Symptoms

Browsing to certain AD FS 2.0 resources results in an authentication prompt instead of the anonymous access those pages are expected to allow.

Examples:

  • /adfs/ls/idpinitiatedsignon.aspx
  • /adfs/ls/homerealmdiscovery.aspx, reached when browsing to /adfs/ls/ with WS-Federation parameters or SAML 2.0 protocol data in the request

Cause

The problem lies in the IIS configuration and can arise from either of two conditions:

1. Authentication settings on /adfs/ls/

  • /adfs/ls/ should have Anonymous and Windows authentication enabled

2. Settings from web.config

  • Check for web.config files at the root of the web site and in every web application or virtual directory down to the path that is failing. For example, if /adfs/ls/idpinitiatedsignon.aspx is failing, look for a web.config file at the Default Web Site root, in /adfs/, and in /adfs/ls/.
  • A web.config file can contain a URL authorization section that causes anonymous requests to fail even though Anonymous authentication is enabled in IIS at the level you are accessing. The URL authorization section looks like this:

  <authorization>
    <{some_authorization_statement}/>
  </authorization>

 

More specifically:

<authorization>

<deny users="?" />

</authorization>

 

The users attribute of the deny element can carry any value, such as "?", "*", or specific user names.

"?" - denies access to all anonymous users.

"*" - denies access to all users.

Because a web.config applies to everything beneath the directory that contains it unless a deeper web.config overrides it, a deny rule placed higher in the path affects /adfs/ls/ even when IIS allows anonymous access there.
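As an added example (not part of the original article), the following Python evaluates web.config authorization rules for an anonymous request the way ASP.NET URL authorization does, walking from the site root down to the failing path. It generalizes the single deny rule above to ordered allow/deny rules: the rules of the deepest web.config are evaluated first, the first matching rule wins, and with no match access is allowed. The sample web.config contents and virtual directory names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: virtual directory -> web.config contents. The file under
# /adfs/ls carries the <deny users="?" /> rule described in the article.
SAMPLE_CONFIGS = {
    "/": """<configuration><system.web>
                <authorization><allow users="*" /></authorization>
            </system.web></configuration>""",
    "/adfs/ls": """<configuration><system.web>
                <authorization><deny users="?" /></authorization>
            </system.web></configuration>""",
}


def ancestor_dirs(request_path):
    """'/adfs/ls/idpinitiatedsignon.aspx' -> ['/', '/adfs', '/adfs/ls']."""
    parts = request_path.strip("/").split("/")[:-1]
    dirs = ["/"]
    for i in range(len(parts)):
        dirs.append("/" + "/".join(parts[: i + 1]))
    return dirs


def rules_in(config_xml):
    """Yield (action, users) for each allow/deny under system.web/authorization, in file order."""
    root = ET.fromstring(config_xml)
    for rule in root.findall("./system.web/authorization/*"):
        if rule.tag in ("allow", "deny"):
            users = [u.strip() for u in rule.get("users", "").split(",") if u.strip()]
            yield rule.tag, users


def matches_anonymous(users):
    # "?" = anonymous users, "*" = everyone. Named accounts never match an
    # unauthenticated request, and a roles-only rule cannot match it either,
    # because an anonymous user carries no roles.
    return "?" in users or "*" in users


def anonymous_access(configs, request_path):
    """Return (allowed, deciding_vdir) for an anonymous request to request_path.

    Child rules are evaluated before parent rules, the first matching rule
    wins, and if nothing matches the request is allowed.
    """
    for vdir in reversed(ancestor_dirs(request_path)):
        if vdir not in configs:
            continue
        for action, users in rules_in(configs[vdir]):
            if matches_anonymous(users):
                return action == "allow", vdir
    return True, None
```

Running anonymous_access(SAMPLE_CONFIGS, "/adfs/ls/idpinitiatedsignon.aspx") returns (False, "/adfs/ls"), pointing at the web.config whose deny rule produces the authentication prompt.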

Resolution

1. Revert the IIS authentication settings to their defaults: /adfs/ should have Anonymous authentication only, and /adfs/ls/ should have Anonymous and Windows authentication.

2. Edit or remove any web.config files containing authorization settings that block anonymous access.