Hi I have been following your series of ADFS and let me tell you your explanation of the concepts and demos are superb. But a request please complete this series so that i can learn the leftover components of ADFS. Looking forward to this series being completed.
Hi I configured my ADFS setup to use certificate authentication as MFA. I also configured ADFS Proxy. But the access control policy did not work on the extranet part. When I try to sign into claims X-ray it signs in without asking for MFA.
Hello Zobair, ADFS playlist is already created in order.You can click on the below mentioned link to check the exact order. ruclips.net/p/PL8wOlV8Hv3o9uHl0XFfI6_katp6BXNVjb
Thank kundan, we really appreciate your response on all of our videos. ADFS VS Azure AD was added as a comparison, but we will be posting the claims rule video soon.
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. i have enabled port 443 for both ADFS and ADFS proxy servers . i configured adfs proxy server as work group and in ADFS proxy server i have updated ADFS DNS IP. please suggets if anyhting missed from my end. its a lab environemnt
Great Info again. I have a question however, in case of a NLB setup, how will the traffic flow?, Because the app know only about the ASFS/LS endpoint how will the request reach the NLB?
You have to add public DNS record for adfs endpoint. When the user will try to access the adfs endpoint --> with the help of public DNS record the request will reach NLB --> NLB will forward the request to ADFS proxy --> ADFS proxy will forward the request to internal NLB --> Internal NLB will forward the request to ADFS server. In large enterprise, there also an external and internal firewall. Regards, ConceptsWork
Thanks for ADFS Videos, I have a query can we have installed 2 servers as ADFS proxy if yes can we installed load balance between them or any others configuratons
It should be kept in DMZ ideally, as the purpose of ADFS proxy server is to proxy the endpoints to internet, so that the identity of your adfs server remains secure.
Wild card is just a suggestion, you can use SAN as well, but make sure every alternative name that ADFS uses as a service must be added in the certificate.
This video is very helpful and to the point. Sir, Please help me on the below I have a Windows AD server 2012 R2(it is in a closed network). Here users are already there. We have created 1 app from where only AD users can login. Basically in the app we have given the option to enter IP address, Port No, Distinguished names. The request should go through Windows Server 2012(a proxy). We can do the above steps. Anything else is required ? We are planning to create a separate Group in AD where those users will be present.So, the users in that group will work independently or there will be a conflict ? So, it is like Authentication through AD Proxy without MFA
Great Video Thanks . We are planning to do lift and shift migration of ADFS server to Azure cloud and planning to make use of application gateway instead Proxy server . Please suggest will it work.
Hello, Thankyou so much for video on ADFS, it's very helpful, Can you please tell about how we can configure Authentication lockout feature for web application (Ex:- If user enter more than 3 time wrong credential then it should be locked out ) .
ADFS Extranet lockout is the name of the feature, which prevents the lockout of account in local AD. Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
Hi, Thanks for the needful videos ADFS. I have configured the ADFS server in Azure VM and I am facing issues while accessing the ADFS endpoint outside of Azure VM. Whatever I have configured domain needs to be publicly accessible. Please suggest what may be the issue for this. Thanks in advance.
You have to add a public ip address to your VM, so that it can be reached over internet. Secondly add a public DNS record in your domain to point adfs request to a particular IP.
Great Video.Thanks much for the quality information. I do have a following query. If my application is hosted in my Internal Network & I have created a public DNS entry for application URL which points it to my FireWall\Reverse Proxy & then there is a NAT\ReverseProxy rule which forwards the traffic from FireWall\Reverse Proxy to this internal application & this is my only application that I want to configure on ADFS so in that case do you think we need to place the ADFS Proxy to redirect the request coming from internet to access this application?? The Application & ADFS are in same internal network. I think the ADFS Proxy not required as the Application & ADFS are in same internal network.so it means ADFS Proxy only required when Externally Hosted application wants to redirect the authentication request to ADFS?
