The trust relationship between this workstation and the primary domain failed Hyper-V Server

The trust relationship between this workstation and the primary domain failed

When playing around with some Hyper-V servers that have been inactive for some time, we received an error:

Screenshot 2016 01 05 19 31 45

The cause of this is due to the fact that Active Directory is doing a lot more than simple user name and password storage. We found that a Hyper-V system that remains off for some time, then is turned on again can suffer this. The reason for this has to do with the way that some applications use the Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within the Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration data that is stored in the Active Directory.

The suggestion by some other blogs is to: simply reset the computer account. To do so, open the Active Directory Users and Computers console and select the Computers container. Right click on the computer that you are having trouble with. Select the Reset Account command from the shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you are sure that you want to reset the computer account.  Click Yes and the computer account will be reset.

NewImage

This is perfectly safe to do, but is not likely to resolve the issue.

The Fix

1. Log into the server in question using the non domain admin account.

2. Open the Power Shell and run the command:

$credential = Get-Credential

(When prompted, you need to enter the domain administrator account and name.)

3. Then run the command: 

Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere

(Replacing the “ClosestDomainControllerNameHere” with your domain AD domain. domain.com for example.)

After running this you should be good to login.

Moving Active Directory AD to a New Domain Controller DC

Since I don’t have to do this very often, but always seem to forget how to transfer the Schema Masterand Domain Naming Master, I decided to write it down, when it came up again as I transferred all the roles to my Windows 2012 server.

The following three FSMO roles can be migrated from Active Directory Users and Computers. Right mouse click on the domain and select Operations Masters. There is one tab for each of the three FSMO roles:

PDC
RID Pool Manager
Infrastructure Master

The following FSMO role can be transfered from Active Directory Domains and Trusts. Right mouse click on Active Directory Domains and Trusts, and select Operations Master.:

Domain Naming Master

For the Schema Master FSMO role, you first need to register a dll by executing the following command (Note: This only needs to be done once from an elevated command prompt.):

c:\> regsvr32 schmmgmt.dll

Then, you can add the Active Directory Schema Snap-In to a Microsoft Management Console (MMC). With the Snap-In added, ensure that the targeted domain controller is the one that you want to transfer the Schema Master role to. To change it, right mouse click on Active Directory Schema, under Console Root, and select Change Active Directory Domain Controller.. to select the domain controler you want to transfer the role to. Once that is done, right mouse click on Active Directory Schema, and select Operations Master to change the role.

If you do not have a different domain controller targeted, you will get the following message:

The current Active Directory Domain Controller is the Operations Master. To transfer the Operations Master to a different DC, you need to target Active Directory Schema to that DC.

And when you switch the target domain controller, you get the following, which is okay for what we want to do.:

Active Directory Schema snap-in is not connected to the schema operations master. You will not be able to permform any changes. Schema modification can only be made on the schema FSMO holder.

SQL 2014 ‘Agent XPs’ componet is turned off when accessing Maintenance Plans

When trying to create a Maintenance Plan you get an error: 

‘Agent XPs’ component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘Agent XPs’ by using sp_configure. For more information about enabling ‘Agent XPs’ see “Surface Area Configuration” in SQL Server Books Online. (Object Explorer)

Screenshot 2015 04 01 14 39 39

Details of the error are:

===================================

Cannot show requested dialog.

===================================

Unable to execute requested command.

