I'm currently working to configure my SharePoint 2010 environment to use SAML tokens in a claims-based web application. I'm getting an IIS error 500 when I select the SAML authentication mode. I am able to log in with NTLM authentication. I'm using the PowerShell below to configure the claims and the trusted identity token issuer.
The accounts used to run the PowerShell scripts below were Farm administrators.
The web application is set up with AAM with http and https. I'm running 2 WFE, App, and database servers.
We are set up to pass through authentication for on-network computers.
--------------------------
Configure sts
Copy .cer file to root of computer. Make sure to include any sub certs as a separate file.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\domain.com.cer")
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\adfs.cer")
New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -IncomingClaimTypeDisplayName "Upn" -SameAsIncoming
$realm = "urn:csteam.domain.com:sharepoint"
$ap = New-SPTrustedIdentityTokenIssuer -Name "SAML Provider" -Description "SharePoint secured by SAML" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://fsvip.domain.com/adfs/ls/" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
$ap.Update()
-------------------------------------------
I converted the web application from classic to claims-based authentication using the following PowerShell.
--------------------------------------------------------
$WebAppName = "http://webadddress.com"
$account = "domain\test_sp_install"
$wa = get-SPWebApplication $WebAppName
Set-SPwebApplication $wa -AuthenticationProvider (New-SPAuthenticationProvider) -Zone Default
$zp = $wa.ZonePolicies("Default")
$p = $zp.Add($account,"PSPolicy")
$fc=$wa.PolicyRoles.GetSpecialRole("FullControl")
$p.PolicyRoleBindings.Add($fc)
$wa.Update()
$wa = get-SPWebApplication $WebAppName
$wa.MigrateUsers($true)
-------------------------------
I completed an IIS reset on all servers.
I then used CA to configure the web app to use the SAML provider token process and NTLM.
After completing the above steps I get redirected back to _trusts and receive the error 500. The ADFS setup followed the information in https://technet.microsoft.com/en-us/library/Hh487289(v=Office.14).aspx .
Trace log:
Url: https://webappliation.com:443/_trusts/
app pool: Site_pool app-webappliccation
authentication: not_available
trigger status 500
final status 500
96. AspNetWebEventRaiseStart | Data1="System.Web.Management.WebRequestErrorEvent", Data2="3005", Data3="0" | 13:40:06.416
97. AspNetWebEventDeliverStart | Data1="EventLogProvider", Data2="All Errors Default", Data3="All Errors" | 13:40:06.416
98. AspNetWebEventDeliverEnd | 13:40:06.416
99. AspNetWebEventRaiseEnd | 13:40:06.416
100. MODULE_SET_RESPONSE_ERROR_STATUS Warning | ModuleName="FederatedAuthentication", Notification="AUTHENTICATE_REQUEST", HttpStatus="500", HttpReason="Internal Server Error", HttpSubStatus="0", ErrorCode="The operation completed successfully. (0x0)", ConfigExceptionInfo="" | 13:40:06.416
error module_set_
I continue to search online and have not found much to help find the reason for this.
- Edited by Schiesl Friday, September 04, 2015 7:43 PM
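A read-back check for the setup described in this post, added here as an example; it is not code from the original post or from Microsoft. It re-reads the trusted identity token issuer, its realm and identifier claim, and the signing certificate chain that the scripts above create, and reports anything that does not line up. The issuer name "SAML Provider", the realm urn:csteam.domain.com:sharepoint and the file C:\adfs.cer are taken from the post; the variable names and the structure of the checks are assumptions. Run it in the SharePoint 2010 Management Shell as a farm administrator.

```powershell
# Added diagnostic example, not from the original post. Values marked "from the post"
# are copied from it; everything else is assumed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName      = "SAML Provider"                     # from the post
$expectedRealm   = "urn:csteam.domain.com:sharepoint"  # from the post
$signingCertPath = "C:\adfs.cer"                       # from the post

$findings = @()

# 1. Does the trusted identity token issuer exist, and does it carry the realm and
#    identifier claim the post intended? The ADFS relying party identifier must equal
#    the realm exactly, and the identifier claim must be one of the mapped claims.
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction SilentlyContinue
if (-not $tip) {
    $findings += "Trusted identity token issuer '$issuerName' not found."
} else {
    if ($tip.DefaultProviderRealm -ne $expectedRealm) {
        $findings += "Realm is '$($tip.DefaultProviderRealm)', expected '$expectedRealm'."
    }
    $inputTypes = $tip.ClaimTypeInformation | ForEach-Object { $_.InputClaimType }
    if ($inputTypes -notcontains $tip.IdentifierClaim) {
        $findings += "IdentifierClaim '$($tip.IdentifierClaim)' has no matching claim mapping."
    }
}

# 2. Does the signing certificate SharePoint stored match the exported file, and is it valid?
$fileCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($signingCertPath)
if ($tip -and $tip.SigningCertificate.Thumbprint -ne $fileCert.Thumbprint) {
    $findings += "Issuer signing cert $($tip.SigningCertificate.Thumbprint) differs from $signingCertPath ($($fileCert.Thumbprint))."
}
if ($fileCert.NotAfter -lt (Get-Date)) {
    $findings += "Signing certificate expired on $($fileCert.NotAfter)."
}

# 3. Is every certificate in the signing chain registered as an SPTrustedRootAuthority?
#    SharePoint validates the token-signing chain against its own trust list, so each
#    intermediate and root CA cert (the "sub certs" the post mentions) must have been
#    added with New-SPTrustedRootAuthority, not only the leaf. The chain is built from
#    this machine's certificate stores, so it stops short if an intermediate is absent there.
$trustedThumbprints = Get-SPTrustedRootAuthority | ForEach-Object { $_.Certificate.Thumbprint }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($fileCert)
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    if ($trustedThumbprints -notcontains $c.Thumbprint) {
        $findings += "Chain certificate '$($c.Subject)' ($($c.Thumbprint)) is not an SPTrustedRootAuthority."
    }
}

if ($findings.Count -eq 0) {
    "No mismatches found in token issuer, realm, identifier claim or certificate chain."
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Each FINDING line points at one object the post's scripts create, so a mismatch can be corrected with the same cmdlets (Set-SPTrustedIdentityTokenIssuer, New-SPTrustedRootAuthority) rather than by rebuilding the issuer.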