Enabling configuration for ADFS 2.0 Server Traces

I was working on doing diagnostics for an R-STS scenario with ADFS 2.0 and I was getting lots of errors. I had enabled tracing already for the client side but I was not getting any error traces for the client. I think a large percentage of the errors occur on the ADFS server side. So I enabled tracing for the server side as well. I just tried it and did not know if this was officially supported or documented. Doing this REALLY helped me figure out the problem and deal with error messages that were confusing. In this post I am going to show what I did to enable the server side tracing.
In doing secondary research for this post I did see this post from back during ADFS Beta 2: http://imav8n.wordpress.com/2009/08/06/enabling-logging-in-adfs/. I will just update some of the details here.
The config for ADFS is found in c:\Program Files\Active Directory Federation Services 2.0 called Microsoft.IdentityServer.ServiceHost.exe.config. Here is a copy of my config file with the tracing added. You should be able to copy this directly and then the tracing can be output for you. I did also disable the default trace ADFS listener because I wanted the output to go to a file so that I can correlate everthing using the service trace viewer
<?xml version="1.0" encoding="utf-8" ?>

    <section name="microsoft.identityServer.service" type="Microsoft.IdentityServer.Service.Configuration.ServiceConfiguration, Microsoft.IdentityServer.Service, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
    <section name="microsoft.identityServer" type="Microsoft.IdentityServer.Service.Configuration.IdentityServerConfiguration, Microsoft.IdentityServer.Service, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>
    <section name="microsoft.identityServer.proxy" type="Microsoft.IdentityServer.Service.Configuration.ProxyConfigurationSection, Microsoft.IdentityServer.Service, Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL"/>

  <microsoft.identityServer serviceMode="Server"/>

  <microsoft.identityServer.proxy >
    <host name="" httpPort="80" httpsPort="443" />
    <proxyTrust proxyTrustRenewPeriod="240" />

    <policyStore connectionString="Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True"
      administrationUrl="net.tcp://localhost:1500/policy" />
    <trustMonitoring enabled="true" />

      <!-- To enable WIF tracing, change the switchValue below to desired trace level - Verbose, Information, Warning, Error, Critical -->
      <!-- Set TraceOutputOptions as comma separated value of the following; ProcessId ThreadId CallStack. Specify None to not include any of the optional data-->
      <source name="Microsoft.IdentityModel" switchValue="Verbose">
<!--          <add name="ADFSWifListener"  traceOutputOptions="ProcessId,ThreadId" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer,Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" /> -->
          <add name="ADFSWifListener" />


      <!-- To enable WCF tracing, change the switchValue below to desired trace level - Verbose, Information, Warning, Error, Critical and
           uncomment the system.servicemodel section below -->
      <source name="System.ServiceModel" switchValue="Verbose" >
        <!--  <add  name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer,Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" /> -->
          <add name="ADFSWcfListener" />
      <source name="System.ServiceModel.MessageLogging" switchValue="Verbose" >
<!--          <add  name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer,Version=, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" /> -->
          <add name="ADFSWcfListener" />
    <!-- Added by Ben Cline - sharedListeners -->
      <add name="ADFSWcfListener"
           type="System.Diagnostics.XmlWriterTraceListener, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        <filter type="" />
      <add name="ADFSWifListener"
           type="System.Diagnostics.XmlWriterTraceListener, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        <filter type="" />

    <trace autoflush="true" ></trace>


      <messageLogging logEntireMessage="true"

    <gcServer enabled="true"/>

Some tips on Active Federation with ADFS 2.0


At work I have been working on helping my company adopt ADFS 2.0 for a Single Sign-On initiative. I have been working on handling a WPF application’s federation with ADFS and needed to use active federation (by definition). I had been following along with Dominick Baier’s blog post at http://www.leastprivilege.com/WIFADFS2AndWCFndashPart5ServiceClientMoreFlexibilityWithWSTrustChannelFactory.aspx. Dominick’s sample seemed simple enough but there were quite a few ADFS things I had to figure out in order to make things work.