——————————
Program Location:

at Microsoft.SqlServer.Management.UI.VSIntegration.ObjectExplorer.ToolMenuItemHelper.OnCreateAndShowForm(IServiceProvider sp, XmlDocument doc)
at Microsoft.SqlServer.Management.SqlMgmt.RunningFormsTable.RunningFormsTableImpl.ThreadStarter.StartThread()

===================================

‘Agent XPs’ component is turned off as part of the security configuration for this server. A system administrator can enable the use of ‘Agent XPs’ by using sp_configure. For more information about enabling ‘Agent XPs’, see “Surface Area Configuration” in SQL Server Books Online. (Microsoft.SqlServer.Management.MaintenancePlanWizard)

——————————
Program Location:

at Microsoft.SqlServer.Management.MaintenancePlanWizard.MaintenancePlanWizardForm.LoadData()
at Microsoft.SqlServer.Management.MaintenancePlanWizard.MaintenancePlanWizardForm..ctor(XmlDocument doc, IServiceProvider serviceProvider)

 

The Cause

This is caused because the “SQL Server Agent” is not running.

By default, this service is set to start manually. This is normal after a fresh install.

 

The Solution

1. Open SQL Server Configuration Manager

2. Start the service for SQL Server Agent.

SQL Server Agent

3. Right click the service and select Properties

Screenshot 2015 04 01 14 43 29

4. Click the Service tab and change the start mode to Automatic

Screenshot 2015 04 01 14 43 48

That’s it! 

 

 

Windows 2012 Turn off Password Complexity

How to disable (turn off) the default Windows 2012 Administrator Complexity

1. Open the Administrative Tool

Windows 2012 Password Complexity.png

2. This places you in the Administrative Tools section. Select Local Security Policy.

Windows 2012 Password Local Security Policy.png

3. Change the password Must Meet Complex Requirements option to Disabled.

In a Domain Environment, for an Active Directory Domain Server.

  • In the Server Manager click on Tools and from the drop down click Group Policy Management
  • Expand Forrest >> Domains >> Your Domain Controller.
  • Right click on the Default Domain Policy and click on the Edit from the context menu.
  • Now Expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy
  • Double-click on the Passwords Must Meet Complexity Requirements option in the right pane.
  • Select Disabled  under define this policy setting:
  • Click Apply then OK all the way out and close the GPO window.
  • In order to refresh the policy type the following command: “gpupdate /force”  in the CMD window and click ENTER.

Windows 2012 R2 Remote Desktop Enabled Cannot RDP Connect

Windows 2012 RDP Remote Desktop Enabled but you Cannot Connect

You find that after you enable the Windows 2012 RDP or Remote Desktop Connection features to allow you to remote desktop into your new server, you are still unable to connect to the server.

The Cause

By default on new installs of Windows 2012 R2 the server firewall is enabled for TCP IP on Remote Desktop User Mode In TCP-IP.

The Fix

Enable the rule that permits access through the Windows Firewall.

1. Search for Firewall and open “Windows Firewall and Advanced Security”.

2. Find the rule “Remote Desktop – User Mode TCP-in” and ENABLE Rule

Windows 2012 Remote Desktop Firewall Rule

ADFS Server on Windows 2012 R2 – AddressThe e-mail address of the userGiven NameThe given name of the userName

Setting up an ADFS 3.0 Server on Windows 2012 R2

On testing the setup, you receive an error that looks like this:

