ADFS 3.0 Windows integrated authentication not working

  • Question

  • I have set up an AD FS server running on Windows 2012 R2. The AD FS server is working, except that Windows integrated authentication is not working. I have found the below error.

    The SSL certificate does not contain all UPN suffix values that exist in the enterprise. Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.

    Might this be part of the issue?

    Thursday, January 28, 2016 7:02 PM

Answers

  • It is not. This is a generic event that warns you that if you wanted to do Workplace Join, you might have to update your certificate to make it work. Nothing to do with WIA (Windows Integrated Auth).

    Couple of things to check there.

    1. The authentication policy. Make sure it is configured to perform WIA for the intranet client.

    2. Make sure that the user agent of your browser is listed as supported for WIA by your ADFS farm:

    (Get-AdfsProperties).WIASupportedUserAgents

    If you don't see the MSIE entry matching your version of IE, then add it. If you want to add support for Firefox or Chrome, please refer to the following post: https://social.technet.microsoft.com/Forums/windowsserver/en-US/cef5044f-9da7-4356-b11f-7a281796eafd/sso-with-office-365-adfs-logon-web-site-authentication-browser-support?forum=ADFS. If IE, also make sure the FQDN of your ADFS server is listed in the Intranet Site List in the Internet options.

    3. Check the SPN of your ADFS farm. If the FQDN of your farm is adfs.piaudonn.com, the SPN should be: host/adfs.piaudonn.com. The following query on your domain should return only one object:

    Get-ADObject -LDAPFilter "(servicePrincipalName=host/adfs.piaudonn.com)" -Properties name,serviceprincipalname
    
    
    DistinguishedName    : CN=svc_adfs,OU=Service Accounts,OU=Accounts,DC=ad,DC=piaudonn,DC=com
    Name                 : svc_adfs
    ObjectClass          : user
    ObjectGUID           : 239c0e4a-d146-490c-b03e-8a5811df49c5
    serviceprincipalname : {host/adfs.piaudonn.com}
    

    If it returns something different than the service account you are using for ADFS, you have a problem and should correct it. Delete the value of the SPN attribute of the account and create it on the right account.

    If it returns 0 objects, you have a problem and you have to add the SPN on the service account used by your farm.

    If it returns more than 1 object, you also have a problem and you should delete the value from the illegitimate account.

    Tell us how it goes!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Proposed as answer by nzpcmad1 Tuesday, February 2, 2016 1:45 AM
    • Marked as answer by Carl M5646813 Wednesday, February 3, 2016 10:03 PM
    Friday, January 29, 2016 4:30 PM

All replies

  • I already had the site in the intranet zone.

    I fixed the SPN but no change in behavior.

    Monday, February 1, 2016 8:44 PM
  • The name for the ADFS server was a CNAME, it needed an A record.
    Wednesday, February 3, 2016 10:03 PM
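
The checks from the accepted answer (intranet authentication policy, WIASupportedUserAgents, SPN ownership) and the A-record-versus-CNAME point from the final reply can be walked in one read-only script. The script below is an added example and is not code from the thread or from Microsoft; it assumes the ADFS, ActiveDirectory and DnsClient modules are available, that it runs elevated on an AD FS 3.0 (Windows Server 2012 R2) farm member, and that the AD FS Windows service is named adfssrv. The User-Agent string in step 2 is a constructed IE 11 sample, not a capture from the thread.

```powershell
# Added example (not from the original thread): read-only checks for the items in
# the accepted answer plus the DNS record type from the final reply. Assumes the
# ADFS, ActiveDirectory and DnsClient modules are present and that this runs
# elevated on an AD FS 3.0 (Windows Server 2012 R2) farm member.

Import-Module ADFS
Import-Module ActiveDirectory
Import-Module DnsClient

$props    = Get-AdfsProperties
$farmFqdn = $props.HostName                      # federation service name, e.g. adfs.piaudonn.com
$findings = New-Object System.Collections.Generic.List[string]

# 1. Authentication policy: intranet clients must be offered Windows Authentication,
#    otherwise AD FS shows the forms page even to domain-joined browsers.
$policy = Get-AdfsGlobalAuthenticationPolicy
if ($policy.PrimaryIntranetAuthenticationProvider -contains 'WindowsAuthentication') {
    $findings.Add("[OK]   Intranet primary authentication includes WindowsAuthentication")
} else {
    $findings.Add("[FAIL] Intranet primary authentication is '$($policy.PrimaryIntranetAuthenticationProvider -join ', ')'")
}

# 2. User agent list: AD FS only attempts WIA when the browser's User-Agent header
#    contains one of the configured substrings. The value below is a constructed
#    IE 11 string; replace it with the User-Agent of the browser you are testing.
$browserUserAgent = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'
$matchedToken = $props.WIASupportedUserAgents | Where-Object { $browserUserAgent -like "*$_*" }
if ($matchedToken) {
    $findings.Add("[OK]   User agent matches WIASupportedUserAgents entry '$($matchedToken -join ', ')'")
} else {
    $findings.Add("[FAIL] No WIASupportedUserAgents entry matches the test browser; add one with Set-AdfsProperties -WIASupportedUserAgents")
}

# 3. SPN ownership: exactly one object may hold host/<farm FQDN>, and it must be the
#    account the AD FS service (adfssrv) runs as.
$spn         = "host/$farmFqdn"
$holders     = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties name,servicePrincipalName)
$serviceAcct = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName   # e.g. AD\svc_adfs
$serviceSam  = ($serviceAcct -split '\\')[-1].TrimEnd('$')                         # strip domain prefix and gMSA '$'
switch ($holders.Count) {
    0 { $findings.Add("[FAIL] No object holds $spn; register it on $serviceAcct") }
    1 {
        if ($holders[0].Name -eq $serviceSam) {
            $findings.Add("[OK]   $spn is held only by $($holders[0].DistinguishedName)")
        } else {
            $findings.Add("[FAIL] $spn is held by $($holders[0].DistinguishedName) but the service runs as $serviceAcct")
        }
    }
    default { $findings.Add("[FAIL] $spn is held by $($holders.Count) objects (duplicate SPN): $($holders.DistinguishedName -join '; ')") }
}

# 4. DNS record type (the fix in the final reply): the farm name should resolve
#    directly via an A record. With a CNAME, Windows HTTP clients typically build
#    the Kerberos SPN from the canonical target name and request the wrong ticket.
$dns = @(Resolve-DnsName -Name $farmFqdn -Type A -ErrorAction SilentlyContinue)
$cname = $dns | Where-Object { $_.Type -eq 'CNAME' }
$aRecs = $dns | Where-Object { $_.Type -eq 'A' }
if ($cname) {
    $findings.Add("[FAIL] $farmFqdn is a CNAME to $($cname.NameHost -join ', '); replace it with an A record")
} elseif ($aRecs) {
    $findings.Add("[OK]   $farmFqdn resolves via an A record ($($aRecs.IPAddress -join ', '))")
} else {
    $findings.Add("[FAIL] $farmFqdn did not resolve")
}

$findings
```

Run it on the AD FS server and work through the [FAIL] lines: the policy is changed with Set-AdfsGlobalAuthenticationPolicy, the user agent list with Set-AdfsProperties -WIASupportedUserAgents, a wrong or duplicate SPN with setspn (remove it from the illegitimate account before adding it to the service account), and the CNAME in DNS as the original poster did, by replacing it with an A record.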