Friday, August 04, 2006

ADFS Troubleshooting : Part 1

I've been having to do some work on Web SSO at work, and to start with I wanted to take a simple ADFS set-up (as per the MSFT step-by-step test rig), and put my own certificate infrastructure on — an Enterprise CA for the server identities and a stand-alone CA for the assertion signing, just to make everything as clear and under control as possible. This wasn't too bad to set up, until it came to kick the tyres and do a trial authentication.

UnauthorisedAccessException in the WebSsoAuthenticationModule.OnEnter method. After the authentication had happened and the Federation Server was sending the assertion back to the Web Agent. The error message was all about setting the process to have the appropriate access to “the resource”. What “resource”?

Server Error in '/testcode' Application.

Attempted to perform an unauthorized operation.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[UnauthorizedAccessException: Attempted to perform an unauthorized operation.]
   System.Web.Security.SingleSignOn.WebSsoAuthenticationModule.OnEnter(Object o, EventArgs args) +3352
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64

Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.42

Even Google didn't help.

Yesterday, I'd had a problem where the web agent opened the SSL connection to the FS, and the connection was dropped just as soon as the SSL handshake was complete; but that went away without any of my doing when I tried it this morning. So I wondered if there was anything wrong with the time-zones, which meant it took 8+hours for certificates to become valid?

Well, it turned out that they were all on BST, but the FS and Web Agent were about 10 minutes adrift. So I synched them all up. And suddenly it all worked. And if I set the Web Agent machine's clock slow again (or sufficiently fast), the error re-appears.

If it was the result of having an assertion signed too far in the future, the response of the infrastructure was rather out of order.

No comments :