ADFS 2.0 - Proxy / Server 503 Service Unavailable

2
votes

For the past several days I've been working tirelessly to setup a test environment for development with WIF & ADFS 2.0. One of the problems that I am up against is my home environment only has one IP address and I wasn't about to stick ADFS on my main server. Therefore, I've created a dedicated virtual machine for FS (idp.yyy.local).

For the sake of not having direct links back to my site, 'yyy' refers to 'dgdev'. (image below)

The strange thing is, it's partially working. Here is an image detailing my infrastructure.

enter image description here

What's odd is that I can browse 'idp.yyy.net' in both normal HTTP and HTTPS just fine. I can also view the WS-Federation Metadata perfectly. Now, I'm quite new to ADFS, but I expect that when going to http://idp.yyy.net/adfs/services/trust it would redirect me to a Windows SSL login. Instead all I'm receiving is:

Service Unavailable

HTTP Error 503. The service is unavailable.

I am using the same SSL certificate on the FS Proxy and FS. Its subject is my main domain name yyy.net. It has several Subject Alternative Names so that I can host multiple IIS web sites with SSL with my single IP:Port.

CN = yyy.net
DNS Name=www.yyy.net
DNS Name=idp.yyy.net
DNS Name=idp.yyy.local
...
IP Address=192.168.1.2
IP Address=192.168.1.3
IP Address=192.168.1.4
...

Does anyone have any idea of why I'm seeing 503 Service Unavailable errors. Nothing is showing up in Event Viewer as an error. (except annoying things with AppFabric, but that's another issue I've yet to touch)

Thanks in advance! Actually many many thanks. I've exhausted every avenue and idea I could come up with, why this might be "broken"?

If anyone has an idea how I can debug this issue I'd certainly except that as a solution. I've tried IIS Failed Request Logging but nothing is being generated. Where/What is hosting the ADFS Services? Things I've already looked at:

  • All AppPools are running.
  • The old ADFS 1.0 web service (asmx) is accessible just fine.
  • I can access issuer endpoints directly ... or at least 'windowstransport'
1
wifadfs2.0
I should note that some issuer endpoints are working if I go directly to it, like: idp.yyy.net/adfs/services/trust/2005/windowstransport. Also, the proxy server is returning a 403 Forbidden, but on my local LAN, the actual Federation Server is really returning a 503 Service Unavailable. Not sure why that mis-match exists. - Daniel

1 Answers

3
votes

Well turns out everything has been working all along!

I spent a couple hours ensuring the certificate was created properly. Then after still seeing 503 & 403 errors, I realized that my proxy server AppPool for the \Default Web Site was running under "ApplicationPoolIdentity" - which is really the user: IIS AppPool\DefaultAppPool.

I never gave that user read privileges to the ADFS certificate private key. Hence the reason I saw a 403 Forbidden instead of 503. After switching the AppPool over to Network Service ... voila!, 503 Service Unavailable.

So now I was sure my proxy server and ADFS server were talking just fine. Now why was I still seeing 503 Service Unavailable?!?

I told myself to create a test application anyway. In visual studio, I setup a new MVC 3 Web App. Added my existing STS-Reference. Setup a dummy claim and updated the application's FederationMetadata. Added the new Relying Party to ADFS.

Opened my browser to the web app and instant success!

> GET) https://mywebapp/
> Response-Redirect) Location header kicks me to my IdP (ADFS)
  https://idp.yyy.net/adfs/ls/?wa=wsignin1.0&wtrealm.........
> I sign-in with proper credentials
> POST) https://mywebapp/login << AWESOME!