Infor Ming.le Installation Guide for Standalone IFS Release 11.1.x


Post on 16-Jun-2021


Copyright © 2016 Infor

Important Notices

The material contained in this publication (including any supplementary information) constitutes and contains confidential and proprietary information of Infor.

By gaining access to the attached, you acknowledge and agree that the material (including any modification, translation or adaptation of the material) and all copyright, trade secrets and all other right, title and interest therein, are the sole property of Infor and that you shall not gain right, title or interest in the material (including any modification, translation or adaptation of the material) by virtue of your review thereof other than the non-exclusive right to use the material solely in connection with and the furtherance of your license and use of software made available to your company from Infor pursuant to a separate agreement, the terms of which separate agreement shall govern your use of this material and all supplemental related materials ("Purpose").

In addition, by accessing the enclosed material, you acknowledge and agree that you are required to maintain such material in strict confidence and that your use of such material is limited to the Purpose described above. Although Infor has taken due care to ensure that the material included in this publication is accurate and complete, Infor cannot warrant that the information contained in this publication is complete, does not contain typographical or other errors, or will meet your specific requirements. As such, Infor does not assume and hereby disclaims all liability, consequential or otherwise, for any loss or damage to any person or entity which is caused by or relates to errors or omissions in this publication (including any supplementary information), whether such errors or omissions result from negligence, accident or any other cause.

Without limitation, U.S. export control laws and other applicable export and import laws govern your use of this material and you will neither export or re-export, directly or indirectly, this material nor any related materials or supplemental information in violation of such laws, or use such materials for any purpose prohibited by such laws.

Trademark Acknowledgements

The word and design marks set forth herein are trademarks and/or registered trademarks of Infor and/or related affiliates and subsidiaries. All rights reserved. All other company, product, trade or service names referenced may be registered trademarks or trademarks of their respective owners.

Publication information

Release: Infor Federation Services (IFS) 11.1.x

Publication date: October 6, 2016

Document code: ifsig

Contents

About this guide
    Contacting Infor

Chapter 1: About Infor Federation Services
    Authentication
    Claims-based authentication
        AD FS certificates
        Configuration information in AD FS
    Authorization and other user properties
    Central user management

Chapter 2: Preparing for the installation
    Infrastructure requirements
        Prerequisites for the IFS server
        Prerequisites for the client PC
        TCP/IP ports
    Installing Microsoft SQL Server 2008 R2
        Setup Role
        Feature Selection
        Server Configuration
        Database Engine Configuration
        Activating mixed mode authentication in a prior installation of SQL server
        Using the required SQL collation
        Starting the SQL Server Browser service
        Verifying the SQL Server TCP/IP accessibility
    Installing IIS
    Verifying server roles and features
    Adding IIS binding for HTTPS
        Adding the HTTPS bindings for IIS
        Changing the HTTP and HTTPS ports of the default website

Chapter 3: Installing IFS

Chapter 4: Post-installation tasks
    Bootstrapping the IFS application
    Enabling integrated Windows authentication in Internet Explorer 8 or later
    Enabling integrated Windows authentication in Mozilla Firefox 3.x or later

Chapter 5: Changing security mode
    Changing from Windows http to Windows over SSL
    Prerequisites to use claims-based authentication
        Installing and configuring AD FS 2.0
    Changing the security mode to claims-based authentication
        Viewing the results in AD FS

Chapter 6: Upgrading to IFS 11.1
    Prerequisites
    Preparing the upgrade
        Removing duplicate person entries
        Creating a backup of the IFS database (INFORFS) and your IFS system
        Availability during IFS upgrade
    Upgrading from IFS 10.0, IFS 10.1, IFS 10.2, IFS 10.3 or IFS 11.0 to IFS 11.1
    Updating from an IFS 1.2 version
    Corrections if the IFS upgrade fails because of duplicates in PersonIdentifier
        Correcting the IFS security configuration
        Finalizing the database migration

Appendix A: Troubleshooting
    Issues with the IFS environment
        SSO does not work: unexpected sign-in dialog in Internet Explorer (using AD FS or otherwise)
        Repeated browser sign-in dialog and/or HTTP error 401 Unauthorized on sign-in, using correct credentials (AD FS or IFS, or elsewhere)
        Connection to a remote IFS database fails because NT AUTHORITY\ANONYMOUS LOGON is used
        IFS reports Active Directory error, LDAP-related error, or UPN error
    Issues when installing the IFS application
    Issues when running the IFS application
    Microsoft AD FS specific issues
    Issues when signing in to AD FS
    Issues with IFS Web Services
    Tracing of AD FS
    IFS and ION integration issues related to infrastructure settings
    Chrome 42 NPAPI disables Java and Silverlight

Appendix B: Security considerations for connecting to SQL Server
    How does integrated Windows authentication work?
    Encrypting connection strings
    Encrypting connections to SQL Server

Appendix C: Changing the HTTP/HTTPS port numbers for AD FS 2.0

Appendix D: Creating server certificates
    Self-signed certificate vs. CA-signed certificate
    Creating a self-signed certificate
    Creating a Certificate Authority (CA) Signed certificate
    Creating a domain certificate

About this guide

Infor Federation Services (IFS) is a component of Infor Ming.le™.

To install IFS in standalone mode you must use the Infor Federation Services installer. Do not use the Infor Ming.le Enterprise and Infor Ming.le Foundation installers to install IFS in standalone mode.

The installation installs and configures the IFS application on the IFS server. IFS data is stored in a SQL Server database, which can be on a local or remote server. Sign-in is through Integrated Windows Authentication.

Intended Audience

The guide is intended for administrators who plan to install IFS and who are familiar with Microsoft SQL Server databases, IIS, and MS Windows administration.

Related documents

You can find the documents in the product documentation section of the Infor Xtreme Support portal, as described in "Contacting Infor".

• Infor Federation Services Administration Guide (U9663 US)


Contacting Infor

If you have questions about Infor products, go to the Infor Xtreme Support portal.

If we update this document after the product release, we will post the new version on this website. We recommend that you check this website periodically for updated documentation.

If you have comments about Infor documentation, contact [email protected].


Chapter 1: About Infor Federation Services

In a multi-application environment, IFS facilitates centralized authentication and authorization.

In an Infor Ming.le environment, these methods of authentication are supported:

• Integrated Windows Authentication
• Claims-based authentication with Microsoft Active Directory Federation Services (AD FS)

The role of IFS differs for each authentication method.

IFS has these roles:

• If the authentication method is claims-based, IFS configures Microsoft AD FS, and registers Infor applications.
• In an ION Process environment, IFS manages the users and distribution groups that are used in ION.

IFS provides a section to manage user properties, both authorization and non-authorization related, that is used by several applications.

See the Infor product documentation to verify whether IFS is required for your installation.

Authentication

IFS supports Integrated Windows Authentication and claims-based authentication for the IFS UI and for the IFS web services.

This table shows security modes and the corresponding authentication methods and bindings:

| Security Mode | Authentication method for IFS UI | Authentication method for IFS web services | Bindings |
|---|---|---|---|
| Windows | Integrated Windows Authentication | Integrated Windows Authentication | http and/or https |
| SAMLToken Allowing Windows for Web Services | Claims-based authentication | Integrated Windows Authentication and claims-based authentication | https |
| SAMLToken | Claims-based authentication | Claims-based authentication | https |

Note: The IFS configuration web service, only used when new applications are registered, uses anonymous authentication and requires the http binding.

The "SAMLToken Allowing Windows for Web Services" security mode is an intermediate security mode. This mode supports a smooth change of the security mode of an Infor application environment. Several Infor applications use the IFS web services. By switching IFS to this intermediate security mode, a customer can switch the applications that use the IFS web services one by one to the new security mode. As a last step, the IFS application can be switched to the targeted security mode.

Claims-based authentication

This diagram shows the central relationship between IFS and the Security Token Service (STS).

The supported STS is Microsoft AD FS.


When a user accesses an application, the STS verifies the user credentials and provides sufficient information about the user.

When a user accesses an application for the first time, the user is redirected to the STS. If the user is not already known, the STS verifies the credentials of the user against AD, for example, by requesting a user ID and password. STS creates a set of claims about the user in a so-called token.

Microsoft AD FS can use multiple sources to create a set of claims for a user. The primary source is Active Directory (AD), which is used to verify the identity of the user and provide the basic claims about the user. Typical examples of basic claims are the first and last name of the user and their e-mail address. Infor applications require additional information such as security roles and accounting entities. This data is not available in AD and is therefore read from a SQL Server database. The IFS application maintains the data in this SQL Server database.

The token and the user are then redirected to the application. Based on this token, the Infor application grants access to the user. To ensure that the token comes from a reliable STS, the STS signs the token using (the private key part of) a certificate. The Infor application verifies the signature on the received token against the public key of that same certificate. The next subsection provides background information for certificates which play a role in AD FS.

AD FS certificates

This table shows the certificate types that play a role in AD FS:

| Certificate type | Description |
|---|---|
| Token-signing certificate | This certificate signs tokens and requests that AD FS sends out. |
| Token-decrypting certificate | This certificate decrypts tokens and requests that AD FS receives. |
| Service Communications certificate | This certificate is used for internal AD FS communication. |
| SSL certificate | This certificate is used to prove that the AD FS web server is really the contacted AD FS server. |

The first three certificate types are maintained in the AD FS Management snap-in. The SSL certificate is maintained in IIS Manager. According to Microsoft documentation, the Service Communications and SSL certificates must always be the same.

The token-signing and token-decrypting certificates are generated during the initial AD FS configuration. These generated certificates are valid for one year. Therefore you must renew these certificates within a year. We recommend that you generate certificates that are valid for a longer time.

By default, the AD FS 'certificate rollover' mechanism is enabled. This mechanism automatically generates new AD FS certificates before the existing ones expire. The mechanism then gives the applications time to recognize the new certificates, and finally switches to the new certificates. Every application which regularly checks AD FS for new certificates, and trusts all of the token-signing certificates, will continue to work without requiring additional steps.


Note: Many AD FS-enabled Infor applications currently do not check AD FS automatically. For these applications you must manually update the trust, using a procedure that is different for each application. See solution 1119982.
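The rollover gap described above can be detected by comparing the token-signing certificates that AD FS publishes with the thumbprints an application currently trusts. The following is an added example, not part of the Infor guide or of Infor or Microsoft tooling; it assumes the certificates are read from AD FS federation metadata in SAML 2.0 metadata format, and the metadata document, host name and certificate bytes are constructed placeholders.

```powershell
# Added example. All sample data below is constructed; the "certificates" are
# placeholder bytes, not real X.509 certificates.

function Get-Thumbprint {
    param([byte[]]$DerBytes)
    # A certificate thumbprint is the SHA-1 hash of the DER-encoded certificate.
    $hash = [System.Security.Cryptography.SHA1]::Create().ComputeHash($DerBytes)
    ([System.BitConverter]::ToString($hash)) -replace '-', ''
}

function Get-PublishedSigningThumbprint {
    param([xml]$Metadata)
    $ns = @{
        md = 'urn:oasis:names:tc:SAML:2.0:metadata'
        ds = 'http://www.w3.org/2000/09/xmldsig#'
    }
    # Only use="signing" keys validate tokens; encryption keys are skipped.
    $xpath = "//md:KeyDescriptor[@use='signing']//ds:X509Certificate"
    $found = Select-Xml -Xml $Metadata -XPath $xpath -Namespace $ns | ForEach-Object {
        Get-Thumbprint -DerBytes ([System.Convert]::FromBase64String($_.Node.InnerText))
    }
    # The same certificate can appear under several role descriptors; report it once.
    $found | Sort-Object -Unique
}

function Compare-SigningTrust {
    param([string[]]$Published, [string[]]$Trusted)
    foreach ($tp in $Published) {
        if ($Trusted -contains $tp) {
            $status = 'OK: published and trusted'
        } else {
            $status = 'ACTION: published by AD FS, not yet trusted by application'
        }
        New-Object PSObject -Property @{ Thumbprint = $tp; Status = $status }
    }
    foreach ($tp in $Trusted) {
        if ($Published -notcontains $tp) {
            New-Object PSObject -Property @{
                Thumbprint = $tp
                Status     = 'REVIEW: trusted by application, no longer published'
            }
        }
    }
}

# --- Constructed sample: AD FS mid-rollover, publishing two signing certificates ---
$ascii       = [System.Text.Encoding]::ASCII
$currentDer  = $ascii.GetBytes('constructed-token-signing-cert-current')
$rolloverDer = $ascii.GetBytes('constructed-token-signing-cert-rollover')
$decryptDer  = $ascii.GetBytes('constructed-token-decrypting-cert')
$currentB64  = [System.Convert]::ToBase64String($currentDer)
$rolloverB64 = [System.Convert]::ToBase64String($rolloverDer)
$decryptB64  = [System.Convert]::ToBase64String($decryptDer)

[xml]$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://sts.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>$decryptB64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>$currentB64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>$rolloverB64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

# Hypothetical application trust list: it only knows the current certificate.
$trustedByApplication = @(Get-Thumbprint -DerBytes $currentDer)

$published = Get-PublishedSigningThumbprint -Metadata $sampleMetadata
Compare-SigningTrust -Published $published -Trusted $trustedByApplication |
    Select-Object Thumbprint, Status |
    Format-Table -AutoSize
```

Any row marked ACTION is a certificate that AD FS will eventually sign with; an application that does not pick it up automatically needs its trust updated manually before AD FS switches over.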

Configuration information in AD FS

The IFS installer maintains the configuration information in AD FS for the IFS setup. Infor-specific claim types are configured and the integration with the IFS application database in SQL Server is configured. The IFS application and the required claim rules are registered as a relying party in AD FS.

See the specific application's Installation and Configuration documentation to verify what information is required to register that application in IFS and AD FS.

Infor Federation Services application

The claims that are required for accessing an application depend on the Infor application. Some applications use only federation services for authentication and therefore require only the user ID. Other applications also depend on claims for the authorization schemes and other user properties. IFS knows which claims are used by which Infor application, and adjusts the required configuration for users accordingly.

Authorization and other user properties

The Infor application determines which claims are required for accessing an application. Some applications use federation services only for authentication and therefore only require the user ID. Other applications also depend on claims for the authorization schemes and other user properties.

The IFS application holds information about which claims are used by which Infor application. IFS adjusts the required configuration for users accordingly.

Note: In claims-based authentication, claims communicate user properties to the Infor applications.

Central user management

The Federation Services application enables central authentication and central authorization. Therefore, the IFS application can be used to assign security roles and accounting entities to users. Security roles define what type of role(s) the user has in the organization. Applications can provide the related functionality to that role. Accounting entities define for which legal entities in the organization a user is working so the appropriate data can be presented to the user.


The first decision to make based on a security role is whether a user with that role requires access to a certain application. A user with the AccountingManager security role cannot, for example, require access to EAM. EAM does not provide the functionality that is required for this role. Therefore, the IFS application can be used to link security roles to applications. IFS sends out claims that identify the applications to which a user is entitled. The Infor Ming.le™ application uses these claims to limit the set of applications in your navigation pane. An application's security role can be used to grant access to the functionality related to that role. An application such as Infor PM Dashboards uses the security role to provide the appropriate views.

Because the required properties of a user are handled at a central level, there is no need to administer users in individual applications that have fully adopted IFS.


Chapter 2: Preparing for the installation

This section describes the following:

• Infrastructure requirements, such as the requirements for the IFS server and the client PCs
• SQL Server configuration
• Internet Information Services (IIS) installation
• How to give the IIS default website an https binding with the corresponding certificate

Infrastructure requirements

Microsoft Active Directory must be available. Microsoft Active Directory must run on a domain controller with Microsoft Windows 2003 SP1 or later.

Microsoft Active Directory is an Identity Provider, that is: a service that provides (user) identity information to applications.

IFS requires a consistent user definition from Active Directory for the LDAP attributes. If userPrincipalName is populated for any user, it must be populated for all users. Inconsistent data in the userPrincipalName LDAP attribute may result in issues in IFS.

Prerequisites for the IFS server

The following are prerequisites for the IFS server:

• 64-bit Windows Server 2008 R2 or Windows Server 2012 or Windows Server 2012 R2 operating system.
• If IFS will be using claims-based authentication, the password of the local Administrator on the IFS server is required to activate applications in the IFS software.
• Internet connection for installing software from Microsoft.
• The IFS server must be part of the same Windows domain as the client PCs.
• All available 'important' Windows updates.
• Microsoft SQL Server 2008 R2 or Microsoft SQL Server 2012 SP1.
    • To install the SQL Server, see "Installing Microsoft SQL Server 2008 R2" on page 19.
• Internet Information Services (IIS) on the IFS server.
    • To install IIS, see "Installing IIS" on page 22.
• .NET Framework 4.5.1. You can download .NET from this site: http://msdn.microsoft.com/en-us/netframework/aa569263.aspx.
• Other Infor applications. These products may be installed on the same server as IFS:
    • Infor ION
    • Microsoft SharePoint with Infor Ming.le Foundation
  These products cannot be installed in the 'Default website'.

Prerequisites for the client PC

Users can use the IFS configuration on the IFS server through a browser on their client PC. The client PC must meet these prerequisites:

• Windows Vista or Windows 7 operating system
• Internet Explorer 8, Internet Explorer 9, or Mozilla Firefox latest browser
  The browser must trust the IIS SSL certificate of the SSL binding of the default website.
• Silverlight 4.x or 5.x framework
  The plug-in is downloaded at the first instantiation of the IFS UI.
• To have a true SSO experience, these conditions must be met:
    • The client must be part of the same Windows domain as the IFS server.
    • The browser must have 'integrated authentication' turned on. In Internet Explorer, this option is selected by default.
      See "Enabling integrated Windows authentication in Internet Explorer 8 or later" on page 28 and "Enabling integrated Windows authentication in Mozilla Firefox 3.x or later" on page 28.

TCP/IP ports

If you plan to install Infor Ming.le and SharePoint on the IFS server, do not use ports 80 and 443 for the http and https service for IFS. This table shows the default ports that are used:

| Application | Default Port |
|---|---|
| SQL Server | 1433 |
| AD FS | port 1500 and 1501 |
| IIS default website, where AD FS and IFS are installed | port 80 and 443 (if the remaining Infor Ming.le components are installed on a different server) or port 9680 and 9643 (if the remaining Infor Ming.le components are installed on the same server) |

Check if any of these ports are used by existing processes. From the Windows command prompt, run this command: netstat -ano

Check the output. Ensure the ports used for the IIS default website are not blocked by your firewall.
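The full `netstat -ano` listing is long, so the following added example (not part of the Infor guide) filters it down to the default ports from the table above and shows which are already listening and under which PID. The netstat lines are constructed sample output, and the script assumes English-language netstat output, where the state column reads LISTENING.

```powershell
# Added example. The netstat lines below are constructed sample output.

# Default ports from the table above.
$IfsDefaultPorts = @{
    1433 = 'SQL Server'
    1500 = 'AD FS'
    1501 = 'AD FS'
    80   = 'IIS default website (Ming.le components on a different server)'
    443  = 'IIS default website (Ming.le components on a different server)'
    9680 = 'IIS default website (Ming.le components on the same server)'
    9643 = 'IIS default website (Ming.le components on the same server)'
}

function Get-IfsPortStatus {
    param(
        [string[]]$NetstatLines,
        [hashtable]$Ports
    )
    # Matches listening TCP sockets, e.g.
    #   "  TCP    0.0.0.0:80    0.0.0.0:0    LISTENING    4"
    # including IPv6 local addresses such as "[::]:443".
    # Established connections to a remote port (e.g. a client talking to a
    # remote SQL Server on 1433) are not listeners and are ignored.
    $pattern = '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$'

    $listeners = @{}
    foreach ($line in $NetstatLines) {
        if ($line -match $pattern) {
            $port = [int]$Matches[2]
            if ($Ports.ContainsKey($port)) {
                if (-not $listeners.ContainsKey($port)) { $listeners[$port] = @() }
                $listeners[$port] += ('{0} (PID {1})' -f $Matches[1], $Matches[3])
            }
        }
    }

    # One row per planned port, whether or not something is listening on it.
    foreach ($port in ($Ports.Keys | Sort-Object)) {
        New-Object PSObject -Property @{
            Port       = $port
            PlannedFor = $Ports[$port]
            InUse      = $listeners.ContainsKey($port)
            Listeners  = ($listeners[$port] -join ', ')
        }
    }
}

# Constructed sample. PID 4 is the Windows System process: HTTP.sys, which
# serves IIS bindings, listens there, so an existing IIS site shows up as
# PID 4 rather than as a worker process.
$sampleNetstat = @'
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1764
  TCP    10.0.0.15:49211        10.0.0.20:1433         ESTABLISHED     3320
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:1434           *:*                                    1520
'@ -split "`r?`n"

# On the IFS server, use live output instead:  $lines = netstat -ano
Get-IfsPortStatus -NetstatLines $sampleNetstat -Ports $IfsDefaultPorts |
    Select-Object Port, PlannedFor, InUse, Listeners |
    Format-Table -AutoSize
```

A port reported as in use by a PID other than the service it is planned for is a conflict to resolve before installation; map the PID to a process with Task Manager or `tasklist`.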

Installing Microsoft SQL Server 2008 R2SQL Server 2008 R2 is required for the IFS install. It can be installed on the IFS server or on a remotesystem. During the install, make a note of the SQL Server instance name, because you may need itlater.

To install Microsoft SQL Server 2008 R2, we recommend that you create an account, namedSQLService, to run the SQL services. However, you can use any account that is a member of theserver's Administrators group.

Follow the installation steps in the Microsoft documentation, and follow these recommendations on thepages of the SQL Server Installation Center.

Note: You can also use Microsoft SQL Server 2012 for the IFS install. The recommendations are thesame as for Microsoft SQL Server 2008 R2.

Setup Role

On the Setup Role page, select SQL Server Feature Installation.

Feature Selection

On the Feature Selection page, you can select to install all features, but this is not required. This table shows the minimum features you must select:

Feature Group | Feature Name
Instance Features | Database Engine Services
Shared Features | Management Tools - Basic


Server Configuration

On the Server Configuration page, complete these steps:

1 Click Use the same account for all SQL Server services.
2 Select the SQLService account, if you created that account. If the account was not created, use the default account.

Database Engine Configuration

On the Database Engine Configuration page, complete these steps:

1 On the Account Provisioning tab under Authentication Mode, select the Mixed Mode (SQL Server authentication and Windows authentication) option, and provide a password for the sa (system administrator) account.
2 Click Add Current User to add the currently logged-in user as a SQL Server administrator.

Activating mixed mode authentication in a prior installation of SQL Server

If you are using an existing SQL Server installation and will use the SQL Server account during the IFS installation for authentication in IFS, verify that mixed mode authentication is activated.

If you use integrated authentication during the installation, you can skip these steps.

To activate mixed mode authentication:

1 On the SQL Server, open SQL Server Management Studio by selecting Start > All Programs > Microsoft SQL Server 2008 R2 > SQL Server Management Studio.
2 Connect to the appropriate database instance.
3 In the Object Explorer, right-click the server and select Properties.
4 Select Security.
5 Select SQL Server and Windows Authentication mode and click OK.
6 Open SQL Server Configuration Manager by selecting Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.
7 Under SQL Server Configuration Manager, click SQL Server Services.
8 On the right panel, right-click SQL Server and select Restart.


Using the required SQL collation

Whether you are using an existing SQL Server installation or installing a new one, IFS has specific requirements for the collation of the IFS database. The recommended SQL collation is SQL_Latin1_General_CP1_CI_AS. The collation must at least be configured for:

• Case-insensitive (CI)
• Accent-sensitive (AS)

Depending on your Windows server locale, you may have additional parameters in your SQL collation:

• Kana-sensitive (KS)
• Width-sensitive (WS)

For an existing installation, you can run the sp_helpsort command in a query window to confirm the current collation.

Note: This collation is specific to IFS. If this database is shared with Infor Ming.le and SharePoint, a more specific SQL collation is described in the Infor Ming.le installation guide.
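Both SQL Server prerequisites described above for an existing installation, mixed mode authentication and a CI/AS collation, can be read back from the instance without opening Management Studio. This is an added example, not part of the Infor guide; the function names and the $SqlInstance placeholder are this example's own, it connects with Windows authentication, and it reports the server default collation, which is the value sp_helpsort shows.

```powershell
# Added example (PowerShell 2.0 compatible, read-only).
# Placeholder: replace with your instance, for example 'MYSERVER\MYINSTANCE'.
$SqlInstance = 'localhost'

function Test-IfsCollation {
    # Splits a collation name into its underscore-separated options and checks
    # the two options the guide requires (CI, AS) and the two it allows (KS, WS).
    param([string]$Collation)
    $tokens = $Collation -split '_'
    $ci = $tokens -ccontains 'CI'
    $as = $tokens -ccontains 'AS'
    New-Object PSObject -Property @{
        Collation       = $Collation
        CaseInsensitive = $ci
        AccentSensitive = $as
        KanaSensitive   = ($tokens -ccontains 'KS')
        WidthSensitive  = ($tokens -ccontains 'WS')
        MeetsMinimum    = ($ci -and $as)
    }
}

function Get-SqlServerSetting {
    # Reads the authentication mode and default collation of the instance.
    # SERVERPROPERTY('IsIntegratedSecurityOnly') is 1 for Windows authentication
    # only and 0 for mixed mode.
    param([string]$Instance)
    $connString = "Server=$Instance;Database=master;Integrated Security=SSPI;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int), " +
                           "CAST(SERVERPROPERTY('Collation') AS nvarchar(128))"
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        New-Object PSObject -Property @{
            MixedModeEnabled = ($reader.GetInt32(0) -eq 0)
            Collation        = $reader.GetString(1)
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Sample collation names chosen for this example, to show how the check behaves:
# the recommended value, a Windows collation with KS/WS, a case-sensitive one,
# and a binary one that carries no CI/AS options at all.
'SQL_Latin1_General_CP1_CI_AS',
'Latin1_General_CI_AS_KS_WS',
'SQL_Latin1_General_CP1_CS_AS',
'Latin1_General_BIN2' |
    ForEach-Object { Test-IfsCollation -Collation $_ } |
    Select-Object Collation, MeetsMinimum, CaseInsensitive, AccentSensitive, KanaSensitive, WidthSensitive |
    Format-Table -AutoSize

# Live check against the instance.
$setting = Get-SqlServerSetting -Instance $SqlInstance
$check   = Test-IfsCollation -Collation $setting.Collation
"Instance          : $SqlInstance"
"Mixed mode active : $($setting.MixedModeEnabled)"
"Server collation  : $($setting.Collation)"
"CI and AS present : $($check.MeetsMinimum)"
```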

Starting the SQL Server Browser service

To start the SQL Server Browser service:

1 On the SQL Server, select Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.
2 Under SQL Server Configuration Manager, click SQL Server Services.
3 On the right panel, right-click SQL Server Browser and select Properties.
4 Select the Service tab.
5 Change the Start Mode to Automatic.
6 Click OK.
7 Right-click SQL Server Browser and select Start.

Verifying the SQL Server TCP/IP accessibility

SQL Server must be accessible on a TCP/IP port. For all SQL Server editions except SQL Server Express, the default port for TCP/IP is 1433.

To verify the SQL Server port:

1 On the SQL Server, select Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.
2 Double-click SQL Server Native 10.0 Client Configuration to expand it.
3 Select Client Protocols.
4 Right-click TCP/IP and select Properties.
5 Ensure the Default Port is 1433, or another TCP/IP accessible port. If it is not, set it to 1433.
6 Click OK.

Installing IIS

To install IIS:

1 Open Server Manager by selecting Start > Administrative Tools > Server Manager.
2 Click the Server Manager node at the top.
3 Under Server Manager, click Roles.
4 Under Roles Summary, click Add Roles.
5 On the Before You Begin screen in the Add Roles Wizard, click Next.
6 On the Select Server Roles screen, check the following:

  • Web Server (IIS)
  • ASP.Net

  If the required role services are not installed, the wizard will prompt you to install them. Click Add Required Role Services if prompted.

  • Logging Tools
  • Tracing
  • Basic Authentication
  • Windows Authentication

7 Click Next.
8 On the Select Role Services screen, click Next.
9 On the Confirm Installation Selections screen, verify the selections and click Install.

Verifying server roles and features

To verify whether the appropriate roles and features are installed on your server:

1 Open Server Manager by selecting Start > Administrative Tools > Server Manager.
2 Verify whether these roles and features are installed:

  • HTTP Activation
  • Web Server (IIS) Support

3 If any roles or features are missing, activate and install the missing roles and features.


Adding IIS binding for HTTPS

This step is only required if you plan to use SSL or use claims-based authentication. Before installing AD FS as a web application in IIS, you must give the IIS default website an HTTPS binding with the corresponding certificate. If no SSL certificate is available on IIS, create a self-signed certificate. Later you can replace this certificate with a CA-signed certificate.

For details, see "Self-signed certificate vs. CA-signed certificate" on page 67.

Adding the HTTPS bindings for IIS

To add the HTTPS bindings for IIS:

1 In IIS Manager, select the node with the name of the IFS Server and double-click to expand it.
2 Expand Sites.
3 Select the Default website and, under Actions on the right panel, click Bindings.
4 If you already have an HTTPS binding, see "Changing the HTTP and HTTPS ports of the default website" on page 23.
5 If there is no HTTPS binding, click Add to add an HTTPS binding.
6 Under Type, select https.
7 Leave the IP Address set to All unassigned.
8 Set the port to 443.

  Note: If you plan to install the remaining Infor Ming.le components and SharePoint on the same server as IFS, set the port to 9643.

9 Under SSL certificate, select the certificate that was just created in one of these sections: "Creating a self-signed certificate" on page 67 or "Creating a Certificate Authority (CA) Signed certificate" on page 68.
10 Click OK.

Changing the HTTP and HTTPS ports of the default website

If you plan to install the remaining Infor Ming.le components and SharePoint on the same IFS server, the ports for the HTTP and HTTPS service must not be set to the default value.

To change the HTTP and HTTPS ports of the Default website:

1 Open the IIS Manager snap-in:
  a Select Start > Control Panel.
  b Select System and Security > Administrative Tools.
  c In the Administrative Tools window, double-click Internet Information Services (IIS) Manager.
2 Select the node with the name of the IFS Server and double-click to expand it.
3 Expand Sites.
4 Select the Default website and, under Actions on the right panel, click Bindings.
5 Under Type, select HTTP and click Edit.
6 Change the port to 9680 or another unique port number. Do not change the other fields.
7 Under Type, select HTTPS and click Edit.
8 Change the port to 9643 or another unique port number. Do not change the other fields.

Note: If you change the ports after IFS is installed, see "Changing the HTTP/HTTPS port numbers for AD FS 2.0" on page 65. You must re-install IFS after the ports are changed.


3 Installing IFS

If you upgrade from IFS 1.2, IFS 10.x, or IFS 11.0, see "Upgrading to IFS 11.1" on page 39.

Note:

• We do not recommend that you install IFS on the same server where LN Web UI has been installed. For details, see KB1135674 on the Infor Xtreme site.
• We do not recommend that you install IFS with the IFS Standalone installer unless you are sure this instance of IFS will never be used with Infor Ming.le in the future.
• The database schema for IFS and the remaining Infor Ming.le components are shared; therefore you must specify the same database name for IFS and the remaining Infor Ming.le components.
• The currently logged in user that is running the installation must have permissions in the database server to create a database.

To install IFS:

1 Start the IFS installer.
  Right-click on setup.exe and select Run as Administrator.
  If prompted, install any prerequisite software.

  Note: .NET Framework 4.5.1 is required.

2 On the Welcome screen, click Next.
3 On the Choose a Destination Location screen, select a destination and click Next.

  The default destination location is: C:\Program Files\Infor\Mingle\.

4 On the Select Features screen, select Infor Federation Services [IFS] and Infor Ming.le Services.
5 On the Database Server Login screen, specify your database instance, such as [hostname][named instance].
  a Select Windows Authentication or SQL Authentication.
  b Specify the user name and password. This user must have access to create a database and to add a user.

    Note: The currently logged in user is used if you selected Windows Authentication.

  c Click Next.

6 On the Infor Federation Services Configuration screen, specify the user name and password to run the IFS Services.
  The currently logged in user is selected by default. If this is an upgrade, the user selected is the user that the previous version of IFS used.
7 On the Infor IFS Service Configuration screen, specify the IFS Timer service port.
  The IFS Timer service port is set to 555 by default. If required, select a port that is not in use. This port is used to synchronize users in IFS.
8 On the Feature Installation Summary screen, review the features that will be installed and click Next.
9 On the Ready to Install screen, click Install.

  • The installation creates the IFS databases and a user for integrated security.
  • At this point you have a working server system with IFS.
  • The security mode for IFS is 'Windows'.

10 On the InstallShield Wizard Complete screen, click Finish.


4 Post-installation tasks

You can perform these post-installation tasks:

1 Bootstrap the IFS application.
2 Enable integrated Windows authentication.

Bootstrapping the IFS application

Access to the IFS application is granted through security roles. After the installation, no user with the appropriate security roles is available. Therefore, if no user is defined in the application, the Bootstrap screen is displayed. On this screen, the first user who starts the application can choose to become application administrator.

To become an application administrator:

1 Start the IFS application using the IFS shortcut created on the IFS server desktop, or open this URL: http(s)://[IFS server].[domain]:[port]/IFS/

  For example: http://myserver.acme.com:9680/IFS/

2 If a login screen is displayed, specify a valid domain username and password and click OK. The Bootstrap screen is displayed. In this screen, a welcome message and the current user are displayed.
3 For the current user to become the application administrator, click Become IFS Application Administrator. The current user name is displayed above the button.
4 A Bootstrap completed message is displayed. Click OK.
5 Close all instances of the browser and restart the IFS application by clicking on the shortcut on the desktop.
  If you become an application administrator, the claims for your account are changed. Therefore you must re-access the application.
6 Log on to IFS with the username and password of the IFS Application Administrator.

Note: If you only see the Home menu inside of IFS, close all the browser windows and access the application again.


You are now ready to configure the IFS application. To configure IFS, see the Infor Federation Services Administration Guide (U9663 US).

Note: If you plan to use claims-based authentication, AD FS must be installed before you configure IFS. See these sections: "Installing AD FS 2.0 for Windows Server 2008" on page 32 and "Configuring AD FS 2.0" on page 33. You must also complete the steps in this section: "Changing the security mode to claims-based authentication" on page 37.

Enabling integrated Windows authentication in Internet Explorer 8 or later

This section contains information about non-Infor products.

Note: This information is provided for your convenience. Infor is not responsible for the accuracy of this information.

Integrated Windows Authentication is enabled in Internet Explorer. To verify that Integrated Windows Authentication is enabled:

1 Start Internet Explorer 8.
2 Select Tools > Internet Options.
3 In the Internet Options dialog box, click the Advanced tab.
4 In the Settings pane, scroll to the Security section and ensure that Enable Integrated Windows Authentication is enabled. If it is not, select the check box to enable it and click Apply. The settings will not take effect until your browser has been restarted.
5 Add your domain to the local intranet:
  a In the Internet Options dialog box, click the Security tab.
  b For the zone, click on Local Intranet.
  c Click Sites.
  d On the Local intranet window, click Advanced.
  e Specify your domain in this format: http(s)://*.[domain]. For example, https://*.infor.com.

Enabling integrated Windows authentication in Mozilla Firefox 3.x or later

This section contains information about non-Infor products.

Note: This information is provided for your convenience. Infor is not responsible for the accuracy of this information.


Complete these steps:

1 To switch off extended protection for authentication:
  a On the AD FS server, open the IIS Manager.
  b In the right pane, navigate to Sites > Default Web Site > adfs > ls.
    The middle pane shows /adfs/ls Home.
  c While ls is selected, in the middle pane, open Authentication under IIS. The middle pane shows Authentication.
  d Select Windows Authentication. The right pane shows the possible actions.
  e In the right pane, open Advanced Settings. The Advanced Settings window is displayed.
  f Change the status of Extended Protection to Off.
  g Click OK to close the Advanced Settings window.
2 Enable Integrated Windows Authentication.
  Integrated Authentication is not enabled in Mozilla Firefox.
  To enable Integrated Windows Authentication:
  a Start Mozilla Firefox 3.
  b Open this URL: about:config.
  c On the This might void your warranty! window, click I'll be careful, I promise.
  d Filter on network.automatic-ntlm-auth.trusted-uris.
  e Specify a value in the network.automatic-ntlm-auth.trusted-uris field.
    See this site: https://developer.mozilla.org/En/Integrated_Authentication


5 Changing security mode

The IFS installation configures IFS in the Windows security mode. You can use the Security Configuration utility to change the Security Mode of IFS to each of these security modes:

• Windows
• SAML token allowing windows for Web Services
• SAML token

To change to claims-based authentication, Microsoft AD FS must be installed.

For more information about the security modes, see chapter 1, "About Infor Federation Services".

Changing from Windows http to Windows over SSL

If you have installed IFS while no SSL binding was defined for the default website, complete the following steps to activate Windows over SSL authentication:

Note: By changing the authentication method for IFS you will also change the authentication method for calling the IFS web services. ION Process, for example, uses these web services. The reconfiguration of ION is described in the ION documentation. Therefore be prepared if you also have other applications that use the IFS web services.

1 Configure an https binding for the default website with an appropriate certificate. See "Adding IIS binding for HTTPS" on page 23.
2 To start the Security Configuration utility, run [IFS Installation folder]\bin\SecurityConfiguration.exe.
  The default path of a new installation is C:\Program Files\Infor\Mingle\Components\Federation Services\bin\SecurityConfiguration.exe.
  The default path for an IFS upgrade is C:\Program Files\Infor\Federation Services\bin\SecurityConfiguration.exe.
  The Security Configuration utility identifies whether the bindings of the default website have changed and asks for a confirmation to change the IFS application accordingly.
3 To confirm the change, click Yes.
4 Verify if IFS is working properly.
  Complete these steps:
  a Click the IFS shortcut. The IFS UI should open via https.
  b Start the IFSConfiguration application in the IFS bin folder. Verify if you can call the IFS web services via Windows over SSL.

Prerequisites to use claims-based authentication

To use claims-based authentication, Microsoft Active Directory Federation Services (AD FS) 2.0 is required.

• For guidelines for the AD FS 2.0 installation, see "Installing AD FS 2.0 for Windows Server 2008" on page 32 and "Configuring AD FS 2.0" on page 33.
• AD FS must be installed on the server where IFS will be installed.
• AD FS must be installed in the Default website of IIS.
• AD FS must be installed as stand-alone federation service, using internal database.

Installing and configuring AD FS 2.0

If your infrastructure requires ADFS to be configured in a highly available farm scenario, skip all topics in this section and use the appropriate appendix in the Infor Ming.le Installation and Configuration Guide for Active Directory Federation Services for your specific installation:

• Creating a high-availability ADFS 2.1 farm using SQL Server for Windows Server 2012
• Creating a high-availability ADFS farm using SQL Server for Windows 2008 R2

Also, review Creating a wild card certificate in the Infor Ming.le Installation and Configuration Guide for Active Directory Federation Services if necessary.

When you have completed your AD FS farm, you can continue with Creating a web application in the Infor Ming.le Installation and Configuration Guide for Active Directory Federation Services.

Installing AD FS 2.0 for Windows Server 2008

If you are using Windows Server 2012, Active Directory Federation Services is a server role that can be enabled.

Skip this topic and continue with "Installing AD FS 2.1 for Windows Server 2012" on page 34 or "Installing AD FS 3.0 for Windows Server 2012 R2" on page 34.

To install AD FS 2.0:


1 Download the AD FS installer from this site:

  http://www.microsoft.com/en-us/download/details.aspx?id=10909

  a Select Language: English and click Continue.
  b Select No, I do not want to register. Take me to the download. and click Continue.
  c Select Language: English and click Download.
  d Select this file name: RTW\W2K8R2\amd64\AdfsSetup.exe
  e Click Next and click Save to save AdfsSetup.exe to a known location.

2 Run the installer: AdfsSetup.exe.
3 On the Welcome page, click Next.
4 Select the check box to accept the End-User License Agreement and click Next.
5 On the Server Role page, select Federation server.

  Note: Federation server proxy is not supported.

6 Click Next to start the installation.
7 If prompted, click Next on the Install Prerequisite Software page.

  The installation may take up to five minutes.
  When the installation is finished, the Completed the AD FS 2.0 Setup Wizard page is displayed.

8 Select the Start the AD FS 2.0 Management snap-in when the wizard closes check box. Then click Finish. The AD FS snap-in will start automatically.

  Note: If you use a "favorites" MMC console, it is useful to add the AD FS 2.0 Management snap-in to it.

Configuring AD FS 2.0

To configure AD FS 2.0:

1 If you did not start AD FS in the previous steps, start the AD FS snap-in by selecting Start > Administrative Tools > AD FS 2.0 Management.
2 From the Overview page, select AD FS 2.0 Federation Server Configuration Wizard under Configure this Federation Server.
3 On the Welcome step, select Create a new Federation Service and click Next.
4 On the Select Deployment Type step, select Stand-alone federation server and click Next.

  On the Federation Service Name step, AD FS selects the certificate that was added to the https bindings on the default website and selects a Federated Service name based on the subject field of the SSL certificate. If AD FS cannot determine the Federation Service name from the SSL settings, you must select the certificate. If more than one https binding is found on the default website, select the appropriate binding. The IFS installation supports an installation with only one https binding on the default website.

5 Click Next.
6 On the Summary step, click Next.
7 The Results step displays the progress of the configuration. When the configuration is completed, click Close.

Note: Continue with "Extending AD FS certificate validity" on page 36.

Installing AD FS 2.1 for Windows Server 2012

To install AD FS 2.1 for Windows Server 2012:

1 Open the Server Manager and click Add roles and features.
2 Select Role-based or feature-based installation and click Next.
3 Select Active Directory Federation Services, select Add Features, and click Next.
4 From the features menu, select .NET Framework 3.5 Features.
5 Click Next until the Role Services menu is displayed.
6 Select Federation Service, clear all other options, and click Next.
7 Click Next until the confirmation is displayed and click Install.
8 Click Close when the installation is complete.

Continue with "Configuring AD FS for Windows Server 2012 and Windows Server 2012 R2" on page 34.

Installing AD FS 3.0 for Windows Server 2012 R2

Note: Microsoft requires a Domain Administrator account to install and configure AD FS 3.0 on Windows Server 2012 R2.

To install AD FS 3.0 for Windows Server 2012 R2:

1 Open the Server Manager and click Add Roles and Features.
2 Select Role-based or feature-based installation and click Next.
3 Select Select a Server from the server pool and click Next.
4 Select Active Directory Federation Services, and click Next.
5 From the features menu, select .NET Framework 3.5 Features & .NET Framework 4.5 Features and click Next.
6 Click Next until the confirmation is displayed and click Install.
7 Click Close when the installation is complete.

Configuring AD FS for Windows Server 2012 and Windows Server 2012 R2

Note: Microsoft requires a Domain Administrator account to install and configure AD FS 3.0 on Windows Server 2012 R2.

To configure AD FS:


1 On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server. The Active Directory Federation Service Configuration Wizard opens.
2 On the Welcome page, select Create the first federation server in a federation server farm, and then click Next.
3 On the Connect to AD DS page, specify an account with domain administrator rights for your Active Directory domain to which this computer is joined, and then click Next.
4 On the Specify Service Properties page, complete these steps and then click Next:
  a Import the SSL certificate. This certificate is the required service authentication certificate. Browse to the location of your SSL certificate.
  b Provide a name for your Federation Service. This value is the same value that you provided when you enrolled an SSL certificate in Active Directory Certificate Services (AD CS).
  c Provide a display name for your Federation Service.
5 On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account, and then specify the account name and password of an account with domain administrator rights for your Active Directory domain to which this computer is joined.
6 On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database, and then click Next.
7 On the Review Options page, verify your configuration selections, and then click Next.
8 On the Pre-requisite Checks page, verify that all prerequisite checks were successfully completed, and then click Configure.
9 On the Results page, review the results, check whether the configuration has completed successfully, and then click Close.

Note: Windows Server 2012 R2 requires the following additional configuration:

10 After the successful installation and configuration of AD FS, manually run this command:
  a Open the Windows PowerShell as an administrator.
  b At the command prompt, type and press Enter:

    setspn -s <<http/Hostname>> <<computer name where the service is running>>
    setspn -s <<http/Fully Qualified Domain Name>> <<computer name where the service is running>>

    For example, for users accessing the Infor Ming.le application installed on MYADFSSERVER through MyMingleURL.MyCompany.com, the setspn commands should be as follows:

    setspn -s http/MyMingleURL MyADFSServer
    setspn -s http/MyMingleURL.MyCompany.com MyADFSServer

  c Open ADFS Management and click Authentication Policies.
  d Click Edit in the Primary Authentication section.
  e Select Forms Authentication for Extranet and Intranet, deselect Windows Authentication for Intranet, and click Apply.


Extending AD FS certificate validity

During the configuration, a token-signing and a token-decrypting certificate are generated with a validity of one year. You must renew these certificates within a year, and at that time all linked applications must start trusting the new token-signing certificate. To prevent maintenance for applications that do not automatically update their trust information, we recommend that you regenerate these certificates so that they are valid for a longer time.

For example, to generate 30-year certificates:

1 Start a Windows PowerShell:
  a Select Start.
  b In the Search box, type Powershell.
  c Select Windows PowerShell Modules.
  d Right-click and select Run as administrator.

2 To verify that the AD FS snap-in is registered with Windows PowerShell, type the command:

  Get-PSSnapin -Registered

  You should see this command line output:

  Name : Microsoft.Adfs.PowerShell

  If you see the output above, continue with step 4 below. Otherwise, add the snap-in as described in step 3 below.

  Note: If you are on Windows Server 2012, the output above does not show the snap-in and you do not need to add the snap-in. Continue with step 4.

3 If the AD FS snap-in is not registered with Windows PowerShell, type the command:

  Add-PSSnapin Microsoft.Adfs.PowerShell

4 After the AD FS snap-in is registered with Windows PowerShell, type these commands:

  Set-ADFSProperties -CertificateDuration 10950

  Update-ADFSCertificate -Urgent

  Caution: Do not run the above commands on an AD FS system that is already in use unless you are fully aware of the consequences. All existing token-signing certificates are removed; therefore, all linked applications, "Relying Party Trusts", must update their list of trusted token signature certificates. The same is true for all token-decrypting certificates, but currently no AD FS-enabled Infor application uses this.


For details about rollover, see this Microsoft documentation:

• AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates
  Open this URL: http://social.technet.microsoft.com/wiki/contents/articles/2554.aspx
• The help information for the Update-ADFSCertificate: Type Get-Help Update-ADFSCertificate.
  Alternatively, open this URL: http://technet.microsoft.com/en-us/library/ee892330.aspx
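After the certificates have been regenerated as described in "Extending AD FS certificate validity", the result can be read back with the AD FS cmdlets to confirm the lifetime and to see whether any older, secondary certificates remain. This is an added example, not part of the Infor guide; the function name and the report layout are this example's own, and the script only reads configuration.

```powershell
# Added example (read-only): run in an elevated PowerShell on the AD FS server.
# AD FS 2.0 ships its cmdlets as a snap-in; later versions load them as a module.
if (-not (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
}

function Get-AdfsCertValidity {
    # Summarizes one object returned by Get-ADFSCertificate.
    param(
        [Parameter(Mandatory = $true)] $AdfsCertificate,
        [datetime] $Now = (Get-Date)
    )
    $x509 = $AdfsCertificate.Certificate
    New-Object PSObject -Property @{
        Type          = $AdfsCertificate.CertificateType
        IsPrimary     = $AdfsCertificate.IsPrimary
        Thumbprint    = $x509.Thumbprint
        NotBefore     = $x509.NotBefore
        NotAfter      = $x509.NotAfter
        LifetimeDays  = [int][math]::Floor(($x509.NotAfter - $x509.NotBefore).TotalDays)
        DaysRemaining = [int][math]::Floor(($x509.NotAfter - $Now).TotalDays)
    } | Select-Object Type, IsPrimary, LifetimeDays, DaysRemaining, NotBefore, NotAfter, Thumbprint
}

# The duration that new self-generated certificates will receive. After the
# Set-ADFSProperties command in the guide this is 10950 (days, about 30 years).
$props        = Get-ADFSProperties
$expectedDays = $props.CertificateDuration
"CertificateDuration (days) : $expectedDays"
"AutoCertificateRollover    : $($props.AutoCertificateRollover)"

# Collect the token-signing and token-decrypting certificates currently configured.
$report = foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-ADFSCertificate -CertificateType $type |
        ForEach-Object { Get-AdfsCertValidity -AdfsCertificate $_ }
}
$report | Format-Table -AutoSize

# Certificates generated before the duration was changed keep their old lifetime.
$shortLived = @($report | Where-Object { $_.LifetimeDays -lt ($expectedDays - 1) })
if ($shortLived.Count -gt 0) {
    "Certificates with a lifetime shorter than CertificateDuration:"
    $shortLived | Format-Table Type, IsPrimary, LifetimeDays, NotAfter -AutoSize
}

# Secondary certificates are still accepted alongside the primary one.
$secondary = @($report | Where-Object { -not $_.IsPrimary })
"Secondary certificates still configured: $($secondary.Count)"
```

The NotAfter date of the primary token-signing certificate is the date by which every relying party must have picked up a replacement, so it is worth recording with the installation notes.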

Note:

• The AD FS 2.0 MMC snap-in now shows the Required Configuration Incomplete option, with the "Required: Add a trusted relying party" task. Relying Party Trusts are created during the installation of products that use AD FS.

• The AD FS 2.0 MMC snap-in now shows sub-nodes, for example for Trust Relationships and Service.

• Browsing on the client PC to:

https://[ADFS server].[domain]:[port]/adfs/services/trust/mex

returns a WSDL <definitions> XML document. No certificate error occurs, because the https certificate is CA-signed and its root certificate is trusted by the browser.
See "Creating server certificates" on page 67.

• Now the AD FS 2.0 base configuration is complete, but no Relying Party Trusts are defined yet. Relying Party Trusts are created during the installation of products that use AD FS.

Changing the security mode to claims-based authentication

To change the security mode to claims-based authentication:

1 Install Microsoft AD FS according to the prerequisites further in this section.

2 To start the Security Configuration utility, run [IFS Installation folder]\bin\SecurityConfiguration.exe.
The default path for a new IFS installation is C:\Program Files\Infor\Mingle\Components\Federation Services\bin\SecurityConfiguration.exe.
The default path for an IFS upgrade is C:\Program Files\Infor\Federation Services\bin\SecurityConfiguration.exe.
The Security Configuration utility shows the current Security Mode: Windows.

3 Optionally, change the Security Mode to SAMLToken Allowing Windows For Web Services.
Use this mode if there are Infor applications that use the IFS web services via Windows authentication. In this mode, the IFS web services can be accessed via both Windows and SAML token authentication.

4 Optionally, switch the Security Mode of the other Infor applications to SAML token.

5 Change the IFS Security Mode to SAMLToken.


Viewing the results in AD FS

During the switch to SAMLToken mode, a relying party trust for the IFS application is added to AD FS. Also, an attribute store, InforFS data store, and Infor-specific claims are added.

To view the results in AD FS:

1 Start the AD FS management console. If this console is already started, press F5 in each node to refresh the data.

2 Verify these nodes:

• Node AD FS 2.0 - Service - Claim Descriptions:
Various Infor claim types are available, such as InforInternalCustomerId.

• Node AD FS 2.0 - Trust Relationships - Attribute Stores:
The InforFS data store attribute store is created. The store is of type SQL and has the appropriate connection string.

• Node AD FS 2.0 - Trust Relationships - Claims Provider Trusts:
Right-click on Active Directory, and select Edit Claim rules. Several Infor generated rules are present. For example:

• INFOR GENERATED: Attribute.extractions
• INFOR GENERATED: Emit Customer
• INFOR GENERATED: Emit Identity2

• Node AD FS 2.0 - Trust Relationships - Relying Party Trusts:
A relying party trust for the Infor Federation Services application exists.


6 Upgrading to IFS 11.1

IFS 11.1 is compatible with these IFS versions:

• IFS 1.2
• IFS 10.0
• IFS 10.1
• IFS 10.2
• IFS 10.3
• IFS 11.0

Infor applications that currently use one of these IFS versions will also work with IFS 11.1.

Note: If you previously installed IFS 11.0 using the Infor Ming.le Foundation or Infor Ming.le Enterprise installer, you cannot upgrade IFS using the IFS standalone installer. Use the Infor Ming.le Foundation or Infor Ming.le Enterprise installer to upgrade.

A specific note if you upgrade from IFS 1.2

With IFS 10, the URL for the IFS Configuration service is

[portnumber]/IFSServices/ConfigurationService.svc/ConfigurationService

For IFS 1.2 the IFS Configuration service URL was different:

[portnumber]/IFS/ConfigurationService.svc/ConfigurationService.

Therefore other Infor application documents may still refer to the IFS 1.2 configuration URL. Modify all application deployments that refer to the IFS 1.2 configuration URL, so that they refer to the new URL.

Prerequisites

One of these IFS versions must be installed:

• IFS 1.2


• IFS 10.0
• IFS 10.1
• IFS 10.2
• IFS 10.3
• IFS 11.0

Preparing the upgrade

To prepare the upgrade:

1 Remove duplicate person entries.
2 Create a backup of the IFS database and your IFS system.

Removing duplicate person entries

This section is only applicable if you upgrade from IFS 1.2 or IFS 10.0.

If you use ION Process, a property called "Person" is configured in IFS. This "Person" field must be unique for each user, unless it is empty. The upgrade process sets a "unique unless empty" constraint on the "Person" field. Therefore you must remove duplicate person entries before the upgrade. If you fail to do so, duplicate entries are found during the upgrade. Therefore the installation finishes with an error and you must take extra steps to get IFS working again.

Complete these steps before you run the upgrade to IFS 11.0:

1 To check for duplicate PersonIdentifiers in the dbo.TenantUsers table, run this query in the INFORFS database:

SELECT PersonIdentifier, COUNT(PersonIdentifier) as nDuplicates
FROM dbo.TenantUsers
WHERE PersonIdentifier IS NOT NULL
GROUP BY PersonIdentifier
HAVING ( COUNT(PersonIdentifier) > 1 )

If there are any duplicates, the result of this query shows which PersonIdentifiers are duplicate and how often they exist.

2 Remove all duplicate PersonIdentifiers.


Creating a backup of the IFS database (INFORFS) and your IFS system

We recommend that you create a backup of the IFS environment. You can restore this backup if something goes wrong during the installation.

Availability during IFS upgrade

If you use claims-based authentication (Microsoft AD FS), you can upgrade to IFS 11.1 while other Infor applications are using AD FS for authentication. However, we recommend that you upgrade IFS at a moment when AD FS is not used.

There may be applications, such as ION Process, that use the IFS web services. During the IFS upgrade, these web services are not available. This may influence the availability of the other applications.

Upgrading from IFS 10.0, IFS 10.1, IFS 10.2, IFS 10.3 or IFS 11.0 to IFS 11.1

To upgrade from IFS 10.0, IFS 10.1, IFS 10.2, IFS 10.3 or IFS 11.0 to IFS 11.1:

Note: If you previously installed IFS 11.0 using the Infor Ming.le Foundation or Infor Ming.le Enterprise installer, you cannot upgrade IFS using the IFS standalone installer. Use the Infor Ming.le Foundation or Infor Ming.le Enterprise installer to upgrade.

1 Start the IFS installer.
Right-click on setup.exe and select Run as Administrator.
If prompted, install any prerequisite software.
The installer detects the existing IFS installation and performs an upgrade.

2 On the Infor IFS Upgrade screen, click Next.

3 On the Select Features screen, select Infor Federation Services [IFS] and Infor Ming.le Services and click Next.

Note: If there are other Infor components already selected, leave them checked. If you uncheck these components, they will be uninstalled.

4 On the Infor IFS Configuration screen, specify your database instance, such as [hostname][namedinstance].

5 Specify the user name and password if necessary. The user you specify must have access to create a database and to add a user. Click Next.

6 On the Infor IFS Services Configuration screen, specify the IFS Timer service port.
By default, the IFS Timer service port is set to 555. If required, select a port that is not in use. This port is used to synchronize users in IFS.


7 Click Next.

8 On the Update Complete screen, click Finish.

Updating from an IFS 1.2 version

To update an IFS 1.2.0 or 1.2.1 version:

1 As a precaution, create a backup of the INFORFS database.

2 Uninstall IFS 1.2.x.
Do not remove the INFORFS database. Because this database remains, your configuration stays intact.

3 Install Infor Federation Services 11.1. Complete all the steps in "Upgrading from IFS 10.0, IFS 10.1, IFS 10.2, IFS 10.3 or IFS 11.0 to IFS 11.1" on page 41.

Corrections if the IFS upgrade fails because of duplicates in PersonIdentifier

An upgrade to 10.3.2 fails if it is executed while duplicates exist in the TenantUsers.PersonIdentifier table.

To solve the problem:

1 After installation, view the IFS installation log file, C:\ProgramData\Infor\Infor_IFS_Install.log.
This file shows whether duplicates are found and, if so, which PersonIdentifiers are duplicate and how often they exist.

2 Remove all duplicate PersonIdentifiers.

3 Run the upgrade process again.

Sometimes the IFS software is installed, but not operational. This problem may be caused by one of the following:

• The SecurityConfiguration was not run.
• The database migration has not finished.

Correcting the IFS security configuration

To correct the IFS security configuration:


1 Go to the IFS installation folder. The default location is: C:\Program Files\Infor\Mingle\Components\Federation Services\.

2 Go to the bin folder and start SecurityConfiguration.exe.

3 Your current security mode is selected. Click Apply. Wait until 'Ready' is displayed in the lower left corner.
In the output window, an exception may be logged for accessing the ConfigurationService.

4 Close the security configuration utility and start it again. A confirmation that the SecurityConfiguration properties file must be updated is displayed. Click Yes.

5 Verify the security mode is still the same and click Apply again. Wait until 'Ready' is displayed in the lower left corner.
The output window shows that accessing the configuration service was successful.

Finalizing the database migration

To finalize the database migration, rerun the installation. Complete these steps:

1 Uninstall the IFS product. Do not remove the INFORFS database.
You can uninstall from the Windows Control Panel or through the IFS installer. The installer contains a 'Remove' option.

2 Install IFS again. Specify the same SQL Server instance. This automatically triggers the missing migration script.


A Troubleshooting

This section describes various issues that can occur and their solutions.

Issues with the IFS environment

This section describes the issues that can occur in the IFS environment.

SSO does not work: unexpected sign-in dialog in Internet Explorer (using AD FS or otherwise)

The user is logged in with his Windows domain account. When accessing IFS, unexpectedly a browser sign-in (username/password) dialog is displayed.

Cause 1: The federation services site is not registered as a local intranet site. Therefore Internet Explorer does not attempt silent sign-in, using the current Windows credentials, to the site. Instead, the browser shows a username/password dialog.

Solution 1: Add the federation services system or the domain of that system to the list of local intranets in Internet Explorer. Complete these steps:

1 Open Internet Explorer.
2 Select Tools > Internet Options.
3 On the Security tab, select Local intranet and click Sites.
4 In the Local intranet window, click Advanced.
5 Add your domain in this format:

https://*.[domain]

Cause 2: Internet Explorer is configured to always prompt for username/password.

Solution 2: Change the configuration for Internet Explorer. Complete these steps:


1 Open Internet Explorer.
2 Select Tools > Internet Options.
3 On the Security tab, select Local intranet and click Custom level.... The Security Settings - Local Intranet Zone window is displayed.
4 In the Settings pane, change the User Authentication / Logon setting from Prompt for user name and password to one of the Automatic logon options.

Repeated browser sign-in dialog and/or HTTP error 401 Unauthorized on sign-in, using correct credentials (AD FS or IFS, or elsewhere)

When navigating to AD FS, or to an application which uses Integrated Windows Authentication, such as IFS in Windows mode, for sign-in, the browser shows a sign-in dialog. Sign-in with the correct credentials fails. Therefore a fresh browser sign-in dialog is displayed.

There are different causes for this problem. See the more detailed symptoms described below.

If the below information does not help sufficiently, you can switch on additional Kerberos-related logging and inspect the events in the System event log.

See this Microsoft Knowledge Base article: http://support.microsoft.com/kb/262177.

Possibility #1: Extended Protection (observed only for AD FS)

The Security event log of the server has an Audit Failure event with Status: 0xc000035b. This was only observed for AD FS.

This problem was observed with Firefox 3.6 and Google Chrome 7 browsers. The problem also occurs when using Fiddler to decrypt HTTPS traffic. Without Fiddler, the problem does not occur in Internet Explorer.

Solution: Switch Extended Protection off for the AD FS web application. Complete these steps:

1 On the AD FS system, open IIS Server Manager.
2 Select Sites > Default Web Site > adfs > ls.
3 In the Features view under the IIS heading, open the Authentication feature.
4 Open the Windows Authentication Advanced Settings... dialog.
5 Set extended protection to Off. By default the extended protection is probably set to Accept.

You do not have to restart the 'ls' app or IIS.

For details on the benefits of Extended Protection, see this blog post: https://blogs.technet.com/b/srd/archive/2009/12/08/extended-protection-for-authentication.aspx.

Possibility #2: ApplicationPoolIdentity (IFS 10.1 or older)

You are signing in to IFS in Windows mode, and you are using IFS 10.1 or older. The problem disappears if you complete one of these steps:


• Reboot the system running IFS.
• In the IIS manager, find the 'IFSAppPool' application pool. In the advanced settings of this pool, change the identity from ApplicationPoolIdentity to NetworkService.

There is no other way to find out whether your system is in this specific incorrect state.

Cause: You ran into the Microsoft bug described in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/2545850. This occurs when the machine account password is changed (by default it changes automatically every 30 days), and then IIS is restarted, for example, using iisreset. After that, "a flag is set in a global credential incorrectly", which causes the sign-in failure.

Solution: Set the IFSAppPool identity to NetworkService, as described above. Alternatively, you can upgrade to IFS 10.2 or later, which uses the NetworkService identity.

Possibility #3: outdated machine account password / old VM snapshot

You started a PowerShell or Command Prompt window, using 'Run as Administrator'. You run the nltest /sc_reset:DOMAIN_NAME command, where DOMAIN_NAME is the name of your Windows domain. The command results in this message: I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED.

You must run this command as administrator, otherwise this message is displayed: ERROR_ACCESS_DENIED. Normally, when run as administrator, this command results in The command completed successfully.

Cause: The application that uses Integrated Windows Authentication, such as IFS in Windows mode, runs on a system, or a VM, which was restored to a previous state, with at least two machine password changes in between. Therefore all communication using the machine account (DOMAIN_NAME\hostname$) fails. By default, the Windows machine password is automatically changed every 30 days. For details, see this blog post:

https://blogs.msdn.com/b/sudhakan/archive/2010/01/07/experimenting-with-windows-machine-account-passwords-and-vm-snapshots.aspx

Solution: Make the machine rejoin the domain. You must use a Windows domain account with sufficient rights. See the above blog post for one method to do this. If your Windows domain has two different names, such as INFOR and infor.com, you can use the following, simpler, procedure:

1 Right-click the Computer node and select Properties. Alternatively, in the Control Panel, select System.

2 In the Computer name, domain, and workgroup settings section, click Change settings. The System Properties dialog is displayed.

3 On the Computer Name tab, click Change....

4 Replace the displayed domain name by the alternative name for this domain and click OK.
For example, replace infor.com by INFOR.

5 Reboot the system.

Possibility #4: Web UI

You have installed Web UI on the same system as your IWA-application (such as IFS in Windows mode).


Cause: There is a problem with Kerberos-related SPNs in Active Directory. This is caused by the configuration used by Web UI.

Solution: This is a known Web UI issue. See this KB article on http://www.inforxtreme.com: http://www.inforxtreme.com/espublic/EN/solutions/ViewSolution.asp?SolutionID=1135674.

Workaround: Complete these steps:

1 In IIS where IFS resides, under Default Web Site, select the IFS application.
2 For IFS, open the Authentication page.
3 In the Authentication page, right click Windows authentication, which is enabled, and select Providers.
4 In the Providers page, move NTLM above Negotiate.

Possibility #5: Use of an alias (via the SSL certificate)

You use an alias for the hostname, and possibly in the SSL certificate. The repeated browser sign-in dialog is only displayed if the browser on the IFS system itself is used. When using a URL with the original host name, not the alias, then the sign-in works fine.

Cause: The use of the alias in the URLs to access the IFS application somehow breaks the sign-in protocols (Kerberos / NTLM).

Workaround: Do not use the browser on the IFS server, but use a browser on a client system.

Possibility #6: Non-default installation location

Description: You installed IFS to a non-default location, and outside of C:\Program Files or C:\Program Files (x86). When accessing the web application, one of these messages is displayed:

• HTTP error 401 Unauthorized

• The more precise error 401.3: "You do not have permission to view this directory or page because of the access control list (ACL) configuration or encryption settings for this resource on the Web server."

Cause: If IFS, or any other web application, runs in IWA mode, then IIS checks whether the authenticated user can read the web application's source files. So, in this case IIS checks for authorization on this folder: D:\apps\Infor\Federation Services.

If the standard location, under C:\Program Files, is used, then by default the standard local group 'Users' has read access. This group includes the built-in group NT AUTHORITY\Authenticated Users (S-1-5-11), which includes every IWA-authenticated user. So, in this case everything works fine.

If a different location, for which users have no read access, is chosen, and IFS is in IWA mode, then an error, such as the one above, occurs.

Solution: After installation of IFS to a non-default folder, change the Security properties of that folder and its subfolders as follows: allow Read access by the local group 'Users', or any other group which includes all users which will use IFS. Read access is sufficient.
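The check and fix described above can be scripted. This is an added example, not part of the Infor guide; the function name Test-IfsFolderAcl is hypothetical. It reports whether 'Users' or Authenticated Users can read the folder, flags write access that goes beyond what the Solution calls for, and grants inherited Read only when -Grant is given.

```powershell
# Added example: verify (and with -Grant, add) Read access on a non-default IFS folder.
# Test-IfsFolderAcl is a hypothetical helper name. Deny entries are not evaluated here.
function Test-IfsFolderAcl {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Grant
    )
    # Well-known SIDs, independent of the Windows display language.
    $usersSid = 'S-1-5-32-545'   # local group 'Users'
    $authSid  = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
    $read  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write

    $acl   = Get-Acl -Path $Path
    $rules = @($acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($usersSid, $authSid) -contains $_.IdentityReference.Value)
        })

    # Read must be granted in full; any single write bit counts as write access.
    $canRead  = @($rules | Where-Object { (([int]$_.FileSystemRights) -band $read) -eq $read }).Count -gt 0
    $canWrite = @($rules | Where-Object { (([int]$_.FileSystemRights) -band $write) -ne 0 }).Count -gt 0

    if (-not $canRead -and $Grant) {
        # Read only, inherited by subfolders and files, as the Solution above requires.
        $id   = New-Object System.Security.Principal.SecurityIdentifier($usersSid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'Read', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
        $canRead = $true
    }
    if ($canWrite) {
        Write-Warning "Users or Authenticated Users can write to '$Path'; Read access is sufficient for IFS."
    }
    New-Object PSObject -Property @{ Path = $Path; UsersCanRead = $canRead; UsersCanWrite = $canWrite } |
        Select-Object Path, UsersCanRead, UsersCanWrite
}

# Report only (folder taken from the Cause paragraph above):
#   Test-IfsFolderAcl -Path 'D:\apps\Infor\Federation Services'
# Add the missing Read entry:
#   Test-IfsFolderAcl -Path 'D:\apps\Infor\Federation Services' -Grant
```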


Connection to a remote IFS database fails because NT AUTHORITY\ANONYMOUS LOGON is used

The IFS database is on a different system than the IFS application. In the IFS application in the browser, or in one of its log files, this error is displayed:

"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"

Solution: See these sections:

• "Possibility #2: ApplicationPoolIdentity (IFS 10.1 or older)" on page 46
• "Possibility #3: outdated machine account password / old VM snapshot" on page 47

IFS reports Active Directory error, LDAP-related error, or UPN error

IFS reports one of these errors:

• An error when it queries Active Directory, either during sign-in, for example to get the user's UPN
• An LDAP-related error such as "Load operation failed for query 'GetLdapUsers'"
• Error 0x8000500C - "Unknown Error", 0x80072020 - "An operations error occurred.", or 0x200B - "The specified directory service attribute or value does not exist"
• A related AD query error

Solution: See these sections:

• "Possibility #2: ApplicationPoolIdentity (IFS 10.1 or older)" on page 46
• "Possibility #3: outdated machine account password / old VM snapshot" on page 47

Issues when installing the IFS application

This section describes issues that can occur when you install the IFS application.

Installation fails, log file recommends "manually creating the appropriate logins and permissions in SQL Server"

The installation of IFS fails. The final screen shows a red icon with a cross, and the log file contains these lines:

...
INFO : Checking database logins.
INFO : Creating connection to server '<SQL Server instance>', database 'InforCETenant_<GUID>' (..).
INFO : Connection created.
INFO : Searching for login(s) ...
INFO : Therefore the following query should return 1: SELECT COUNT(*) AS numberOfLogins FROM sys.server_principals WHERE ...
ERROR : ... login(s) found instead of ...
RECOMMENDATION : Please refer to the documentation for manually creating the appropriate logins and permissions in SQL Server.
INFO : Checked database logins.
...

Earlier in the log file there may be ERRORs related to this, which indicate that something went wrong while creating SQL Server logins.

Cause: For some reason, the installer could not create the appropriate account(s). An ERROR line in the log file may provide more details.

Solution: Manually create the SQL Server logins. This section describes the logins to create, and how to create them.

IFS 10 requires these logins in SQL Server:

• If the database is on the same system as IFS:

• IIS APPPOOL\IFSAppPool with read-write rights
• The network service account with read-only rights

On English systems, this account is called NT AUTHORITY\NETWORK SERVICE. On German systems, it is called NT-AUTORITÄT\NETZWERKDIENST, and so on.
See http://msdn.microsoft.com/en-us/library/ms143504.aspx#Localized_service_names.

• If the database is on a different system than IFS:
[domain]\[IFShostname]$ with read-write rights.

See also "How does integrated Windows authentication work?" on page 61.

Normally these accounts are automatically granted access to SQL Server by the installer, but this administration failed for your installation. Therefore you must manually grant access to SQL Server.

To grant access to SQL Server for a Windows user XYZ\ZY, with read-write rights, run this SQL script, for example using SQL Server Management Studio:

CREATE LOGIN [XYZ\ZY] FROM WINDOWS WITH DEFAULT_DATABASE=[InforCETenant_<GUID>], DEFAULT_LANGUAGE=[us_english]
USE [InforCETenant_<GUID>]
EXEC sp_grantdbaccess [XYZ\ZY]
EXEC sp_addrolemember @rolename = 'db_datareader', @membername = [XYZ\ZY]
-- the following line is only needed for write access
EXEC sp_addrolemember @rolename = 'db_datawriter', @membername = [XYZ\ZY]


Issues when running the IFS application

This section describes issues that can occur when running the IFS application.

Invoke operation 'DoBootstrap' failed

During the bootstrap of the IFS application, or later, this error occurs:

Invoke operation ‘DoBootstrap’ failed. Error when trying to find user ‘…’ in Active Directory. Base Exception ‘System.Runtime.InteropServices.COMException’, Message: ‘Unknown error (0x8000500c)’ Inner exception messages: Error when trying to find user ‘…’ in Active Directory

Cause: For some reason anonymous authentication is not sufficient to access Active Directory.

Solution: Complete these steps:

1 Navigate to IFS Configure > Parameters and specify the appropriate Active Directory path.
The tooltip explains how to define the path and provide an appropriate domain userid and password.

2 Try the bootstrap action again.

The IFS application gives HTTP error 500.21 - Internal Server Error

Navigating to the IFS application results in this error message:

HTTP error 500.21. Handler "PageHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list

Cause: The .NET Framework 4 registration is not correct.

Solution: Run this command line:

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe /ir

The IFS application, or some other application, gives HTTP error 404 (not found) after configuring SharePoint

Navigating to the IFS application (or some other application) results in HTTP error 404, after you have configured SharePoint.

Cause: You just ran the SharePoint Foundation 2010 Configuration Wizard. This wizard created an IIS site called 'SharePoint - 80' with an HTTP binding on port 80. You already had IFS, or some other application, installed on another site with a binding on port 80. Therefore, the other site and the 'SharePoint - 80' site cannot run simultaneously. Therefore, IIS has stopped the other site and IFS or the other application is unreachable.


Note that there are many other causes for HTTP error 404. Therefore a different fix may be applicable.

Solution: Open the IIS Manager, and select and stop the 'SharePoint - 80' site. Then select and start the site containing IFS or the other application.

The IFS application, or some other application such as AD FS, gives HTTP error 500 after creating a new SharePoint web application

Navigating to the IFS application or some other application results in HTTP error 500, after you have created a SharePoint web application.

Cause: When creating the SharePoint web application, you did not let SharePoint create an IIS site. Instead you chose to use an existing site, specifically the site where IFS or some other application was already installed. This action corrupted the other application.

Note that there are other causes for HTTP error 500. Therefore a different solution can be applicable.

Solution: Reinstall the software. Alternatively, you can remove or rename the web.config file at the root of the site where IFS or the other application is installed. Note that this will pollute the site.

Could not load type 'System.ServiceModel.Activation.HttpModule'

Browsing to the IFS application results in this error message:

Server Error in '/IFS' Application.
--------------------------------------------------------------------------------
Could not load type 'System.ServiceModel.Activation.HttpModule' from assembly 'System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Cause: This can be caused by installing the SharePoint Foundation 2010 prerequisites, using the SharePoint_SP2_en-us.exe installer. According to the following blog post, this issue can occur when "you install DotNet framework 4.0 on IIS server and then enable DotNet 3.0 or 3.5 WCF features": http://devonenote.com/2010/06/could-not-load-type-system-servicemodel-activation-httpmodule/

Solution: Run this command line:

%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe /iru

Microsoft AD FS specific issues

While running the AD FS configuration Wizard, the AD FS Windows Service fails to start

The AD FS Windows Service fails to start and in the EventViewer AD FS 2.0 Admin logging section this error is displayed:


Event ID: 202, Description: The Federation Service configuration service could not be opened.

Exception details:

System.ServiceModel.CommunicationException: A TCP error (10013: An attempt was made to access a socket in a way forbidden by its access permissions) occurred while listening on IPEndpoint=0.0.0.0: 1501. --->System.Net.Sockets.

Cause: TCP/IP port conflict

The AD FS service uses ports 1500 and 1501 for its communication. Another application at the same system is also using one of these ports.

Solution: Adjust AD FS or the other application to use (an) other port(s).

To identify which application is using the conflicting port:

1 In the Windows command line, specify this command: netstat -ano | findstr [portnumber]
to return the process ID of the conflicting application.

2 Start Task Manager. On the Processes tab, ensure that the PID is one of the columns and searchfor the process with the previously found ID.
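The two identification steps above can be combined in one script. This is an added example, not part of the Infor guide; the function name Get-PortOwner is hypothetical. Unlike a plain findstr on the port number, it compares only the local port column, so rows where 1500 or 1501 appears as a remote port or as a process ID are not reported.

```powershell
# Added example: show which process owns the AD FS ports 1500 and 1501.
# Get-PortOwner is a hypothetical helper name. Run in an elevated session so that
# processes of other accounts can be resolved.
function Get-PortOwner {
    param([int[]]$Port = @(1500, 1501))

    foreach ($line in (netstat -ano)) {
        # TCP data rows look like:  TCP  0.0.0.0:1501  0.0.0.0:0  LISTENING  1234
        $f = @($line.Trim() -split '\s+')
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP') { continue }

        # Take the text after the last colon of the LOCAL address (works for IPv4 and [::]).
        $localPort = [int]($f[1] -replace '^.*:', '')
        if ($Port -notcontains $localPort) { continue }

        $owner = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
        $name  = if ($owner) { $owner.ProcessName } else { '(not resolved)' }

        New-Object PSObject -Property @{
            LocalAddress = $f[1]
            State        = $f[3]
            OwningPid    = [int]$f[4]
            Process      = $name
        } | Select-Object LocalAddress, State, OwningPid, Process
    }
}

Get-PortOwner | Format-Table -AutoSize
```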

Change the AD FS port(s) or the port(s) of the conflicting application. To change the AD FS ports:

1 Stop the service that uses the conflicting port.
2 Restart the AD FS Configuration Wizard, which should have finished.
3 Use the Microsoft procedure to change the AD FS ports. See this article: http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-how-to-change-the-net-tcp-ports-for-services-and-administration.aspx
4 Restart the AD FS service.
5 Start the service that resulted in the error.

AD FS service cannot be started; "A SQL operation in the AD FS configuration database [...] failed"

You see one or more of these symptoms:

• In the event viewer, or in a PowerShell exception, a message is displayed that the connection to the AD FS service failed.
• Starting the 'AD FS 2.0 Windows Service' results in an error.
• An event viewer message is displayed in the AD FS 2.0\Admin log, event ID 352:

A SQL operation in the AD FS configuration database with connection string DataSource=\\.\pipe\mssql$microsoft##ssee\sql\query;InitialCatalog=AdfsConfiguration;Integrated Security=True failed.

Additional Data
Exception details:

A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (Provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)

Cause: The Windows Internal Database, used by AD FS, is not running.

Solution: In the SQL Server Configuration Manager, under SQL Server Services, start 'Windows Internal Database (MICROSOFT##SSEE)' from the shortcut menu. In the Services snap-in, start the 'AD FS 2.0 Windows Service'. This may occur automatically.

Server Error in '/IFS' Application - ID3206: A SignInResponse message may only redirect within the current web application: '/IFS' is not allowed.

When typing the IFS URL in the browser and after being redirected towards AD FS and returning to the IFS UI, the browser shows this error:

Server Error in '/IFS' Application. ID3206: A SignInResponse message may only redirect within the current web application: '/IFS' is not allowed.

Cause: This is caused by omitting the trailing slash from the URL, such as: https://[server].[domain]/IFS, instead of https://[server].[domain]/IFS/.

Solution: Add the trailing slash when typing the URL.

Issues when signing in to AD FS

This section describes the issues that can occur during the sign-in process to AD FS.

Access Denied. You are not authorized to access this site.

When accessing an application, an 'Access Denied' error is displayed by AD FS.

Cause: These are the possible causes:

• The user accessing the application is not registered as a user in IFS.
• None of the applications in IFS has the application type of the application the user tries to access.

SharePoint keeps redirecting to AD FS

Sometimes SharePoint redirects you back to AD FS after receiving a valid token. This action results in a loop until AD FS stops this loop. AD FS displays an error message (MSIS7042) along the lines of "The same client browser session has made '6' requests in the last '12' seconds."

Cause: These are the possible causes:

• You use a version of SharePoint Foundation 2010 that requires Microsoft hotfix http://support.microsoft.com/kb/2459108/ to be installed. See the last bullet item under the 'Introduction' heading.

• The SharePoint LogonTokenCacheExpirationWindow is more than the claims based Lifetime in the AD FS Relying Party Trust, as described in this blog post: http://blogs.technet.com/b/speschka/archive/2010/08/09/setting-the-login-token-expiration-correctly-for-sharepoint-2010-saml-claims-users.aspx

AD FS snap-in does not work; AD FS sign-in results in error

These are the symptoms:

• The AD FS snap-in does not work. Instead an "ADMIN0017" error dialog box is displayed.
• Being redirected to AD FS results in an error, with the corresponding events also mentioning this "ADMIN0017" error code.

Cause: The AD FS 2.0 Windows Service is not running. We observed this after installing the SharePoint Foundation prerequisites.

Solution: Go to Services and start the AD FS 2.0 Windows Service.

Repeated sign-in form using correct credentials

When you are redirected to AD FS for sign-in, an empty sign-in form is displayed. When you specify the correct information, the same empty sign-in form is displayed.

This has been observed with browsers other than Internet Explorer, such as Firefox.

Workaround: Switch off Extended Protection for the AD FS web application.

To switch off Extended Protection:

1 On the AD FS system, open IIS Server Manager.
2 Select Sites > Default Web Site > adfs > ls.
3 Open the Authentication feature in the Features view under the IIS heading.
4 Open the Windows Authentication Advanced Settings... dialog box.
5 Set extended protection to Off. By default it is probably set to Accept.

Restarting the 'ls' app or IIS is not necessary.

Solution: None

Event: "Attribute store 'InforFS data store' is not configured."

AD FS logs an event such as this one:

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 11/26/2010 11:20:34 AM
Event ID: 111
Task Category: None
Level: Error
Keywords: AD FS
User: NETWORK SERVICE
Computer: SERVER.example.com
Description:
The Federation Service encountered an error while processing the WS-Trust request. Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue

Additional Data
Exception details:
Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'InforFS data store' is not configured.
 at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
 at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
 at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

Cause: Maybe the data store does not exist. More often the issue is caused by an incorrect connection string that, for example, has an incorrect username/password combination.

During sign-in: There was a problem accessing the site. Try to browse to the site again.

This error typically occurs when something goes wrong inside AD FS during token issuing. The error contains a reference number, which looks like a UUID.

The reference number refers to an event. In most cases you can find this event in Application And Services Logs > ADFS in the event viewer on the AD FS server.

Issues with IFS Web Services

This section describes some issues with IFS Web services.

ID3037: The specified request failed. In AD FS event log: error ID4007

The Federation Service encountered an error while processing the WS-Trust request. Request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

Additional Data Exception details: Microsoft.IdentityModel.SecurityTokenService.RequestFailedException: ID4007: The symmetric key inside the requested security token must be encrypted. To fix this, either override the SecurityTokenService.GetScope() method to assign appropriate value to Scope.EncryptingCredentials or set Scope.SymmetricKeyEncryptionRequired to false.

Cause: The absence of the service certificate in the Relying Party configuration in AD FS. The symmetric key, to which the exception text refers, is a so-called 'proof key'. 'Proof key' is short for 'proof of possession key'.

Solution: Import the certificate, only the public key, in the relying party in AD FS.

The IFS web app works but none of the web services work (problems about 'http base address')

This problem consists of these parts:

• The https://server.infor.com/IFS/ Web application works.
• AD FS works.
• The Configuration Service is not discoverable.
• When accessing the claims-enabled Attribute Service at the .svc URL, for example https://server.infor.com/IFS/AttributeService.svc, this error is displayed:

The HttpGetEnabled property of ServiceMetadataBehavior is set to true and the HttpGetUrl property is a relative address, but there is no http base address. Either supply an http base address or set HttpGetUrl to an absolute address.

• When accessing the Configuration Service at the .svc URL, for example https://[server].[domain]/IFS/ConfigurationService.svc, this error message is displayed:

Could not find a base address that matches scheme http for the endpoint with binding WSHttpBinding. Registered base address schemes are https.

• There is an HTTP binding in IIS for the website.

Cause: A problem with the HTTP binding.

Solution: Clear the SSL Required check box in the SSL Settings in the features view of the IFS application in IIS, not of the website, but of the application. The changes that you have made should now take effect.

Tracing of AD FS

This section describes how to trace AD FS.

Monitoring AD FS status and errors in the event viewer

If an error occurs in authenticating or creating claims, a message is displayed. This message usually contains a long correlation ID (GUID). You can use this number to find the correct events in the event viewer.

To find the correct event in the event viewer:

1 Select Applications and Services Logs > AD FS 2.0 > Admin.
2 On the panel on the right, click Find and paste the correlation ID found in the message. This takes you to the correct event.

To make the correlation ID visible in the event list:

1 From the View menu, select Add/remove columns….
2 Add the 'Correlation ID' column.

Generally, this same event log shows 'informational' and 'warning' messages, which you can use to monitor the status of AD FS. For example, warnings are displayed here when certificates are about to expire.

Switching on tracing for AD FS

To switch on tracing for AD FS:

1 On the system where AD FS is installed, in Windows Event viewer, select Applications and Services Logs.
2 In the Actions pane on the right, select View > Show Analytic and Debug Logs.
3 On the left, an additional AD FS 2.0 Tracing node is displayed. Open the node, right-click Debug, and select Enable Log.

Showing which claims are emitted

When authenticating to AD FS and getting a token for your web application, AD FS logs trace events in the 'AD FS 2.0 Tracing' log. Logging only takes place if you have switched on tracing; see above.

Note: The newest events are on the last page. Therefore, if the log already contains a lot of events, you must click Next page various times before you get to the correct events.

Look for events that have an Event ID of '1001'; there are many of these events. These events contain a list of emitted claims.
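Both lookups, the correlation ID search in the Admin log and the Event ID 1001 search in the tracing log, can be scripted with Get-WinEvent. This is an added example, not part of the Infor guide: the function names are hypothetical, the GUID is a constructed placeholder, and the channel name 'AD FS 2.0 Tracing/Debug' is an assumption derived from the node names in the steps above.

```powershell
# Added example (not from the guide). Run on the AD FS server, elevated.
$AdminLog = 'AD FS 2.0/Admin'          # log name as shown in the event on this page
$TraceLog = 'AD FS 2.0 Tracing/Debug'  # assumed channel name of the Debug trace log

function Get-CorrelationFilter {
    param([Parameter(Mandatory = $true)][guid]$CorrelationId)
    # Event Viewer's "Correlation ID" column is System/Correlation/@ActivityID,
    # written in braces in the event XML.
    $activity = $CorrelationId.ToString('B').ToUpper()
    "*[System[Correlation[@ActivityID='$activity']]]"
}

function Find-AdfsEvent {
    param([Parameter(Mandatory = $true)][guid]$CorrelationId)
    $xpath = Get-CorrelationFilter -CorrelationId $CorrelationId
    foreach ($log in $AdminLog, $TraceLog) {
        # -Oldest is required for Debug logs: they can only be read oldest first.
        # A log that is missing or has no match is skipped silently.
        Get-WinEvent -LogName $log -FilterXPath $xpath -Oldest -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
    }
}

function Get-EmittedClaimEvent {
    param([int]$Last = 20)
    # The log is read oldest first, so the newest 1001 events are the last ones;
    # this replaces paging to the end of the list in Event Viewer.
    Get-WinEvent -LogName $TraceLog -FilterXPath '*[System[EventID=1001]]' -Oldest `
        -ErrorAction SilentlyContinue |
        Select-Object -Last $Last -Property TimeCreated, Id, Message
}

# Constructed placeholder; paste the reference number from the error page instead.
$id = [guid]'00000000-0000-0000-0000-000000000000'
Get-CorrelationFilter -CorrelationId $id
Find-AdfsEvent -CorrelationId $id | Format-List
Get-EmittedClaimEvent -Last 10 | Format-List
```

Get-EmittedClaimEvent returns nothing until the Debug log has been enabled as described in "Switching on tracing for AD FS".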

IFS and ION integration issues related to infrastructure settings

During an ION installation, an IFS validation error about the attribute service user being invalid can occur. See KB 1531160 at https://www.inforxtreme.com.

Chrome 42 NPAPI disables Java and Silverlight

With Google Chrome browser version 42, released in April 2015, Silverlight does not work, by default. When you start ION Desk, a message is displayed indicating Silverlight is not installed, even though it is.

So that ION can run, you must re-enable the NPAPI plug-ins in Chrome. In the browser, go to chrome://flags/#enable-npapi and click Enable for the Enable NPAPI Mac, Windows setting. Then relaunch Chrome.

Alternatively, an administrator can re-enable NPAPI through a Chrome Enterprise Policy, for example, through plug-in policies such as EnabledPlugins and PluginsAllowedForUrls.

B Security considerations for connecting to SQL Server

Be aware of these security considerations, when you install and use the IFS and AD FS products:

• Initially, IFS and AD FS are configured to connect to the SQL Server database using 'Windows Integrated authentication' access to SQL Server. This is to ensure that there are no administrator-readable passwords in these connection strings:

  • In the IFS web.config file
  • In the AD FS attribute store called 'InforFS data store'

  Therefore, special accounts are used to access the SQL Server database. See "How does integrated Windows authentication work?".

• The above connection strings are not encrypted. Therefore information such as the database server name is administrator-readable. See "Encrypting connection strings".

• The network connections to SQL Server are not encrypted. See "Encrypting connections to SQL Server".

Customers can have different security policies at these points. This section describes manual procedures for making changes in this area.

How does integrated Windows authentication work?

This section describes the accounts that are used by IFS and AD FS, for their Integrated Windows authentication connections to SQL Server.

IFS application

These are the scenarios to consider:

• The SQL Server database is on the same system as the IFS application.
• The SQL Server database is on a different system.

If the database is on the same system, IFS uses the identity of the IIS application pool of the IFS application, which is the virtual 'IIS APPPOOL\IFSAppPool' account. This account must have read-write access for the InforCETenant_<GUID> database. Adding this virtual account to SQL Server with the appropriate authorizations is built into the IFS installer.

On a remote SQL Server system, IFS uses the [domain]\[IFShostname]$ machine account. This is built into IIS. This account needs read-write access for the InforCETenant_<GUID> database.

AD FS attribute store 'InforFS data store'

These are the scenarios to consider:

• The SQL Server database is on the same system as AD FS.
• The SQL Server database is on a different system.

If the database is on the same system, AD FS uses the 'identity' of the IIS application pool of the 'adfs\ls' application, which is the 'NT AUTHORITY\NETWORK SERVICE' account. This account must have read access for the InforCETenant_<GUID> database. Adding this virtual account to SQL Server with the appropriate authorizations is built into the AD FS 2.0 installer.

On a remote SQL Server system, AD FS uses the [domain]\[ADFShostname]$ machine account but the relevant Microsoft documentation page ("Attribute Stores", http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx) does not document this. This account must have read access for the InforCETenant_<GUID> database.

Encrypting connection strings

There are two reasons to encrypt a SQL Server connection string:

• The string contains a SQL Server authentication password.
• Other information in the connection string is considered sensitive information.

Note: You cannot encrypt only the password within an otherwise unencrypted connection string.

Encrypting the IFS connection string in web.config

To encrypt the IFS web.config connection string:

1 Start a command prompt window. Run the window as administrator.
2 Run this command line:

%WinDir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pe "connectionStrings" -app "/IFS" -prov "DataProtectionConfigurationProvider"

The output should be as follows:

Encrypting configuration section...
Succeeded!

This encrypts the entire <connectionStrings> section in the web.config file of the IFS web application, so that IIS can decrypt it.

The instructions above are based on these Microsoft documents:

1 Walkthrough: Encrypting Configuration Information Using Protected Configuration. See http://msdn.microsoft.com/en-us/library/dtkwfdky.aspx.
2 How To: Encrypt Configuration Sections in ASP.NET 2.0 Using DPAPI. See http://msdn.microsoft.com/en-us/library/ff647398.aspx.
3 Finding the Correct Version of Aspnet_regiis.exe. See http://msdn.microsoft.com/en-us/library/k6h9cz8h.aspx#FindingTheCorrectVersion.
4 Windows Data Protection. See http://msdn.microsoft.com/en-us/library/ms995355.aspx.
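To confirm the result of the aspnet_regiis command, or to audit a web.config before encrypting it, the <connectionStrings> section can be inspected directly. This is an added example, not part of the Infor guide: the function name is hypothetical, and the two sample documents are constructed (server, database, user, password and cipher text are placeholders).

```powershell
# Added example (not from the guide): report how a web.config protects its
# connection strings. Assumes plain ADO.NET connection strings.
Add-Type -AssemblyName System.Data

function Test-ConnectionStringProtection {
    param([Parameter(Mandatory = $true)][xml]$Config)

    $section = $Config.SelectSingleNode('/configuration/connectionStrings')
    if (-not $section) { return 'No connectionStrings section found' }

    # aspnet_regiis -pe replaces the section content with an EncryptedData
    # element and records the provider in configProtectionProvider.
    $provider = $section.GetAttribute('configProtectionProvider')
    if ($provider -and $section.SelectSingleNode("*[local-name()='EncryptedData']")) {
        return "Section is encrypted with $provider"
    }

    foreach ($add in $section.SelectNodes('add')) {
        $name = $add.GetAttribute('name')
        $b = New-Object System.Data.Common.DbConnectionStringBuilder
        try { $b.set_ConnectionString($add.GetAttribute('connectionString')) }
        catch { "${name}: plaintext, could not be parsed"; continue }

        $integrated = $false
        foreach ($k in 'Integrated Security', 'Trusted_Connection') {
            if ($b.ContainsKey($k) -and "$($b.get_Item($k))" -match '^(true|yes|sspi)$') {
                $integrated = $true
            }
        }
        if ($b.ContainsKey('Password') -or $b.ContainsKey('Pwd')) {
            "${name}: plaintext WITH a SQL Server authentication password"
        } elseif ($integrated) {
            "${name}: plaintext, Integrated Windows Authentication (no password, server name readable)"
        } else {
            "${name}: plaintext, no recognised authentication keyword"
        }
    }
}

# Constructed sample 1: unencrypted section using SQL Server authentication.
$plain = [xml]@'
<configuration>
  <connectionStrings>
    <add name="Sample" connectionString="Data Source=sqlhost.example.com;Initial Catalog=InforCETenant_SAMPLE;User ID=sample_user;Password=constructed-placeholder" />
  </connectionStrings>
</configuration>
'@

# Constructed sample 2: the shape of the section after aspnet_regiis -pe.
$encrypted = [xml]@'
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData><CipherData><CipherValue>CONSTRUCTED-PLACEHOLDER</CipherValue></CipherData></EncryptedData>
  </connectionStrings>
</configuration>
'@

Test-ConnectionStringProtection -Config $plain
Test-ConnectionStringProtection -Config $encrypted

# Against the real file (the path is a placeholder):
# Test-ConnectionStringProtection -Config ([xml](Get-Content 'C:\path\to\IFS\web.config'))
```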

AD FS does not support encrypted connection strings

An AD FS connection string, which is used for the 'InforFS data store' attribute store, cannot be encrypted and can be read by any administrator.

Therefore, if no readable passwords are allowed, you must use Integrated Windows Authentication; see above.

Microsoft recommends that you use Integrated Windows Authentication: "We recommend that Integrated Windows Authentication is used for connecting to a SQL Server database. If SQL Server authentication is used, the applicable SQL user name and its related password information will be stored as clear text in the AD FS 2.0 configuration database." See http://technet.microsoft.com/en-us/library/adfs2-help-attribute-stores%28WS.10%29.aspx.

Any administrator can view the properties of an AD FS attribute store through the GUI or through the AD FS PowerShell snap-in. We expect that Microsoft has protected the Windows Internal Database tables used by AD FS against access by non-administrator users.

Encrypting connections to SQL Server

By default, network connections to SQL Server are not encrypted. To encrypt the connections to SQL Server, follow this procedure from Microsoft: "How to: Enable Encrypted Connections to the Database Engine (SQL Server Configuration Manager)".

See http://msdn.microsoft.com/en-us/library/ms191192.aspx.

This procedure is as follows: provide the SQL Server database server with an appropriate certificate, and ensure the IFS and AD FS system trusts this certificate.

C Changing the HTTP/HTTPS port numbers for AD FS 2.0

The steps below assume that the new AD FS port numbers are HTTP 9680 and HTTPS 9643.

These instructions are based on "Configure a Computer for the Federation Server Proxy Role" from the AD FS documentation (http://technet.microsoft.com/en-us/library/dd807067%28WS.10%29.aspx).

To change the HTTP/HTTPS port numbers:

1 In the IIS Manager, select Default Web Site. Then go to Bindings… and change the port numbers to 9680 and 9643.

2 Start a Windows PowerShell. You must run the shell as administrator.

3 Perform these commands:

a Add-PSSnapin Microsoft.ADFS.PowerShell

b Set-ADFSProperties -HttpPort 9680 -HttpsPort 9643

This warning is displayed:

WARNING: PS0038: This action requires a restart of the AD FS 2.0 Windows Service. If you have deployed a federation server farm, restart the service on every server in the farm.

Do not attempt to restart the AD FS 2.0 Windows Service yet, because it will fail.

4 Perform these commands without the line breaks:

a netsh http add urlacl https://+:9643/adfs/fs/federationserverservice.asmx/ user="NT Authority\Network Service"

b netsh http add urlacl https://+:9643/FederationMetadata/2007-06/ user="NT Authority\Network Service"

c netsh http add urlacl https://+:9643/adfs/services/ user="NT Authority\Network Service"

d netsh http add urlacl http://+:9680/adfs/services/ user="NT Authority\Network Service"

Each time a command completes successfully, this message is displayed:

URL reservation successfully added

You might receive this response for one or more of these commands:

Url reservation add failed, Error: 183
Cannot create a file when that file already exists.

In this case the URL reservation was already available, which is correct.

5 Restart the AD FS 2.0 Windows Service.
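Because step 4 can end with either "successfully added" or error 183, it is worth confirming afterwards that all four reservations exist for the Network Service account. This is an added example, not part of the Infor guide: the function name is hypothetical, it assumes the English "Reserved URL" / "User:" layout of netsh http show urlacl output, and the sample lines are constructed.

```powershell
# Added example (not from the guide): verify the URL reservations from step 4.
function Test-AdfsUrlReservation {
    param(
        [string[]]$ExpectedUrl = @(
            'https://+:9643/adfs/fs/federationserverservice.asmx/',
            'https://+:9643/FederationMetadata/2007-06/',
            'https://+:9643/adfs/services/',
            'http://+:9680/adfs/services/'
        ),
        [string]$ExpectedUser = 'NT AUTHORITY\NETWORK SERVICE',
        # Lines in "netsh http show urlacl" format; defaults to the live output.
        [string[]]$UrlAclLine = (netsh http show urlacl)
    )
    # Build a map of reserved URL -> accounts from the "Reserved URL : ..."
    # lines and the "User: ..." lines that follow each of them.
    $users = @{}
    $current = $null
    foreach ($line in $UrlAclLine) {
        $m = [regex]::Match($line, '^\s*Reserved URL\s*:\s*(\S+)\s*$')
        if ($m.Success) {
            $current = $m.Groups[1].Value
            $users[$current] = @()
            continue
        }
        $m = [regex]::Match($line, '^\s*User:\s*(.+?)\s*$')
        if ($m.Success -and $current) { $users[$current] += $m.Groups[1].Value }
    }
    foreach ($url in $ExpectedUrl) {
        $status = 'missing'
        if ($users.ContainsKey($url)) {
            $status = 'reserved for another account'
            if ($users[$url] -contains $ExpectedUser) { $status = 'ok' }
        }
        New-Object PSObject -Property @{ Url = $url; Status = $status } |
            Select-Object Status, Url
    }
}

# Constructed sample output: one reservation present, the other three absent.
$sample = @(
    '    Reserved URL            : https://+:9643/adfs/services/',
    '        User: NT AUTHORITY\NETWORK SERVICE',
    '            Listen: Yes',
    '            Delegate: No'
)
Test-AdfsUrlReservation -UrlAclLine $sample | Format-Table -AutoSize

# On the AD FS server, from an elevated prompt:
# Test-AdfsUrlReservation
```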

D Creating server certificates

Self-signed certificate vs. CA-signed certificate

SSL security is based on server authentication. This means that the client can verify that the server is who it claims to be. Certificates provide a method for that authentication. The server owns the certificate with a public and private encryption key. The clients that have deployed the public key of this certificate trust the server. If a self-signed certificate is used, the customer must distribute the public key of that certificate to the involved clients. By using a certificate that is signed by a Certificate Authority, which is trusted by the browsers or client systems, the distribution of the public key of the server certificate is not needed.

Creating a self-signed certificate

To create a self-signed certificate:

1 Log on to the IFS Server with a server Administrator account and complete these steps to start Internet Information Services (IIS) Manager:
a Select Start > Control Panel.
b Select System and Security > Administrative Tools.
c In the Administrative Tools window, double-click Internet Information Services (IIS) Manager.
2 On the Connections panel on the left, click the server name at the root to select it.
3 On the middle panel, double-click Server Certificates.
4 Under Actions on the right panel, click Create Self-Signed Certificate.
5 On the Specify Friendly Name screen, specify a name, such as the Fully Qualified Host Name in this format: [server].[domain]. For example: Jupiter.mycompany.com
6 Click OK.

Creating a Certificate Authority (CA) Signed certificate

To create a CA-signed certificate:

1 Open the IIS Manager snap-in:
a Select Start > Control Panel.
b Select System and Security > Administrative Tools.
c In the Administrative Tools window, double-click Internet Information Services (IIS) Manager.
2 On the Connections panel on the left, click the server name at the root to select it.
3 On the middle panel, double-click Server Certificates.
4 On the right panel, under Actions, click Create Certificate Request.
5 In the Distinguished Name Properties screen, specify this information and click Next:

Common Name
Specify the Fully Qualified Host Name of the AD FS server. Specify the name in this format: [server].[domain]. For example: Jupiter.mycompany.com

Fill in the rest of the pertinent information.

6 In the Cryptographic Service Provider Properties window, specify this information and click Next:

Cryptographic service provider
Select Microsoft RSA Schannel Cryptographic Provider.

Bit Length
Select 2048.

Note: AD FS requires at least 2048 bits.

7 In the File Name window, save the request to a text file. Make a note of the name and path. The keys will be saved here and you will need this information later.

8 Submit the certificate request to your chosen authority provider. You will be provided a response file. Save the file.
Some common certificate authorities are Verisign and Comodo. Alternatively, you can use Microsoft Active Directory Certificate Services (ADCS) to create certificates for your domain.

Once you have received the response file from the Certificate Authority, complete these steps:

1 In IIS, on the Connections panel on the left, click the server name at the root to select it.
2 Double-click Server Certificates.
3 On the right panel, under Actions, select Complete Certificate Request.
4 Under File Containing the certification authority's response, click the button and browse to the certificate file.
5 As Friendly name, specify the Fully Qualified host name. For example, Jupiter.mycompany.com.
6 Click OK.

Creating a domain certificate

These instructions assume that your system administrator has set up an Enterprise Active Directory Certificate Authority within the domain. To learn more about Active Directory Certificate Services, see http://technet.microsoft.com/en-us/library/cc770357%28v=ws.10%29.aspx.

1 Log on to the server with a server administrator account and complete these steps to start Internet Information Services (IIS) Manager:
a Select Start > Administrative Tools.
b From the Administrative Tools menu, click Internet Information Services (IIS) Manager.
2 Select your server in the Connections pane.
3 Double-click Server Certificates in the middle panel.
4 Click Create Domain Certificate in the Actions panel.
5 On the Distinguished Name Properties page, specify this information and click Next:

Common Name
Specify the Fully Qualified Host Name of the AD FS server. Specify the name in this format: [server].[domain]. For example: Jupiter.mycompany.com

Complete the rest of the pertinent information.

6 On the Online Certification Authority page, click Select.

Note: If Select is not available, most likely an Enterprise Certificate Authority has not been configured. Your system administrator must set up an Enterprise Certificate Authority.

7 On the Select Certification Authority page, select your Enterprise Certificate Authority. Click OK.
8 On the Online Certification Authority page, assign a Friendly Name. Click Finish.
