The same client browser session has made '6' requests in the last '2' seconds

  • Question

  • Hi! I am trying to set up AD FS to allow authentication to SharePoint from disparate forests, with no trust. I have two domains: in domain A we have SharePoint 2016 and AD FS 4.0, all on Windows Server 2016; in domain B, AD FS 4.0.

    In domain A, on the AD FS server I created an RP for SharePoint and a CP for the AD FS in domain B. In domain B I created an RP for the AD FS in domain A.

    But I keep getting this error when I log on to the SharePoint site:

    Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '6' seconds. Contact your administrator for details.

    Any idea why this keeps happening?

    Tuesday, October 9, 2018 11:56 AM

Answers

  • It looks like everything works fine from an ADFS perspective.

    You connect to Sharepoint.

    You get redirected to ADFS Blue.

    It looks like the RP is configured to use the ADFS Green Claim Provider trust and you get redirected to Blue.

    You are already authenticated with ADFS Green (apparently at 12.10.2018 5:05:59 - so 5 minutes before your capture).

    You get a token for ADFS Green and hit ADFS Green.

    You then get this token:

    <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <t:Lifetime>
        <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-10-12T05:06:11.815Z</wsu:Created>
        <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2018-10-12T05:16:11.815Z</wsu:Expires>
      </t:Lifetime>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>urn:sharepoint:sp</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <t:RequestedSecurityToken>
        <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_44442132-f999-47f4-aed3-096cd18303ef" Issuer="http://adfs.blue.local/adfs/services/trust" IssueInstant="2018-10-12T05:06:11.815Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
          <saml:Conditions NotBefore="2018-10-12T05:06:11.815Z" NotOnOrAfter="2018-10-12T05:16:11.815Z">
            <saml:AudienceRestrictionCondition>
              <saml:Audience>urn:sharepoint:sp</saml:Audience>
            </saml:AudienceRestrictionCondition>
          </saml:Conditions>
          <saml:AttributeStatement>
            <saml:Subject>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
            <saml:Attribute AttributeName="isregistereduser" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims" a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
              <saml:AttributeValue b:type="tn:boolean" xmlns:tn="http://www.w3.org/2001/XMLSchema" xmlns:b="http://www.w3.org/2001/XMLSchema-instance">true</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute AttributeName="identifier" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims" a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
              <saml:AttributeValue>b5f85737-8484-45ee-b45b-65d34611bf42</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
          <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2018-10-12T05:04:51.185Z">
            <saml:Subject>
              <saml:SubjectConfirmation>
                <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
              </saml:SubjectConfirmation>
            </saml:Subject>
          </saml:AuthenticationStatement>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
              <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
              <ds:Reference URI="#_44442132-f999-47f4-aed3-096cd18303ef">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
                <ds:DigestValue>GlY7Y00b9BOaJYgfAXar7s75hkW60lZnzxitOjGsIZI=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>ObOz5G0BOhVRYgWY8AARJCCc9VoCeml0bZ4OjnXJCDJ1zF3fA/fEuF9Uk3QPjJnKh/N6kqSZzBd+g3KomDwCUDLEsdhFkCuzMcsQWDrAYQX9ql10Vu//xOFUJDthBdhjj6+jHfM58QV5YVELcEGLJINFdQl9DjHde92qPydMj1p9K1/ZKIHs5FOkPXYOHtak2PFeoeIWnmiKJ7Xqx4SPcLL8BpSlBSJSS3F2NwbcvkMUo9rgvxK0SO4mju1USn2dXLDenkuHjuPU6Scyq4dAviKh9RU+223lkjMZmDUpyOJuYb7qTpTGYmh0N+EEEWMZZtgcafXQlsszcIzU0ImNZA==</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Data>
                <X509Certificate>…</X509Certificate>
              </X509Data>
            </KeyInfo>
          </ds:Signature>
        </saml:Assertion>
      </t:RequestedSecurityToken>
      <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
      <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
      <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
    </t:RequestSecurityTokenResponse>

    And get redirected to SharePoint. 

    SharePoint does not seem to be happy with this token and redirects you to ADFS to get another one.

    If you look into the token itself, you don't really have any info in it. So assuming that you have the right cert on SharePoint, maybe your problem is your claim rules. You are not sending claims to SharePoint. What are the rules set on the SharePoint relying party trust on ADFS Blue and the rules set on the ADFS Green claim provider trust on ADFS Blue?


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Saturday, October 13, 2018 4:32 PM

All replies

  • Let's look at the classics with SharePoint first:

    • Make sure time sync between your ADFS server and the SharePoint servers is working fine
    • Make sure you did not change the maximum token lifetime to 5 minutes

    If both look good to you, then we can have a look at a Fiddler trace. If you go the Fiddler way, please make sure you obfuscate your credentials in the trace.


    Tuesday, October 9, 2018 1:10 PM
  • PS C:\Users\vlad> $sts | select *time*


    WindowsTokenLifetime        : 00:02:00
    FormsTokenLifetime          : 00:02:00
    CookieLifetime              : 5.00:00:00
    CookieLifetimeRefreshWindow : 4.00:00:00
    ServiceTokenLifetime        : 10:00:00
    ApplicationTokenLifetime    : 1.12:00:00
    AuthenticatorTokenLifetime  : 1.12:00:00
    ImplicitFlowTokenLifetime   : 30.00:00:00
    LoopbackTokenLifetime       : 10:00:00
    ProofTokenLifetime          : 1.00:00:00
    IdentityTokenLifetime       : 00:20:00

    Tuesday, October 9, 2018 1:33 PM
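Both things the thread ends up checking, the token lifetime against SharePoint's logon token cache window (the "classics" reply above) and whether the token issued to SharePoint carries any identity claim at all (the point made in the accepted answer about the token quoted there), can be checked offline against a token copied out of a Fiddler trace. The script below is an added example and not code from the thread. Its $rstr sample is a constructed, trimmed copy of the token quoted in the accepted answer (signature, certificate and the RSTR wrappers dropped, so nothing here verifies the signature; it only reads the assertion). The e-mail identifier claim type and the 10-minute LogonTokenCacheExpirationWindow are assumed defaults; replace them with the real values from Get-SPTrustedIdentityTokenIssuer and Get-SPSecurityTokenServiceConfig.

```powershell
# Added example, not from the thread: read a captured AD FS RSTR (SAML 1.1 assertion)
# offline and report the things SharePoint trips over. $rstr is a constructed, trimmed
# copy of the token quoted in the accepted answer; paste a full token from Fiddler instead.
$rstr = @'
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_44442132-f999-47f4-aed3-096cd18303ef"
                    Issuer="http://adfs.blue.local/adfs/services/trust" IssueInstant="2018-10-12T05:06:11.815Z"
                    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2018-10-12T05:06:11.815Z" NotOnOrAfter="2018-10-12T05:16:11.815Z">
        <saml:AudienceRestrictionCondition><saml:Audience>urn:sharepoint:sp</saml:Audience></saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Attribute AttributeName="isregistereduser" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims"
                        a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue>true</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="identifier" AttributeNamespace="http://schemas.microsoft.com/2012/01/devicecontext/claims"
                        a:OriginalIssuer="http://adfs.green.local/adfs/services/trust" xmlns:a="http://schemas.xmlsoap.org/ws/2009/09/identity/claims">
          <saml:AttributeValue>b5f85737-8484-45ee-b45b-65d34611bf42</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>
  </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>
'@

function Test-SPSamlToken {
    param(
        [Parameter(Mandatory)][string]$Rstr,
        # The SharePoint RP identifier (the wtrealm seen in the trace)
        [string]$ExpectedAudience = 'urn:sharepoint:sp',
        # Claim type SharePoint maps users on (IdentifierClaim of the SPTrustedIdentityTokenIssuer).
        # Assumption: e-mail. Read the real one with Get-SPTrustedIdentityTokenIssuer.
        [string]$IdentifierClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress',
        # SharePoint default; read the real one from (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow
        [timespan]$LogonTokenCacheExpirationWindow = [timespan]::FromMinutes(10)
    )

    $doc = [xml]$Rstr
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $identityNs = 'http://schemas.xmlsoap.org/ws/2009/09/identity/claims'
    $inv        = [cultureinfo]::InvariantCulture

    $assertion    = $doc.SelectSingleNode('//saml:Assertion', $ns)
    $cond         = $doc.SelectSingleNode('//saml:Conditions', $ns)
    $notBefore    = [datetimeoffset]::Parse($cond.GetAttribute('NotBefore'), $inv)
    $notOnOrAfter = [datetimeoffset]::Parse($cond.GetAttribute('NotOnOrAfter'), $inv)
    $lifetime     = $notOnOrAfter - $notBefore
    $audience     = $doc.SelectSingleNode('//saml:Audience', $ns).InnerText

    # Flatten SAML 1.1 attributes into claim type / value / original issuer
    $claims = foreach ($attr in $doc.SelectNodes('//saml:Attribute', $ns)) {
        [pscustomobject]@{
            Type           = '{0}/{1}' -f $attr.GetAttribute('AttributeNamespace'), $attr.GetAttribute('AttributeName')
            Value          = $attr.SelectSingleNode('saml:AttributeValue', $ns).InnerText
            OriginalIssuer = $attr.GetAttribute('OriginalIssuer', $identityNs)
        }
    }

    $findings = New-Object System.Collections.Generic.List[string]
    if ($audience -ne $ExpectedAudience) {
        $findings.Add("Audience '$audience' does not match the SharePoint RP identifier '$ExpectedAudience'.")
    }
    # SharePoint needs the token to outlive its logon token cache window, otherwise it treats the
    # token as already expired and sends the browser straight back to AD FS (the redirect loop).
    if ($lifetime -le $LogonTokenCacheExpirationWindow) {
        $findings.Add(('Token lifetime {0} is not longer than LogonTokenCacheExpirationWindow {1}.' -f $lifetime, $LogonTokenCacheExpirationWindow))
    }
    if (-not ($claims | Where-Object Type -eq $IdentifierClaim)) {
        $findings.Add("No '$IdentifierClaim' claim: SharePoint cannot map the user. Check the SharePoint RP issuance rules and the claims provider trust acceptance rules.")
    }
    $deviceOnly = @($claims | Where-Object Type -like 'http://schemas.microsoft.com/2012/01/devicecontext/claims/*').Count -eq @($claims).Count
    if ($deviceOnly) {
        $findings.Add('Only device-context claims are present; no identity claim reached the relying party.')
    }

    [pscustomobject]@{
        Issuer   = $assertion.GetAttribute('Issuer')
        Audience = $audience
        Lifetime = $lifetime
        Claims   = $claims
        Findings = $findings
    }
}

$result = Test-SPSamlToken -Rstr $rstr
$result.Claims   | Format-Table -AutoSize
$result.Findings
```

On the sample it reports two findings: the token's 10-minute validity window is not longer than the assumed 10-minute LogonTokenCacheExpirationWindow, and the only claims are the two device-context claims that originated at ADFS Green, with no e-mail (or other identifier) claim for SharePoint to map. The token lifetime comes from TokenLifetime on the SharePoint relying party trust in AD FS (0 means the 60-minute default), so compare that value and the SharePoint window side by side rather than trusting either default.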
  • Well, look at the values for the SharePoint RP.

    Regarding the first point? You are good?

    If so, then Fiddler :)


    Tuesday, October 9, 2018 6:29 PM
  • In Fiddler I see that the request is processed between the AD FS servers and then the external AD FS gets the error "MSIS7042: The same client browser session has made '6' requests in the last '2' seconds"

    #	Result	Protocol	Host	URL	Body	Caching	Content-Type	Process	Comments	Custom	
    19	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782	29,642	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    20	304	HTTPS	adfs.green.local	/adfs/portal/css/style.css?id=0A13280A86E7DFA6949BD016EA848912FCAFC05E88CBEDF538AC325B27041205	0	Expires: Sat, 10 Nov 2018 10:48:23 GMT	text/css	firefox:6924			
    21	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0	17,527	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    22	404	HTTPS	adfs.green.local	/favicon.ico	315		text/html; charset=us-ascii	firefox:6924			
    23	200	HTTP	Tunnel to	adfs.green.local:443	0			firefox:6924			
    24	404	HTTPS	adfs.green.local	/favicon.ico	315		text/html; charset=us-ascii	firefox:6924			
    25	200	HTTP	Tunnel to	adfs.green.local:443	0			firefox:6924			
    26	302	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0	0		text/html; charset=utf-8	firefox:6924			
    27	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d50d9bd6-509e-47d4-b58b-dd1c9de1c782&client-request-id=d354ff4a-70c4-4065-2900-0080000000f1&pullStatus=0	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    28	502	HTTP	Tunnel to	safebrowsing.googleapis.com:443	512	no-cache, must-revalidate	text/html; charset=UTF-8	firefox:6924			
    29	200	HTTPS	adfs.blue.local	/adfs/ls/	4,929	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    30	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    31	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    32	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    33	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    34	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    35	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=e018883d-3694-4d1f-844a-eb2cf7e86725	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    36	404	HTTPS	adfs.blue.local	/favicon.ico	315		text/html; charset=us-ascii	firefox:6924			
    37	200	HTTP	Tunnel to	adfs.blue.local:443	648			firefox:6924			
    38	200	HTTPS	adfs.blue.local	/adfs/ls/	4,940	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    39	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    40	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    41	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    42	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    43	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    44	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=9fe6e6f0-93ce-4eb4-87e8-31f1f7c47f1f	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    45	200	HTTPS	adfs.blue.local	/adfs/ls/	4,940	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    46	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    47	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    48	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    49	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    50	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    51	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=e3f05dcc-1c87-4b13-ac35-2bcc5630ecf4	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    52	200	HTTPS	adfs.blue.local	/adfs/ls/	4,940	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    53	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    54	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    55	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    56	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    57	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    58	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=07267496-fc65-420a-bc97-5547863ca2eb	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    59	200	HTTPS	adfs.blue.local	/adfs/ls/	4,940	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    60	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    61	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    62	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    63	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    64	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    65	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=f48acd3a-d27b-4bba-b374-fb8c11125e98	8,529	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    66	200	HTTPS	adfs.blue.local	/adfs/ls/	4,940	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			
    67	302	HTTPS	sp.blue.local	/_trust/	169		text/html; charset=utf-8	firefox:6924			
    68	302	HTTPS	sp.blue.local	/_layouts/15/Authenticate.aspx?Source=%2F%5Ftrust%2F	242	private	text/html; charset=utf-8	firefox:6924			
    69	302	HTTPS	sp.blue.local	/_login/default.aspx?ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F%5Ftrust%2F	255	private, no-store	text/html; charset=utf-8	firefox:6924			
    70	302	HTTPS	sp.blue.local	/_trust/default.aspx?trust=ADFS&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F&Source=%2F_trust%2F	301	private, no-store	text/html; charset=utf-8	firefox:6924			
    71	302	HTTPS	adfs.blue.local	/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3asp&wctx=https%3a%2f%2fsp.blue.local%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F%255Ftrust%252F	0		text/html; charset=utf-8	firefox:6924			
    72	200	HTTPS	adfs.green.local	/adfs/ls/?wa=wsignin1.0&wtrealm=http%3a%2f%2fadfs.blue.local%2fadfs%2fservices%2ftrust&wctx=d52a4031-1b53-48ed-a53c-f37b6e47d189	10,617	no-cache,no-store; Expires: -1	text/html; charset=utf-8	firefox:6924			

    As I understand it, I can't log in to AD FS with the SharePoint RP.

    Thursday, October 11, 2018 10:50 AM
  • Why is the trace starting on ADFS? If it is WS-Fed, it should start on SharePoint.

    Also, can you share the actual trace file?


    Thursday, October 11, 2018 4:39 PM
  • https://drive.google.com/file/d/1pgUAEPvO0xSwpvLgVQd5Mx03Uh9M50zF/view?usp=sharing
    Friday, October 12, 2018 5:14 AM
  • I added another claim rule on my SharePoint RP on AD FS Blue and authorization works:


    Monday, October 15, 2018 12:17 PM
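The post above does not show the rule that was added. For the topology in this thread (ADFS Green as claims provider, ADFS Blue issuing to SharePoint) the identity claim has to survive three hops, and each hop is a rule set that was empty in the captured token. The following is an added example, not the thread's own rules or Microsoft's: the trust display names 'ADFS Blue', 'ADFS Green' and 'SharePoint', the green.local UPN suffix, and e-mail as the claim SharePoint identifies users by are all assumptions to adjust.

```powershell
# Added example, not from the thread. Claim rules for the Blue/Green topology described above.
# Assumed names: trust display names 'ADFS Blue' (RP on Green), 'ADFS Green' (CP on Blue),
# 'SharePoint' (RP on Blue); Green's UPN suffix green.local; e-mail as SharePoint's IdentifierClaim.

$upn  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
$mail = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'

# --- Run on AD FS Green: the relying party trust for AD FS Blue must issue identity claims.
# Without this, Blue only ever receives the device-context claims seen in the captured token.
$greenToBlueRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN and e-mail from Green AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$upn", "$mail"), query = ";userPrincipalName,mail;{0}", param = c.Value);
"@
Set-AdfsRelyingPartyTrust -TargetName 'ADFS Blue' -IssuanceTransformRules $greenToBlueRules

# --- Run on AD FS Blue: acceptance rules on the Green claims provider trust are the trust boundary.
# Pass through only the claim types you need, and only values in Green's own namespace, so a
# partner forest cannot assert a UPN or e-mail that belongs to one of Blue's own users.
$greenCpRules = @"
@RuleName = "Accept UPN from Green only for green.local"
c:[Type == "$upn", Value =~ "^(?i)[^@]+@green\.local$"]
 => issue(claim = c);

@RuleName = "Accept e-mail from Green only for green.local"
c:[Type == "$mail", Value =~ "^(?i)[^@]+@green\.local$"]
 => issue(claim = c);
"@
Set-AdfsClaimsProviderTrust -TargetName 'ADFS Green' -AcceptanceTransformRules $greenCpRules

# --- Run on AD FS Blue: the SharePoint relying party forwards the claim SharePoint maps users on.
$spRules = @"
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through e-mail to SharePoint"
c:[Type == "$mail"]
 => issue(claim = c);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN to SharePoint"
c:[Type == "$upn"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName 'SharePoint' -IssuanceTransformRules $spRules

# Read back what each trust will now emit
(Get-AdfsClaimsProviderTrust -Name 'ADFS Green').AcceptanceTransformRules
(Get-AdfsRelyingPartyTrust  -Name 'SharePoint').IssuanceTransformRules
```

Two things to check after applying this. First, the claim type SharePoint maps on must be the one that arrives: compare the IdentifierClaim and ClaimTypeInformation of Get-SPTrustedIdentityTokenIssuer on the SharePoint side with the pass-through rules on the SharePoint RP. Second, re-test in a fresh browser session; the trace above shows the existing ADFS Green SSO session being reused, so an old cookie can hide whether the new rules actually fire.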
  • So it works now?


    Monday, October 15, 2018 2:35 PM
  • Yes, thank you so much
    Tuesday, October 16, 2018 4:59 AM
  • Well, you've done all the work :)

    Thanks!


    Tuesday, October 16, 2018 7:03 PM