5

I set up a test Server 2008 box with Active Directory and ADFS 2.0. I have an ASP.NET app which uses WIF to federate identity. ADFS is configured to use Active Directory for identity info. I used WIF to configure the client app to use the ADFS endpoint.

When I attempt to load the ASP.NET app as a user from the browser I am redirected to the ADFS endpoint and am prompted for credentials. I have attempted to log in with several user accounts, even resetting passwords, but the credentials never seem to be correct and a 401 Unauthorized is returned. I can log in to other systems successfully with the same credentials.

I have enabled debug trace in verbose mode and enabled auditing in verbose mode but I can't find any errors or info to help me figure out the issue.

How can I get more info to narrow down the problem?

UPDATE:

I found that this issue is caused by my testing environment. My dev machine is on our corporate domain (acme.com). I created two 2008R2 VMs for a test Domain Controller (notacme.com) and Web Server.

If I attempt to access the website from a computer on the acme.com domain the error described above occurs. If I attempt to access the website from a computer on the notacme.com domain it works.

What can I do to access the website from a computer on the acme.com domain?

chief7
  • How is your ADFS authentication mode configured? Forms or Integrated? – shizik Jul 21 '11 at 08:54
  • I think it is configured for integrated. How can I make sure? – chief7 Jul 21 '11 at 19:59
  • 1
    Integrated mode doesn't work in browsers other than IE. You can check the configuration in the web.config file for the adfs web application which is usually in C:\inetpub\adfs\ls in the microsoft.identityServer configuration section. – shizik Jul 21 '11 at 22:34
  • I'm using Internet Explorer 8. – chief7 Jul 22 '11 at 12:45

2 Answers

5

Apparently this was caused by the Extended Protection feature built into ADFS. In trying to troubleshoot this issue I had Fiddler running to track the requests/responses, but at one point I swear I turned it off to test as well and it still didn't work. Apparently I didn't fully remove the Fiddler proxy, because after an IE restart, with Fiddler not running, it worked in IE, but I found it still didn't work in Firefox or Chrome. This led me to a TechNet article which described the behavior I've been seeing in conjunction with using Fiddler.

http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx

chief7
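The following script is an added example, not code from the question or the answer above. It checks the three things this thread turns on: the local authentication handler order in the AD FS 2.0 `ls` web.config (the "Forms or Integrated?" question in the comments), the `ExtendedProtectionTokenCheck` setting that the accepted answer identifies, and whether a leftover debugging-proxy entry is still configured for IE/WinINET on the client. It assumes AD FS 2.0 on Server 2008 R2 at the default `C:\inetpub\adfs\ls` path, the `Microsoft.Adfs.PowerShell` snap-in, and an elevated PowerShell session; the section name `microsoft.identityServer.web` and the `AD FS 2.0` cmdlet names are from the AD FS 2.0 product, everything else (function names, which box to run each part on) is my assumption.

```powershell
# Added example, not from the original post. Run Get-AdfsLocalAuthOrder and
# Get-AdfsExtendedProtectionSetting on the AD FS 2.0 server, Test-WinInetProxy on
# the client whose browser loops on the credential prompt.

function Get-AdfsLocalAuthOrder {
    param([string]$LsConfig = 'C:\inetpub\adfs\ls\web.config')   # default "ls" app path (assumed)
    # AD FS 2.0 offers the handlers listed under <localAuthenticationTypes> in order;
    # the first one the browser can satisfy wins. "Integrated" = Windows Integrated
    # (Kerberos/NTLM, browser sends no form), "Forms" = the FormsSignIn.aspx page.
    [xml]$cfg = Get-Content -Path $LsConfig
    $cfg.configuration.'microsoft.identityServer.web'.localAuthenticationTypes.add |
        ForEach-Object { '{0,-12} -> {1}' -f $_.name, $_.page }
}

function Get-AdfsExtendedProtectionSetting {
    # None    = channel-binding tokens (CBT) are ignored
    # Allow   = CBT is verified when the client sends one
    # Require = sign-in fails unless a CBT is present and matches the TLS channel
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    (Get-ADFSProperties).ExtendedProtectionTokenCheck
}

function Test-WinInetProxy {
    # Fiddler sets ProxyEnable=1 and ProxyServer=127.0.0.1:8888 while capturing. If that
    # entry is left behind, IE (and any browser honouring the WinINET proxy) keeps sending
    # HTTPS through a TLS-terminating proxy, so the CBT the browser computes belongs to
    # Fiddler's TLS session rather than AD FS's. With extended protection on, Integrated
    # sign-in is then rejected with 401 even though the password was right.
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    if ($inet.ProxyEnable -eq 1) {
        'WinINET proxy ENABLED: {0}' -f $inet.ProxyServer
    } else {
        'WinINET proxy disabled'
    }
}

# Lab-only workaround from the TechNet article linked above. Turning the check off also
# removes the protection against an attacker relaying Windows credentials through a
# TLS-terminating man-in-the-middle (which is exactly what Fiddler is), so outside a
# throwaway test environment, remove the proxy instead of running this line:
# Set-ADFSProperties -ExtendedProtectionTokenCheck None

Get-AdfsLocalAuthOrder
Get-AdfsExtendedProtectionSetting
Test-WinInetProxy
```

If `Get-AdfsLocalAuthOrder` lists `Integrated` first, a browser that cannot complete Windows authentication (Firefox or Chrome without Negotiate configured, or any browser behind a proxy that breaks channel binding) will sit in exactly the prompt-and-401 loop described in the question; moving `Forms` to the top of `<localAuthenticationTypes>` is the usual way to get a password page in those browsers without weakening extended protection.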
0

In my experience, every sign-in failure in IIS (including AD FS) is logged in the 'Security' event log as an 'Audit Failure' event, which contains more details. So I would search in the event viewer on the AD FS system, and see what those events have to say. Also in the event viewer, check the 'Applications and Services Logs' -> 'AD FS 2.0' -> Admin event log.

It looks like you did try to look at the HTTP traffic, e.g., using Fiddler. That's good. I presume the problem also occurs when Fiddler is not used?

(Do you perhaps have the problem of a repeated sign-in form, after you entered correct user name and password? Then look at the following answer: ADFS authentication - IE8 works, Chrome fails.)

(I have also seen a case where the initial authentication was successful, resulting in 'Audit Success' events, and then a 401 resulted from a later redirect. Also in this case the event logs on the AD FS system helped.)

Community
  • I'm not seeing any failures in any of these logs. Any ideas? – chief7 Jul 25 '11 at 14:30
  • So you see no 'Audit Success' and no 'Audit Failure' events in the Security event log on your AD FS system, corresponding to the time when you try the failing sign-in? If so, then I'm at a loss. In my experience those events are always there, at least if AD FS is installed correctly (and it seems to be, since it looks like you use this same AD FS instance successfully from another web app). Also, as suggested, look at the HTTP traffic. – MarnixKlooster ReinstateMonica Jul 25 '11 at 16:54
  • No, I'm seeing the audit success messages. If I enter the wrong password I see Audit Failures. I'm also seeing Kerberos Service Ticket operations and Kerberos Authentication Service events. Either way I'm continually presented with the credentials input popup and a 401. – chief7 Jul 25 '11 at 19:15
  • In Fiddler, the requested URL isn't changed regardless of whether I put in valid credentials or not. – chief7 Jul 25 '11 at 19:21
  • Perhaps (just perhaps) your browser does not send cookies? Does the host name have an underscore in it, causing IE not to send cookies? In any case, if you could post a Fiddler trace somewhere, I would take a look at it. – MarnixKlooster ReinstateMonica Jul 26 '11 at 12:23
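The functions below are an added example, not code from the answer or the comments above. They pull the evidence the answer points to: the Security log audit events on the AD FS 2.0 server (the Kerberos and credential-validation events the comments mention), the `AD FS 2.0/Admin` log, and the debug trace the question says was enabled. They assume an elevated PowerShell 2.0 session on the federation server (Server 2008 R2); the lookback window, the sample account name `testuser` and the function names are my assumptions, and the `AD FS 2.0 Tracing/Debug` channel only exists if you enabled it.

```powershell
# Added example, not from the original answer. Run elevated on the AD FS 2.0 server.

function Get-AdfsSignInAudit {
    param(
        [datetime]$Since   = (Get-Date).AddHours(-1),
        [string]  $Account = '*'     # account name to focus on; '*' matches everyone
    )
    # Security-log event IDs on Server 2008 R2:
    #   4624 / 4625  logon succeeded / failed       4776  NTLM credential validation
    #   4768         Kerberos TGT requested         4769  Kerberos service ticket requested
    #   4771         Kerberos pre-authentication failed (bad password, locked out, ...)
    $ids = 4624, 4625, 4768, 4769, 4771, 4776
    Get-EventLog -LogName Security -After $Since |
        Where-Object { ($ids -contains $_.EventID) -and ($_.Message -like "*$Account*") } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, EventID, EntryType,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

function Get-AdfsAdminEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Applications and Services Logs -> AD FS 2.0 -> Admin
    Get-WinEvent -LogName 'AD FS 2.0/Admin' -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

function Get-AdfsDebugTrace {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    # Only present if the debug channel was enabled (wevtutil sl "AD FS 2.0 Tracing/Debug" /e:true).
    # Analytic/debug channels can only be read oldest-first, hence -Oldest.
    Get-WinEvent -LogName 'AD FS 2.0 Tracing/Debug' -Oldest -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

# Usage: reproduce one failing sign-in, then look at the last few minutes.
$window = (Get-Date).AddMinutes(-15)
Get-AdfsSignInAudit -Since $window -Account 'testuser' | Format-Table -AutoSize   # 'testuser' is a placeholder
Get-AdfsAdminEvents  -Since $window | Format-Table -AutoSize
Get-AdfsDebugTrace   -Since $window | Format-Table -AutoSize
```

Read the three outputs together. Audit Failure events (4625, 4771, or a 4776 with a non-zero error code) for your account mean Windows rejected the password, so the problem is upstream of AD FS. Audit Success events (4624, 4768/4769, 4776 with error 0x0) with the browser still getting a 401, which is what the comments above describe, mean Windows accepted the credentials and the rejection happened in the AD FS `ls` application afterwards; that is the pattern you get when the channel-binding check fails, as the accepted answer found, and the Admin log or debug trace around the same timestamp is where AD FS says so.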