Invalid sign in for non claims based application and WAP

  • Question

  • I have a WAP and ADFS server setup. The ADFS server works great for claims-based relying parties and as a SAML2 Identity Provider. I'm integrating a Web Application Proxy for a non-claims-based application. I went through the steps in https://technet.microsoft.com/en-us/library/dn383640%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396; everything completed fine, but when I try to access my application I get an error screen from ADFS instead of a login, with the following error:

    "An error occurred. Contact your administrator for more information."

    Looking in the event viewer under "AD FS" Admin there are two entries:


    Encountered error during federation passive request. 


    Additional Data 

    Protocol Name: 


    Relying Party: 


    Exception details: 
    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    And

    The incoming sign-in request is not allowed due to an invalid Federation Service configuration.  

    Request url: 
     /adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=fd0406bd-ddbf-e711-80eb-525400b89e61&returnUrl=https%3A%2F%2Fsharepoint.ent2k12.domain.com%2F&client-request-id=5CB11196-53DA-0000-C426-B15CDA53D301 

    User Action:
     Examine the Federation Service configuration and take the following actions: 
      Verify that the sign-in request has all the required parameters and is formatted correctly. 
      Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. 
      Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.

    Any ideas where to look from here?

    Thanks

    Marc


    Thursday, November 2, 2017 4:05 PM

Answers

  • Make sure the client resolves both the FQDN of the application and the FQDN of the ADFS farm to the IP address of the WAP.

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Thursday, November 2, 2017 4:22 PM
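A quick client-side check for the condition the answer describes, added here as an example (not code from the thread or from Microsoft): it resolves the application FQDN and the AD FS farm FQDN and reports whether every returned address belongs to the WAP. The ADFS name `adfs.domain.com` and the WAP address `203.0.113.10` are constructed placeholders; the application FQDN is the one from the event in the question.

```powershell
# Added example, not from the original thread. Verifies, from the client, that
# both the application FQDN and the AD FS farm FQDN resolve to the WAP.
# All names and addresses passed in the usage call are placeholders.
function Test-WapNameResolution {
    param(
        [Parameter(Mandatory)] [string]   $AppFqdn,   # published application FQDN
        [Parameter(Mandatory)] [string]   $AdfsFqdn,  # federation service name (assumed value below)
        [Parameter(Mandatory)] [string[]] $WapIp      # external IP address(es) of the WAP
    )
    $results = foreach ($name in @($AppFqdn, $AdfsFqdn)) {
        try {
            # Resolve-DnsName consults the hosts file as well as DNS, so a local
            # alias (as used in the follow-up reply) shows up in this result.
            $addrs = @((Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                        Where-Object { $_.Type -eq 'A' }).IPAddress)
        } catch {
            $addrs = @()   # name does not resolve at all
        }
        $onWap = @($addrs | Where-Object { $WapIp -contains $_ })
        [pscustomobject]@{
            Name     = $name
            Resolves = ($addrs -join ', ')
            # True only when the name resolves and every address is a WAP address
            ViaWap   = ($addrs.Count -gt 0) -and ($onWap.Count -eq $addrs.Count)
        }
    }
    $results | Format-Table -AutoSize
    if ($results.ViaWap -contains $false) {
        Write-Warning ("At least one name bypasses the WAP or does not resolve; " +
                       "this is the setup that produces the MSIS7009 / " +
                       "'invalid Federation Service configuration' events.")
    }
    return $results
}

# Usage (placeholder AD FS name and WAP address):
Test-WapNameResolution -AppFqdn 'sharepoint.ent2k12.domain.com' `
                       -AdfsFqdn 'adfs.domain.com' `
                       -WapIp '203.0.113.10'
```

Run it on the client that sees the error page, not on the WAP or AD FS server, since the split-brain DNS view of those hosts is usually different.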

All replies

  • OK, I misread your response. Once I aliased both the WAP IP and the IdP IP I got past authentication. I'm getting a 500 error now on the auth token, but I'll start a new thread if that doesn't work.

    Thanks!

    Thursday, November 2, 2017 5:14 PM