dkYfAUMU0yl74SE4kki4WC2wzYiQ2c5ea3sOz/KMfAk=f1EHPUY2buvcksrq2PV4Jzz1gPzqqsJLte1AgpTWwtQ0MnKMgzgVQ5OTSTcElWugzU4m3nZFOz0OmR9nUd/KaKasgnv0kxKO7SjuQ09VTtcIblHBwr/sRe13Q5pb6LeWC17g5/STWC4JMy9MjQzk97WvBLtNjlV77tijW9EK5XTQAuUqyXfbZsPuMw9hLZ7YBEEWB8SEmopUHWVGcVYAEjl3eFk+jqbPmL71K9OdlBM0l0BuzK9vr1rppjBHKUoWP7nuhiY9oohaVkktUA4pI9DhWhMwVhGx3Yr8VYyZtI65LfeIyyz2MzEhcxuzkaxory4VQdxn4af4r534mP5W5w==MIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKMIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTE-Mail AddressThe e-mail address of the userGiven NameThe given name of the userNameThe unique name of the userUPNThe user principal name (UPN) of the userCommon NameThe common name of the userAD FS 1.x E-Mail AddressThe e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0GroupA group that the user is a member ofAD FS 1.x UPNThe UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0RoleA role that the user hasSurnameThe surname of the userPPIDThe private identifier of the userName IDThe SAML name identifier of the userAuthentication time stampUsed to display the time and date that the user was authenticatedAuthentication methodThe method used to authenticate the userDeny only group SIDThe deny-only group SID of the userDeny only primary SIDThe deny-only primary SID of the userDeny only primary group SIDThe deny-only primary group SID of the userGroup SIDThe group SID of the userPrimary group SIDThe primary group SID of the userPrimary SIDThe primary SID of the userWindows account nameThe domain account name of the user in the form of domain\userIs Registered UserUser is registered to use this deviceDevice IdentifierIdentifier of the deviceDevice Registration IdentifierIdentifier for Device RegistrationDevice Registration DisplayNameDisplay name of Device RegistrationDevice OS typeOS type of the deviceDevice OS VersionOS version of the deviceIs Managed DeviceDevice is managed by a management serviceForwarded Client IPIP address of the userClient ApplicationType of the Client ApplicationClient User AgentDevice type the client is using to access the applicationClient IPIP address of the clientEndpoint PathAbsolute Endpoint path which can be used to determine active versus passive clientsProxyDNS name of the federation server proxy that passed the requestApplication IdentifierIdentifier for the Relying PartyApplication policiesApplication policies of the certificateAuthority Key IdentifierThe Authority Key Identifier extension of the certificate that signed an issued certificateBasic ConstraintOne of the basic constraints of the certificateEnhanced Key UsageDescribes one of the enhanced key usages of the certificateIssuerThe name of the certificate authority that issued the X.509 certificateIssuer NameThe distinguished name of the certificate issuerKey UsageOne of the key usages of the certificateNot AfterDate in local time after which a certificate is no longer validNot BeforeThe date in local time on which a certificate becomes validCertificate PoliciesThe policies under which the certificate has been issuedPublic KeyPublic Key of the certificateCertificate Raw DataThe raw data of the certificateSubject Alternative NameOne of the alternative names of the certificateSerial NumberThe serial number of a certificateSignature AlgorithmThe algorithm used to create the signature of a certificateSubjectThe subject from the certificateSubject Key IdentifierDescribes the subject key identifier of the certificateSubject NameThe subject distinguished name from a certificateV2 Template NameThe name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.V1 Template NameThe name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.ThumbprintThumbprint of the certificateX.509 VersionThe X.509 format version of a certificateInside Corporate NetworkUsed to indicate if a request originated inside corporate networkPassword Expiration TimeUsed to display the time when the password expiresPassword Expiration DaysUsed to display the number of days to password expiryUpdate Password URLUsed to display the web address of update password serviceAuthentication Methods ReferencesUsed to indicate all authentication methods used to authenticate the userClient Request IDIdentifier for a user sessionAlternate Login IDAlternate login ID of the user 

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedsymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/13/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256

https://iwebscrm15.com/adfs/ls/

http://iwebscrm15.com/adfs/services/trust

https://iwebscrm15.com/adfs/services/trust/2005/issuedtokenmixedasymmetricbasic256