ADFS proxy is a reverse proxy solution, which can be used just to map external link of the application with the internal link, and also to proxy ADFS endpoints to public internet. Usually Enterprises use ADFS proxy to add more security. Likewise, if you will use the ADFS proxy server, you will keep it in DMZ network, so that your internal ADFS server is not exposed to public internet.
@@ConceptsWork Hi, i currently have our ADFS proxy setup on a DMZ segment of our firewall and i am wondering how it needs to be configured, i have followed alot of instructions and i think i have gotten further but when i try to configure the ADFS proxy via the wizard, im getting stuck when its trying to configure the certificate, i have added the certificate and it seems to be showing it perfectly fine but under the ADFS admin logs in Event Viewer, im seeing THIS: " The federation server proxy could not establish a trust with the Federation Service. Additional Data Exception details: Unable to connect to the remote server User Action Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached." does this mean my credentials are wrong? i have tried the local admin credentials and im getting the same thing, do remember that the ADFS proxy on a DMZ network and its on a different subnet and not part of the domain, would that cause any issues that im having or is it just the credentials? Thanks for your help in advance.
Need Help After enabling adfs proxy getting the bellow error while connecting to proxy from client "HTTP Error 503. The service is unavailable." Note: Proxy to adfs server connectivity all looks good, Remote access management console - operation status all are green Able to connect directly to adfs server without any error but through proxy server only getting this error
An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
@@ConceptsWork I have a Domain controller in which I have installed a certification role and provided a local certificate to the ADFS machine and configured an ADFS role, Now I am trying to configuring a proxy server in which I have exported the ADFS local certificate into my proxy server and in those final step, it is showing this error. Currently working on a testing environment.
This alerts only comes, if there is no connectivity between ADFS and ADFS proxy, or you are using wrong credentials. You can also check event viewer logs for more details.
@@ConceptsWork I have 3 VMs in my environment all can ping each other through private IP and also by their domain name. It means they have a connection with each other right? There is one concern that I am not able to connect to IDP initiated page where I have enabled it through PowerShell and it is valued as True. How can I check event viewer logs?
Thank you for the detailed information. As per your second last comment, which was "Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel" As per this error, you need to check for network connectivity and credentials. Now as per your last comment, where you have mentioned about the Idpinitiated page being not accessible. Please follow the below mentioned steps. Please make sure there are no typos for the link. Also is Idppage is even accessible on ADFS or not. If it is accessible on ADFS, whether you can sign in or not. If the idp page is accessible from ADFS, and your ADFS proxy is able to contact ADFS, then IDP page must be accessible on your proxy. If according to you everything is in place, please reach out to us at learnconceptswork@gmail.com, and we will try to check more details. Thank you once again.
![Megan Thee Stallion - Mamushi (Remix) [feat. TWICE] [Official Audio]](http://i.ytimg.com/vi/5c0_u9PsrsQ/mqdefault.jpg)
Excellent series, keep on rocking 🤘
Hi I have been following your series of ADFS and let me tell you your explanation of the concepts and demos are superb. But a request please complete this series so that i can learn the leftover components of ADFS. Looking forward to this series being completed.
Will upload soon
@@ConceptsWork any update on this ?
Excellent series on ADFS 2016 !!!
Thank you sir. Your video is very much useful... I am waiting eagerly for claim rules video
Great explanation, Waiting for the video on Claim rules..
Thankyou for sharing this valuable knowledge, could you please complete this series , claims rule video is much awaited !!!
Yes this has been pending from long, and we will post it soon.
Hi I configured my ADFS setup to use certificate authentication as MFA. I also configured ADFS Proxy. But the access control policy did not work on the extranet part. When I try to sign into claims X-ray it signs in without asking for MFA.
Excellent videos. One suggestion. Can you please name ADFS videos with a sequence number at the end so we know in which order we should watch.
Hello Zobair,
ADFS playlist is already created in order.You can click on the below mentioned link to check the exact order. ruclips.net/p/PL8wOlV8Hv3o9uHl0XFfI6_katp6BXNVjb
Hi As mentioned at the end of this video , where is the video for Claim Rules of ADFS server
Nice video..
next video is different then mentioned at the end
Thank kundan, we really appreciate your response on all of our videos.
