Facing issues while using Custom Authentication Provider with AD FS for MFA

  • Question

  • Hello,

    We're trying to build a custom authentication provider to use with AD FS for MFA.

    We're using Windows 2012 R2 with AD FS 3.0.

    Below are the steps which we have followed.


    After creating the Custom Authentication Provider, we registered the DLL in the GAC and also published it in AD FS using the "Register-AdfsAuthenticationProvider" PowerShell cmdlet.

    After that we got our provider listed in AD FS Global Authentication Policy dialog.

    After that we've created a relying party trust and created claim rules.

    (We configured relying party web.config with FedUtil.exe)

    Now when we try to load our web application in the browser, we are first asked for user credentials (AD creds). Upon providing AD credentials we get an error.

    Following is the error we get in Event Log.
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    	<System>
    		<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" /> 
    		<EventID>364</EventID> 
    		<Version>0</Version> 
    		<Level>2</Level> 
    		<Task>0</Task> 
    		<Opcode>0</Opcode> 
    		<Keywords>0x8000000000000001</Keywords> 
    		<TimeCreated SystemTime="2017-05-22T07:51:41.948383000Z" /> 
    		<EventRecordID>8664</EventRecordID> 
    		<Correlation ActivityID="{00000000-0000-0000-0D00-0080020000E3}" /> 
    		<Execution ProcessID="6028" ThreadID="752" /> 
    		<Channel>AD FS/Admin</Channel> 
    		<Computer>BobsecAB_SERVER.bob.local</Computer> 
    		<Security UserID="S-1-5-21-2263536488-390553313-4233475668-500" /> 
    	</System>
    	<UserData>
    		<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
    			<EventData>
    				<Data>wsfed</Data> 
    				<Data>https://localhost/webapplication18/</Data> 
    				<Data>System.IO.InvalidDataException: The identity information provided does not contain a Windows account name. at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData) at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)</Data> 
    			</EventData>
    		</Event>
    	</UserData>
    </Event>

    Can you please point out where we could be making a mistake?

    We've followed steps from: [https://blogs.technet.microsoft.com/cloudpfe/2014/02/01/how-to-create-a-custom-authentication-provider-for-active-directory-federation-services-on-windows-server-2012-r2-part-2/]

    Thanks in advance.

    Sunil Gohel

    Monday, May 22, 2017 1:21 PM

All replies

  • Have you ever found the solution? I have the same issue.
    Saturday, June 10, 2017 8:24 AM
  • What Claim do you use for your IdentityClaims properties?

    It has to be one of the following:

    • "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
    • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
    • "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    • "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"


    Sunday, June 11, 2017 3:07 PM
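    As an added example (not code from this thread or from the TechNet walkthrough it follows), here is an IAuthenticationAdapterMetadata implementation that sets IdentityClaims to one of the four supported types and validates the setting when the metadata object is constructed, so an unsupported claim type fails at build/test time rather than as event 364 in the AD FS/Admin log. The class name, the OTP authentication method URI and the en-US strings are assumptions chosen for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityServer.Web.Authentication.External;

// Metadata for a custom AD FS 3.0 MFA adapter. IdentityClaims is the setting behind
// event 364 "The identity information provided does not contain a Windows account name":
// AD FS hands the adapter a single Claim of a requested type, resolved from the primary
// (AD) logon, and rejects a type it cannot resolve.
public class ExampleAdapterMetadata : IAuthenticationAdapterMetadata
{
    // The four claim types AD FS accepts for IdentityClaims (as listed in the reply above).
    public static readonly string[] SupportedIdentityClaims =
    {
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"
    };

    // Guard callable from a unit test before Register-AdfsAuthenticationProvider is run.
    public static void ValidateIdentityClaims(string[] identityClaims)
    {
        if (identityClaims == null || identityClaims.Length == 0)
            throw new InvalidOperationException("IdentityClaims must name at least one claim type.");
        foreach (var claimType in identityClaims.Where(c => !SupportedIdentityClaims.Contains(c, StringComparer.Ordinal)))
            throw new InvalidOperationException("Unsupported identity claim type: " + claimType);
    }

    public ExampleAdapterMetadata() { ValidateIdentityClaims(IdentityClaims); }

    // windowsaccountname gives the adapter a DOMAIN\user value to key its second factor on.
    public string[] IdentityClaims
    {
        get { return new[] { "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" }; }
    }

    // Authentication method URI the adapter reports back to AD FS (assumed value for this example).
    public string[] AuthenticationMethods
    {
        get { return new[] { "http://schemas.microsoft.com/ws/2012/12/authmethod/otp" }; }
    }

    public string AdminName { get { return "Example MFA Adapter"; } }
    public int[] AvailableLcids { get { return new[] { 1033 }; } }  // 1033 = en-US
    public Dictionary<int, string> FriendlyNames { get { return new Dictionary<int, string> { { 1033, "Example MFA" } }; } }
    public Dictionary<int, string> Descriptions { get { return new Dictionary<int, string> { { 1033, "Second factor for the example adapter" } }; } }
    public bool RequiresIdentity { get { return true; } }
}
```

Changing IdentityClaims to any string outside SupportedIdentityClaims now throws from the constructor, which is the same misconfiguration that surfaces as the InvalidDataException in the original post's event.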