https://iwebscrm15.com/adfs/ls/

MIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKE-Mail AddressThe e-mail address of the userGiven NameThe given name of the userNameThe unique name of the userUPNThe user principal name (UPN) of the userCommon NameThe common name of the userAD FS 1.x E-Mail AddressThe e-mail address of the user when interoperating with AD FS 1.1 or AD FS 1.0GroupA group that the user is a member ofAD FS 1.x UPNThe UPN of the user when interoperating with AD FS 1.1 or AD FS 1.0RoleA role that the user hasSurnameThe surname of the userPPIDThe private identifier of the userName IDThe SAML name identifier of the userAuthentication time stampUsed to display the time and date that the user was authenticatedAuthentication methodThe method used to authenticate the userDeny only group SIDThe deny-only group SID of the userDeny only primary SIDThe deny-only primary SID of the userDeny only primary group SIDThe deny-only primary group SID of the userGroup SIDThe group SID of the userPrimary group SIDThe primary group SID of the userPrimary SIDThe primary SID of the userWindows account nameThe domain account name of the user in the form of domain\userIs Registered UserUser is registered to use this deviceDevice IdentifierIdentifier of the deviceDevice Registration IdentifierIdentifier for Device RegistrationDevice Registration DisplayNameDisplay name of Device RegistrationDevice OS typeOS type of the deviceDevice OS VersionOS version of the deviceIs Managed DeviceDevice is managed by a management serviceForwarded Client IPIP address of the userClient ApplicationType of the Client ApplicationClient User AgentDevice type the client is using to access the applicationClient IPIP address of the clientEndpoint PathAbsolute Endpoint path which can be used to determine active versus passive clientsProxyDNS name of the federation server proxy that passed the requestApplication IdentifierIdentifier for the Relying PartyApplication policiesApplication policies of the certificateAuthority Key IdentifierThe Authority Key Identifier extension of the certificate that signed an issued certificateBasic ConstraintOne of the basic constraints of the certificateEnhanced Key UsageDescribes one of the enhanced key usages of the certificateIssuerThe name of the certificate authority that issued the X.509 certificateIssuer NameThe distinguished name of the certificate issuerKey UsageOne of the key usages of the certificateNot AfterDate in local time after which a certificate is no longer validNot BeforeThe date in local time on which a certificate becomes validCertificate PoliciesThe policies under which the certificate has been issuedPublic KeyPublic Key of the certificateCertificate Raw DataThe raw data of the certificateSubject Alternative NameOne of the alternative names of the certificateSerial NumberThe serial number of a certificateSignature AlgorithmThe algorithm used to create the signature of a certificateSubjectThe subject from the certificateSubject Key IdentifierDescribes the subject key identifier of the certificateSubject NameThe subject distinguished name from a certificateV2 Template NameThe name of the version 2 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.V1 Template NameThe name of the version 1 certificate template used when issuing or renewing a certificate. The extension is Microsoft specific.ThumbprintThumbprint of the certificateX.509 VersionThe X.509 format version of a certificateInside Corporate NetworkUsed to indicate if a request originated inside corporate networkPassword Expiration TimeUsed to display the time when the password expiresPassword Expiration DaysUsed to display the number of days to password expiryUpdate Password URLUsed to display the web address of update password serviceAuthentication Methods ReferencesUsed to indicate all authentication methods used to authenticate the userClient Request IDIdentifier for a user sessionAlternate Login IDAlternate login ID of the user 

