ADFS works, but Relying Party Trust giving "no registered protocol handlers on path /adfs/ls/"

  • Question

  • Recently started noticing some 364 errors for ADFS 3.0 on Server 2012R2 that are related to a single Relying Party Trust. Normal ADFS authentication for Office 365 works, and all other trusts appear to be fine. However, one trust works 90% of the time, but occasionally we are getting the following error:

    Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.

    We can simulate the error, but we cannot figure out how a normal user is triggering it, as it involves messing with cookies. This error looks like it is starting to happen more and more. I can log in 5 times with no issue, but then the next person who tries will get the error. If they exit and go back into the browser and try to log in again, it will work. Very confusing.

    I have checked that Forms Authentication is turned on for Global Authentication Policy. Certificates for both the ADFS service and the Relying Party Trust are still valid.

    Checked the ADFS service account and saw that the SPNs were all host/url format, so I added in every HTTP/ HTTPS/ version I could think of as that seems to be a common answer. ADFS service is then restarted or server rebooted, and it looks like it is fixed. But 15 minutes later they start appearing again.

    I am out of ideas! Can anyone help? Most solutions seem to be for setting up a new ADFS but I do not want to rebuild for one RPT.


    Thanks


    • Edited by CSCTool Wednesday, April 11, 2018 10:29 PM
    Wednesday, April 11, 2018 10:21 PM

All replies

  • Hello,

    This is because a user navigates to the https://<federation.service.url>/adfs/ls/ URL instead of one of the configured ADFS endpoints. You can check how endpoints are configured in the ADFS management console under Service -> Endpoints.

    I have reproduced this in my lab environment. In the screenshot below you can see that the error occurs when navigating to the ~/adfs/ls/ URL.

    Hope this helps!

    Thursday, April 12, 2018 7:03 AM
  • Except the students are clicking on a login button on a 3rd party site (a trusted partner using SAML) that works most of the time. It routes them to our actual ADFS login page. They are not typing in the URL directly to the ADFS site to log in.
    Thursday, April 12, 2018 1:25 PM
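
A diagnostic script, added here as an example and not taken from the thread, that checks the three things the question and the reply above touch on: which endpoints exist under /adfs/ls/ and whether they are enabled, how the MSIS7065 (event ID 364) failures cluster over time, and which SPNs the ADFS service account carries. It assumes it is run as an administrator on the ADFS 3.0 server itself with the ADFS PowerShell module available; the one-day window and the field names parsed out of the event message are my own choices.

```powershell
# Added diagnostic example (not from the thread). Assumes: run on the ADFS server,
# ADFS module present, AD FS Admin log enabled (it is by default on 2012 R2).
Import-Module ADFS

# 1. Endpoints under /adfs/ls/. The reply above says MSIS7065 is raised when a request
#    hits a path no protocol handler is registered for, so confirm the passive endpoint
#    and its relatives exist and are enabled (and proxy-published, if the partner comes
#    in through the Web Application Proxy).
Write-Host "== Endpoints under /adfs/ls/ =="
Get-AdfsEndpoint |
    Where-Object { $_.AddressPath -like '/adfs/ls*' } |
    Select-Object AddressPath, Protocol, Enabled, Proxy |
    Format-Table -AutoSize

# 2. Event 364 entries from the last day that carry MSIS7065, grouped per hour.
#    A cluster right after a restart settles, or at a fixed cadence, narrows the cause.
$since  = (Get-Date).AddDays(-1)   # assumption: one day is enough history
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'MSIS7065' }

Write-Host "== MSIS7065 occurrences per hour (event 364) =="
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Select-Object @{ n = 'Hour'; e = { $_.Name } }, Count |
    Sort-Object Hour |
    Format-Table -AutoSize

# 3. Pull the 'Protocol Name' and 'Relying Party' lines the 364 message carries (assumed
#    field labels; empty values are themselves a hint that the request reached
#    /adfs/ls/ with no SAMLRequest or WS-Fed parameters to route on).
Write-Host "== Protocol / Relying Party seen in the failing requests =="
$events | ForEach-Object {
    $proto = if ($_.Message -match 'Protocol Name:\s*(.*)') { $Matches[1].Trim() } else { '' }
    $rp    = if ($_.Message -match 'Relying Party:\s*(.*)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{ Time = $_.TimeCreated; Protocol = $proto; RelyingParty = $rp }
} | Group-Object Protocol, RelyingParty | Select-Object Count, Name | Format-Table -AutoSize

# 4. SPNs on the account running the ADFS service (adfssrv), read from the service
#    itself so no account name has to be typed in. The question added extra HTTP/
#    SPNs; this shows exactly what is registered now.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
Write-Host "== SPNs registered for $svcAccount =="
setspn -L $svcAccount
```

Run it once while the failures are occurring and once after a service restart; if section 2 only shows entries after the restart window closes, the timing pattern from the question is reproduced in the log and can be compared against the endpoint and SPN state captured at the same moment.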