Thursday, June 7, 2012

ADFS 2.0 Default Claims Provider


In a situation where you have multiple Claims Providers, the HomeRealmDiscovery.aspx page may confuse users.


As you can see here I have created a second claims provider called test. Users may not know which one to use.


FIX 1 – Not really a fix so much as a way to reduce this issue.

One way to help with this confusion is to set the persistIdentityProviderInformation element's enabled attribute to true and its lifetimeInDays attribute to something like 30 in the web.config located at C:\inetpub\adfs\ls. Users then only have to select their claims provider once every 30 days.
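The corresponding web.config fragment, added here as an illustration (it is not from the original post). The persistIdentityProviderInformation element lives under the microsoft.identityServer.web section of the ADFS web.config; the other elements of that section are omitted. Note that the remembered choice is stored in a cookie in the user's browser, so it follows the browser rather than the user: on a shared machine a later user may be sent to the provider the previous user picked.

```xml
<!-- C:\inetpub\adfs\ls\web.config (fragment) -->
<microsoft.identityServer.web>
  <!-- ... other ADFS 2.0 settings ... -->
  <!-- Remember the claims provider the user picked on HomeRealmDiscovery.aspx for 30 days -->
  <persistIdentityProviderInformation enabled="true" lifetimeInDays="30" />
</microsoft.identityServer.web>
```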


FIX 2 – Update your web application to allow for WHR parameter

Another way to let users bypass the HomeRealmDiscovery page is to add functionality to your web application that lets the whr parameter determine which claims provider is used when redirecting to ADFS. Again, this code all goes into your web application and requires no additional work on the ADFS website.

Add a reference to Microsoft.IdentityModel in your web application.


If you don't already have a Global.asax file in your web application, add a new item and select Global Application Class.

You will need to add an additional handler to the code behind of the Global.asax file. The RedirectingToIdentityProviderEventArgs type lives in the Microsoft.IdentityModel.Web namespace, so add a using directive for it.


void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
{
    // Pass the whr value from the incoming request on to ADFS as the home realm
    e.SignInRequestMessage.HomeRealm = Request["whr"];
}

What's great is that the Identity Model already knows what to do with this method; there is no more code to write.

Now just add the ?whr=identityID parameter to your application's URL and you will no longer see the HomeRealmDiscovery page but will be taken straight to the selected claims provider.
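The handler above forwards whatever value arrives in whr, and since it reads Request["whr"] it will also accept the value from a form field or cookie. Because anyone who can craft a link to your application can choose that value, a tighter version checks it against the claims provider identifiers you actually configured and reads only the query string. The following is an added example of that (it is not code from the original post); the two identifier strings are placeholders that you replace with the entityID and Claims provider identifier values from your own ADFS server.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax code-behind (added example, not from the original post).
public class Global : HttpApplication
{
    // Allow-list of home realm identifiers this application is willing to send to ADFS.
    // Placeholder values: copy yours from the federation metadata / ADFS 2.0 console.
    // StringComparer.Ordinal because ADFS matches the identifier case-sensitively.
    private static readonly HashSet<string> KnownHomeRealms =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "http://sts.example.com/adfs/services/trust",   // built-in AD claims provider (placeholder)
            "http://test.example.com/adfs/services/trust"   // custom claims provider "test" (placeholder)
        };

    // Returns the identifier to send as whr, or null when the request carries none or an unknown one.
    public static string SelectHomeRealm(string whr)
    {
        if (string.IsNullOrEmpty(whr) || !KnownHomeRealms.Contains(whr))
            return null;
        return whr;
    }

    // WIF wires this up by name: <ModuleName>_<EventName> in Global.asax.
    void WSFederationAuthenticationModule_RedirectingToIdentityProvider(object sender, RedirectingToIdentityProviderEventArgs e)
    {
        // Only the query string, not Request[...] which also searches form, cookies and server variables.
        string realm = SelectHomeRealm(Request.QueryString["whr"]);

        // When realm is null HomeRealm stays unset, no whr is sent, and the user simply gets the
        // normal HomeRealmDiscovery page rather than being steered to a provider we never configured.
        if (realm != null)
        {
            e.SignInRequestMessage.HomeRealm = realm;
        }
    }
}
```

The allow-list doubles as documentation of which providers the application expects, and keeping the comparison ordinal avoids the case-mismatch problem noted in the examples below.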

Let's look at two examples of how to use this. For both of these my web application will be located at:

My STS (ADFS) server will be located at:

EXAMPLE 1: Using the built-in Active Directory Claims Provider

First we will need to get the entityID of our claims provider. To get this we will go to the FederationMetadata on the STS (ADFS) server at the following URL:

NOTE: Depending on your IE Version this page may come up blank.  If you do not see the XML on the page hit the compatibility view button in IE.

The entityID for the default provider is in the first line:


Copy the value of the entityID attribute and add it as the value of the whr parameter in your application URL.

NOTE: Make sure you copy the entityID parameter exactly, case does matter on this one so no mixing upper case and lower case letters.
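If the metadata page renders blank in the browser, reading the entityID programmatically avoids the copy-and-paste step entirely. The following added example (not from the original post) parses a constructed stand-in for the federation metadata document, pulls the entityID from the root EntityDescriptor, and appends it to an application URL as the whr parameter. The host names are placeholders; in practice the XML comes from https://<your sts>/FederationMetadata/2007-06/FederationMetadata.xml.

```csharp
using System;
using System.Xml;

// Added example, not from the original post.
public static class HomeRealmUrl
{
    // Constructed sample: the relevant part of an ADFS 2.0 federation metadata document.
    // Real metadata is much larger (signature, roles, endpoints) but the root element is the same.
    const string SampleMetadata =
        "<EntityDescriptor xmlns=\"urn:oasis:names:tc:SAML:2.0:metadata\" " +
        "ID=\"_sample\" entityID=\"http://sts.example.com/adfs/services/trust\">" +
        "</EntityDescriptor>";

    // Returns the entityID attribute of the root EntityDescriptor element, unchanged:
    // ADFS matches it case-sensitively, so it must not be normalised.
    public static string GetEntityId(string metadataXml)
    {
        var doc = new XmlDocument();
        doc.XmlResolver = null;            // never resolve DTDs / external entities from fetched XML
        doc.LoadXml(metadataXml);

        XmlElement root = doc.DocumentElement;
        if (root == null || root.LocalName != "EntityDescriptor" ||
            root.NamespaceURI != "urn:oasis:names:tc:SAML:2.0:metadata")
            throw new InvalidOperationException("Document is not SAML/WS-Federation metadata");

        string id = root.GetAttribute("entityID");
        if (string.IsNullOrEmpty(id))
            throw new InvalidOperationException("EntityDescriptor has no entityID attribute");
        return id;
    }

    // Appends whr=<identifier> to the application URL. The identifier is itself a URL, so it is
    // percent-encoded to survive the round trip through the query string intact.
    public static string AppendHomeRealm(string appUrl, string entityId)
    {
        string separator = appUrl.Contains("?") ? "&" : "?";
        return appUrl + separator + "whr=" + Uri.EscapeDataString(entityId);
    }

    public static void Main()
    {
        string entityId = GetEntityId(SampleMetadata);
        Console.WriteLine(entityId);
        Console.WriteLine(AppendHomeRealm("https://app.example.com/", entityId));
    }
}
```

The same AppendHomeRealm call works for the custom claims provider in Example 2; there the identifier comes from the ADFS console instead of the metadata document.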

EXAMPLE 2: Using a custom Claims Provider

This one is actually easier than getting the information for the default claims provider since you can access it from the ADFS 2.0 GUI. Open the properties for the Claims Provider Trust you want to access.


On the Identifiers page copy the “Claims provider identifier”


Add that value as the whr parameter in your application URL.

NOTE: Make sure you copy the Claims provider identifier exactly, case does matter on this one so no mixing upper case and lower case letters.


In order to force users to a specific claims provider you can set up an IIS redirect that tags on the whr parameter you want to use. That way, when users browse to it, the whr parameter is added automatically.

Wednesday, June 6, 2012

Limited Access to Program Data folder in AD for ADFS 2.0

If you work in an environment where you have no write access to the 'Program Data' container in AD, you can still install ADFS 2.0, but you will need to use the command prompt.

First, retrieve the certificate thumbprint for the Signing cert and the Decrypt cert. Since this was a test machine I was using the same certificate for both, but in a production environment you will probably have separate certs for each.

To retrieve a certificate's thumbprint

  1. Open the Microsoft Management Console (MMC) snap-in for certificates. (See How to: View Certificates with the MMC Snap-in.)

  2. In the Console Root window's left pane, click Certificates (Local Computer).

  3. Click the Personal folder to expand it.

  4. Click the Certificates folder to expand it.

  5. In the list of certificates, note the Intended Purposes heading. Find a certificate that lists Client Authentication as an intended purpose.

  6. Double-click the certificate.

  7. In the Certificate dialog box, click the Details tab.

  8. Scroll through the list of fields and click Thumbprint.

  9. Copy the hexadecimal characters from the box. If this thumbprint is used in code for the X509FindType, remove the spaces between the hexadecimal numbers. For example, the thumbprint "a9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b" should be specified as "a909502dd82ae41433e6f83886b00d4277a32a7b" in code.
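Copying the thumbprint out of the MMC Details tab has a known pitfall beyond the spaces: the dialog prepends an invisible left-to-right mark (U+200E) to the copied text, which makes FSCONFIG and X509FindType lookups fail with a value that looks correct on screen. The following added example (not from the original post) cleans up a pasted thumbprint, looks the certificate up by thumbprint the way step 9 describes, and lists the store so you can read the thumbprints directly in spaceless form. The pasted sample string is constructed; the store access assumes you run it as an administrator on the ADFS machine.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Added example, not from the original post.
public static class Thumbprints
{
    // Strips spaces and anything that is not a hex digit (including the U+200E mark the MMC
    // dialog inserts) and returns the 40-character form that FSCONFIG and X509FindType expect.
    public static string Normalize(string pasted)
    {
        string hex = Regex.Replace(pasted, "[^0-9A-Fa-f]", "");
        if (hex.Length != 40)   // a SHA-1 thumbprint is 20 bytes
            throw new ArgumentException("Expected 40 hex characters, got " + hex.Length);
        return hex.ToUpperInvariant();
    }

    // Looks up LocalMachine\My (the "Certificates (Local Computer) > Personal" node in MMC)
    // by thumbprint. Returns null if no certificate matches.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so an expired or untrusted certificate is still found;
            // validity is checked separately below.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, Normalize(thumbprint), false);
            return found.Count == 0 ? null : found[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        // Constructed sample of what a paste from the MMC dialog can contain (leading U+200E).
        string pasted = "\u200Ea9 09 50 2d d8 2a e4 14 33 e6 f8 38 86 b0 0d 42 77 a3 2a 7b";
        Console.WriteLine("Cleaned thumbprint: " + Normalize(pasted));

        // List the Personal store. ADFS must sign and decrypt with these certificates, so a
        // candidate without a private key, or one that is expired, is not usable.
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        foreach (X509Certificate2 cert in store.Certificates)
        {
            Console.WriteLine("{0}  private key: {1}  expires: {2:u}  {3}",
                cert.Thumbprint, cert.HasPrivateKey, cert.NotAfter, cert.Subject);
        }
        store.Close();

        X509Certificate2 match = FindByThumbprint(pasted);
        Console.WriteLine(match == null ? "No certificate with that thumbprint" : "Found: " + match.Subject);
    }
}
```

The Thumbprint property already comes back without spaces, so values printed by the listing can be passed straight to the /SigningCertThumbprint and /DecryptCertThumbprint switches of FSCONFIG.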

Run the FSCONFIG Command to Create Farm

  1. Open a command prompt.
  2. Run the following command.
    CD "C:\Program Files\Active Directory Federation Services 2.0\"

  3. Run this command and substitute the values for your own ADFS setup.
    FSCONFIG.exe CreateFarm /ServiceAccount "domain\account" /ServiceAccountPassword Password1 /FederationServiceName /CleanConfig /SigningCertThumbprint "a909502dd82ae41433e6f83886b00d4277a32a7b" /DecryptCertThumbprint "a909502dd82ae41433e6f83886b00d4277a32a7b"