authentication, which is what displays the login page shown below.

To fix this, do the following on the ADFS server:

1. Open IIS and choose Explore under Default Website\adfs\ls.

2. Open the web.config file with Notepad and look for the localAuthenticationTypes section.

3. Move the line for Forms above the line for Integrated and save the web.config file. This will force the ADFS application to try the Login Page authentication before trying Windows Authentication.

Install XPS Viewer for Windows Server 2008R2

If you need to install the XPS Viewer on Windows Server 2008R2, just follow these directions.

1. Open the Server Manager for the computer.
2. Click on Add Features.
3. Scroll down to the XPS Viewer selection and click the check box.
4. Click the Install button.
5. After the installation has completed, click the Close button.