This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

ADFS 2016 SSO Error HTTP/1.1 401 Unauthorized

Question
0

Sign in to vote

Hi, I'm trying to get SSO working on my ADFS server, and have run into a problem.

Whenever I test https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx on the domain client, I get the following result in Fiddler:
HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Wed, 21 Nov 2018 00:32:22 GMT
Proxy-Support: Session-Based-Authentication

It then prompts me to login, and if I log in, everything works OK. So fundamentally ADFS is working, but SSO isnt.

Is anyone able to help out with this problem?

Thanks,

N

Wednesday, November 21, 2018 12:35 AM

Answers

0

Sign in to vote
To answer my own question. The SPN for HOST/adfs.contoso.com was set to the account I specified in the setup wizard.

However, the wizard created a service account called adfs$ which was used to start up the ADFS services. The account was sitting in the "Managed Service Accounts" OU and was not searchable.

You can check this by running the following in powershell:

Get-ADObject -LDAPFilter "(servicePrincipalName=host/adfs.contoso.com)" -Properties name,serviceprincipalname

This will tell you which object is assigned to that particular SPN entry. If the Object is not the account starting up the services, then you will have problems.

After that it was a matter of removing it from the nominated account which was incorrect, to the adfs$ account.

After a restart everything started working.
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Thursday, November 22, 2018 10:26 PM
Thursday, November 22, 2018 12:36 AM