BTW, learning how WIF relates to ADFS has been quite challenging but I have found the following article to be very helpful: http://technet.microsoft.com/en-us/library/adfs2-federation-wif-application-step-by-step-guide(WS.10).aspx.


    1. So I downloaded the code for the post and tried running the ManualClient. This uses WSTrustChannelFactory to connect to ADFS. The base sample uses the following ADFS endpoint:
      static string stsEndpoint = "https://<machine.domain>/adfs/services/trust/13/windowstransport";

      The windowstransport ADFS endpoints are not enabled by default so you must enable them. When I first tried to enable the WS Trust 1.3 version it would enable but it would not allow me to enable the proxy for this. I am not sure why. Eventually I was able to get the WS Trust 1.3 endpoint enabled. So at first I switched over to using the WS Trust 2005 endpoint. I also had to change the trust version to TrustVersion.WSTrustFeb2005 in the code as well. Here is the updated code at this point:

      static string stsEndpoint = "https://<machine.domain>/adfs/services/trust/2005/windowstransport";
      static string svcEndpoint = "https://<machine.domain>/soapadfs/service.svc";
      static void Main(string[] args)
         var token = GetToken();
      private static SecurityToken GetToken()
         var factory = new WSTrustChannelFactory(
            new WindowsWSTrustBinding(SecurityMode.Transport),
         factory.TrustVersion = TrustVersion.WSTrustFeb2005;
         var rst = new RequestSecurityToken
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointAddress(svcEndpoint),
            KeyType = KeyTypes.Symmetric
         var channel = factory.CreateChannel();
         return channel.Issue(rst);
    2. So then I ran the code and it got all the way to the last line of the method GetToken() and it gives me the following nearly meaningless message back (wrapped in a FaultException):

      ID3082: The request scope is not valid or is unsupported.

      I was not able to find very good information on this error but I eventually found out that one of the reasons that this can occur is if you have not setup a relying party trust in ADFS for your application.

    3. Like with much of active federation, there is a lot less documentation out there for active federation than for passive federation. Here are the steps I went through to create an ADFS relying party for an application that does not have a federation metadata document:

      a. In the ADFS 2.0 MMC, click to create a Relying Party trust.
      b. On the next page of the wizard, choose to “Enter data about the relying party manually”. Click Next
      c. Enter a display name, click Next
      d. Choose ADFS 2.0, click Next
      e. For now, do not specify an encryption certificate, click Next,
      f. Do not click to enable WS-Federation passive or Web-SSO. Both of these are browser-based options that do not apply to active federation. Click Next.
      g. For the relying party trust identifier, enter the endpoint reference you are using to call over WS-Trust, so I entered: <a href=”https:///soapadfs/service.svc”>https://<machine.domain>/soapadfs/service.svc
      h. Click to allow all to access the relying party, click Next.
      i. Click Next to move on to the Claims Authorization Wizard.
      j. I just specify a Windows username pass through at this point (see the link in my introduction for how to set this up).

    4. So then I try to run the application again and I get another annoying error message:

ID3037: The specified request failed.

Unfortunately, this is a very general one. The solution I found was to go into the relying party trust and specify the encryption certificate.

  1. Then I can successfully get the GetToken method to work properly. I did also notice one other variation in the ADFS configuration that can lead to a weird error. If you disable a relying party trust and try to run the application again you get the following error:

MSIS3127: The specified request failed.

To resolve this, simply enable the relying party trust.


I have found that much of the work with ADFS goes by the principle, “no guts, no glory,” and I wish it were easier. There seem to be a large number of errors that you can receive without a lot of helpful information for helping you resolve them. Hopefully these error resolutions will help you and I will be sure to post any other workarounds I find as I get further down the road of implementing ADFS.


Passed 70-583 on Windows Azure

I just found out that I passed the Windows Azure beta exam! I took it back in November and have been waiting for such a long time to find out the results. I did hear that this exam will require re-certification every 2 years due to the constant rate of change of Azure.

