ADFS, Antivirus and Backup and Monitoring

What do I need to do a Disaster Recovery of ADFS? What exclusions should I configure for my ADFS Server? There’s a really good Wiki article on backing up ADFS on that is a must-read for any serious deployment of ADFS. In short; a System State backup that includes all volumes of the ADFS server will be…


Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level

During the installation of ADFS 2.1 on Windows Server 2012 the Add-Role wizard grants the local virtual account NT SERVICE\MSSQL$MICROSOFT##WID that runs the WID service ‘Log on as a service’ user rights via the Local Group policy. If the Local Group Policy that grants the user rights is overwritten by a GPO with a higher priority that also defines User Rights the…


Upgrading from ADFS 2.0 to ADFS 2.1

[Note: this is a shortcut variation on the steps in the Technet article on and should for now only be used in lab scenarios as it hasn’t been officially tested by the PG’s] The short version;  Add the AD FS role on Windows Server 2012, choose to add it to an existing farm. Make the new…


Fiddling with ADFS – end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting. In short; If the web server has Extended Protection for Authentication enabled then it detects that…


Setting up your first ADFS POC

Here are the steps for setting up a POC for ADFS: First of all, you need to decide on what your federation server farm will be called on the Internet. In the drawing below I’ve chosen the name – this will be registered in DNS as follows: in external DNS to point to the…


ADFS case sensitivity

ADFS is case-sensitive for the most part – but there are some sections of ADFS 2.0 where you might not need an exact match. In general you should however still try to make sure you both comply with the standard format for public attributes and settings and maintain consistency when referring to internal server names. Example: referring…


Using Wevtutil to capture and view the ADFS Debug log

When troubleshooting ADFS server-side issues it can be useful to turn on ADFS Debug logging on the server. To enable the ADFS debug event log: wevtutil sl "AD FS 2.0 Tracing/Debug" /E:true Running the same command with /E:False disables the debug logging again. After you have enabled it, repro the problem scenario and then run the…


ADFS Event ID 364 on ADFS 2.0 proxy

Problem: The following is logged in the event log on an ADFS Proxy or ADFS Server:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          15.09.2011 14:28:16
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      ADFSProxy01
Description:
Encountered error during federation passive request.
Additional Data:
Exception details: System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the…


Setting up ADFS 2.0 as an IDP for Visma Proceedo

I’ve put together a Word document with the details on how to set up a federation trust between Visma Proceedo acting as a Relying Partner (RP) and ADFS 2.0 acting as the Identity Provider (IDP). The document can be downloaded on   Further details: