ADFS keeps breaking

  • Question

  • I am having an issue with ADFS at the moment.

    When a user hits a page on a site behind ADFS, they enter their credentials and get passed through.

    The problem I have is that every few days it just stops working, that is to say a user gets through to ADFS and is requested to enter their credentials, and no matter how many times they try they do not get passed through.

    The workaround is for me to restart the ADFS service, and then everything works again for a few days until the problem arises again.

    Tuesday, March 14, 2017 1:40 AM

All replies

  • I forgot to mention I had this problem on ADFS 3.0 (srv2012r2) and so I upgraded to ADFS 4.0 (srv2016), and the symptoms and problem still remain identical.

    Tuesday, March 14, 2017 1:41 AM
  • Can you share more details on your configuration? What does "a page sitting behind ADFS" mean? Using ADFS for authentication or published with WAP? What federation protocol are they using? Do you see any error message in the AD FS Admin logs (event viewer of your ADFS server)?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 14, 2017 12:46 PM
  • Hi Pierre,

    Thank you for assisting. Let me add more detail.

    Currently I have a website https://library.xxx.xxx.au

    In my setup I have a rule set up on my Web Application Proxy (WAP) (which sits on Server 2016) that is located in the DMZ.

    The rule on WAP is:

    1. Use ADFS preauthentication
    2. Web and MSOFBA
    3. Use a relying party trust which I created on ADFS

    This then passes through to ADFS,

    where I have created a non-claims-aware relying party trust for

    https://library.xxx.xxx.au

    I am getting errors in ADFS:

    Event ID 511 followed by 364


    Event 511

    The incoming sign-in request is not allowed due to an invalid Federation Service configuration.

    Request url:

     /adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=8d6abddd-0d29-e611-80bf-0050568c7ef2&returnUrl=https%3A%2F%2Flibrary.xxx.xxx.xxx.au%2Flibero%2FWebOpac.cls%3FVERSION%3D2%26amp%3BACTION%3DOPACTIMEOUT%26amp%3BDATA%3D%26amp%3BTOKEN%3DPiqgD0Hr7W4766%26amp%3BMGWCHD%3D0&client-request-id=2412183c-f384-0000-3541-122484f3d101

    User Action:

     Examine the Federation Service configuration and take the following actions:

      Verify that the sign-in request has all the required parameters and is formatted correctly.

      Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters.

      Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.

    Event 364

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:

     

    Relying Party:

     

    Exception details:

    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust '8d6abddd-0d29-e611-80bf-0050568c7ef2' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.

       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)

       at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)

       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    However, even though I see the above errors, it will still work for a few days.

    Then all of a sudden it stops working,

    that is to say a user gets through to ADFS and is requested to enter their credentials, and no matter how many times they try they do not get passed through.

    The workaround is for me to restart the ADFS service, and then everything works again for a few days until the problem arises again.

    • Edited by Monty101 Wednesday, March 15, 2017 2:22 AM
    Tuesday, March 14, 2017 10:11 PM
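    A check I would run against the events quoted above, as an added example that is not code from the thread: it pulls the appRealm GUIDs from recent Event 511 entries in the AD FS Admin log, asks the WAP host which relying party ID it sends for the published application, and verifies that AD FS has an enabled trust carrying a matching identifier (the verification Event 511's user-action text describes). The WAP hostname and the external URL are assumptions, WinRM to the WAP host is assumed, and the comparison assumes AD FS resolves appRealm against the trust's Identifier list.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell
# session on the AD FS server; step 2 reaches the WAP host over WinRM.
$wapHost     = 'WAP01.example.local'           # assumed hostname, replace
$externalUrl = 'https://library.xxx.xxx.au/'   # external URL of the published app

# 1. Collect the appRealm values that recent Event 511/364 entries mention.
$evts = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 511, 364 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue
$realms = @()
foreach ($e in $evts) {
    if ($e.Message -match 'appRealm=([0-9a-fA-F-]{36})') { $realms += $Matches[1] }
}
$realms = @($realms | Sort-Object -Unique)
"appRealm values seen in AD FS Admin events: $($realms -join ', ')"

# 2. Ask WAP which relying party ID it attaches to this published application.
$app = Invoke-Command -ComputerName $wapHost -ScriptBlock {
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalUrl -eq $using:externalUrl } |
        Select-Object Name, ExternalPreauthentication, ADFSRelyingPartyName, ADFSRelyingPartyID
}
if ($app) { $app | Format-List } else { "WAP has no published application for $externalUrl" }

# 3. Does AD FS hold an enabled trust (claims-aware or not) with that identifier?
$trusts = @(Get-AdfsRelyingPartyTrust) + @(Get-AdfsNonClaimsAwareRelyingPartyTrust)
$toCheck = @($realms + @($app.ADFSRelyingPartyID) | Where-Object { $_ } | Sort-Object -Unique)
foreach ($realm in $toCheck) {
    $t = $trusts | Where-Object { $_.Identifier -contains $realm } | Select-Object -First 1
    if (-not $t) {
        "$realm : no relying party trust has this identifier (MSIS7007 is expected)"
        "  identifiers AD FS knows: " + (($trusts | ForEach-Object { $_.Identifier }) -join ', ')
    } elseif (-not $t.Enabled) {
        "$realm : trust '$($t.Name)' exists but is disabled"
    } else {
        "$realm : OK, trust '$($t.Name)' is enabled"
    }
}
```

    If step 3 reports OK while users are still stuck, the identifier mapping is not the fault, and the next place to look is the AD FS Admin log in the minutes before the service restart rather than the recurring 511/364 pairs.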
  • Can anyone help please?
    Wednesday, March 22, 2017 9:08 PM
  • When you say it does not work anymore, it is like nothing is working or just this Relying Party?

    How many clients are connecting to your WAP server? Is there a correlation with the number of active connections? Maybe it is an issue of the number of ephemeral ports available, if it is correlated to the load.

    Also, I guess you tried this, but ensure that you have all latest updates on both ADFS and WAP.


    Thursday, March 23, 2017 12:24 PM
  • Hi Pierre,

    In answer to your questions:

    "When you say it does not work anymore, it is like nothing is working or just ?"

    The only thing that appears to stop working is

    the ability to accept any credentials at the logon page. The second I restart the ADFS service and then re-enter credentials I can get through to the site.

    "How many clients are connecting to your WAP server"

    Very few, like 20 people at most. It is a new setup and not many people know of it yet.

    I also have the latest updates.

    Thursday, March 23, 2017 9:15 PM
  • When a user sees this problem, what happens when they clear out all the cookies?

    Thursday, March 23, 2017 11:04 PM
  • Hi, I have tried clearing the cookies,

    and even when I try

    https://adfs.xx.xx.xx/adfs/ls/IdpInitiatedSignon.aspx

    it won't allow me to sign on.

    The second after I restart the ADFS service on the ADFS server I can then sign in.

    Please someone help

    Monday, March 27, 2017 1:36 AM