For other people that have been waiting on their results, I checked the Prometric Candidate History and it changed from “Tested” to “Passed”. I had not yet gotten a “Congratulations on your new certification” email that usually comes. Apparently the results have been delayed for some reason.

— Update 2/18/2011 —
The exam is now showing on my Microsoft Transcript so the scoring process should be back to normal now.


.NET 4 WCF Certified!, Why I take Beta Exams

I just found out this week I passed a .NET 4 beta of the WCF exam. I had taken 2 of the betas for .NET 4 and was lucky to have passed one. It is a nice honor to be in the charter group for this exam. I had previously passed the .NET 3.5 WCF exam about a year ago.
About 5 years ago I took and passed a couple of the .NET 2 betas and it was a very fun experience. Here are a couple reasons you should take beta exams any time you have the opportunity:
  • It is one of the biggest challenges – there is basically only MSDN documentation, VS samples, and the exam outline to study from. There are usually not books, Transcenders, or specialized test taking materials available.
  • If you are ever worried about all those brain dumps out there, take the exam before any brain dumps become available. If you pass before anyone could accuse you of cheating, there is practically no way to say you do not deserve the cert.
  • You gain a credential few people can say they have for a period of time. It is a big cool factor too. 🙂
  • It really tests your test taking endurance. If you are studying for a very long test like the CISSP, a Microsoft beta will help you extend your endurance. The betas usually take about 3 hours to do.
  • You help improve the tests by providing valuable feedback on exam items, translation, and other details.
  • Often times you earn a certification voucher good for another exam.

There are not that many times you can take beta exams so if you find an opportunity, go for it!. One way to find out about them is to go to the register page on Prometric, find a Microsoft exam with 71-* in the name, and then search the web for this exam to find the free code to get the test free. I love beta exams because they are the lowest cost opportunity to earn a certification. Thanks Microsoft for offering these!

New CodePlex Project – Custom WCF Bindings

I opened up a codeplex project for housing some custom WCF binding work I have been doing: http://customwcfbindings.codeplex.com/. I uploaded my progress on a custom SalesForce binding based on the WCF LOB SDK if you want to take a look. There are a couple bugs I would like to get out of the way before making an initial release but I am happy to say you can download the source and it will show up in the add adapter service wizard and with the right parameters will connect to SalesForce and generate a basic WCF proxy stub. The source includes an installer project based off of the WCF LOB SDK samples.
One innovation on the current experience of use of the WCF LOB SDK and the BizTalk adapter pack is that I include a property on the property grid to load properties from a config file. This helps reduce the time it takes to enter all of the properties on the grid for connecting to the LOB system. Entering connectivity information and LOB system details for every time a new BizTalk schema or WCF client proxy is generated is a huge annoyance in the current WCF LOB SDK lifecycle.  Once I get a release out for my codeplex project I promise to show some screenshots for some of the improvements on the development experience I have come up with.
At this point not all of the functionality in the SalesForce custom binding is working and I am only supporting .NET method calls. My SalesForce custom binding does support invocation from BizTalk and does generate BizTalk schemas and binding files but there is not type information in the generated metadata at this time, just method invocation details.
While I prepare for my next WCF LOB SDK presentation I will be moving the source code over to VS 2010 and the BizTalk 2010 beta libraries for the WCF LOB SDK. Please let me know if you have any feedback!

WCF LOB SDK Talk at CNUG – June 16

I will be presenting my WCF LOB SDK talk I did for the Magenic CodeMastery event for the Chicago .NET User Group on June 16. This is part of a special interests group (SIG) for BizTalk – http://www.cnug.org/. This presentation is great for anyone doing WCF and working with WCF custom bindings. Although BizTalk will certainly be mentioned during the presentation, the targeted audience will be .NET developers working with WCF.
In my talk at Code Mastery I presented on VS 2008 but I may be switching over to VS 2010 and working with the BizTalk 2010 beta bits as part of the demo depending on how well the performance of the demo does in my testing.
Hope to see you there!

