ADFS3.0 federating with ADFS1.1

  • Question

  • I have a Windows NT token-based application working with ADFS1.1, and it already federates WebSSO with an account partner that is also using ADFS1.1.

    I am testing moving the account partner to ADFS3 while still federating SSO with my resource ADFS1.1.

    Is this possible? I added ADFS1.1 as a relying party trust at ADFS3 and changed the account partner setting to use the ADFS3 URI and endpoint.

    When I open the URL of the Windows NT token-based application, I get redirected to the HDR, where I selected the ADFS3 IdP; I was then redirected back to ADFS1.1 and got an error there.

    In ADFS1.1 I am seeing this error in the event log:

    Transaction ID: {f2605713-f551-4fb1-8a74-d77d45fc6535} 

    This event contains details of the errors encountered while processing the input federation token that was received as part of the referenced transaction. 

    The client presented an invalid inbound token as evidence. The token specified an untrusted issuer. 

    But I am seeing my UPN, user@abc.local.

    No idea why it is not working.

    Thanks

    Wednesday, February 22, 2017 6:49 PM

All replies

  • Did you add the ADFS3 signing cert into the ADFS1.1 configuration?

    As I understand it, your authentication workflow should work like this: Application -> ADFS1.1 -> ADFS3 -> ADFS1.1 -> Application. Could you please confirm?


    https://exchange12rocks.org | https://about.me/exchange12rocks

    Saturday, February 25, 2017 2:40 AM
  • Yes, I added the ADFS3 token-signing cert to ADFS1.1. The authentication workflow is Application -> ADFS3 (IdP) -> ADFS1.1 (RP) -> Application.

    I do see my UPN in the ADFS1.1 event log, so ADFS3 is not the issue; it sent the UPN correctly.

    Thanks

    Saturday, February 25, 2017 6:37 AM
  • Well, the workflow should be as I described above: your application should redirect users to the secure token service (ADFS) which it trusts, i.e. ADFS1.1, not ADFS3. Could you please show us how you have added ADFS3 into the ADFS1.1 configuration?

    https://exchange12rocks.org | https://about.me/exchange12rocks

    Saturday, February 25, 2017 10:51 AM
  • I followed this article, https://blogs.technet.microsoft.com/askds/2010/05/25/ad-fs-2-0-and-ad-fs-1-x-interoperability/

    Thanks

    Tuesday, February 28, 2017 4:29 PM
  • Could you please reconfigure your application to trust ADFS 1.1 only (i.e. redirect user and receive tokens only to/from it)?

    https://exchange12rocks.org | https://about.me/exchange12rocks

    Thursday, March 2, 2017 9:26 PM
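The "untrusted issuer" event in the question and the token-signing-cert question in the replies come down to two trust inputs on the resource-side STS: the account partner's Federation Service URI and the signing certificate imported for it. The following is an added, simplified model of those inbound-token checks (example code written for this page, not ADFS code and not from anyone in the thread); the hostname adfs3.abc.local, the certificate bytes and the token itself are constructed, and the XML signature is not cryptographically verified.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # ADFS 1.x issues SAML 1.1 tokens
DSIG = "http://www.w3.org/2000/09/xmldsig#"


def cert_thumbprint(cert_der: bytes) -> str:
    """SHA-1 thumbprint in the form the ADFS UI shows it (uppercase hex, no separators)."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def build_token(issuer: str, cert_der: bytes, upn: str) -> str:
    """Constructed minimal SAML 1.1 assertion as an account partner would send it over
    WS-Federation. The <ds:Signature> only carries the signing certificate here; a real
    token has a signature value over the assertion as well."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{SAML1}" Issuer="{issuer}" MajorVersion="1" MinorVersion="1">'
        f'<saml:AttributeStatement><saml:Attribute AttributeName="UPN" '
        f'AttributeNamespace="http://schemas.xmlsoap.org/claims">'
        f'<saml:AttributeValue>{upn}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
        f'<ds:Signature xmlns:ds="{DSIG}"><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        f'</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion>'
    )


def check_inbound_token(assertion_xml: str, account_partners: dict) -> tuple:
    """account_partners maps each account partner's Federation Service URI to the thumbprint
    of the token-signing certificate imported for that partner. Returns (accepted, reason).
    Simplification: a real STS also verifies the XML signature over the assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.get("Issuer")                 # SAML 1.1 carries the issuer as an attribute
    upn = root.findtext(f".//{{{SAML1}}}AttributeValue")
    if issuer not in account_partners:
        # The UPN claim is readable even though the token is rejected: a visible UPN in the
        # event log says nothing about whether the issuer is a configured partner.
        return False, f"untrusted issuer {issuer!r} (token carried UPN {upn!r})"
    cert_el = root.find(f".//{{{DSIG}}}X509Certificate")
    if cert_el is None:
        return False, "token is not signed"
    seen = cert_thumbprint(base64.b64decode(cert_el.text))
    if seen != account_partners[issuer]:
        return False, f"signing certificate {seen} is not the one imported for {issuer}"
    return True, f"accepted token for {upn} from {issuer}"
```

Running the check with an issuer string that differs from the configured partner URI, or with a certificate other than the imported one, shows which of the two trust inputs the rejection comes from.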