https://iwebscrm15.com/adfs/services/trust/2005/certificatemixed

https://iwebscrm15.com/adfs/services/trust/mex

https://iwebscrm15.com/adfs/ls/

MIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTMIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transientMIIC3jCCAcagAwIBAgIQFOgcyJdf6pRLRqk+kAcU1zANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIEVuY3J5cHRpb24gLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTVaFw0xNjAyMTgwNzQ3NTVaMCsxKTAnBgNVBAMTIEFERlMgRW5jcnlwdGlvbiAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA539QwHAojXm5lcKoRAAe3yoOQxCbItjkgWsomRat9/E9o+tpszADLfO6KcyIwmxMdcN1mIPzEUzW/Fc5biMGCK2jSNCKN9HXiABUXJcRa+iZ7RN7eFdmKcLXRWaAeqb/l0icuSqbKxxCb3gFnQUxpRar7gZmS6xrnz0MBkRI7LXD/Mp6kU0VnfAMHQf33Wt1LXf/+w+l9V78o5b95OylPleRA6dplNfv60GLemmXY45VTpPlBDV0gFBrkYgmg7DPhR0U3MY1RYuUAsWx3htY7S4oNTEbl96Hyel6UPWiqaZFeeN+3aujABohgHM0vVVndswyxe2pnMZtieWJ+pP8yQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQDjfiC4cMQ353SjBRAtbSH6hJ9zZ97yvguVNELyHojSUmi6VEHT6OWsntFWxPsGZvJ0Oq34KM4ZSrnq5QhrB4QuB26RLSw1yR9jBtZMTy/fGm4X25wczPCoZbkrySktPtyCVC3xJw6MKlwcZNGF/zOwoqjeY015Z4CGJsBijtd7MSBf+6ijAcGYdxC1bumB3vfsJ9bu1eVu9QRpDQm78zXpw/LBMj68RfiXz50WRlALa+ca7NqeVIKcSYx20JaSAoe6y1tWlAPVieGDpaXzpKFQ/fF1wIHjdc3euNeKAX/eaV56vCuBG4kwAjSSrawwt/nZ4nflpKVC8RLNgobeaDnTMIIC2DCCAcCgAwIBAgIQfjdRsjCXc75E99PlMFiDijANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDEx1BREZTIFNpZ25pbmcgLSBpd2Vic2NybTE1LmNvbTAeFw0xNTAyMTgwNzQ3NTRaFw0xNjAyMTgwNzQ3NTRaMCgxJjAkBgNVBAMTHUFERlMgU2lnbmluZyAtIGl3ZWJzY3JtMTUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuThBgpEQ0IeqKWmaVdlY4idGsd7E/PiPdggk9Ol+wA/bYSSth4sHPOe2DWFu+IkgqaCKfZdCN6aI8TmQbfPjcqwlJSGqws2EFO/TULpbu/x1AwYV6J++BhpFD0iPbFPuypqGgC423+Z6RjP/99wU4tu5GtxvUD2L8iuW9AtXnZJy6MFDLmITVTWCzFQnPC7lGjY1mQ/XZXmidgq0f29qK1mvqGuwGT/BhQO1woj6O95gPhF3ZCMqW6h6ma0LjJhj1dR36NIs0k0sseUUjGbfOF81WZPm7e/HaDUJTF4ox51VIrf+Z7+HpUBCesYwFXhyCvYq6TIvY5NTkRWCKQ97mQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBl4L7NIWBeoeQRJg9RlkDzs2stg7Q+tZ6tminURNOC8ch0vhITbCq60uKXBzXn9LTHex1iXNlyZwI5YGXbw9pBsybDPDFxtyBGAwi/EX8Y0xe7ePGs7jNaGDMywFofP61g64HIAey6YjvKYFPxMqZmDBrzIhNnZ44f/o07TTOCdZJkqh5L/Qjilzfw2bwVg3uGaFthrn1LkL9xB82kuuXYW1QWe37Y9Gwf57qTQo56S44pxBB8loKn4hkNaRdKCgNCH7Ary3uLmmaFP/ETucAkIcy9Y/wr+TEzDVvGkRqCaWLUKeOumc+p026Jv3r/ba4Iq2njfat/pNv+dRIqt/PKurn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressurn:oasis:names:tc:SAML:2.0:nameid-format:persistenturn:oasis:names:tc:SAML:2.0:nameid-format:transient

When you find this

Typically when you test at a URL that looks like this: https://adfs.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml (With you domain name in it)

Solution:

On Internet Explorer / Internet Options / Local Intranet / Sites

Add the domain name with a wild card to your safe sites:

IE Safe Sites

Advance

Ie Safe Sites Advance

Adding the *.domain.com  to the safe sites list

*.domain.com Safe Sites.png

Add 

Now hitting the URL to test: https://sts.iwebscrm15.com/federationmetadata/2007-06/federationmetadata.xml

Gives a better result and expected result

ADFS 3.0 Test Results