Verify that an ADFS-enabled Web server is operational

Applies To: Windows Server 2003 R2

After you set up your Active Directory Federation Services (ADFS)–enabled Web server and you successfully install and configure the applications, you can use one or more of the procedures in this topic to verify that the ADFS-enabled Web server can be reached by a federation server, by a client on the Internet, or by local clients through Windows Integrated authentication.

Depending on whether you currently have federation servers deployed or you want to verify local connectivity, perform one or more of the following tasks:

  • If you have a resource federation server deployed in your organization, verify that the ADFS-enabled Web server and the resource federation server can ping one another using their fully qualified domain names (FQDNs) and IP addresses. If the ping command fails, use nslookup to test Domain Name System (DNS) connectivity.

    For more information about troubleshooting connectivity between ADFS-enabled Web servers and federation servers, see Verify Active Directory Federation Services Computer Settings and Connectivity (https://go.microsoft.com/fwlink/?LinkId=74929).

  • Verify that you can access the application with ADFS disabled. Perform the steps in the following procedure when you want to verify basic Windows Integrated authentication connectivity to the application. This procedure can be helpful when you want to test local connectivity to the ADFS-enabled Web server by using a client computer in the same Active Directory forest or a trusting forest. This procedure can also be helpful when you want to verify that the application has been installed correctly even though federation servers have not yet been deployed.

To verify local access to an application

  1. If you previously enabled Anonymous Access for the Web site or virtual directory where your application resides, temporarily disable Anonymous Access and make sure that Windows Integrated authentication is enabled for the purposes of this verification test.

  2. If you previously enabled the ADFS Web Agent by using the Internet Information Services (IIS) Manager UI (for Windows NT token-based agents) or by using the web.config file (for claims-aware agents), temporarily disable the ADFS Web Agent for the purposes of this verification test.

  3. Log on to a client computer that is a member of the same forest or trusting forest as the ADFS-enabled Web server.

  4. Open a browser window, type the return URL for the federated application that you will attempt to access (for example, https://adfsweb.treyresearch.net/ordering), and then press ENTER.

  5. If the test is successful, you should be able to access the application.

  • Verify that you can access the application with ADFS enabled. Perform the steps in the following procedure when you want to verify that ADFS components are working as expected and that IIS is publishing the application correctly. The steps that you perform here assume you have the appropriate permissions assigned so that federated users can access your application. These steps are intended only to verify connectivity to the ADFS-enabled Web server.

    Note

    If you previously enabled Windows Integrated authentication (for the previous procedure), disable Windows Integrated authentication and then re-enable Anonymous Access before continuing with this procedure.

To verify federated access to an application

  1. Log on to a client computer with Internet access.

  2. Open a browser window, type the return URL for the federated application that you will attempt to access (for example, https://adfsweb.treyresearch.net/test), and then press ENTER.

    If the Web server is configured properly, a client computer that does not yet trust the server authentication certificates should see a prompt for certificates and then a prompt for the account partner discovery page.

    Note

    If the resource Federation Service has only one account partner and no account stores are identified in the trust policy, the client computer will not be prompted for the account partner discovery page. Instead, the client will be redirected to the account partner's login page.

    If you do not see either of these prompts, double-check that all of the tasks in the checklist for the federation server are complete, and then try again. If you still do not see these prompts, see Configuring ADFS Servers for Troubleshooting (https://go.microsoft.com/fwlink/?LinkId=74970).
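
The ping and nslookup check from the first task above can be scripted so that it runs the same way on both servers. The batch file below is an added example, not part of the original topic; the file name checkpeer.cmd and the FQDN and IP address in its usage comment are constructed placeholders. Run it on the ADFS-enabled Web server against the resource federation server, and then the other way around.

```bat
@echo off
rem Added example: checks that this server can reach its peer by FQDN and by
rem IP address, and falls back to nslookup when a check fails.
rem Usage (constructed placeholder values):
rem   checkpeer.cmd fs.example.test 192.0.2.10
setlocal
set PEER_FQDN=%~1
set PEER_IP=%~2
if "%PEER_IP%"=="" (
    echo Usage: %~nx0 peer-fqdn peer-ip
    exit /b 2
)
set FAILED=0

call :probe "ping by FQDN" %PEER_FQDN%
call :probe "ping by IP address" %PEER_IP%

rem ping prints "Pinging name [address]" for a resolved name. Confirm that the
rem FQDN resolves to the address you expect, not to a stale or wrong record.
ping -n 1 %PEER_FQDN% | find "[%PEER_IP%]" >nul
if errorlevel 1 (
    echo FAIL: %PEER_FQDN% does not resolve to %PEER_IP%
    set FAILED=1
) else (
    echo OK: %PEER_FQDN% resolves to %PEER_IP%
)

rem A check failed, so test DNS in both directions with nslookup.
if "%FAILED%"=="1" (
    echo --- nslookup forward lookup ---
    nslookup %PEER_FQDN%
    echo --- nslookup reverse lookup ---
    nslookup %PEER_IP%
)
endlocal & exit /b %FAILED%

:probe
rem IPv4 echo replies contain "TTL=". Matching on it avoids counting a
rem "Destination host unreachable" message as a successful reply.
ping -n 2 %2 | find "TTL=" >nul
if errorlevel 1 (
    echo FAIL: %~1 %2
    set FAILED=1
) else (
    echo OK: %~1 %2
)
goto :eof
```

The script exits with 0 when all three checks pass and 1 otherwise. A failed ping can also mean that a firewall between the servers drops ICMP, so read the nslookup output before concluding that DNS is at fault.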

For general information about how to troubleshoot problems with Secure Sockets Layer (SSL)–enabled Web sites, including identifying configuration problems in the IIS metabase, certificates, or certificate stores, see Internet Information Services Diagnostic Tools (https://go.microsoft.com/fwlink/?LinkId=55062).

See Also

Concepts

Checklist: Installing an ADFS-enabled Web server