adfs works from inside, but not outside

  • Question

  • ADFS 3 is used
    I have a certificate issued to adfs.c.ca
    I have a Windows 2012 R2 server ADFS 3 proxy c-adfs-proxy (not on the domain, in the DMZ)
    I have a Windows 2012 R2 server ADFS server called adfs.p.local on the domain
    The domain is p.local
    External name resolution for c.ca is in place

    I have a DNS entry on our domain controllers for adfs.c.ca pointing to the internal IP of the c-adfs.p.local

    https://adfs.c.ca/adfs/ls/idpinitiatedsignon shows the page internally and allows sign in and sign out

    Proxy is in DMZ (different subnet than .local with firewall)

    cc-adfs.p.local can resolve the c-adfs-proxy (an internal address)

    TCP ports 443 and 49443 go to the cc-adfs

    https://adfs.c.ca/adfs/ls/idpinitiatedsignon displays the picture from the Login page externally, but says "An error has occurred"

    -error in ADFS log-
    Exception details: 
    Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/idpiniatedlogin to process the incoming request.
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Activity ID: 00000000-0000-0000-4100-0080000000e7
    Error time: Mon, 21 Nov 2016 18:14:39 GMT
    Cookie: enabled
    User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 10.0; WOW64; Trident/8.0; Touch; .NET4.0C; .NET4.0E; Tablet PC 2.0; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729

    Should one of the servers be called adfs like the certificate?
    How do I troubleshoot this?

    Monday, November 21, 2016 6:37 PM


  • MSIS7065: There are no registered protocol handlers on path /adfs/ls/idpiniatedlogin to process the incoming request.

    The page you are trying to reach does not exist. Try the URL https://ADFSFQDN/adfs/ls/idpinitiatedsignon.aspx. Note that the URL will be the same to reach the WAP; you will need a split-brain DNS (aka split DNS horizon) to ensure that ADFSFQDN resolves to the internal IP address of your ADFS server for internal clients but to the external IP address of the WAP server for users connected externally.

    Tuesday, November 22, 2016 12:53 PM
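
A way to check the split-DNS setup and the sign-on URL described in the answer above, as an added example that is not part of the original thread. The federation name, the internal DNS server address and the public resolver are placeholders (assumptions); ports 443 and 49443 are the ones named in the question.

```powershell
# Added example. All values in this block are placeholders, not values from the thread.
$FederationName = 'adfs.example.com'   # placeholder: the ADFS service FQDN (the certificate name)
$InternalDns    = '10.0.0.10'          # placeholder: an internal DNS server (domain controller)
$ExternalDns    = '8.8.8.8'            # assumption: any public resolver will do
$SignOnPath     = '/adfs/ls/idpinitiatedsignon.aspx'

# Ask one specific DNS server for the A records of a name.
function Get-ARecord {
    param([string]$Name, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress
    } catch {
        Write-Warning "Lookup of $Name via $Server failed: $($_.Exception.Message)"
    }
}

$internal = @(Get-ARecord -Name $FederationName -Server $InternalDns)
$external = @(Get-ARecord -Name $FederationName -Server $ExternalDns)
"Internal view: $($internal -join ', ')"
"External view: $($external -join ', ')"

# Split DNS means the same name gives the ADFS server inside and the WAP outside.
if (-not $internal -or -not $external) {
    Write-Warning 'One of the two views does not resolve the name at all.'
} elseif (Compare-Object $internal $external) {
    'Split DNS in place: the two views return different addresses.'
} else {
    Write-Warning 'Both views return the same address; check which server it belongs to.'
}

# TCP reachability from this vantage point, on the two ports from the question.
foreach ($port in 443, 49443) {
    $r = Test-NetConnection -ComputerName $FederationName -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable = {2}' -f $FederationName, $port, $r.TcpTestSucceeded
}

# Request the sign-on page by its full path; a wrong path is what produces MSIS7065.
try {
    $resp = Invoke-WebRequest -Uri "https://$FederationName$SignOnPath" -UseBasicParsing
    "Sign-on page returned HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "Sign-on page request failed: $($_.Exception.Message)"
}
```

Run it once from a domain-joined client and once from a machine outside the firewall: the DNS comparison is the same from either side, while the port and page checks reflect the path from where it is run.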