ADFS VS Azure AD was added as a comparison, but we will be posting the claims rule video soon.
@@ConceptsWork Hi, Can you please update if you have uploaded the claim rule video.
underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. i have enabled port 443 for both ADFS and ADFS proxy servers . i configured adfs proxy server as work group and in ADFS proxy server i have updated ADFS DNS IP. please suggets if anyhting missed from my end. its a lab environemnt
Superb Explanation
Great video! Thanks a lot. keep it up
Glad you liked it!
Great Info again. I have a question however, in case of a NLB setup, how will the traffic flow?, Because the app know only about the ASFS/LS endpoint how will the request reach the NLB?
You have to add public DNS record for adfs endpoint.
When the user will try to access the adfs endpoint --> with the help of public DNS record the request will reach NLB --> NLB will forward the request to ADFS proxy --> ADFS proxy will forward the request to internal NLB --> Internal NLB will forward the request to ADFS server.
In large enterprise, there also an external and internal firewall.
Regards,
ConceptsWork
@@ConceptsWork Thanks Brother.
Is there any article or a video which explains ADFS Cookies and Azure Cookies in Depth.
If yes ,please share.
Hello Aqib,
Check this link.
docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-single-sign-on-settings
Regards,
ConceptsWork
Thanks for ADFS Videos, I have a query can we have installed 2 servers as ADFS proxy if yes can we installed load balance between them or any others configuratons
You have to setup load balancer specifically.
Great video! Thanks a lot.
couldnt find the next video in the playlist - , could you please share the URL.
Also thanks for the videos shared , clear explanation
Should the ADFS Proxy Server be inserted in the domain or outside it? Is the network configuration similar to the Skype for Business Reverse Proxy?
It should be kept in DMZ ideally, as the purpose of ADFS proxy server is to proxy the endpoints to internet, so that the identity of your adfs server remains secure.
@@ConceptsWork That is, the ADFS Proxy Server does not need to be joined to the domain.
Please post video on "Claim rules for ADFS Server".
Very informative...can you tell me why wildcard and not SAN?
Wild card is just a suggestion, you can use SAN as well, but make sure every alternative name that ADFS uses as a service must be added in the certificate.
Quality videos, thanks..
This video is very helpful and to the point. Sir, Please help me on the below
I have a Windows AD server 2012 R2(it is in a closed network). Here users are already there. We have created 1 app from where only AD users can login. Basically in the app we have given the option to enter IP address, Port No, Distinguished names.
The request should go through Windows Server 2012(a proxy). We can do the above steps. Anything else is required ? We are planning to create a separate Group in AD where those users will be present.So, the users in that group will work independently or there will be a conflict ?
So, it is like Authentication through AD Proxy without MFA
Great Video Thanks .
We are planning to do lift and shift migration of ADFS server to Azure cloud and planning to make use of application gateway instead Proxy server . Please suggest will it work.
Do you mean, your are going to user Azure Application Gateway to proxy the endpoints of ADFS ?
yes@@ConceptsWork
We are unable to find the next video Claim rules of ADFS server. Kindly provide the next video.
Hello, Thankyou so much for video on ADFS, it's very helpful,
Can you please tell about how we can configure Authentication lockout feature for web application (Ex:- If user enter more than 3 time wrong credential then it should be locked out ) .
ADFS Extranet lockout is the name of the feature, which prevents the lockout of account in local AD.
Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 15 -ExtranetObservationWindow (new-timespan -Minutes 30) -ExtranetLockoutRequirePDC $false
docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
Please share the video of claim rule of adfs server
Hi,
Thanks for the needful videos ADFS.
I have configured the ADFS server in Azure VM and
I am facing issues while accessing the ADFS endpoint outside of Azure VM.
Whatever I have configured domain needs to be publicly accessible. Please suggest what may be the issue for this.
Thanks in advance.
You have to add a public ip address to your VM, so that it can be reached over internet.
Secondly add a public DNS record in your domain to point adfs request to a particular IP.
@@ConceptsWork thank you very much for the reply :)
Great Video.Thanks much for the quality information. I do have a following query.
If my application is hosted in my Internal Network & I have created a public DNS entry for application URL which points it to my FireWall\Reverse Proxy & then there is a NAT\ReverseProxy rule which forwards the traffic from FireWall\Reverse Proxy to this internal application & this is my only application that I want to configure on ADFS so in that case do you think we need to place the ADFS Proxy to redirect the request coming from internet to access this application?? The Application & ADFS are in same internal network.
I think the ADFS Proxy not required as the Application & ADFS are in same internal network.so it means ADFS Proxy only required when Externally Hosted application wants to redirect the authentication request to ADFS?
ADFS proxy is a reverse proxy solution, which can be used just to map external link of the application with the internal link, and also to proxy ADFS endpoints to public internet.
Usually Enterprises use ADFS proxy to add more security.
Likewise, if you will use the ADFS proxy server, you will keep it in DMZ network, so that your internal ADFS server is not exposed to public internet.
@@ConceptsWork Hi, i currently have our ADFS proxy setup on a DMZ segment of our firewall and i am wondering how it needs to be configured, i have followed alot of instructions and i think i have gotten further but when i try to configure the ADFS proxy via the wizard, im getting stuck when its trying to configure the certificate, i have added the certificate and it seems to be showing it perfectly fine but under the ADFS admin logs in Event Viewer, im seeing THIS: "
The federation server proxy could not establish a trust with the Federation Service.
Additional Data
Exception details:
Unable to connect to the remote server
User Action
Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached."
does this mean my credentials are wrong? i have tried the local admin credentials and im getting the same thing, do remember that the ADFS proxy on a DMZ network and its on a different subnet and not part of the domain, would that cause any issues that im having or is it just the credentials?
Thanks for your help in advance.
Need Help
After enabling adfs proxy getting the bellow error while connecting to proxy from client
"HTTP Error 503. The service is unavailable."
Note:
Proxy to adfs server connectivity all looks good,
Remote access management console - operation status all are green
Able to connect directly to adfs server without any error but through proxy server only getting this error
Do I have to install IIS
No you don't need IIS, from any one of your client machine add host file entry for ADFS proxy and see if it works.
thank you
I want to export certificate from one machine and import to another but export the private key is off, any body?
Claim rule or continuation video for this is missing
can someone please share the video of claim rule of adfs server
An error occurred when attempting to establish a trust relationship with the federation service. Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Is DNS configured for ADFS ?
@@ConceptsWork I have a Domain controller in which I have installed a certification role and provided a local certificate to the ADFS machine and configured an ADFS role, Now I am trying to configuring a proxy server in which I have exported the ADFS local certificate into my proxy server and in those final step, it is showing this error. Currently working on a testing environment.
This alerts only comes, if there is no connectivity between ADFS and ADFS proxy, or you are using wrong credentials.
You can also check event viewer logs for more details.
@@ConceptsWork I have 3 VMs in my environment all can ping each other through private IP and also by their domain name. It means they have a connection with each other right? There is one concern that I am not able to connect to IDP initiated page where I have enabled it through PowerShell and it is valued as True. How can I check event viewer logs?
Thank you for the detailed information.
As per your second last comment, which was "Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel"
As per this error, you need to check for network connectivity and credentials.
Now as per your last comment, where you have mentioned about the Idpinitiated page being not accessible.
Please follow the below mentioned steps.
Please make sure there are no typos for the link.
Also is Idppage is even accessible on ADFS or not.
If it is accessible on ADFS, whether you can sign in or not.
If the idp page is accessible from ADFS, and your ADFS proxy is able to contact ADFS, then IDP page must be accessible on your proxy.
If according to you everything is in place, please reach out to us at learnconceptswork@gmail.com, and we will try to check more details.
Thank you once again.
For JOIN these concepts work can share me the google Pay or any others option instead
of Cards details
Hello Anup,
Thanks for showing intrest.
The join channel option is a youtube feature and we can't control customizing.