AD FS Logon Page Graphics

Two Planker 111

Greetings,

I've deployed an AD FS server successfully in an isolated environment (no Internet). When I get to the AD FS logon page, there are no graphics, just text and related fields. I'm not having any luck finding a resolution. The system works properly otherwise.

Has anyone experienced this?

Thanks,

Chris

Accepted answer

Two Planker 111 Reputation points

2021-11-16T17:07:03.313+00:00

Sikumars,

after breaking and troubleshooting ADFS after a backup, uninstall, re-install and restore, I have found a workaround here:

https://social.technet.microsoft.com/Forums/Lync/en-US/2df3ef95-b0e1-4a89-96ce-3fd4edd7a7f9/failed-to-start-endpoint-https49443adfsportal?forum=ADFS

I've added my Group Managed Service Account to the local admins group and now the graphics on the logon page appear. I've also tried the "fix" described by one of the users yet it does not work. Only adding the gmsa to the admins group allows the site to present normally.

I may not be applying the fix properly as I don't quite understand all that he is referring to. I tried modifying the url acl permission for https://+:443/adfs by deleting the existing perms for User: NT SERVICE\adfssrv and adding my gmsa service account yet there was no change after restarting services.

Does this make sense to you?

I apologize if I don't reply to any responses as I'm leaving town for about a week.

Thanks for the help,

TP
Please sign in to rate this answer.

1 person found this answer helpful.
Sean McGee 0 Reputation points

2023-07-20T06:11:09.7333333+00:00

Thank you Two Planker, did you say also it doesn't need to stay that way afterwards?
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

10 additional answers

Two Planker 111 Reputation points

2021-11-16T17:15:02.7+00:00

A quick update,

I removed the gmsa account from the admin group and restarted the adfs server. The logon page graphics are still present. Wondering if the fix actually worked and the server just needed restarting or did adding/removing the gmsa account from the admin group was all that was needed.

TP
Please sign in to rate this answer.

2 people found this answer helpful.
Siva-kumar-selvaraj 15,721 Reputation points

2021-11-17T20:59:32.177+00:00

I appreciate your efforts in identifying the problem.

To circumvent permission difficulties, one common solution is to provide the ADFS service account local administrator access.

When performing the installation and initial setup of AD FS, the administrator should have local administrator access on the AD FS server, so ADFS configure all required permissions during the installation process, such as HTTP, logon service, NTFS, and local database permission. If any permissions were overlooked after installation, the problem might be resolved by adding the ADFS service account to the local admin group.

Here is ADFS Permissions requirements. Hope this helps.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Rich Matheisen 47,901 Reputation points

2021-10-13T21:05:05.52+00:00

How about this? ad-fs-user-sign-in-customization
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
Limitless Technology 39,921 Reputation points

2021-10-15T09:34:38.61+00:00

Hi there,

When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Microsoft Azure, or Microsoft Intune, the Internet browser can't display the Active Directory Federation Services (AD FS) sign-in webpage. Additionally, the user may receive an error message.

This issue may occur if the user can't contact the on-premises AD FS federation server or the Internet-facing AD FS Federation server proxy. This can occur when the AD FS Federation Service stops running or when IP connectivity is marginalized.

You can try the following steps https://learn.microsoft.com/en-us/office365/troubleshoot/sign-in/ad-fs-sign-in-page-not-display

------------------------------------------------------------------------------------------------------------------------------------

If the reply is helpful, please Upvote and Accept it as an answer
Please sign in to rate this answer.
Two Planker 111 Reputation points

2021-10-21T18:37:25.007+00:00

Sorry LimitlessTechnology-2700,

as stated, the environment is not Internet connected. This is an on-premise AD FS instance. The log in works, it's just that the graphics do not appear on the log in page.

Thanks
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee

2021-10-18T12:22:37.187+00:00

@Two Planker Since you mentioned that you configured that in an isolated environment, make sure that the machine on which you are trying has the ADFS url in local intranet zone of internet explorer.

Follow this if you need step by step method : https://learn.microsoft.com/en-us/dynamics365/customerengagement/on-premises/deploy/add-the-ad-fs-website-to-the-local-intranet-security-zone?view=op-9-1

Let me know if this helps, we can also take this offline to understand more and help.

-----------------------------------------------------------------------------------------------------------------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Please sign in to rate this answer.
Two Planker 111 Reputation points

2021-10-21T18:34:19.483+00:00

Thanks ipulsparsh-MSFT,

Although I've added the URL and IP as well to no avail.

VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee

2021-10-26T12:22:34.5+00:00

@Two Planker Can you confirm the following :

1) If idp initiated signon page is disabled. ?
Because if that is disbled then we only see blank page

2) What url are you tying to access the ADFS page internally ?

3) and also confirm if you have enabled form paged authentication internal otherwise.
If its not enabled, you should get a WIA prompt.

Two Planker 111 Reputation points

2021-10-26T15:47:03.727+00:00

1) The idp initiated signon page is enabled and functioning (without graphics/illustrations).
2) https://<adfs-server>.domain/adfs/ls
3) Yes, Forms based authentication is the Primary Intranet Authentication Provider

Thanks for the reply

VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee

2021-10-27T07:45:14.743+00:00

@Two Planker Can we take this offline to discuss further, I want to get all the details about the graphics that you are talking about, is this something that you added to ADFS web themes, if yes, have you tried setting the default them again and see if that works fine for you :

Set-AdfsWebTheme –TargetName default

I would need screenshot of what ADFS graphics are you expecting, Connect with me offline at azcommunity@microsoft.com with subject "Atten-Vipul" and I will get back to you on this.

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2021-11-01T23:27:58.843+00:00

@Two Planker
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue offline with Vipul?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Two Planker 111 Reputation points

2021-11-02T17:57:00.48+00:00

Unfortunately no,

the issue still persists. While I appreciate Vipul's offer, I'll refrain from going outside the forum. I don't see an advantage as policy prevents any uploads of any kind and the system is not Internet connected.

TP
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

AD FS Logon Page Graphics

10 additional answers

Your answer