MSIS7102: Requested Authentication Method is not supported on the STS

  • Question

  • Hi Everyone,

    A user has reported getting the error while trying to access SharePoint Online on a non-domain-joined device on the internal LAN (the device is joined to Azure AD, though). The user can access Exchange Online without any issue. On checking the ADFS server, I have the error logged: "MSIS7102: Requested Authentication Method is not supported on the STS." I have checked some articles online and it seems enabling Forms Based Authentication will resolve the issue. I would like to try this out; I just want to be sure that it will not impact the domain-joined users who are currently making use of the Windows Integrated Authentication setting for ADFS authentication.


    Akinzo

    Thursday, December 29, 2016 5:19 PM

Answers

  • Hi David,

    You can safely enable Forms Based authentication in the Global Authentication policy. I do this on all ADFS environments I build, along with enabling the wstrust13 endpoint; it is necessary for ADAL to work. ADFS will detect, based on the user agent, whether the browser supports WIA.

    Note that there might be browsers in your environment that support WIA that are not in the list.

    For example, to add Microsoft Edge to the supported list, back up your ADFS environment and run these commands on your primary ADFS server in an ADFS 3.0 environment.

    # Read the current WIA user-agent list and append the Edge token
    $agents = (Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Edge/1"
    # Write the extended list back to the farm properties
    Set-AdfsProperties -WIASupportedUserAgents $agents

    Good luck!

    Shane


    Friday, December 30, 2016 4:15 AM

All replies

  • Hello Shane,

    Thank you for the above.

    I'd like to ask, based on the script above, why you used "Edge/1" for Edge and not the full version like "Edge/15.1", etc.? Or does this cover all versions starting with 1?

    Kindly shed more light on this.

    Thank you

    Tuesday, February 21, 2017 11:23 PM
  • I'm not sure why this was marked as the answer, when it was not verified as a working solution.  I tried this solution myself and it did not work for me.
    Friday, February 8, 2019 9:28 PM
  • FYI, I fixed this problem using this blog post:

    http://www.mistercloudtech.com/2016/08/22/how-to-resolve-an-error-occurred-in-crm-for-office-365-with-adfs/

    In case the blog link dies, the steps are as follows:

    First, verify which authentication methods your ADFS service is configured to support:

    • Open Server Manager on the primary ADFS for Windows Server 2012 R2 server
    • Click Tools, and then click AD FS Management.
    • In the AD FS snap-in, click Authentication Policies.
    • Review the Global Settings in the Primary Authentication section.
    • To support modern authentication, the Authentication Method for both Intranet and Extranet must have the Forms Authentication option enabled.

    Follow these steps to enable forms-based authentication for both authentication methods:

    • In the AD FS snap-in, select the Authentication Policies branch.
    • Under the Primary Authentication section, click Edit next to Global Settings.
    • In the Edit Global Authentication Policy dialog box, click the Primary tab.
    • In both the Extranet and Intranet sections, ensure the Forms Authentication check box is enabled.

    Though it is not required, I recommend that you restart the ADFS service:

    • Open an elevated PowerShell prompt on the primary ADFS server
    • Run the following Windows PowerShell command:
      Restart-Service adfssrv
    • Repeat this on any secondary ADFS servers

     Many thanks to for finding and authoring this solution!


    • Edited by TS Evans Friday, February 8, 2019 9:42 PM
    Friday, February 8, 2019 9:42 PM
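
The snap-in steps in the last reply can also be done from PowerShell. The following is an added example, not part of the thread or the linked blog post: it reads the global authentication policy, adds Forms Authentication to the intranet and extranet primary methods while keeping whatever is already enabled (so Windows Integrated Authentication stays in place for domain-joined clients), and prints the WIA user-agent list discussed earlier. The helper name `Add-FormsProvider` is hypothetical; the script assumes an elevated session on the primary AD FS server (Windows Server 2012 R2).

```powershell
# Added example: run elevated on the primary AD FS server (AD FS 3.0).
Import-Module ADFS

$policy = Get-AdfsGlobalAuthenticationPolicy

# Current state: which primary methods each zone offers
'Intranet before: ' + ($policy.PrimaryIntranetAuthenticationProvider -join ', ')
'Extranet before: ' + ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
'WIA fallback to forms: ' + $policy.WindowsIntegratedFallbackEnabled

# Hypothetical helper: return the existing provider list with
# FormsAuthentication appended only if it is not already present.
function Add-FormsProvider {
    param([string[]]$Current)
    $list = @($Current)
    if ($list -notcontains 'FormsAuthentication') {
        $list += 'FormsAuthentication'
    }
    return ,$list
}

$intranet = Add-FormsProvider $policy.PrimaryIntranetAuthenticationProvider
$extranet = Add-FormsProvider $policy.PrimaryExtranetAuthenticationProvider

# Existing methods (e.g. WindowsAuthentication) are passed back unchanged,
# so enabling forms does not switch off WIA for domain-joined clients.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider $intranet `
    -PrimaryExtranetAuthenticationProvider $extranet

# Confirm the result
Get-AdfsGlobalAuthenticationPolicy |
    Format-List PrimaryIntranetAuthenticationProvider,
                PrimaryExtranetAuthenticationProvider,
                WindowsIntegratedFallbackEnabled

# User agents AD FS will attempt WIA with; others get the forms page
(Get-AdfsProperties).WIASupportedUserAgents
```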