I have an ADFS 2.0 server set up to use Smart Card authentication.

It works great if the user already exists in the AD, or isn't disabled.

Slight background: we operate an Active Directory forest that uses a third-party PKI for user authentication. We don't have a trust to the original AD, just the PKI, so user accounts will be created on an as-needed basis. There is the potential to have tens of thousands of users, so we want the process to be self-serve.

When a person fails to log in (because their account does not exist or is disabled), there are two errors thrown: an event 364, which is always the same, and an event 111, which says either "User name/password failure" or "account is disabled".

The error page seems to only pull (as far as I can tell) from event 364, which is tremendously unhelpful.

Is there any way to figure out WHY the user authentication fails during smart card log in?

Snowburnt

1 Answer

I ended up rewriting the error.aspx.cs to run through and try to grab the account, then examine if there's something wrong with it.

The code is pretty specific to my environment, but it's still fairly simple to write up in C#.

For those interested, some pseudocode:

add to top:

using System.Security.Cryptography.X509Certificates;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text.RegularExpressions;

at bottom of page_load:

// Rebuild the certificate from the raw DER bytes the browser presented.
X509Certificate2 cert = new X509Certificate2(Request.ClientCertificate.Certificate);
// Look the Subject Alternative Name extension up by its OID (2.5.29.17);
// the friendly name "Subject Alternative Name" also resolves on Windows.
X509Extension SAN = cert.Extensions["2.5.29.17"];

if (SAN != null) {
    // On Windows, Format(false) renders the UPN otherName as "Principal Name=user@domain".
    Match upnMatch = Regex.Match(SAN.Format(false), @"Principal Name=([^,\s]+)");
    string principalname = upnMatch.Success ? upnMatch.Groups[1].Value : null;
    string message;

    if (principalname == null) {
        message = "The certificate does not carry a User Principal Name.";
    } else {
        // "DomainName" and "OU" are placeholders: the AD domain and the container DN to search under.
        PrincipalContext ctx = new PrincipalContext(ContextType.Domain, "DomainName", "OU");

        UserPrincipal principal = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, principalname);

        if (principal != null) {
            // Enabled is a nullable bool; false means the account is disabled.
            message = principal.Enabled == false ? "Your account is disabled." : "Your account exists and is enabled.";
            principal.Dispose();
        } else {
            message = "No account exists for " + principalname + ".";
        }
        ctx.Dispose();
    }
    // Show 'message' in whatever control error.aspx uses for its error text (environment-specific).
}
Snowburnt
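A reusable version of the same lookup, added here as an example and not code from Snowburnt's answer: it pulls the UPN out of the certificate's SAN and then reports which account condition would make smart card logon fail, going beyond the answer's disabled check to cover locked-out and expired accounts. It assumes .NET Framework on Windows (the `Format` text layout) and takes the domain name and container DN as caller-supplied placeholders.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

// Reasons a smart card certificate cannot be mapped to a usable AD account.
public enum LogonProblem { None, NoUpnInCertificate, AccountNotFound, AccountDisabled, AccountLockedOut, AccountExpired }

public static class SmartCardLogonDiagnostics
{
    // ADFS maps the card to an AD user through the UPN carried in the SAN otherName
    // (OID 1.3.6.1.4.1.311.20.2.3). On Windows, X509Extension.Format(false) renders it
    // as "Principal Name=user@domain"; that text layout is an assumption of this helper.
    public static string ExtractUpn(X509Certificate2 cert)
    {
        X509Extension san = cert.Extensions["2.5.29.17"]; // Subject Alternative Name, by OID
        if (san == null) return null;
        Match m = Regex.Match(san.Format(false), @"Principal Name=([^,\s]+)");
        return m.Success ? m.Groups[1].Value : null;
    }

    // Classify the account in the order AD rejects logons: missing, disabled, locked out, expired.
    // 'domain' is the AD domain name and 'containerDn' the DN to search under (both placeholders).
    public static LogonProblem Diagnose(X509Certificate2 cert, string domain, string containerDn)
    {
        string upn = ExtractUpn(cert);
        if (upn == null) return LogonProblem.NoUpnInCertificate;

        using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain, domain, containerDn))
        using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn))
        {
            if (user == null) return LogonProblem.AccountNotFound;
            if (user.Enabled == false) return LogonProblem.AccountDisabled;
            if (user.IsAccountLockedOut()) return LogonProblem.AccountLockedOut;
            // AccountExpirationDate is null when the account never expires.
            if (user.AccountExpirationDate.HasValue && user.AccountExpirationDate.Value < DateTime.UtcNow)
                return LogonProblem.AccountExpired;
            return LogonProblem.None;
        }
    }
}
```

Map each LogonProblem value to a message on error.aspx; keep the wording generic enough that the page does not reveal more about the directory than the event 111 text already does.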