Issue Updating WsFedPassiveMetadataUri for Passive Authentication in Lync Server 2013

I had a customer recently where we were setting up passive authentication for Lync Server 2013 and we needed to change the ADFS server that we were using. That seemed like an easy enough task; however, once we changed to the new ADFS server, we were still being redirected to the old ADFS server. The process for updating the URL is simple enough. Running Get-CsWebServiceConfiguration returns the current configuration:

All you need to do to update to a new ADFS server is to run the Set-CsWebServiceConfiguration cmdlet with the WsFedPassiveMetadataUri parameter.  Rerunning the Get-CsWebServiceConfiguration cmdlet shows the change:

After verifying that CMS replication had succeeded:

We were still being redirected to the old ADFS server.  We tried restarting the Lync services and the server, but the PassiveAuth.aspx page kept redirecting us to the old ADFS server.  We verified that the configuration change actually made it to the local CMS replica on the server by running the following:

Export-CsConfiguration -LocalStore -FileName config.zip

Opening the zip file and double-clicking on the DocItemSet.xml file:

You can search for the new ADFS FQDN in the topology document:

So the change is making it to the server and is in the local CMS replica, but it is still not taking effect. We decided to turn on some logging and see if that could shed any light on what was happening. In the Lync Server 2013 Logging Tool, we turned on logging for WebInfrastructure:

After going to the PassiveAuth.aspx page again and still being redirected to the old ADFS server, the interesting bit from the log file is below:

TL_NOISE(TF_COMPONENT) [0]0DC0.1768::05/11/2015-01:41:53.346.00000193 (WebInfrastructure,WebAuthServiceConsumer.BuildOriginAllowedList:webauthserviceconsumer.cs(307))Enter
TL_NOISE(TF_COMPONENT) [0]0A34.1708::05/11/2015-01:41:54.424.00000194 (WebInfrastructure,WebAuthServiceConsumer.OnWebServiceSettingsChanged:webauthserviceconsumer.cs(855))(00000000020D9396)Enter
TL_INFO(TF_COMPONENT) [0]0A34.1708::05/11/2015-01:41:54.424.00000195 (WebInfrastructure,WebAuthServiceConsumer.OnWebServiceSettingsChanged:webauthserviceconsumer.cs(886))(00000000020D9396)Firing WsFedAdfsMetadataUriChanged event with value https://newadfs.lab.deitterick.com/federationmetadata/2007-06/federationmetadata.xml
TL_NOISE(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.424.00000196 (WebInfrastructure,LiveIDCertSync.OnWsFedMetadataUriChanged:liveidcertsync.cs(339))(00000000007A637A)Enter
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.439.00000197 (WebInfrastructure,LiveIDCertSync.LiveIDTokenUpdateAndSchedule:liveidcertsync.cs(603))(00000000007A637A)Enter
TL_NOISE(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.439.00000198 (WebInfrastructure,LiveIDCertSync.UpdateLiveIDTokens:liveidcertsync.cs(428))(00000000007A637A)Enter
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.439.00000199 (WebInfrastructure,LiveIDCertSync.CheckTempStore:liveidcertsync.cs(702))(00000000007A637A)<file, \\LAB-W15-SE2.lab.deitterick.com\share\1-WebServices-4\WebAuthStore\Cache_Adfs_FederationMetadata.xml>
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.455.0000019a (WebInfrastructure,LiveIDCertSync.CheckTempStore:liveidcertsync.cs(711))(00000000007A637A)opened \\LAB-W15-SE2.lab.deitterick.com\share\1-WebServices-4\WebAuthStore\Cache_Adfs_FederationMetadata.xml
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.486.0000019b (WebInfrastructure,LiveIDCertSync.UpdateLiveIDTokens:liveidcertsync.cs(468))(00000000007A637A)<now, 5/11/2015 1:41:54 AM>, <lastUpdate, 5/11/2015 1:26:29 AM>, <updateThreshold, 1434.6 minutes>
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.486.0000019c (WebInfrastructure,LiveIDCertSync.UpdateLiveIDTokens:liveidcertsync.cs(525))(00000000007A637A)<lastUpdate, 5/11/2015 1:26:29 AM>, <updateTime, 5/11/2015 1:41:54 AM>
TL_INFO(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.486.0000019d (WebInfrastructure,LiveIDCertSync.ScheduleNextUpdate:liveidcertsync.cs(569))(00000000007A637A)Enter: <nextUpdate, 5/12/2015 1:26:29 AM>
TL_NOISE(TF_COMPONENT) [1]0A34.1708::05/11/2015-01:41:54.486.0000019e (WebInfrastructure,LiveIDCertSync.ScheduleNextUpdate:liveidcertsync.cs(585))(00000000007A637A)Exit


So as you can see from the log file, Lync Server caches the ADFS federation metadata (and with it the ADFS FQDN) in a file on the file store and only refreshes it about once a day (the updateThreshold of roughly 1434 minutes in the log above). If you browse out to that file location:

There is the Cache_Adfs_FederationMetadata.xml mentioned in the log file.  If you open it:

You can see that the old ADFS server is referenced.  So there are two options.  We could either wait until the cache file updates itself, or we could force an update.  Since we wanted to test with the new ADFS server and didn't want to wait, we went with the second option.  In order to get Lync Server 2013 to start using the new ADFS server, you will need to delete the Cache_Adfs_FederationMetadata.xml file from the file store and then run an iisreset:

Going to the PassiveAuth.aspx page again will create a new Cache_Adfs_FederationMetadata.xml file.  This time if you open it:

You'll see that the new ADFS server is listed and the PassiveAuth.aspx page will redirect you to the new, and correct, ADFS server.
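The whole procedure from this post, scripted end to end as an added example (this is not code from the original post or from Microsoft): update WsFedPassiveMetadataUri, wait for CMS replication, confirm the new FQDN is in the local replica, delete the stale Cache_Adfs_FederationMetadata.xml, run iisreset, and then check where PassiveAuth.aspx redirects. The parameter values ($NewAdfsFqdn, $OldAdfsFqdn, $FileStore, $FeWebFqdn) are placeholders, and the PassiveAuth.aspx URL path is assumed to be the default one; adjust them for your deployment. Run it from the Lync Server Management Shell on a Front End server.

```powershell
# Added example, not from the original post. All FQDNs and paths below are placeholders.
param(
    [string]$NewAdfsFqdn = 'newadfs.example.com',        # ADFS server you are moving to
    [string]$OldAdfsFqdn = 'oldadfs.example.com',        # ADFS server being replaced
    [string]$FileStore   = '\\lyncfs.example.com\share', # root of the Lync file store
    [string]$FeWebFqdn   = 'lyncweb.example.com'         # web services FQDN serving PassiveAuth.aspx
)

$metadataUri = "https://$NewAdfsFqdn/federationmetadata/2007-06/federationmetadata.xml"

# 1. Point the web service configuration at the new ADFS metadata endpoint and echo it back.
Set-CsWebServiceConfiguration -WsFedPassiveMetadataUri $metadataUri
(Get-CsWebServiceConfiguration).WsFedPassiveMetadataUri

# 2. Wait (up to ~5 minutes) for CMS replication to reach every replica before testing.
$attempts = 0
do {
    Start-Sleep -Seconds 15
    $pending = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
    $attempts++
} while ($pending -and $attempts -lt 20)
if ($pending) { throw 'CMS replication has not completed; fix replication before continuing.' }

# 3. Confirm the new FQDN made it into the local replica (DocItemSet.xml inside the export).
$export = Join-Path $env:TEMP 'config.zip'
$unzip  = Join-Path $env:TEMP 'config'
Export-CsConfiguration -LocalStore -FileName $export
Expand-Archive -Path $export -DestinationPath $unzip -Force
$inReplica = Select-String -Path (Join-Path $unzip 'DocItemSet.xml') -Pattern ([regex]::Escape($NewAdfsFqdn)) -Quiet
if (-not $inReplica) { throw 'New ADFS FQDN not found in the local CMS replica; stop here.' }

# 4. PassiveAuth.aspx reads the cached federation metadata, which is refreshed only about once a
#    day, so remove any copy that still references the old ADFS server and recycle IIS.
#    (The log above shows the cache under <FileStore>\1-WebServices-4\WebAuthStore; the
#    -Recurse search avoids hard-coding that folder name.) iisreset drops active web sessions.
$cacheFiles = Get-ChildItem -Path $FileStore -Recurse -Filter 'Cache_Adfs_FederationMetadata.xml' -ErrorAction SilentlyContinue
foreach ($f in $cacheFiles) {
    if (Select-String -Path $f.FullName -Pattern ([regex]::Escape($OldAdfsFqdn)) -Quiet) {
        Write-Host "Removing stale cache file: $($f.FullName)"
        Remove-Item -Path $f.FullName -Force
    }
}
iisreset

# 5. Request PassiveAuth.aspx once (this repopulates the cache) and inspect the 302 target
#    instead of following it. Windows PowerShell throws when -MaximumRedirection 0 is hit,
#    so the Location header is read from the exception's response in that case.
$url = "https://$FeWebFqdn/PassiveAuth/PassiveAuth.aspx"   # assumed default path
try {
    $resp = Invoke-WebRequest -Uri $url -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop
    $location = $resp.Headers['Location']
} catch {
    $location = $_.Exception.Response.Headers['Location']
}
Write-Host "PassiveAuth.aspx now redirects to: $location"
if ($location -notmatch [regex]::Escape($NewAdfsFqdn)) {
    throw "Still redirecting to the old ADFS server: $location"
}
```

Step 3 is the check that separates "the change never replicated" from "the change replicated but the cache is stale"; only the second case is fixed by deleting the cache file. Step 5 deliberately stops at the first redirect so the script reports which ADFS server the Front End is sending users to, without completing a sign-in.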


This was an interesting problem that had us scratching our heads for a while. Luckily the WebInfrastructure logging pointed us in the right direction.