ADFS 2016 SSO Error HTTP/1.1 401 Unauthorized

  • Question

  • Hi, I'm trying to get SSO working on my ADFS server, and have run into a problem.

    Whenever I test https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx on the domain client, I get the following result in Fiddler:

    HTTP/1.1 401 Unauthorized
    Content-Length: 0
    Server: Microsoft-HTTPAPI/2.0
    WWW-Authenticate: Negotiate
    WWW-Authenticate: NTLM
    Date: Wed, 21 Nov 2018 00:32:22 GMT
    Proxy-Support: Session-Based-Authentication

    It then prompts me to log in, and if I log in, everything works OK. So fundamentally ADFS is working, but SSO isn't.

    Is anyone able to help out with this problem?

    Thanks,

    N

    Wednesday, November 21, 2018 12:35 AM

Answers

  • To answer my own question. The SPN for HOST/adfs.contoso.com was set to the account I specified in the setup wizard.

    However, the wizard created a service account called adfs$ which was used to start up the ADFS services. The account was sitting in the "Managed Service Accounts" OU and was not searchable.

    You can check this by running the following in PowerShell:

     Get-ADObject -LDAPFilter "(servicePrincipalName=host/adfs.contoso.com)" -Properties name,serviceprincipalname

    This will tell you which object is assigned to that particular SPN entry. If the object is not the account starting up the services, then you will have problems.

    After that it was a matter of removing it from the nominated account, which was incorrect, and adding it to the adfs$ account.

    After a restart everything started working.

    Thursday, November 22, 2018 12:36 AM
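The check described in the answer, written out as an added example (not from the original poster): it looks up which directory object holds the HOST/ and HTTP/ SPNs for the federation service name, reads the account that actually starts the ADFS service (service name adfssrv) on this host, and reports whether they match. It assumes the farm name adfs.contoso.com from the thread, that it runs on the ADFS server, and that the ActiveDirectory PowerShell module is installed.

```powershell
# Added example: verify that the SPN for the federation service name is held by
# the same account that runs the ADFS service. Kerberos SSO only works when the
# service ticket is encrypted for the account that actually decrypts it; if the
# SPN sits on another account, Negotiate fails and the browser falls back to a
# credential prompt (the 401 with WWW-Authenticate: Negotiate/NTLM seen above).
Import-Module ActiveDirectory

$fsName = 'adfs.contoso.com'   # assumption: federation service name from the thread

# 1. Which object(s) hold HOST/<fsName> or HTTP/<fsName>? Searching by LDAP filter
#    also finds accounts in the "Managed Service Accounts" container.
$filter = "(|(servicePrincipalName=host/$fsName)(servicePrincipalName=http/$fsName))"
$spnHolders = @(Get-ADObject -LDAPFilter $filter -Properties name, servicePrincipalName, objectClass)

# 2. Which account starts the ADFS service on this host? For a gMSA such as
#    adfs$ the StartName is reported as DOMAIN\adfs$.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "adfssrv service not found; run this on the ADFS server." }
$runAsName = ($svc.StartName -split '\\')[-1].TrimEnd('$')

Write-Host "ADFS service runs as : $($svc.StartName)"
Write-Host "SPN holder(s) for $fsName :"
$spnHolders | ForEach-Object {
    "  {0} ({1}) -> {2}" -f $_.Name, $_.ObjectClass, ($_.servicePrincipalName -join ', ')
}

# 3. Evaluate the three states an admin cares about.
switch ($spnHolders.Count) {
    0 { Write-Warning "No object holds HOST/ or HTTP/ $fsName; Kerberos cannot be used at all." }
    1 {
        if ($spnHolders[0].Name -ieq $runAsName) {
            Write-Host "OK: SPN is registered on the service account." -ForegroundColor Green
        } else {
            Write-Warning ("SPN is on '{0}' but the service runs as '{1}'. " +
                           "Move the SPN to the service account.") -f $spnHolders[0].Name, $runAsName
        }
    }
    default { Write-Warning "Duplicate SPN: more than one object holds it; Kerberos will fail until only one remains." }
}
```

Run it in an elevated PowerShell session on the ADFS server; a green "OK" line means the SPN and the run-as account agree, and either warning points at the same root cause the answer describes.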