
I am trying to create an MVC5 Web Application configured to use the On-Premises Organizational Authentication option (ADFS) as described here by Vittorio Bertocci.

First, I create a new MVC project. Then I change the Authentication to On-Premises and set the On-Premises Authority to my ADFS federation metadata endpoint. I checked to make sure the federation metadata XML could be reached, and it was. I leave the App ID URI field blank, accepting the default value. I've done both: provided a value and left it blank.

I then configured my relying party app manually, setting the relying party WS-Federation Passive Protocol URL to https://localhost:44300, which was provided by Visual Studio. This value is the only value given as the trust identifier.

Lastly, I mapped 2 claim types for good measure; Display Name and User-Principal Name. All this provided by the example link.

I then run it (F5); the ADFS login pops up with a generic error. I go to the ADFS server and find the following detailed error.

Development environment: I have 3 servers and 1 client

  • 1 Domain Controller
  • 1 CA server
  • 1 ADFS
  • 1 Windows 8 client.

I keep receiving the following error message from ADFS:

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
wsfed 

Relying Party: 
https://localhost:44300/ 

Exception details: 
Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://localhost:44300/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.Validate()
   at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Any help is appreciated.

monkeyjumps

2 Answers


As mentioned in Vittorio's first response, it seems that the relying party identifier sent by your application does not match what is registered in ADFS. This should not require a new vanilla ADFS setup. I suggest the following:

  1. Ensure that you have a Relying Party trust setup in ADFS for the application.
  2. Ensure that the identifier for the application matches what you have specified in your application as you see in Vittorio's blog post.
  3. Ensure that the return URL is set correctly on the ADFS relying party trust and matches your F5 settings for the application. You can see a screen shot in Vittorio's blog post.

Let me know if this works out for you.

--Sam

SamuelD MSFT
  • Ok, thanks, got it to work. The identifier was indeed incorrect. However, I don't get redirected to the ADFS custom login page. When I run the app, it throws up a Windows prompt from the browser, then passes me through to the app. Why might that be? – monkeyjumps Jul 11 '14 at 23:23
  • Using Chrome worked as expected. I was taken to the ADFS default signon and then connected. Perfect, thanks again to everyone! – monkeyjumps Jul 12 '14 at 01:16

It looks like you defined your RP trust using https://localhost:44300 but in fact you are sending https://localhost:44300/ (note the trailing slash). The trailing slash is significant for that comparison! :-) I recommend using a logical identifier per realm, or adding the trailing slash in your RP trust. HTH V.

vibronet
  • Started over & created a new dev environment with two domains this time, companyA and companyB. On the companyA domain I set up the RP trust as you described & it worked. I hit F5 and it takes me to the following URL: https://adfs.companya.local/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%3a44300%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2014-06-25T20%3a10%3a17Z with the following [login page](https://monkeyjumps.blob.core.windows.net/images/HomeRealmDiscovery.PNG). I then choose companyA and it then [prompts me again](https://monkeyjumps.blob.core.windows.net/images/WindowsSecurity.PNG). – monkeyjumps Jun 25 '14 at 20:11
  • Once I log in again, I receive a Bad Request [error](https://monkeyjumps.blob.core.windows.net/images/BadRequestError.PNG). First off, not sure why I am getting challenged twice, and then the error must mean I need to publish to IIS and create a new identifier in the RP and modify my local DNS? I feel completely off target from the provided example. Thanks. – monkeyjumps Jun 25 '14 at 20:28
  • Hi, the sample describes a simple topology where there's just one vanilla ADFS and domain setup. The issues you are experiencing seem to be related more to the infrastructure side of the setup, on which I have limited expertise. Let me try to pull somebody from the ADFS team to the thread. – vibronet Jun 25 '14 at 21:00
  • The second domain is not even turned on yet. It shows up because the root cert is in the trusted root authority. My MVC app is in the same domain (companyA) as the ADFS server. – monkeyjumps Jun 25 '14 at 21:12
  • I type the following URL https://adfs.companya.local/adfs/ls/idpinitiatedsignon.aspx, then I am challenged twice; I receive a blank screen, but inside Fiddler I receive a 401 Unauthorized error. My error seems to be very similar to [this](http://kilta.sovelto.fi/core/infra/windows-server-2012-r2-ad-fs-login-fails-with-http-error-400/), but my DNS checks out, unlike his example. My DNS is set as a Host (A). – monkeyjumps Jul 02 '14 at 02:21
  • Hi there, did you get a follow-up from ADFS in the end? – vibronet Jul 02 '14 at 23:26
  • No, but I am going to try it again and set up a new vanilla environment, then run through your example again. Do you have any references on how you set up your environment? – monkeyjumps Jul 03 '14 at 01:37
  • I don't, sorry. I don't set up my own ADFSes, I am not a good admin :-) Apologies about the delay. I'll ping them again. thanks – vibronet Jul 03 '14 at 22:10
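As an added example that is not part of the question or of either answer: the following PowerShell check, run on the ADFS server, pulls the wtrealm out of the redirect URL monkeyjumps pasted above and looks it up the way ADFS does, as an exact string match against the trust's Identifier list. That makes both Sam's three checks and Vittorio's trailing-slash point visible in one run: a trust whose identifier differs only by a trailing slash is reported as a near miss, and the trust's WS-Federation endpoint is printed so it can be compared with the F5 URL. It assumes the ADFS PowerShell module that ships with the ADFS role on Windows Server 2012 R2 (Get-AdfsRelyingPartyTrust, Set-AdfsRelyingPartyTrust); the commented Set-AdfsRelyingPartyTrust line is a suggested fix, not something the thread ran, and the web.config key name in the last comment is an assumption about the VS 2013 template.

```powershell
# Added example, not code from the question or the answers.
# Run on the ADFS server; assumes the Windows Server 2012 R2 ADFS module.
Import-Module ADFS

# Redirect URL copied from the comments above. wtrealm is the identifier the
# MVC app claims for itself; ADFS must find a trust with exactly this value.
$redirect = 'https://adfs.companya.local/adfs/ls/?wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%3a44300%2f&wctx=rm%3d0%26id%3dpassive%26ru%3d%252f&wct=2014-06-25T20%3a10%3a17Z'

Add-Type -AssemblyName System.Web
$query   = ([Uri]$redirect).Query
$wtrealm = [System.Web.HttpUtility]::ParseQueryString($query)['wtrealm']
Write-Host "App sends wtrealm: '$wtrealm'"

# ADFS compares wtrealm against the trust's Identifier list as an exact string,
# so 'https://localhost:44300' and 'https://localhost:44300/' are different trusts.
$trust = Get-AdfsRelyingPartyTrust -Identifier $wtrealm -ErrorAction SilentlyContinue

if ($trust) {
    Write-Host "OK: trust '$($trust.Name)' carries identifier '$wtrealm'"
    # Sam's third point: the endpoint ADFS posts the token back to must be the
    # URL the app actually listens on under F5 (https://localhost:44300/ here).
    Write-Host "WS-Federation passive endpoint on the trust: $($trust.WSFedEndpoint)"
}
else {
    Write-Host "No trust has identifier '$wtrealm' exactly (this is what MSIS7007 reports)."
    # Show near misses: same identifier apart from a trailing slash (or case,
    # since -eq is case-insensitive in PowerShell).
    Get-AdfsRelyingPartyTrust | ForEach-Object {
        $t = $_
        foreach ($id in $t.Identifier) {
            if ($id.TrimEnd('/') -eq $wtrealm.TrimEnd('/')) {
                Write-Host "Near miss: trust '$($t.Name)' has '$id' but the app sends '$wtrealm'"
                # Fix on the ADFS side: register both spellings on the existing trust.
                # Set-AdfsRelyingPartyTrust -TargetName $t.Name -Identifier @($id, $wtrealm)
            }
        }
    }
    # Alternatively fix the app side: make the value the app sends (assumed to be
    # the ida:Wtrealm appSetting in web.config for the VS 2013 template) equal to
    # the identifier that is registered on the trust.
}
```

The near-miss branch is the one that explains the MSIS7007 in the question: the trust was created with https://localhost:44300 and the app sent https://localhost:44300/, which the exact lookup rejects. Registering both spellings on the trust, or changing the app's realm to the registered one, resolves it either way; the page itself does not say which of the two monkeyjumps chose.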