CodeMastery Conference Recap

Today I spoke on the WCF LOB SDK and I just wanted to say thanks for everybody who attended.
I was amazed by the low number of people who had built WCF custom bindings and how few people knew of ESBs within their company. Perhaps this trend was specific to the audience but interesting none the less. As promised, I am releasing the slides and sample SalesForceBinding created for my session. I am making a few tweaks to the SalesForceBinding but will be posting it here as a comment later this week.
— Update —
I fixed the links above. With the Office 2010 launch there is a new PPT viewer and all the urls for my presentations changed again.

WCF LOB SDK Talk on May 26

I will be speaking at a Magenic sponsored mini conference called Code Mastery on May 26 2010. Here is a link to the site: http://codemastery.com/index.htm. Magenic is hosting a couple of these mini conferences in the regions we have offices. The site will be updated soon with more information on the sessions and speakers. It is a free event so bring a friend!
I will be talking about the WCF LOB SDK from both a BizTalk and general .NET user perspective. This is a technology that is fairly well known in the BizTalk community but almost completely unknown in the general .NET community. I give some introductory articles below but notice that almost everything is directly from Microsoft and on the heavily technical side. I will be reviewing some of these concepts but will also be approaching it from a practical perspective about how this technology would fit within the enterprise and how you might use it in your software projects.
Here are a couple of good links to get you started:

Certifications in Reverse

Over the past week I have taken and passed two certification exams, 70-503: WCF, and 70-529: Distributed Application Development. Rather than take the exams in the .NET framework version order of 70-529 then 70-503 for .NET 2 and then 3.5, I decided to take them in reverse. Here are a couple quick observations of this unlikely certification journey. Hopefully it is humorous:
  • After studying all of the way to implement interfaces with WCF, it was much easier to understand what was going in WSE 3.
  • Sometimes when working with WSE a few years ago I would scratch my head and wonder why it had to work that way or how round-about some of the exposed APIs were and how difficult it was to get my head around the concepts.
  • I am very glad that the WCF bindings and BindingElements are organized so much better than the WSE SOAP Extension Types and Policy assertion types.
  • If you do this unlikely certification path, of taking tests from most recent backwards, you can use this approach as a test strategy. 🙂
  • During the 70-529 exam, I tried to figure out how the WSE APIs must have evolved in order to be the WCF APIs, and then I could answer the questions based on much more WCF experience. It was a funny endeavor.
Good Luck,

BizTalk 2009 RFID – new WCF Endpoint Behavior

I was looking around in BizTalk 2009 RTM trying to find new features that have been mostly undocumented and found one today! It looks like there is a new endpoint behavior that comes with the BizTalk 2009 RFID installer for use with RFID events. The WCF-Custom adapter properties does not really give you the ability to edit the endpoint’s array of events so I opened up a WCF Service Application to explore it more. The following blog post gives an example of how to build a WCF service that takes advantage of this new endpoint adapter: http://blogs.msdn.com/krishg/archive/2009/04/13/epcis-support-in-biztalk-rfid-2009-part-1.aspx. Here is a screenshot of the WCF Service Configuration Tool (it is right in the middle):
I did a little reading on the blog post mentioned above to find out that this endpoint behavior basically is like an event pipeline or event bus for working with RFID in a standards-based way. Previously, you could work with BizTalk RFID using an event-sinks approach and then connect the dots and add decision logic using the Business Rules Engine. Custom events with EPCIS can be implemented and exposed on a WCF service and called on the basis of a event chain based on device events or programmatic .NET code. One of the examples in the BizTalk RFID help file shows using REST behaviors to interact with the service that exposes EPCIS events. This is really interesting because it provides a way to interact over WCF events with the BizTalk RFID infrastructure. Since .NET 3.5 WCF services can be exposed from a WF, this development makes it a very interesting development because RFID-workflows could be created. I am still learning about the BizTalk RFID capabilities, but thought this was worth blogging on.
There seem to be some interesting new areas to learn about with the advances in BizTalk RFID provided with the 2009 release.

Blog at WordPress.com.

Up ↑