You might experience issues if you are migrating from an AD FS 3.0 farm to AD FS 2016 by gradually introducing AD FS 2016 servers into the farm (running the farm in mixed mode) and you rely on IdP-initiated sign-on with RelayState.
NOTE: mixed mode is not recommended for production; it was designed to make the transition from AD FS 3.0 to AD FS 2016 smoother.
You can view the AD FS Farm Behavior Level (FBL) by running the following command:
Get-AdfsProperties | Select CurrentFarmBehavior
A value of 1 indicates that the farm is at the Windows Server 2012 R2 FBL and a value of 3 indicates a Windows Server 2016 FBL.
For the Windows Server 2016 FBL you can enable RelayState support by issuing the following command:
Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $True
You might also need to enable the IdPInitiatedSignOn page on each AD FS 2016 server; it is disabled by default.
Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
The two commands above will not work at the Windows Server 2012 R2 FBL.
If you have AD FS 2016 servers in an AD FS 3.0 farm (a farm in mixed mode), you have to use the C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config file to enable RelayState support.
In the microsoft.identityServer.web section, add a line for useRelayStateForIdpInitiatedSignOn as follows, and save the change:
<microsoft.identityServer.web>
    <useRelayStateForIdpInitiatedSignOn enabled="true" />
</microsoft.identityServer.web>
NOTE: you must have the 2018-01 Cumulative Update for Windows Server 2016 for x64-based Systems (KB4057142) installed on each AD FS 2016 server for this to work (for some reason the update description does not mention the RelayState fix). Otherwise you will get the following errors after making the change in the config file and restarting the AD FS service.
Log Name: AD FS/Admin
Source: AD FS
Date: 1/18/2018 11:57:43 AM
Event ID: 383
Task Category: None
Level: Error
Keywords: AD FS
User: XXX
Computer: XXX
Description:
The Web request failed because the web.config file is malformed.
User Action:
Fix the malformed data in the web.config file.
Exception details:
MSIS2008: A configuration error has occurred in section ‘microsoft.identityServer.web’.
Unrecognized element ‘useRelayStateForIdpInitiatedSignOn’. (C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config line 37)
And
Log Name: AD FS/Admin
Source: AD FS
Date: 1/18/2018 11:57:43 AM
Event ID: 102
Task Category: None
Level: Error
Keywords: AD FS
User: XXX
Computer: XXX
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.Configuration.ConfigurationErrorsException: MSIS2008: A configuration error has occurred in section ‘microsoft.identityServer.web’. ---> System.Configuration.ConfigurationErrorsException: Unrecognized element ‘useRelayStateForIdpInitiatedSignOn’. (C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config line 37)
at System.Configuration.BaseConfigurationRecord.EvaluateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult)
at System.Configuration.BaseConfigurationRecord.Evaluate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
at System.Configuration.ConfigurationManager.GetSection(String sectionName)
at Microsoft.IdentityServer.Configuration.ConfigurationSectionLoader`1.GetSection()
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Configuration.ConfigurationSectionLoader`1.GetSection()
at Microsoft.IdentityServer.Web.Configuration.FederationPassiveConfigurationSection.get_Current()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.LoadProtocolHandlers()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.InitializePipeline()
at Microsoft.IdentityServer.Web.PassiveProtocolListener.Start()
at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)
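The procedure above (check the FBL, use the cmdlets at the 2016 FBL, otherwise verify KB4057142 and edit the ServiceHost config) as one script. This is an added example, not code from the original post; it assumes the ADFS PowerShell module is present, that it runs elevated on an AD FS 2016 server, and that the AD FS service is named adfssrv.

```powershell
# Added example (not from the original post): choose the RelayState enablement
# path by farm behavior level. Assumes the ADFS module, elevation, and the
# service name 'adfssrv'. The KB id and config path come from the post.
$configPath = 'C:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe.Config'
$requiredKb = 'KB4057142'

$fbl = (Get-AdfsProperties).CurrentFarmBehavior
Write-Host "CurrentFarmBehavior = $fbl"

if ($fbl -ge 3) {
    # Windows Server 2016 FBL: the supported cmdlets apply farm-wide.
    Set-AdfsProperties -EnableRelayStateForIdpInitiatedSignOn $true
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    return
}

# Windows Server 2012 R2 FBL (mixed mode): the cmdlets are rejected, so the
# element is added to the ServiceHost config on each AD FS 2016 server.
# Without the 2018-01 update the element is "Unrecognized" (events 383/102),
# so refuse to edit the file when the update is missing.
if (-not (Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue)) {
    throw "$requiredKb is not installed; adding the element would break the service."
}

# Keep a timestamped backup before changing a service configuration file.
Copy-Item $configPath "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"

[xml]$cfg = Get-Content -Raw $configPath
$web = $cfg.SelectSingleNode('/configuration/microsoft.identityServer.web')
if (-not $web) { throw "Section microsoft.identityServer.web not found in $configPath" }

# Idempotent: update the attribute if the element exists, otherwise append it.
$existing = $web.SelectSingleNode('useRelayStateForIdpInitiatedSignOn')
if ($existing) {
    $existing.SetAttribute('enabled', 'true')
} else {
    $el = $cfg.CreateElement('useRelayStateForIdpInitiatedSignOn')
    $el.SetAttribute('enabled', 'true')
    [void]$web.AppendChild($el)
}
$cfg.Save($configPath)

# The file is read at service start; restart, then look for the two error
# events the post describes to confirm the section was accepted.
Restart-Service adfssrv
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 383, 102; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue
```

If the final Get-WinEvent returns nothing, the section was parsed; any event 383 or 102 means the element was rejected and the backup should be restored.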