Using AD FS 3.0 in Server 2012 R2 as a SAML 2.0 IdP. Needs password authentication?

Zane Poyer 96 Reputation points
2020-07-21T20:44:46.897+00:00

We are trying to configure password authentication in order to allow Duo Network Gateway to function on our network. Duo Network Gateway requires AD FS to behave as a SAML 2.0 IdP (Identity Provider). We have checked that everything Duo related is good, so the only thing left is for us to figure out how to allow password authentication in AD FS 3.0. I have searched countless places to figure out how to enable "password authentication" but have gotten nothing on Server 2012 R2. We are using normal AD, not Azure, and are using the Datacenter version of Server 2012 R2. We have a nearly out-of-the-box AD FS setup as we barely use it and have little experience with it. Any resources on our version of Server or any tips would really help. One of the errors in the logs we have found is:

"Invalid response reason: The status code of the Response was not Success, was Responder -> urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"


Accepted answer
Zane Poyer 96 Reputation points
2020-07-31T20:36:43.23+00:00

Hello,

We found the issue to our problem, which was not listed in that article or other places. I had to allow the forms authentication type for Intranet users and also had to allow all users to access the relying party trust. It seems each documentation covers the integration side of the setup without going over the (rather simple) user settings. I believe there was one other thing I did but cannot recall at the moment... I just looked at the AD FS logs and kept fixing errors until it worked.

In the end, it turned out that the Duo setup wants my SAML IdP to be publicly accessible, which is a big no for our AD FS server. I eventually redid the setup with something else acting as the IdP, with Active Directory acting as the user database in the back end.

Thank you for looking into the problem @Gloria Gu,
Zane

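An added example, not from either post: the two settings the accepted answer describes (forms authentication for intranet users, and a permit-all issuance authorization rule on the relying party trust) applied and checked with the AD FS PowerShell module on the federation server. The relying party trust name is a placeholder; the cmdlets and the permit rule are the ones AD FS on Server 2012 R2 ships with.

```powershell
# Added example: apply and verify the two AD FS settings from the accepted answer.
# Run in an elevated PowerShell session on the AD FS 3.0 federation server.
Import-Module ADFS

# Placeholder: set this to the name of the Duo Network Gateway relying party trust.
$rpName = '<Duo-Network-Gateway-relying-party-trust-name>'

# 1. Intranet authentication providers. If forms (username/password) authentication is
#    not enabled for intranet clients, a SAML AuthnRequest that asks for a password-based
#    AuthnContext cannot be satisfied and AD FS answers the SP with
#    Responder / urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext, the error quoted above.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -notcontains 'FormsAuthentication') {
    # Keep whatever providers are already enabled and add forms authentication.
    $providers = @($policy.PrimaryIntranetAuthenticationProvider) + 'FormsAuthentication'
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $providers
}

# 2. Issuance authorization. A relying party trust with no permit rule denies every user.
#    This is the rule the "Permit All Users" template generates in the AD FS console.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }
if ($rp.IssuanceAuthorizationRules -notmatch 'AllowAllAuthzRule') {
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $permitAll
}

# 3. Verify. Only the intranet policy was touched; the extranet providers are left as they
#    were, which matters when the AD FS server is not meant to be reachable from outside.
Get-AdfsGlobalAuthenticationPolicy |
    Select-Object PrimaryIntranetAuthenticationProvider, PrimaryExtranetAuthenticationProvider
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, IssuanceAuthorizationRules
```

If the SP still gets NoAuthnContext after this, compare the AuthnContext class it requests against what the enabled providers can return, using the AD FS admin and tracing logs the accepted answer relied on.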

1 additional answer

Gloria Gu 3,891 Reputation points
2020-07-22T07:24:49.087+00:00

Hi Zane,

In regard to your issue, the following link might be helpful to you:

[Enabling-Domain-Password-Authentication-Using-AD-FS]
https://community.mimecast.com/s/article/Enabling-Domain-Password-Authentication-Using-AD-FS-461940962

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.