Verify That an AD FS-Enabled Web Server Is Operational

Applies To: Windows Server 2008

After you set up your Active Directory Federation Services (AD FS)–enabled Web server and you successfully install and configure the applications, you can use one or more of the procedures in this topic to verify that the AD FS-enabled Web server can be reached by a federation server, by a client on the Internet, or by local clients through Windows Integrated authentication.

Depending on whether you currently have federation servers deployed or you want to verify local connectivity, perform one or more of the following tasks:

  • If you have a resource federation server deployed in your organization, verify that the AD FS-enabled Web server and the resource federation server can ping one another using their fully qualified domain names (FQDNs) and IP addresses. If the ping command fails, use nslookup to test Domain Name System (DNS) connectivity.

    For more information about troubleshooting connectivity between AD FS-enabled Web servers and federation servers, see Verifying Active Directory Federation Services Computer Settings and Connectivity (https://go.microsoft.com/fwlink/?LinkId=74929).
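The following PowerShell script is an added example and is not part of the original topic. It performs the name-resolution and reachability checks described above from one side of the pair, so run it on the AD FS-enabled Web server against the federation server's FQDN and then on the federation server against the Web server's FQDN. It goes one step beyond ping by also opening a TCP connection to port 443, because Windows Firewall on Windows Server 2008 blocks inbound ICMP echo requests by default, so a failed ping with a successful DNS lookup may be a firewall rule rather than a connectivity problem. The host name fs.treyresearch.net is an assumption modelled on the example URLs in this topic; replace it with your own resource federation server.

```powershell
# Added example (not from the original topic). Works on Windows PowerShell 2.0, which is
# what Windows Server 2008 can run, so it uses .NET classes rather than newer cmdlets.
$peers = @("fs.treyresearch.net")   # assumed FQDN of the resource federation server

function Test-AdfsPeer {
    param([string]$Fqdn)
    $result = New-Object PSObject -Property @{
        Fqdn = $Fqdn; Addresses = ""; Resolves = $false
        PingByName = $false; PingByAddress = $false; ReverseName = ""; Https443 = $false
    }
    # Forward lookup: the same resolution ping performs before it sends any packet.
    try {
        $ips = @([System.Net.Dns]::GetHostAddresses($Fqdn) | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        $result.Resolves  = ($ips.Count -gt 0)
        $result.Addresses = ($ips | ForEach-Object { $_.IPAddressToString }) -join ","
    } catch [System.Net.Sockets.SocketException] {
        Write-Warning "DNS lookup for $Fqdn failed: $($_.Exception.Message)"
        # The topic's fallback when ping fails: ask nslookup which server answered and how.
        Write-Host (nslookup $Fqdn 2>&1 | Out-String)
        return $result
    }
    $ping = New-Object System.Net.NetworkInformation.Ping
    try { $result.PingByName = ($ping.Send($Fqdn, 2000).Status -eq 'Success') } catch { }
    foreach ($ip in $ips) {
        try {
            if ($ping.Send($ip, 2000).Status -eq 'Success') { $result.PingByAddress = $true }
            # Reverse lookup: a PTR record that names a different host usually means a stale DNS entry.
            $result.ReverseName = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch { }
    }
    # Added check beyond the topic's ping test: the port federation traffic actually uses.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Fqdn, 443); $result.Https443 = $tcp.Connected } catch { } finally { $tcp.Close() }
    if ($result.Resolves -and -not $result.PingByAddress) {
        Write-Warning "$Fqdn resolves but does not answer ping; check Windows Firewall ICMP rules before suspecting DNS."
    }
    return $result
}

foreach ($peer in $peers) { Test-AdfsPeer -Fqdn $peer | Format-List Fqdn, Resolves, Addresses, ReverseName, PingByName, PingByAddress, Https443 }
```

A healthy pair shows Resolves, PingByName, PingByAddress and Https443 all True and a ReverseName that matches the FQDN you queried. Resolves False with PingByAddress True means the problem is in DNS, not the network, which is the case the topic tells you to take to nslookup.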

  • Verify that you can access the application with AD FS disabled. Perform the steps in the following procedure when you want to verify basic Windows Integrated authentication connectivity to the application. This procedure can be helpful when you want to test local connectivity to the AD FS-enabled Web server by using a client computer in the same Active Directory Domain Services (AD DS) forest or a trusting forest. This procedure can also be helpful when you want to verify that the application has been installed correctly even though federation servers have not yet been deployed.

Membership in Administrators, or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify local access to an application

  1. If you previously enabled Anonymous Access for the Web site or virtual directory where your application resides, temporarily disable Anonymous Access and make sure that Windows Integrated authentication is enabled for the purposes of this verification test.

  2. If you previously enabled the AD FS Web Agent by using the Internet Information Services (IIS) Manager user interface (UI) (for Windows NT token–based agents) or by using the web.config file (for claims-aware agents), temporarily disable the AD FS Web Agent for the purposes of this verification test.

  3. Log on to a client computer that is a member of the same forest or trusting forest as the AD FS-enabled Web server.

  4. Open a browser window, type the return URL for the federated application that you will attempt to access (for example, https://adfsweb.treyresearch.net/ordering), and then press ENTER.

  5. If the test is successful, you should be able to access the application.

  • Verify that you can access the application with AD FS enabled. Perform the steps in the following procedure when you want to verify that AD FS components are working as expected and that IIS is publishing the application correctly. The steps that you perform here assume that you have the appropriate permissions assigned so that federated users can access your application. These steps are intended only to verify connectivity to the AD FS-enabled Web server.

Note

If you enabled Windows Integrated authentication and disabled Anonymous Access for the previous procedure, reverse those changes before continuing: disable Windows Integrated authentication, re-enable Anonymous Access, and re-enable the AD FS Web Agent that you disabled in step 2 of that procedure.

Membership in Users, Backup Operators, Power Users, Administrators or equivalent, on the local computer is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To verify federated access to an application

  1. Log on to a client computer with Internet access.

  2. Open a browser window, type the return URL for the federated application that you will attempt to access (for example, https://adfsweb.treyresearch.net/test), and then press ENTER.

    If the Web server is configured properly, a client computer that does not yet trust the server authentication certificate first sees a certificate warning, and is then redirected to the account partner discovery page, which prompts the user to choose an account partner.

Note

If the resource Federation Service has only one account partner and no account stores are identified in the trust policy, the client computer is not prompted with the account partner discovery page. Instead, the client is redirected directly to the account partner's logon page.

If you do not see either of these prompts, double-check that every task in the checklist for the federation server is complete, and then try again. If you still do not see these prompts, see Configuring AD FS Servers for Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=74970).

For general information about how to troubleshoot problems with Secure Sockets Layer (SSL)–enabled Web sites, including identifying configuration problems in the IIS metabase, certificates, or certificate stores, see Internet Information Services Diagnostic Tools (https://go.microsoft.com/fwlink/?LinkId=55062).
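The following PowerShell script is an added example and is not part of the original topic. It automates both verification procedures above (local access with AD FS disabled, and federated access with AD FS enabled) by requesting the application's return URL twice, once anonymously and once with the logged-on user's Windows credentials, without following redirects, so that you can see exactly what the Web server answers. With the AD FS Web Agent disabled and Windows Integrated authentication enabled, the anonymous request should be challenged (401) and the credentialed request should succeed (200). With the Web Agent enabled and Anonymous Access on, the anonymous request should be redirected (302) to the Federation Service. The return URL is the one used in this topic's examples; the assumption that the redirect target contains the path /adfs/ls/ reflects the AD FS 1.x Federation Service endpoint, and the script reports an untrusted server certificate rather than bypassing certificate validation.

```powershell
# Added example (not from the original topic). Windows PowerShell 2.0 compatible.
$returnUrl = "https://adfsweb.treyresearch.net/ordering"   # return URL from this topic's examples

function Get-AdfsWebResponse {
    param([string]$Url, [switch]$UseDefaultCredentials)
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method = "GET"
    $request.AllowAutoRedirect = $false      # show the first redirect instead of following it
    $request.Timeout = 15000
    $request.UseDefaultCredentials = [bool]$UseDefaultCredentials   # Windows Integrated authentication
    try {
        $response = $request.GetResponse()   # 2xx and, with AllowAutoRedirect off, 3xx arrive here
        $status = [int]$response.StatusCode
        $location = $response.Headers["Location"]
        $response.Close()
    } catch [System.Net.WebException] {
        $ex = $_.Exception
        if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
            # This is the browser's certificate warning in script form; do not disable validation to hide it.
            return New-Object PSObject -Property @{ Status = "TrustFailure"; Location = $null; Note = "server authentication certificate is not trusted by this client" }
        }
        if ($ex.Response -eq $null) { throw }   # no response at all: name, firewall or IIS binding problem
        $status = [int]$ex.Response.StatusCode  # 4xx/5xx (including the 401 challenge) are raised as exceptions
        $location = $ex.Response.Headers["Location"]
        $ex.Response.Close()
    }
    New-Object PSObject -Property @{ Status = $status; Location = $location; Note = "" }
}

function Test-AdfsWebServer {
    param([string]$Url, [switch]$FederationEnabled)
    $anon = Get-AdfsWebResponse -Url $Url
    $auth = Get-AdfsWebResponse -Url $Url -UseDefaultCredentials
    if ($FederationEnabled) {
        # Procedure "To verify federated access": the Web Agent must send an anonymous client
        # to the Federation Service. The /adfs/ls/ path is assumed (AD FS 1.x sign-in endpoint).
        $ok = ($anon.Status -eq 302) -and ($anon.Location -match "/adfs/ls/")
        $expect = "302 redirect to the Federation Service (/adfs/ls/)"
    } else {
        # Procedure "To verify local access": Windows Integrated authentication only, no Web Agent.
        $ok = ($anon.Status -eq 401) -and ($auth.Status -eq 200)
        $expect = "401 without credentials, 200 with Windows credentials"
    }
    New-Object PSObject -Property @{
        Url = $Url; Passed = $ok; Expected = $expect
        AnonymousStatus = $anon.Status; AnonymousLocation = $anon.Location
        AuthenticatedStatus = $auth.Status; Note = ($anon.Note + $auth.Note)
    }
}

# Run the first line after step 2 of the local-access procedure, the second after re-enabling
# Anonymous Access and the AD FS Web Agent for the federated-access procedure.
Test-AdfsWebServer -Url $returnUrl | Format-List
Test-AdfsWebServer -Url $returnUrl -FederationEnabled | Format-List
```

A 302 whose Location points back at the application, or a 200 on the anonymous request while federation is enabled, means the AD FS Web Agent is not protecting the URL you requested, so check that the agent is enabled for that virtual directory before looking at the federation server. A TrustFailure result is the certificate prompt described above and is resolved on the client, by installing the issuing CA certificate, not on the Web server.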

Additional references

Checklist: Installing an AD FS-Enabled Web Server