ADFS pre-authenticating Non-Claims-Aware Web API with OAuth RRS feed

  • Question

  • We have an internal backend webserver that is using Windows Integrated Authentication (non-claims-aware) to authenticate domain users to web services. We wish to expose these web services to native clients on mobile devices on the internet, without making any alterations to the web services.

    My idea is to use ADFS to authenticate users in the internal domain, with the added security option of using multifactor authentication, and to use a Web Application Proxy to publish the web services on the internet.

    The webserver also has a browser-based client. So I set this up to be pre-authenticated by ADFS (WS-Trust type/Add-AdfsNonClaimsAwareRelyingPartyTrust), configured the required user delegation rights for Kerberos so the WAP can impersonate a domain user on the backend web server, and published the web application on the WAP as a Non-Claims-Based application.

    This all works fine, so I know that the basic ADFS and WAP setup is configured properly.

    Now I need the native mobile app (iOS) to be able to use a non-browser-based authentication method, which is pre-authenticated by ADFS, and then the WAP will still be able to impersonate an internal domain user on the backend web server.

    For this we chose OAuth.

    I have added an AdfsClient in PowerShell on the ADFS server. The rest of the RelyingPartyTrust config I left unchanged.

    I then configured the OAuthAuthenticationURL on the WAP server and published the application again using the -UseOAuthAuthentication parameter.

    Now the native mobile apps are able to connect to the AdfsClient and start the OAuth token flow using the ADAL SDK toolkit. They are able to get an OAuth token, but when they try to use this token to get access to the web service published on the WAP, we get the following error in the event log on the WAP server:

    Event ID: 13014

    Web Application Proxy received a request with a nonvalid edge token. The token is not valid because it could not be parsed.
    Error: Edge Token validation failed. Failed to serialize JSON object. Exception: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters. . Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkUxUUVyeUJxUzd0ZkF3WHA4Qm5KUDJfakN5TSJ9.eyJhdWQiOiJodHRwczovL3dvcmt6b25lLmNvbm5lY3R6b25lLmRrIiwiaXNzIjoiaHR0cDovL2Nsb3VkbGFiLmNvbm5lY3R6b25lLmRrL2FkZnMvc2VydmljZXMvdHJ1c3QiLCJpYXQiOjE0Nzc0ODMwMjgsImV4cCI6MTQ3NzQ4NjYyOCwiYXV0aF90aW1lIjoiMjAxNi0xMC0yNlQxMTo1NzowOC4yOTBaIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwidmVyIjoiMS4wIiwiYXBwaWQiOiIwYzgxMTQzMy1iZWEzLTRlMDEtYmRjMC0xZTNiMDk1N2UyNWMifQ.dYnHP3AVUmxfda0yuz4gcQbkWxPvjNqixsx2qbjTRbFjYma6r_OIz-LPAWY1UeZNao1BDHy8G6cQG2tsNejhPTfWhDUuMVFpNSX9v4tHMuCLmXyDu3w0U-0dEOerYEjdBAiEqPeSCDisW5jiKlgfr6sD8T4KZ_5IpkOdmYSIcGiH9AWFkoTOHiHcp2ue-Dnf82YgTv0eeVtsInLZvD50EUmCHX3Ktg6Df_vh3GqltPV2bcQs9HXnk39eT_1E5DFAPp7mCHVIkS_6E3QsFmOfV98OCaYygM9jJaJ09s4CghBcV513qw7IwB3Ne_3fjQ_T5QtxSYRWrJhsZiFdAWq9sw
    Received token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkUxUUVyeUJxUzd0ZkF3WHA4Qm5KUDJfakN5TSJ9.eyJhdWQiOiJodHRwczovL3dvcmt6b25lLmNvbm5lY3R6b25lLmRrIiwiaXNzIjoiaHR0cDovL2Nsb3VkbGFiLmNvbm5lY3R6b25lLmRrL2FkZnMvc2VydmljZXMvdHJ1c3QiLCJpYXQiOjE0Nzc0ODMwMjgsImV4cCI6MTQ3NzQ4NjYyOCwiYXV0aF90aW1lIjoiMjAxNi0xMC0yNlQxMTo1NzowOC4yOTBaIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwidmVyIjoiMS4wIiwiYXBwaWQiOiIwYzgxMTQzMy1iZWEzLTRlMDEtYmRjMC0xZTNiMDk1N2UyNWMifQ.dYnHP3AVUmxfda0yuz4gcQbkWxPvjNqixsx2qbjTRbFjYma6r_OIz-LPAWY1UeZNao1BDHy8G6cQG2tsNejhPTfWhDUuMVFpNSX9v4tHMuCLmXyDu3w0U-0dEOerYEjdBAiEqPeSCDisW5jiKlgfr6sD8T4KZ_5IpkOdmYSIcGiH9AWFkoTOHiHcp2ue-Dnf82YgTv0eeVtsInLZvD50EUmCHX3Ktg6Df_vh3GqltPV2bcQs9HXnk39eT_1E5DFAPp7mCHVIkS_6E3QsFmOfV98OCaYygM9jJaJ09s4CghBcV513qw7IwB3Ne_3fjQ_T5QtxSYRWrJhsZiFdAWq9sw

    Details:
    Transaction ID: {f3534b4e-2ed0-0001-534c-53f3d02ed201}
    Session ID: {f3534b4e-2ed0-0001-534c-53f3d02ed201}
    Published Application Name: WorkzoneOAuth
    Published Application ID: 02A7D76D-4CA7-E172-3628-9D5C4279C03F
    Published Application External URL: https://workzone.connectzone.dk/
    Published Backend URL: https://workzone.connectzone.dk/
    User: <Unknown>
    User-Agent: <Not Found>
    Device ID: <Not Applicable>
    Token State: Invalid
    Cookie State: NotFound
    Client Request URL: https://workzone.connectzone.dk/Process/Process.svc/Assets/Keys
    Backend Request URL: <Not Applicable>
    Preauthentication Flow: PreAuthWindowsStoreApp
    Backend Server Authentication Mode:
    State Machine State: Idle
    Response Code to Client: <Not Applicable>
    Response Message to Client: <Not Applicable>
    Client Certificate Issuer: <Not Found>

    I have re-installed the ADFS and WAP servers from scratch, configuring only the bare minimum to keep the setup as "default" as possible, but the issue persists.

    I have a distinct suspicion that we are doing something basically wrong. I am not an expert in OAuth and ADFS implementation and token flows, but I can explain the setup in further detail if required.

    Wednesday, October 26, 2016 1:50 PM
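As an added illustration (not code from the thread), the following Python script decodes the edge token quoted in the event log above the way a JWT must be decoded (base64url alphabet, padding restored) and runs the consistency checks a practitioner would make before escalating: audience against the published external URL, appid against the AdfsClient id, issuer, and expiry. It also reports which token segments a strict standard-alphabet Base64 decoder refuses, which is the kind of failure the log's error text describes; whether that is what WAP does internally is not established by the thread. The expected external URL and client id are taken from the question and the token; the helper names are mine.

```python
import base64
import binascii
import json

# Edge token copied verbatim from the Event ID 13014 entry in the question.
EDGE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IkUxUUVyeUJxUzd0ZkF3WHA4Qm5KUDJfakN5TSJ9."
    "eyJhdWQiOiJodHRwczovL3dvcmt6b25lLmNvbm5lY3R6b25lLmRrIiwiaXNzIjoiaHR0cDovL2Nsb3VkbGFiLmNvbm5lY3R6b25lLmRrL2FkZnMvc2VydmljZXMvdHJ1c3QiLCJpYXQiOjE0Nzc0ODMwMjgsImV4cCI6MTQ3NzQ4NjYyOCwiYXV0aF90aW1lIjoiMjAxNi0xMC0yNlQxMTo1NzowOC4yOTBaIiwiYXV0aG1ldGhvZCI6InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0IiwidmVyIjoiMS4wIiwiYXBwaWQiOiIwYzgxMTQzMy1iZWEzLTRlMDEtYmRjMC0xZTNiMDk1N2UyNWMifQ."
    "dYnHP3AVUmxfda0yuz4gcQbkWxPvjNqixsx2qbjTRbFjYma6r_OIz-LPAWY1UeZNao1BDHy8G6cQG2tsNejhPTfWhDUuMVFpNSX9v4tHMuCLmXyDu3w0U-0dEOerYEjdBAiEqPeSCDisW5jiKlgfr6sD8T4KZ_5IpkOdmYSIcGiH9AWFkoTOHiHcp2ue-Dnf82YgTv0eeVtsInLZvD50EUmCHX3Ktg6Df_vh3GqltPV2bcQs9HXnk39eT_1E5DFAPp7mCHVIkS_6E3QsFmOfV98OCaYygM9jJaJ09s4CghBcV513qw7IwB3Ne_3fjQ_T5QtxSYRWrJhsZiFdAWq9sw"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment: RFC 7515 base64url ('-' and '_' alphabet, padding stripped)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def strict_base64_accepts(segment: str) -> bool:
    """True if a strict standard-alphabet Base64 decoder takes the segment as-is."""
    try:
        base64.b64decode(segment, validate=True)
        return True
    except binascii.Error:  # non-alphabet character ('-', '_') or missing padding
        return False


def parse_jwt(token: str) -> dict:
    """Split and decode a compact JWS; the signature is only length-checked here."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "claims": json.loads(b64url_decode(payload_b64)),
        "signature_len": len(b64url_decode(sig_b64)),  # 256 bytes for RS256 / 2048-bit key
        "strict_b64_accepts": {
            "header": strict_base64_accepts(header_b64),
            "payload": strict_base64_accepts(payload_b64),
            "signature": strict_base64_accepts(sig_b64),
        },
    }


def check_claims(claims: dict, external_url: str, client_id: str, now: int) -> list:
    """Consistency checks against the WAP publication. Assumed expectations (not from
    the thread): aud equals the published external URL, appid equals the AdfsClient id."""
    problems = []
    if claims.get("aud", "").rstrip("/") != external_url.rstrip("/"):
        problems.append("aud does not match the published external URL")
    if claims.get("appid") != client_id:
        problems.append("appid is not the expected AdfsClient id")
    if "/adfs/services/trust" not in claims.get("iss", ""):
        problems.append("iss is not an AD FS issuer")
    if not claims.get("exp") or claims["exp"] <= now:
        problems.append("token is expired")
    return problems
```

Run with `now` set to the token's own time window to see the claims pass, and with the current time to see the expiry check fire.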

All replies

  • Hi, can I ask whether you were ever able to get the OAuth tokens to work through the WAP?

    We are facing the same issue and cannot seem to find a definitive answer on this. We have the same setup using ADFS 3, WAP, ADAL.

    Thursday, June 28, 2018 12:17 PM
  • Yes. We had a long session with the Microsoft ADFS/WAP team, and it turns out that this specific configuration is not supported on the on-premises WAP product. Don't quote me on this, but the message we got was that there were no plans to further develop this product, as the future was to concentrate on the WAP service in Azure. So we ended up using pass-through Windows authentication to make it work.
    Friday, June 29, 2018 1:22 PM