
Environment:

  • Outlook 2016
  • Windows Server 2016
  • Microsoft Visual Studio Community 2017

Description of problem:

I am working on an Outlook add-in that is supposed to authenticate against an ADFS Server.

After carefully following the steps outlined here: https://tech.greenhouse.io/2016/08/01/create-adfs-instance-on-azure-virtual-machine.html

I am able to log in via ADFS successfully in both Internet Explorer and Chrome externally as an ADFS user.

However, when trying to use the same approach to log in via the Outlook add-in, I get a page that says the following:

ADFS Login
An error occurred
An error occurred. Contact your administrator for more information.
Error details
© 2016 Microsoft

Here are the sample log files.

Outlook Add-in:

Add-in successfully started up.
User interaction in Outlook ribbon happened.
SAML SP login: https://validsslcertdomain.com/saml2/login/?idp=http://adfsserverinazurecloud.com/adfs/services/trust
SAML IDP Url: https://adfsserverinazurecloud.com/adfs/ls/?SAMLRequest=jZJNTxsxEIbv/RWWLzntejcSKrWyiwJR1AhKo2RBKrfBOymWvPbWYxPCr8ebpBQuUa8z7/vM5+TipTPsGT1pZ6tRmRcjhla5Vtvf1eiumWfno4v6y4SgM72cxvBkV/gnIgWWjJbkkKh49FY6IE3SQockg5Lr6Y8bOc4LCUToQ8LzD5b+tKf3LjjlDGfTv+4rZyl26Nfon7XCu9VNxZ9C6EkKETFrqSizAJAHHcButMFcuU4MtcYCFAnOZqlrbWGA/bO+y6HdUI5AIVKujIst9H0Or9EfQENamAGzmFVct9lr2M7nv+J18RDV9a5vtilDFHFhKRFDxcdF+TUri6w8b8pSFmfy7NsDZ8vjZJfa7nd8cg2PBxHJ702zzJY/1w1n98db8STg9f4wcl/Ys7nzHYTTyCGSut/spRJtmn/H6/9dZIcBWgggJuJD4fr4HreJvZgtndFqx6bGuO2VRwhY8Q0YQv7eIGeiPhA+/1T9Bg==&RelayState=/
SAML WIA Url: https://adfsserverinazurecloud.com/adfs/ls/wia?SAMLRequest=jZJNTxsxEIbv/RWWLzntejcSKrWyiwJR1AhKo2RBKrfBOymWvPbWYxPCr8ebpBQuUa8z7/vM5+TipTPsGT1pZ6tRmRcjhla5Vtvf1eiumWfno4v6y4SgM72cxvBkV/gnIgWWjJbkkKh49FY6IE3SQockg5Lr6Y8bOc4LCUToQ8LzD5b+tKf3LjjlDGfTv+4rZyl26Nfon7XCu9VNxZ9C6EkKETFrqSizAJAHHcButMFcuU4MtcYCFAnOZqlrbWGA/bO+y6HdUI5AIVKujIst9H0Or9EfQENamAGzmFVct9lr2M7nv+J18RDV9a5vtilDFHFhKRFDxcdF+TUri6w8b8pSFmfy7NsDZ8vjZJfa7nd8cg2PBxHJ702zzJY/1w1n98db8STg9f4wcl/Ys7nzHYTTyCGSut/spRJtmn/H6/9dZIcBWgggJuJD4fr4HreJvZgtndFqx6bGuO2VRwhY8Q0YQv7eIGeiPhA+/1T9Bg==&RelayState=/&client-request-id=a1209b03-ffed-419c-4904-0080000000f4

ADFS Server:

Error ID: 364

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
System.FormatException: Invalid length for a Base-64 char array or string.
   at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
   at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
   at System.Convert.FromBase64String(String s)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.DecodeMessageInternal(String message)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
   at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Here is the sample code on the add-in:

// String definitions
string samlAcs = Properties.Settings.Default.samlAcs;
string samlIdp = Properties.Settings.Default.samlIdp;
string serverUrl = Properties.Settings.Default.serverUrl;
string loginUrl = serverUrl + "/saml2/login/?idp=" + samlIdp;
var acsUrl = serverUrl + samlAcs;
string wiaHtmlBody = "";
HttpResponseMessage response;

try
{
    response = await client.GetAsync(loginUrl);
...
try
{
    response = await client.GetAsync(response.Headers.Location);
...
var wiaUrl = response.Headers.Location.ToString();
if (wiaUrl[0] == '/') wiaUrl = serverUrl + wiaUrl;
try
{
    response = await client.GetAsync(wiaUrl);
    response.EnsureSuccessStatusCode();
    wiaHtmlBody = await response.Content.ReadAsStringAsync();
...
var wiaDoc = new XmlDocument();
try
{
    wiaDoc.Load(new StringReader(wiaHtmlBody));
    var samlNode = wiaDoc.DocumentElement.SelectSingleNode("//input[@name='SAMLResponse']");
    string samlResponse = samlNode.Attributes["value"].Value;
...

This throws the following exception at the point where it expects an XML document from the server:

Exception: System.NullReferenceException: Object reference not set to an instance of an object.

A similar issue: https://serverfault.com/questions/753149/ad-fs-3-0-event-id-364-while-creating-mfa-and-sso

Question: What steps would I have to take to resolve this problem?

Thanks in advance.

Tony Abou-Assaleh
Max Revine

1 Answer


It appears that wiaUrl is not URL encoded because you are converting it to a string when retrieving it from response.Headers.Location. This would explain why the base-64 decoder is failing because ADFS first tried to URL-decode the SAML request message.

In other words, you must pass either a URL encoded string to client.GetAsync(wiaUrl) or a URI object.

Tony Abou-Assaleh
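The mechanism the answer describes, modelled end to end as an added example. This is not the asker's add-in code and not code from the page or the linked articles; it is Python standing in for the .NET calls, with the hostnames and the AuthnRequest constructed for the example. dotnet_uri_tostring() models the part of System.Uri.ToString() that matters here, turning %2B, %2F and %3D back into + / = (the "SAML WIA Url" line in the log above already shows those characters unescaped); server_query_value() models the IdP's query parsing, where a literal + is a space; dotnet_from_base64() models Convert.FromBase64String(), which skips whitespace and then rejects a string whose length is no longer a multiple of 4, which is the exception in the AD FS trace.

```python
"""Model of the encoding bug behind the AD FS event 364 'Invalid length for a Base-64' error.

Added example, not the asker's add-in code. Python stands in for the .NET calls;
hostnames and the AuthnRequest are constructed for the example.
"""
import base64
import zlib
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed WIA endpoint, not the asker's real AD FS host.
IDP_SSO_URL = "https://adfs.example.test/adfs/ls/wia"

# Constructed SAML AuthnRequest (not the one carried in the log above).
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-1" Version="2.0" IssueInstant="2017-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.test/saml2/acs/">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "https://sp.example.test/saml2/metadata/</saml:Issuer></samlp:AuthnRequest>"
)


def redirect_binding_encode(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (SAML 2.0 Bindings, 3.4.4.1)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def build_sso_url(saml_request_b64: str, relay_state: str = "/") -> str:
    """The Location header the SP sends: every reserved byte in the value is percent-encoded."""
    query = urlencode({"SAMLRequest": saml_request_b64, "RelayState": relay_state})
    return IDP_SSO_URL + "?" + query


def dotnet_uri_tostring(url: str) -> str:
    """Model of System.Uri.ToString(), which returns an unescaped form of the URI.
    Only the three base64 characters are modelled; the real method unescapes more."""
    return url.replace("%2B", "+").replace("%2F", "/").replace("%3D", "=")


def server_query_value(url: str, name: str) -> str:
    """Model of the IdP's query parsing: percent-decoding, with a literal '+' meaning space."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)[name][0]


def dotnet_from_base64(value: str) -> bytes:
    """Convert.FromBase64String semantics: whitespace is skipped, then the length must be 4-aligned."""
    return base64.b64decode("".join(value.split()), validate=True)


def saml_request_round_trip(url: str) -> Tuple[str, str]:
    """Send `url` to the modelled IdP and report which stage fails: 'ok', 'base64' or 'inflate'."""
    value = server_query_value(url, "SAMLRequest")
    try:
        raw = dotnet_from_base64(value)
    except ValueError as exc:  # binascii.Error is a ValueError
        return "base64", f"{type(exc).__name__}: {exc}"
    try:
        return "ok", zlib.decompress(raw, -15).decode("utf-8")
    except (zlib.error, UnicodeDecodeError) as exc:
        return "inflate", f"{type(exc).__name__}: {exc}"


def literal_plus_in_query(url: str) -> bool:
    """Quick check for a captured URL: a raw '+' inside the query is the tell-tale sign."""
    return "+" in urlsplit(url).query


if __name__ == "__main__":
    good = build_sso_url(redirect_binding_encode(AUTHN_REQUEST))  # what Headers.Location holds
    bad = dotnet_uri_tostring(good)                               # what Location.ToString() gives
    print("escaped  :", saml_request_round_trip(good)[0], "literal + :", literal_plus_in_query(good))
    print("unescaped:", saml_request_round_trip(bad)[0], "literal + :", literal_plus_in_query(bad))
    # A value certain to contain '+' regardless of what DEFLATE produces: base64 of 0xFB 0xFF is '+/8='.
    forced = build_sso_url("+/8=")
    print("forced   :", saml_request_round_trip(dotnet_uri_tostring(forced))[1])
```

Running it reports "ok" for the percent-encoded URL and a base64-stage failure for the ToString() form; the forced case uses a value chosen to contain a + so the failure does not depend on what DEFLATE happens to produce for the sample request. literal_plus_in_query() is the check to run on a captured URL such as the "SAML WIA Url" line above. In the add-in, the fix the answer points to is to hand response.Headers.Location itself to client.GetAsync, or, where a string is needed, to use Location.AbsoluteUri, which keeps the percent-encoding. Note also that when the Location header is relative it should be resolved against the request that returned it (new Uri(response.RequestMessage.RequestUri, location)) rather than prefixed with serverUrl, since the WIA endpoint lives on the AD FS host, not on the SP.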