Guest
I need to prove to my boss that ADFS will work well with WSS so that we can
have one central datastore (Active Directory) which is in a different domain
to the web server.
I have gone through the ADFS step-by-step guide and proven that I can
authenticate to the adfsresource federation server when I try to access the
WSS web server on the adfsweb server when both adfsweb and adfsresource are
in the same domain.
Both adfsweb and adfsresource are in the same domain (treyresearch.net). I
need to prove that the sharepoint accounts can be on a different server that
is not in the same domain as the web server.
Therefore I have removed adfsweb from the treyresearch.net domain (and
restarted) and edited the trust policy on the adfsresource server to allow
claims from the WSS application at the url https://adfsweb. I also created
certificates to reflect the new name of adfsweb (instead of
adfsweb.treyresearch.net).
Now, when I browse to https://adfsweb, I am able to successfully
authenticate via ADFS. I know this because if I enter the credentials
correctly, I can reach the WSS application, and if I don't enter them
correctly I get an IIS 403 error. When I *do* enter the credentials correctly,
however, I also get a WSS error telling me that I don't have access to these
SharePoint resources (in other words, WSS does not recognise the user).
It seems that when the federation server is not in the same domain as the
web server then I can't log in. But isn't ADFS supposed to allow
authenticating users located in other domains? Or is my architecture wrong?
The architecture that I currently have is as follows:
* adfsweb: IIS with the ADFS web agent (not in any domain), configured as per
the step-by-step guide.
* adfsresource (this is just the name that the step-by-step guide gave for
the server storing the WSS user accounts, but for my purposes this particular
federation server is acting more like an account provider): ADFS is
configured to accept token-based claims from adfsweb (as per the step-by-step
guide). adfsresource is also in the treyresearch.net domain.
Anybody have any ideas?
Many thanks