Tuesday, July 10, 2012

Correcting Relying Party Trusts in ADFS v. 2.0

If you are a relative newbie to using ADFS v. 2.0 (as most of us are), odds are that you won't get your configuration of ADFS v. 2.0 just right the very first time.

Fortunately, if you have a working installation of ADFS v. 2.0 but you misconfigured your Relying Party Trusts information, that is relatively easy to fix.

First of all, why might you need to re-configure your Relying Party Trust?

If you are building a development/test machine, there is a good chance that you may have configured ADFS to rely on a bare computer (machine) name when in fact a FQDN (Fully Qualified Domain Name) is in order. If there are mismatches between what is configured in SharePoint, IIS and ADFS, these issues will cause you all types of grief.

However, as I stated earlier, this can be easily modified as follows:


  1. Open your ADFS 2.0 Management Console
  2. Locate the Trust Relationships folder and expand it to display Relying Party Trusts
  3. Once Relying Party Trusts has been selected, you should see all of your available Relying Party Trusts
  4. Right click on the name of the Relying Party Trust you wish to modify and select Properties
  5. Once the Properties window opens, you can click on the Identifiers tab
  6. There you will be able to view all of the Identifiers you have configured for your Relying Party Trust
  7. Since there is no Edit option available, you will have to remove an existing Url and then re-add it back to the list of Relying party identifiers.
  8. For a Relying Party Trust such as SharePoint, modify the Url, but always make sure that it ends with /_trust/
  9. Now click over to the Endpoints tab
  10. Select the WS-Federation Passive Endpoint you configured and click on the Edit button
  11. Here you can modify the Url once again.  As before, if you are working with SharePoint, make sure that the Url ends with /_trust/
  12. Click the OK button to close the Edit Endpoint dialog
  13. Click OK once more to close out of the Relying Party Trust Properties dialog
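The same correction done with the ADFS 2.0 PowerShell snap-in instead of the management console, as an added example that is not part of the original post. The trust name and URL are placeholders; it assumes the snap-in is available on the federation server and that SharePoint is the relying party, so the check enforces the trailing /_trust/ and an FQDN host before anything is changed.

```powershell
# Added example (not from the original post). Assumes ADFS 2.0 and its
# Microsoft.Adfs.PowerShell snap-in on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$trustName  = "SharePoint Dev"                          # placeholder display name of the trust
$correctUrl = "https://sp.dev.contoso.local/_trust/"    # placeholder FQDN, must end with /_trust/

# Returns a list of problems with a SharePoint relying party URL (empty list = OK)
function Test-SharePointTrustUrl {
    param([string]$Url)
    $problems = @()
    $uri = [Uri]$Url
    if (-not $Url.EndsWith("/_trust/")) { $problems += "does not end with /_trust/" }
    if ($uri.Host -notmatch "\.")       { $problems += "host '$($uri.Host)' is a machine name, not an FQDN" }
    if ($uri.Scheme -ne "https")        { $problems += "scheme is $($uri.Scheme), expected https" }
    return $problems
}

$bad = Test-SharePointTrustUrl $correctUrl
if ($bad) { throw "Refusing to apply '$correctUrl': $($bad -join '; ')" }

$rp = Get-ADFSRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying Party Trust '$trustName' not found" }

# Report what is currently configured and why it is wrong
foreach ($id in $rp.Identifier) {
    $p = Test-SharePointTrustUrl $id.ToString()
    if ($p) { Write-Warning "Identifier $id : $($p -join '; ')" }
}
if ($rp.WSFedEndpoint) {
    $p = Test-SharePointTrustUrl $rp.WSFedEndpoint.ToString()
    if ($p) { Write-Warning "WS-Federation passive endpoint $($rp.WSFedEndpoint) : $($p -join '; ')" }
}

# A trust that is monitored from federation metadata is read-only in the console;
# turn monitoring off first so the identifiers and endpoint can be edited.
if ($rp.MonitoringEnabled) {
    Set-ADFSRelyingPartyTrust -TargetName $trustName -MonitoringEnabled $false
}

# Replace the identifier list and the WS-Federation passive endpoint in one step
# (this overwrites the whole identifier list, which is what the console remove/re-add achieves)
Set-ADFSRelyingPartyTrust -TargetName $trustName -Identifier $correctUrl -WSFedEndpoint $correctUrl

# Show the result so it can be compared against SharePoint's Alternate Access Mappings
Get-ADFSRelyingPartyTrust -Name $trustName | Select-Object Name, Identifier, WSFedEndpoint, MonitoringEnabled
```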


NOTE: If you are working with SharePoint, make sure that your Alternate Access Mappings coincide with the Url you have configured in ADFS.  (You can check this through Central Administration-->Application Management-->Configure alternate access mappings)

If all of your changes in ADFS were applied successfully, many of the error messages and security issues you encountered should now go away!

2 comments:

  1. Add and remove are grayed out. How am I supposed to DO what you described?

    Replies
    1. It's probably greyed out because the RelyingParty you chose is actively managed via the Monitoring tab.

      Double-click the appropriate Relying Party Trust, open the Monitoring tab, uncheck Monitor relying party, and hit Apply. Your Endpoints should be editable now.
