Stuart Hickson commented on Nov 22, 2015

Re: Cookbook: Setting up ADFS for integrated Windows authentication (IWA)

When attempting to cross certify the ADFS server SSL certificate in Domino, I get the error message "A cross certificate will not be made due to key usage restrictions in the input certificate".

The exported key was made following the instructions in "SHOW100 : AD + SAML + Kerberos + IBM Notes and Domino = SSO!" from Connect2014.

The key is at the server level, i.e. Issued to: adfs.myservername.com, and Issued by: Geo Trust DV SSL CA-G4 - any clues?

Chad Scott commented on Apr 16, 2015

Re: Cookbook: Setting up ADFS for integrated Windows authentication (IWA)

The portion about setting the SPN for the ADFS server does not appear to be correct. Take a scenario where the ADFS server is named sso.acme.com. The instructions here seem to imply that you'd run "setspn -a HTTP/SSO sso$" and "setspn -a HTTP/sso.acme.com sso$" to bind those SPNs to the sso computer account. However, it is the built-in ADFS account to which those SPNs must be bound. For example, "setspn -a HTTP/SSO ADFS$" and "setspn -a HTTP/sso.acme.com ADFS$". Binding the SPN to the wrong account (sso$ in my example) will cause the Notes client system to receive Kerberos errors like this:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ADFS$. The target name used was HTTP/sso.acme.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (ACME.COM) is different from the client domain (ACME.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Kerberos errors can be logged using the instructions here: https://support2.microsoft.com/default.aspx?scid=kb;EN-US;262177
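One way to verify the SPN binding the comment above describes, as an added example that is not part of this thread: it uses the ActiveDirectory PowerShell module to find every account that carries the service's HTTP SPNs and flags the two conditions that produce KRB_AP_ERR_MODIFIED (SPN on the wrong account, or the same SPN on more than one account). The host sso.acme.com and the account ADFS$ are taken from the comment; the script itself is an assumption, not part of the cookbook.

```powershell
# Added example: check which account(s) hold the HTTP SPNs for the federation service.
# Assumes the ActiveDirectory module (RSAT) and that the service runs as ADFS$ (from the comment above).
Import-Module ActiveDirectory

$ServiceHost     = 'sso.acme.com'   # value from the comment above
$ExpectedAccount = 'ADFS$'          # value from the comment above; a gMSA name also ends in '$'
$Spns = @("HTTP/$ServiceHost", "HTTP/$(($ServiceHost -split '\.')[0])")   # FQDN and short name

foreach ($spn in $Spns) {
    # Every AD object (user, computer or gMSA) whose servicePrincipalName contains this SPN.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName |
                 Select-Object -ExpandProperty sAMAccountName)

    switch ($holders.Count) {
        0 {
            # No account holds the SPN: the KDC cannot issue a service ticket for it at all.
            Write-Warning "$spn is not registered on any account"
        }
        1 {
            if ($holders[0] -ieq $ExpectedAccount) {
                Write-Output "$spn is registered on $($holders[0]) (OK)"
            } else {
                # Ticket is encrypted with this account's key, which the ADFS service does not hold,
                # so the service cannot decrypt it and the client logs KRB_AP_ERR_MODIFIED.
                Write-Warning "$spn is registered on $($holders[0]) but the service runs as $ExpectedAccount"
            }
        }
        default {
            # Duplicate SPNs: the KDC picks one of the accounts, so failures appear intermittent.
            Write-Warning "$spn is registered on more than one account: $($holders -join ', ')"
        }
    }
}
```

The same duplicate check is available domain-wide with setspn -X; this script narrows it to the two SPNs the ADFS host needs.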

Robert Axelrod commented on Jan 8, 2014

Issue with ADFS on Win 2012R2

In Win 2012 R2 ADFS doesn't use the IIS interface at all, so there is no way through the interface to turn off Extended Authentication. You need to do this through PowerShell. Additionally, there is another ADFS property that needs to be set so that the Notes client can authenticate using IWA. The commands are below:

Disable extended token authentication:

Set-ADFSProperties -ExtendedProtectionTokenCheck None

This one determines what browser user agents can use IWA. Note that Firefox/Mozilla are not on the list by default, and since that is what Notes uses, you are out of luck unless you update it. Add any other user agents that you want to use IWA. Find the exact names in your domlog.nsf or web logs.

Set-AdfsProperties -WIASupportedUserAgents ("MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Firefox/25.0", "Mozilla/4.0", "Mozilla/5.0")