Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Presentation transcript:

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Module 8: Troubleshooting IDA Solutions

- Troubleshooting AD CS
- Troubleshooting AD LDS
- Resolution of AD FS Issues
- Solving AD RMS Problems

Lesson 1: Troubleshooting AD CS

- Tools Used to Troubleshoot AD CS
- What Is Enterprise PKI?
- How To Use Enterprise PKI to Troubleshoot AD CS
- Common AD CS Issues
- Troubleshooting Web Enrollment Errors
- Troubleshooting Client Autoenrollment
- Troubleshooting Certificate Validation Errors

Tools Used to Troubleshoot AD CS

- Enterprise PKI
- Certificates snap-in
- Certutil.exe

What Is Enterprise PKI?

Enterprise PKI:
- Indicates the validity and accessibility of authority information access (AIA) locations and certificate revocation list (CRL) distribution points.
- Reports various status levels, such as:
  - OK. The CA certificate or CRL at the referenced URL is valid.
  - Expiring. The CA certificate or CRL at the referenced URL is close to its expiration date.
  - Expired. The CA certificate or CRL at the referenced URL has expired.
  - Unable to download. The CA certificate or CRL cannot be downloaded from the referenced URL.

Demonstration: How To Use Enterprise PKI to Troubleshoot AD CS

To view CA, AIA, CDP, and CRL status by using Enterprise PKI

Common AD CS Issues

Common AD CS troubleshooting issues are:
- Client autoenrollment problems
- Certificate validation errors
- Web enrollment errors

Troubleshooting Web Enrollment Errors

Problem: Web pages on enterprise CAs do not generate certificates, or generate invalid certificates.
Solution: Web pages on an enterprise CA require user authentication. If the pages are set to allow anonymous connections, the CA will either fail to generate certificates or will generate invalid certificates.

Problem: The Web pages of the certification authority generate an error during access.
Solution: Log on as a user who is a member of the Administrators or Power Users group to access the Web enrollment pages and download the latest version of the software. Check whether the Web pages have execute script permissions in IIS.
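Both Web enrollment symptoms above come down to IIS settings on the CA's CertSrv application: anonymous access must be off, an authenticated scheme must be on, and the handler access policy must permit scripts. The script below is an added example for this page, not code from the course or from Microsoft. It assumes IIS 7.x with appcmd.exe (Windows Server 2008 / 2008 R2), that the enrollment pages live at "Default Web Site/CertSrv" (the AD CS default, overridable by parameter), and that it runs elevated on the CA because appcmd reads applicationHost.config.

```powershell
# Added example (not from the course): audit, and optionally correct, the IIS settings that
# the Web enrollment troubleshooting slide refers to. Assumes IIS 7.x appcmd.exe, the default
# "Default Web Site/CertSrv" path, and an elevated session on the CA.

$AppCmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Get-IisSectionXml {
    # appcmd prints the effective configuration of one section as XML text
    param([string]$SitePath, [string]$Section)
    & $AppCmd list config $SitePath "-section:$Section" 2>&1 | Out-String
}

function Test-CertSrvEnrollmentConfig {
    param([string]$SitePath = 'Default Web Site/CertSrv', [switch]$Fix)

    $auth = 'system.webServer/security/authentication'
    $anon = Get-IisSectionXml $SitePath "$auth/anonymousAuthentication"
    $win  = Get-IisSectionXml $SitePath "$auth/windowsAuthentication"
    $hand = Get-IisSectionXml $SitePath 'system.webServer/handlers'
    if ($anon -notmatch '<anonymousAuthentication') { throw "appcmd could not read '$SitePath': $anon" }

    # e.g. <anonymousAuthentication enabled="false" userName="IUSR" />
    $anonEnabled = [bool]($anon -match 'enabled="true"')
    $winEnabled  = [bool]($win  -match 'enabled="true"')
    # handlers/@accessPolicy (e.g. "Read, Script") must include Script or the .asp enrollment pages cannot run
    $scriptAllowed = $null
    if ($hand -match 'accessPolicy="([^"]*)"') { $scriptAllowed = [bool]($Matches[1] -match 'Script') }

    $findings = @()
    if ($anonEnabled) {
        $findings += 'Anonymous authentication is enabled on CertSrv: the CA cannot identify the requester, so requests fail or produce wrong certificates.'
    }
    if (-not $winEnabled) {
        $findings += 'Windows authentication is disabled on CertSrv: the enrollment pages require an authenticated user.'
    }
    if ($scriptAllowed -eq $false) {
        $findings += 'Handler access policy does not include Script: the enrollment pages return errors instead of executing.'
    }

    if ($Fix) {
        # Remediation mirrors the slide: require authentication and allow script execution.
        # /commit:apphost is needed because the authentication sections are locked at server level.
        & $AppCmd set config $SitePath "-section:$auth/anonymousAuthentication" /enabled:false /commit:apphost
        & $AppCmd set config $SitePath "-section:$auth/windowsAuthentication"  /enabled:true  /commit:apphost
        & $AppCmd set config $SitePath '-section:system.webServer/handlers' '/accessPolicy:Read, Script' /commit:apphost
    }

    New-Object PSObject -Property @{
        SitePath = $SitePath; AnonymousAuth = $anonEnabled; WindowsAuth = $winEnabled
        ScriptAllowed = $scriptAllowed; Findings = $findings
    }
}

# Report only; add -Fix to apply the corrections
Test-CertSrvEnrollmentConfig | Format-List
```

Run it once without -Fix to see the findings, then with -Fix after confirming the CertSrv path is the one your CA actually serves; the Power Users / latest-software step on the slide concerns the client and is not covered here.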

Troubleshooting Client Autoenrollment

Problem: Clients do not enroll for certificates automatically after autoenrollment is configured.
Solution: Wait for Group Policy to complete replication. Alternatively, use the Gpupdate command to force replication to occur. Ensure that the user is a member of a group that has Enroll permissions on the certificate template being used.
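The two conditions on the slide (policy applied, user holds Enroll on the template) can be checked from the client before anyone waits for replication. The script below is an added example for this page, not code from the course or from Microsoft. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that the template is named by its CN (for example "User", not the display name), and that the currently logged-on user is the one expected to enroll; group membership is read from that user's token, so nested groups are included. It also lists the client's recent autoenrollment events, which name the failing template or CA.

```powershell
# Added example (not from the course): diagnose "clients do not autoenroll".
# Assumes the ActiveDirectory module, a template CN supplied by the caller, and that the
# current user is the one who should enroll.

Import-Module ActiveDirectory

# Well-known extended-right GUIDs found in certificate template ACLs
$EnrollRight     = '0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment
$AutoEnrollRight = 'a05b8cc2-17bc-4802-a710-e7c15ab866a2'   # Certificate-AutoEnrollment

function Get-AutoEnrollmentPolicy {
    # AEPolicy is written by the "Certificate Services Client - Auto-Enrollment" Group Policy setting.
    # 0x8000 means the policy is set to Disabled; 7 is what the editor writes for Enabled with both options;
    # a missing value means no policy has applied yet (the slide's "wait for replication / gpupdate" case).
    foreach ($hive in 'HKLM', 'HKCU') {
        $key   = "${hive}:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment"
        $value = (Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
        New-Object PSObject -Property @{
            Scope    = $hive
            AEPolicy = $value
            Applied  = ($null -ne $value) -and (($value -band 0x8000) -eq 0)
        }
    }
}

function Get-TemplateEnrollmentAccess {
    # Principals allowed Enroll / Autoenroll on the template (Allow ACEs carrying the extended right)
    param([Parameter(Mandatory = $true)][string]$TemplateName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn = "CN=$TemplateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $template = Get-ADObject -Identity $dn -Properties nTSecurityDescriptor
    foreach ($ace in $template.nTSecurityDescriptor.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch 'ExtendedRight|GenericAll') { continue }
        $right = switch ($ace.ObjectType.ToString()) {
            $EnrollRight     { 'Enroll' }
            $AutoEnrollRight { 'Autoenroll' }
            '00000000-0000-0000-0000-000000000000' { 'All extended rights' }   # right granted without an object GUID
            default { $null }
        }
        if ($right) { New-Object PSObject -Property @{ Principal = $ace.IdentityReference.Value; Right = $right } }
    }
}

function Test-UserCanEnroll {
    param([Parameter(Mandatory = $true)][string]$TemplateName)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Token groups include nested membership; translate SIDs to DOMAIN\Name to compare with the ACL
    $mine = @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value } })
    $matched = Get-TemplateEnrollmentAccess -TemplateName $TemplateName | Where-Object { $mine -contains $_.Principal }
    New-Object PSObject -Property @{
        User          = $id.Name
        Template      = $TemplateName
        CanEnroll     = [bool]($matched | Where-Object { 'Enroll', 'All extended rights' -contains $_.Right })
        CanAutoenroll = [bool]($matched | Where-Object { 'Autoenroll', 'All extended rights' -contains $_.Right })
        GrantedVia    = @($matched | ForEach-Object { "$($_.Principal) ($($_.Right))" })
    }
}

function Get-AutoEnrollmentEvents {
    # Client-side autoenrollment events land in the Application log under this provider (Vista/2008 and later)
    param([int]$Count = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CertificateServicesClient-AutoEnrollment' } `
        -MaxEvents $Count -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Example run (template CN 'User' is an assumption for this example)
Get-AutoEnrollmentPolicy | Format-Table Scope, AEPolicy, Applied -AutoSize
Test-UserCanEnroll -TemplateName 'User' | Format-List
Get-AutoEnrollmentEvents | Format-Table -AutoSize
# If Applied is False, the slide's remedy applies: wait for replication or run gpupdate /force
```

Autoenrollment needs both Enroll and Autoenroll on the template, so a user who shows CanEnroll but not CanAutoenroll can request manually yet will never enroll automatically; that is the ACL gap the slide's last sentence is about.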

Troubleshooting Certificate Validation Errors

Problem: Validation errors occur when users access resources by using certificates.
Solution: Use Enterprise PKI to verify that the AIA and CDP locations and certificates are valid.
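The Enterprise PKI status check used in the lesson (OK, Expiring, Expired, or Unable to download for each AIA and CDP location) can be reproduced for a single certificate from PowerShell, which is useful when a validation error is reported from a machine that does not have the snap-in. The script below is an added example for this page, not code from the course or from Microsoft. It assumes the caller supplies the path to the certificate being validated, downloads only HTTP(S) locations (LDAP locations, which Enterprise PKI also checks, are reported as skipped), relies on certutil.exe to read the NextUpdate field of a downloaded CRL because the .NET Framework has no CRL parser, and uses a 7-day Expiring threshold chosen for the example.

```powershell
# Added example (not from the course): report the status of a certificate's AIA and CDP
# locations in the same terms Enterprise PKI uses. Assumes a certificate path from the caller,
# http(s) locations only, certutil.exe present (ships with Windows), 7-day "Expiring" window.

function Get-PkiLocation {
    # URLs published in the AIA (OID 1.3.6.1.5.5.7.1.1) and CDP (OID 2.5.29.31) extensions
    param([Parameter(Mandatory = $true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    foreach ($ext in $Certificate.Extensions) {
        $text = $ext.Format($true)   # multi-line rendering containing "URL=..." entries
        switch ($ext.Oid.Value) {
            '1.3.6.1.5.5.7.1.1' {
                # Each AIA entry names its access method before the URL:
                # 1.3.6.1.5.5.7.48.2 = CA Issuers (downloadable CA certificate), 1.3.6.1.5.5.7.48.1 = OCSP
                $pattern = 'Access Method=[^\r\n]*\((?<oid>[\d.]+)\)[\s\S]*?URL=(?<url>\S+)'
                foreach ($m in [regex]::Matches($text, $pattern)) {
                    $kind = if ($m.Groups['oid'].Value -eq '1.3.6.1.5.5.7.48.1') { 'OCSP' } else { 'AIA' }
                    New-Object PSObject -Property @{ Type = $kind; Url = $m.Groups['url'].Value }
                }
            }
            '2.5.29.31' {
                foreach ($m in [regex]::Matches($text, 'URL=(?<url>\S+)')) {
                    New-Object PSObject -Property @{ Type = 'CDP'; Url = $m.Groups['url'].Value }
                }
            }
        }
    }
}

function Test-PkiLocation {
    # Download one location and classify it: OK, Expiring, Expired, or Unable to download
    param([Parameter(Mandatory = $true)][string]$Type,
          [Parameter(Mandatory = $true)][string]$Url,
          [int]$ExpiringDays = 7)

    $result = New-Object PSObject -Property @{ Type = $Type; Url = $Url; Status = ''; Expires = $null }
    if ($Type -eq 'OCSP')            { $result.Status = 'Skipped (OCSP responder is queried, not downloaded)'; return $result }
    if ($Url -notmatch '^https?://') { $result.Status = 'Skipped (only http/https handled in this example)'; return $result }

    $tmp = [System.IO.Path]::GetTempFileName()
    try {
        (New-Object System.Net.WebClient).DownloadFile($Url, $tmp)
    } catch {
        $result.Status = "Unable to download ($($_.Exception.Message))"
        Remove-Item $tmp -Force -ErrorAction SilentlyContinue
        return $result
    }
    try {
        if ($Type -eq 'AIA') {
            # The AIA target is the issuing CA's certificate; its NotAfter is the expiry to report
            $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tmp)
            $result.Expires = $ca.NotAfter
        } else {
            # certutil -dump prints "NextUpdate: <date>" for a CRL
            $dump = & "$env:windir\System32\certutil.exe" -dump $tmp | Out-String
            if ($dump -match 'NextUpdate:\s*(.+)') { $result.Expires = [datetime]::Parse($Matches[1].Trim()) }
        }
    } catch {
        $result.Status = "Downloaded, but not parseable ($($_.Exception.Message))"
        return $result
    } finally {
        Remove-Item $tmp -Force -ErrorAction SilentlyContinue
    }

    $now = Get-Date
    if ($null -eq $result.Expires)                           { $result.Status = 'Downloaded, but no expiry field found' }
    elseif ($result.Expires -lt $now)                        { $result.Status = 'Expired' }
    elseif ($result.Expires -lt $now.AddDays($ExpiringDays)) { $result.Status = 'Expiring' }
    else                                                     { $result.Status = 'OK' }
    return $result
}

function Test-PkiLocations {
    # One status row per AIA/CDP location of the certificate at $Path (DER or Base64 .cer)
    param([Parameter(Mandatory = $true)][string]$Path, [int]$ExpiringDays = 7)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    Get-PkiLocation -Certificate $cert |
        ForEach-Object { Test-PkiLocation -Type $_.Type -Url $_.Url -ExpiringDays $ExpiringDays }
}

# Example run (the path is an assumption for this example)
Test-PkiLocations -Path 'C:\Temp\issued-cert.cer' | Format-Table Type, Status, Expires, Url -AutoSize
```

Run it from the client that reports the validation error rather than from the CA: an "Unable to download" row there, with "OK" from the CA, points at name resolution or a firewall between the client and the publishing Web server rather than at the PKI itself.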

Lesson 2: Troubleshooting AD LDS

- Common Issues of AD LDS
- Installation Issues of AD LDS Instances
- Application Connection Issues of AD LDS
- Initiating Issues of Instances

Common Issues of AD LDS

AD LDS troubleshooting areas: tools, platform, access, replication, user groups, and scenarios.

Common issues:
- Installation issues
- Application connection issues
- Instance start-up issues

Installation Issues of AD LDS Instances

Problem: The installation or removal of an AD LDS instance fails to complete successfully.
Solution: If no screen message appears and setup fails to complete successfully, view the setup log at %windir%\Debug\adamsetup.log. If no screen message appears and instance removal fails to complete successfully, view the uninstall log at %windir%\Debug\adamuninstall.log.

Application Connection Issues of AD LDS

Problem: A directory-enabled application cannot find the AD LDS instance.
Solution: Refer to the correct communication port number when specifying an AD LDS instance. The communication port number is 389 or 636.

Problem: A user is not able to connect to an AD LDS instance.
Solution: Install certificates on the computer running the AD LDS instance and on all client computers to enable SSL connections.

Initiating Issues of Instances

Problem: An AD LDS instance will not start.
Solution: Ensure that the service is running. If the service account that is specified for ADAM is a workstation or a domain user account, make sure that the account possesses the Run as a service right.
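The three AD LDS slides above (setup logs, port and SSL connectivity, service account rights) map onto a short diagnostic that can be run on the AD LDS server. The script below is an added example for this page, not code from the course or from Microsoft. It assumes the instance name and ports are supplied by the caller (389 and 636 are the defaults only when no AD DS runs on the same host), that it runs with local administrator rights on the AD LDS server (secedit needs them), and that System.DirectoryServices.Protocols is available (part of the .NET Framework 3.5 that Windows Server 2008 ships). The "Run as a service" right on the slide is the SeServiceLogonRight user right, which is what the script looks for.

```powershell
# Added example (not from the course): AD LDS instance diagnostics. Assumes instance name/ports
# from the caller, an elevated session on the AD LDS server, and .NET 3.5's
# System.DirectoryServices.Protocols.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-ServiceLogonRight {
    # Does $Account hold SeServiceLogonRight ("Log on as a service", the slide's "Run as a service")?
    param([Parameter(Mandatory = $true)][string]$Account)
    if ($Account -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') { return $true }   # built-in service identities
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match '^SeServiceLogonRight' }
    Remove-Item $inf -Force -ErrorAction SilentlyContinue
    # secedit lists resolved accounts as *S-1-5-..., unresolved ones by name
    [bool]($line -and (($line -match [regex]::Escape("*$sid")) -or ($line -match [regex]::Escape($Account))))
}

function Test-AdLdsService {
    # Each AD LDS instance is registered as a Windows service named ADAM_<instance>
    param([Parameter(Mandatory = $true)][string]$InstanceName)
    $svc = Get-WmiObject Win32_Service -Filter "Name='ADAM_$InstanceName'"
    if (-not $svc) { return New-Object PSObject -Property @{ Instance = $InstanceName; Found = $false } }
    New-Object PSObject -Property @{
        Instance = $InstanceName; Found = $true; State = $svc.State; StartMode = $svc.StartMode
        Account = $svc.StartName; HasServiceLogonRight = (Test-ServiceLogonRight -Account $svc.StartName)
    }
}

function Test-AdLdsPort {
    # TCP connect, then an anonymous rootDSE read; with -Ssl the server certificate is captured for inspection
    param([string]$Server = 'localhost', [int]$Port = 389, [switch]$Ssl)
    $result = New-Object PSObject -Property @{ Server = $Server; Port = $Port; TcpOpen = $false; LdapOk = $false; Certificate = $null; Error = $null }
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($Server, $Port); $tcp.Close(); $result.TcpOpen = $true
    } catch { $result.Error = "TCP: $($_.Exception.Message)"; return $result }

    try {
        $ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
        $conn  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        if ($Ssl) {
            $conn.SessionOptions.SecureSocketLayer = $true
            # Record the presented certificate and accept it here so the diagnosis can continue;
            # expiry and subject are reported for the operator to judge
            $conn.SessionOptions.VerifyServerCertificate = { param($c, $cert) $script:LastLdapCert = $cert; $true }
        }
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext', 'supportedLDAPVersion')
        $resp = $conn.SendRequest($req)
        $result.LdapOk = ($resp.Entries.Count -gt 0)
        if ($Ssl -and $script:LastLdapCert) {
            $result.Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($script:LastLdapCert)
        }
    } catch { $result.Error = "LDAP: $($_.Exception.Message)" }
    return $result
}

function Get-AdLdsSetupLogTail {
    # The logs the slide points to when setup or removal fails without a screen message
    param([int]$Lines = 20)
    foreach ($name in 'adamsetup.log', 'adamuninstall.log') {
        $path = Join-Path $env:windir "Debug\$name"
        if (Test-Path $path) { "==== $path"; Get-Content $path | Select-Object -Last $Lines }
        else { "==== $path (not present)" }
    }
}

# Example run (instance name and ports are assumptions for this example)
Test-AdLdsService -InstanceName 'AppDirectory' | Format-List
Test-AdLdsPort -Server 'localhost' -Port 389 | Format-List
Test-AdLdsPort -Server 'localhost' -Port 636 -Ssl | Format-List
Get-AdLdsSetupLogTail
```

A TcpOpen of True with LdapOk of False on 636 and an empty Certificate is the SSL case on the slide: the port is listening but no usable server certificate is installed for the instance, so the TLS handshake never completes.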

Lesson 3: Resolving AD FS Issues

- Common Issues of AD FS
- Setup Issues of AD FS
- Configuration Issues of AD FS
- Enabling Debug Logging with AD FS

Common Issues of AD FS

- Setup issues
- AD FS configuration issues
- Login issues

(Diagram: Manufacturer as the account partner, Supplier as the resource partner.)

Setup Issues of AD FS

Problems:
- I receive an Internet Explorer® error page with the message “This page cannot be displayed,” “Cannot find server,” or “DNS Error.”
- When I try to connect to the application, I get an Internet Explorer® error page with the message “This page cannot be found” or “HTTP Error 404 – File or directory not found.”
- After setting up a Windows NT® token–based application, I attempt to connect to it but I am not prompted to choose a host realm and login credentials.

Solutions:
- Verify that all federation servers and AD FS-enabled Web servers have a server authentication certificate issued to the default Web site.
- Verify that the Web application URL is properly named in the Active Directory® Federation Services snap-in.
- Verify that Microsoft® ASP.NET is installed on the AD FS-enabled Web server and in the Federation Service.
- Verify that the correct Federation Service host name was used during installation, if there is an external account partner Federation Service Proxy involved.
- Verify that the Federation Service URL in the IIS Manager snap-in is configured correctly, if you are using a Windows NT® token–based application.
- Verify that the Web application is properly configured in IIS.
- Verify that the virtual directory of the Windows NT® token–based application is set up to use the Ifsext.dll Internet Server Application Programming Interface (ISAPI) extension.

Configuration Issues of AD FS

Problems:
- I am receiving a server error.
- Web pages on enterprise CAs generate invalid certificates.

Solutions:
- Ensure that the application has been added to the trust policy for the Federation Service.
- For a claims-aware application, verify that the return URL is typed correctly in the application’s Web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.
- For a Windows NT® token–based application, verify that the return URL is typed correctly in IIS and that it matches the application URL in the trust policy of the Federation Service.

Enabling Debug Logging with AD FS

Issue / Description
- Error: Records events for significant problems to the debug log.
- Warning: Records events that are not necessarily significant but that may cause future problems to the debug log.
- Informational: Records informational events to the debug log.
- Verbose: Records detailed information about events to the debug log.
- Audit success: Records a security audit for every successful user authentication or trust policy change that is made to this Federation Service.
- Audit failure: Records a security audit for every unsuccessful attempt to change the trust policy for this Federation Service.
- Event log entries: Records all Active Directory® Federation Services (AD FS) events to the debug log.
- Cookie: Records cookies to the debug log.
- Log files directory: Provides a space to type or browse to the location of the log file.

Lesson 4: Solving AD RMS Issues

- Common Issues of AD RMS
- Troubleshooting AD RMS Cluster Installation
- Troubleshooting AD RMS Cluster URL Availability
- Troubleshooting Service Connection Point Registration

Common Issues of AD RMS

Common issues related to AD RMS include:
- Cluster installation
- SCP configuration
- Cluster URL availability
- Federation Identity support installation

Troubleshooting AD RMS Cluster Installation

- Verify that the AD RMS administrator account has read, write, and delete access to the _wmcs virtual directory in IIS.
- Grant access to the AD RMS administrator account on the configuration database server.
- Ensure that the AD RMS service account and the account used to install AD RMS are different.
- Add the AD RMS service account to the Domain Administrator security group if installing the AD RMS cluster on a domain controller.
- Verify that the user installing AD RMS is a member of the local Administrators group.

Troubleshooting AD RMS Cluster URL Availability

Problem: The cluster URL does not respond to HTTP(S) requests.
Solution:
- Verify that DNS is configured and working correctly.
- Ensure that all SSL certificates are valid and properly installed on all servers and clients.
- Create AD RMS port exceptions, such as TCP port 80 and TCP port 433, for Windows® Firewall.
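The three causes on the slide (DNS, SSL certificate, firewall) can be separated with one probe from the client that reports the failure. The script below is an added example for this page, not code from the course or from Microsoft. It assumes the cluster URL is supplied by the caller, probes the licensing pipeline path under the fixed _wmcs virtual directory (the exact page requested is an assumption; any HTTP status code proves the URL answers), treats TCP 80 and 443 as the standard HTTP and HTTPS ports, and, with -AddFirewallRules, runs netsh advfirewall on the local AD RMS server, which requires elevation.

```powershell
# Added example (not from the course): separate DNS, firewall and certificate causes of an
# unresponsive AD RMS cluster URL. Assumes the URL comes from the caller and -AddFirewallRules
# is only used on the AD RMS server itself.

function Test-AdRmsClusterUrl {
    param([Parameter(Mandatory = $true)][string]$ClusterUrl, [switch]$AddFirewallRules)

    $uri = [uri]$ClusterUrl
    $result = New-Object PSObject -Property @{
        Url = $ClusterUrl; DnsAddresses = $null; TcpOpen = $false; HttpStatus = $null
        CertSubject = $null; CertExpires = $null; CertValid = $null; Findings = @()
    }
    $script:RmsCert = $null; $script:RmsChainOk = $null

    # 1. DNS: the cluster name must resolve from where the client sits
    try { $result.DnsAddresses = @([System.Net.Dns]::GetHostAddresses($uri.Host) | ForEach-Object { $_.IPAddressToString }) }
    catch { $result.Findings += "DNS: $($uri.Host) does not resolve ($($_.Exception.Message))"; return $result }

    # 2. Firewall / listener: plain TCP connect to the URL's port (80 or 443 unless the URL says otherwise)
    try { $tcp = New-Object System.Net.Sockets.TcpClient; $tcp.Connect($uri.Host, $uri.Port); $tcp.Close(); $result.TcpOpen = $true }
    catch { $result.Findings += "TCP $($uri.Port) on $($uri.Host) refused or filtered: check the Windows Firewall exceptions on the AD RMS servers" }

    # 3. SSL: capture the presented certificate and the framework's verdict on it
    if ($uri.Scheme -eq 'https') {
        $prev = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
            param($sender, $cert, $chain, $errors)
            $script:RmsCert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
            $script:RmsChainOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
            $true   # accept so the HTTP status can still be read; validity is reported separately below
        }
    }
    try {
        # Licensing pipeline under the fixed _wmcs virtual directory (page name is an assumption of this example)
        $req = [System.Net.HttpWebRequest]::Create("$($uri.Scheme)://$($uri.Host):$($uri.Port)/_wmcs/licensing/license.asmx")
        $req.Method = 'GET'; $req.Timeout = 10000
        try { $resp = $req.GetResponse(); $result.HttpStatus = [int]$resp.StatusCode; $resp.Close() }
        catch [System.Net.WebException] {
            # 401/403/404 still mean the cluster URL answers; only a missing response is a connectivity failure
            if ($_.Exception.Response) { $result.HttpStatus = [int]$_.Exception.Response.StatusCode }
            else { $result.Findings += "HTTP: $($_.Exception.Message)" }
        }
    } finally {
        if ($uri.Scheme -eq 'https') { [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $prev }
    }

    if ($script:RmsCert) {
        $result.CertSubject = $script:RmsCert.Subject
        $result.CertExpires = $script:RmsCert.NotAfter
        $result.CertValid   = $script:RmsChainOk
        if (-not $script:RmsChainOk) {
            $result.Findings += 'SSL: certificate failed validation (untrusted chain, name mismatch or expired); install a valid certificate on every cluster server and trust its CA on clients'
        } elseif ($script:RmsCert.NotAfter -lt (Get-Date).AddDays(30)) {
            $result.Findings += "SSL: certificate expires $($script:RmsCert.NotAfter)"
        }
    }

    if ($AddFirewallRules) {
        # Inbound exceptions for the cluster ports on the local AD RMS server
        foreach ($port in 80, 443) {
            & netsh.exe advfirewall firewall add rule name="AD RMS cluster TCP $port" dir=in action=allow protocol=TCP localport=$port | Out-Null
        }
    }
    return $result
}

# Example run (the URL is an assumption for this example)
Test-AdRmsClusterUrl -ClusterUrl 'https://rms.contoso.example' | Format-List
```

Read the result top-down in the order the slide lists its checks: no DnsAddresses is a DNS problem, TcpOpen False with addresses is a firewall or listener problem, and an HttpStatus with CertValid False is the certificate case.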

Troubleshooting Service Connection Point Registration

Problem: Failure to register the service connection point.
Solution:
- Ensure that the user registering the service connection point (SCP) is a member of the AD RMS Enterprise Administrators and the Enterprise Admins security groups.
- Delete any existing SCP and create a new one.
- Verify that DNS is configured and working correctly.
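Before deleting and recreating the SCP it is worth confirming the two memberships on the slide and seeing whether an SCP is already published. The script below is an added example for this page, not code from the course or from Microsoft. It assumes it runs as the account that will register the SCP, on the AD RMS server (AD RMS Enterprise Administrators is a local group there, so it only appears in the token on that machine), and it locates any existing SCP by searching the Configuration container for serviceConnectionPoint objects whose binding information points at the _wmcs virtual directory, rather than relying on a hard-coded container name. The cluster host name for the DNS check is an assumption too.

```powershell
# Added example (not from the course): preconditions for AD RMS SCP registration. Assumes the
# registering account is the current user, the session is on the AD RMS server, and the cluster
# host name is supplied by the caller.

function Get-AdRmsScp {
    # serviceConnectionPoint objects under CN=Services in the Configuration NC whose binding mentions _wmcs
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Services,$configNC"
    $searcher.Filter = '(objectClass=serviceConnectionPoint)'
    $searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'serviceBindingInformation', 'keywords'))
    foreach ($r in $searcher.FindAll()) {
        $binding = @($r.Properties['servicebindinginformation'])
        if (($binding -join ' ') -match '_wmcs') {
            New-Object PSObject -Property @{
                DN = $r.Properties['distinguishedname'][0]; Binding = $binding; Keywords = @($r.Properties['keywords'])
            }
        }
    }
}

function Test-ScpRegistrationReadiness {
    param([string]$ClusterHost)
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # Token groups (nested membership included) translated to DOMAIN\Name or SERVER\Name
    $groups = @($id.Groups | ForEach-Object { try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value } })
    $entAdmins = [bool]($groups | Where-Object { $_ -match '\\Enterprise Admins$' })
    $rmsAdmins = [bool]($groups | Where-Object { $_ -match '\\AD RMS Enterprise Administrators$' })

    $dnsOk = $null
    if ($ClusterHost) {
        try { $dnsOk = [bool]([System.Net.Dns]::GetHostAddresses($ClusterHost)) } catch { $dnsOk = $false }
    }

    New-Object PSObject -Property @{
        User                          = $id.Name
        EnterpriseAdmins              = $entAdmins
        AdRmsEnterpriseAdministrators = $rmsAdmins
        ClusterDnsResolves            = $dnsOk
        ReadyToRegister               = ($entAdmins -and $rmsAdmins -and ($dnsOk -ne $false))
        ExistingScp                   = @(Get-AdRmsScp)
    }
}

# Example run (cluster host name is an assumption for this example)
Test-ScpRegistrationReadiness -ClusterHost 'rms.contoso.example' | Format-List
```

The script only reports. If ExistingScp lists an object whose Binding points at a cluster that no longer exists, that is the stale SCP the slide says to delete before creating a new one, which is done from the AD RMS console.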

Lab 8: Troubleshooting Identity and Access Solutions

Exercise 1: Identifying Tools and Troubleshooting Techniques of IDA Solutions
Estimated time: 20 minutes