Unable to Authenticate against ADFS

I set up an ADFS today for single sign-on.  When I am routed through Portal.MicrosoftOnline.Com to my Federation DC and enter my credentials (which are valid, thanks to those who were going to ask) the "Windows Security" box reappears immediately.  If I were to put in bogus info, say "asdf and asdf", the box goes away for a longer period of time before it returns asking for creds again.  If I insist my information is correct (which it is) I am finally greeted with a Not Authorized.  If I insist my bogus creds are correct, I am greeted with a different 401 page.  Please help, this is seriously cutting into my Star Trek time...

Not Authorized

HTTP Error 401. The requested resource requires user authentication.

(bogus creds below)

Server Error

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

Verified Answer
  • Hello Mike,

    Per your description, the problem seems related to the DNS resolution. You may verify your DNS configuration referring to the following article:
    Name Resolution Requirements for Federation Server Proxies
    http://technet.microsoft.com/en-us/library/dd807055(WS.10).aspx

    Plan for and deploy Active Directory Federation Services 2.0 for use with single sign-on
    http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652539.aspx

    Meanwhile, you should add the URL of the AD FS server to the trusted zone of IE. This is because IE won't automatically pass the username/password when the ADFS FQDN namespace is in the Internet security zone.

    Sky

  • If IE has default settings you have to put the site in the intranet zone to get automatic username/password.

    You can change this in each zone's settings, setting the automatic logon using username and password.

    If you don't put the site in a zone, you will get the credential prompt when trying to access ADFS.

    If an external nslookup against the ADFS server address does not return the correct IP, the external DNS must be changed. Remember the ADFS URL must match internally and externally, as long as you don't have a service like TMG that can translate between external and internal DNS.

All Replies
  • Hello Mike,

    Based on my experience, this issue may occur if the on-premises Active Directory Federation Services (AD FS) 2.0 Federation server farm is configured incorrectly. Before going further, could you let me know if there is AD FS Proxy server in your environment?

    If you have an AD FS Proxy server, please make sure you have enabled "Anonymous Authentication" from IIS Manager on the AD FS 2.0 Proxy server. Meanwhile, please confirm that you have enabled "Windows Authentication" and "Forms Authentication" from IIS Manager on the AD FS 2.0 Federation server farm.

    To verify these settings above, you can refer to the following steps.

    1.  On the AD FS 2.0 Federation/Proxy server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    2.  In IIS Manager, expand <Server_Name>, expand Sites, expand Default Web Site, and then expand adfs.

    3.  Click ls, and then double-click Authentication.

    4.  Check if these authentication methods have been enabled. If not, please select the corresponding authentication method, and then click Enable under Actions.

    By the way, when you use single sign-on, we recommend you use Windows Internet Explorer. Other browsers, such as Firefox, Safari, and Chrome, do not support Extended Authentication Protection.

    Additional Information
    ==============
    Troubleshooting HTTP 401 errors in IIS
    http://support.microsoft.com/kb/907273/en-us

    You receive an "HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials" error message when you try to access a Web site that is part of an IIS 6.0 application pool
    http://support.microsoft.com/?id=871179

    Thank you.

    Jack Sun

  • Can you please give some more detail of what you are trying to do other than authenticate?

    When you hit the tab after typing in the UPN of the user on portal site, does it grey out the password field?

    This will mean that O365 detected a federated domain.

    Also have you exposed your ADFS to the internet and you can browse adfsserver.yourdomain/adfs/ls (internet facing)?

    This should prompt you for credentials, and entering valid credentials gives you 401 after a couple of tries?

    If so can you go to the IIS logs on the ADFS server and see what type of 401 you are getting? (like 401.1 or 401.2)

    I have found that by setting up the adfs server in IE as intranet (push username and password automatic) that IE fails to negotiate correctly with IIS...so I had to remove and only keep NTLM to get this to work externally.
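The reply above asks for the 401 substatus (401.1 or 401.2) from the IIS site logs. As an added example, not code from this thread, here is a small parser that reads an IIS W3C site log with its `#Fields:` header and reports every 401 with the KB 907273 meaning of its substatus; the sample log lines are constructed, and lines in the HTTP.sys httperr format (the `Timer_ConnectionIdle` style lines) carry no status and are skipped.

```python
"""Pull every HTTP 401 out of an IIS W3C site log together with its substatus."""

# Substatus meanings for HTTP 401 as listed in KB 907273 (IIS 6/7).
SUBSTATUS = {
    1: "401.1 logon failed (credentials rejected, e.g. a failed Kerberos/NTLM exchange)",
    2: "401.2 logon failed due to server configuration (the challenge, or no usable auth method)",
    3: "401.3 unauthorized due to ACL on the resource (check NTFS permissions on adfs/ls)",
    4: "401.4 authorization failed by filter",
    5: "401.5 authorization failed by ISAPI/CGI application",
}

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields: header to name columns.
    HTTP.sys httperr lines (no #Fields header, a reason such as
    Timer_ConnectionIdle) carry no sc-status/sc-substatus and are skipped."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def auth_failures(lines):
    """Return (client ip, uri, substatus explanation) for every 401 in the log."""
    out = []
    for rec in parse_w3c(lines):
        if rec.get("sc-status") != "401":
            continue
        sub = rec.get("sc-substatus", "0")
        sub = int(sub) if sub.isdigit() else 0
        out.append((rec.get("c-ip"), rec.get("cs-uri-stem"),
                    SUBSTATUS.get(sub, f"401.{sub} (not listed in KB 907273)")))
    return out

# Constructed sample: one httperr-style line (skipped) followed by a site log
# showing the 401.2 IIS logs before the client sends a token, a 401.1 logon
# failure, and finally a successful request.
SAMPLE = """\
2011-08-12 01:05:38 72.201.25.140 49458 10.10.0.63 443 - - - - - Timer_ConnectionIdle -
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-08-12 15:28:00 10.10.0.63 GET /adfs/ls/ wa=wsignin1.0 443 - 10.11.1.108 Mozilla/4.0 401 2 5 0
2011-08-12 15:28:01 10.10.0.63 GET /adfs/ls/ wa=wsignin1.0 443 - 10.11.1.108 Mozilla/4.0 401 1 0 15
2011-08-12 15:28:02 10.10.0.63 GET /adfs/ls/ wa=wsignin1.0 443 ESTENSON\\mike 10.11.1.108 Mozilla/4.0 200 0 0 31
""".splitlines()
```

Run `auth_failures(open(r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex110812.log"))` against a real site log (path is an example) to see which substatus the ADFS server is actually returning.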

  • Thanks guys, I will reply to both of you.

    I have not set up a proxy yet.  I am working internally right now; the proxy will be my next step.

    I have enabled "Anonymous Auth" as well as "Windows Authentication".  When I attempted to enable "Forms Auth" it complained about enabling both ... "Challenge-based and login redirect-based authentication cannot be used simultaneously."

    I am attempting this mostly on IE 8 and IE 9.

    The ADFS is exposed (kinda).  We presently have the firewall restricted to only allow Microsoft and my personal/home domain to pass through (my personal domain for testing).

    When hitting the Microsoft Portal and entering my UPN the site does notify me that I must authenticate against my domain (estenson.com)

    When attempting to hit the ADFS directly I receive the following:  (I was receiving the 401 yesterday, but those seem to have faded overnight...?)

    elcvmfeddc01.estenson.com

    There was a problem accessing the site. Try to browse to the site again.

    If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

    Reference number: eadb33e9-f214-47a2-ad2f-c7e2987bb62f

    Checking the AD FS 2.0 logs I see this:

    Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: ID3242: The security token could not be authenticated or authorized.  (There is more but I am trying not to make this a novel, can include the rest if needed)

    The IIS logs for this morning look like this:

    2011-08-12 01:05:38 72.201.25.140 49458 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 03:23:38 ::1%0 64262 ::1%0 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 04:45:13 10.10.0.64 58743 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 14:58:00 10.11.1.103 59266 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 15:28:00 10.11.1.108 63472 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 16:29:05 10.11.1.120 53664 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    2011-08-12 16:50:50 10.11.1.127 63517 10.10.0.63 443 - - - - - Timer_ConnectionIdle -

    Again, thanks for any and all help with this!!!

  • Hello Mike,

    Before going further, I would like to clarify that we just need to enable "Windows Authentication" and "Forms Authentication" on AD FS Federation server. The "Anonymous Authentication" is for AD FS 2.0 Proxy server.

    According to the previous post, I noticed that you exposed the AD FS services to internet using your firewall.

    When the AD FS service endpoint is exposed to the Internet, internal corporate clients may become "confused" by the public DNS advertisement of this endpoint, and try to connect to the Internet endpoint by going out through the firewall instead of connecting directly to the AD FS Federation Service. To prevent this, you should create a "split DNS" effect for internal clients. On the internal DNS server, you should create a primary DNS zone for the domain that is advertising the AD FS endpoint name. For example, if the AD FS endpoint name is sts.contoso.com, you must create a primary DNS zone for contoso.com. In the same way, please advertise the Internet IP address of the AD FS endpoint on the external DNS server.

    Meanwhile, when you expose the AD FS services to the internet using your firewall, please configure an exception from authentication for the Microsoft Online URLs and applications. For more information, please refer to the following article:

    Firewall prevents users from using Office 365 services from rich clients
    http://support.microsoft.com/kb/2410859

    Thank you.

    Jack Sun

  • Hi Mike, I think you are missing the last part of the IIS logs with the type of authentication failure.

    Just to make things a bit clearer, in IIS management console go to the ADFS node.

    This should only have anonymous authentication activated.

    The /adfs/ls node has, as of a standard install, anonymous authentication and Windows Authentication enabled.

    Now depending on what you want to use to authenticate the user with; I am using IWA (Windows Auth).

    So the only thing you need to check is that the user you are trying to authenticate has the correct permissions to browse this node in IIS. By default the local Users group has read access. Check that the users accessing ADFS are at least members of that group (by default on a domain-joined machine the Domain Users group gets added automatically).

    So if you are accessing ADFS from a client on the internal net (domain with ADFS in), you should also see a logon attempt in the security logs of the ADFS server. Usually you will see the user accessing and what protocol they are using (Kerberos or NTLM). For me Kerberos is working, I have had some problems with Negotiation, Kerberos works but NTLM does not.

    A proxy is only optional, so if you have a proxy like a TMG you can publish ADFS as a normal website.

    Good luck

  • I have split DNS setup.  Entry internally and in our external dns.

  • Looking in the security logs, I do not see a single attempt where my enterprise admin account is registering as an attempted login.

  • So something new and fun...

    When Portal.MicrosoftOnline.com redirects me to my ADFS, I have the issue above and it dumps me to a 401 page.  If on that 401 page I remove the machine.domain.com and replace it with the internal IP address... (drum roll) ... it works.  Another thing that is interesting is this:  If I attempt the same thing using Firefox, Safari or Chrome on the domain-joined machine, I have to replace the name with the IP for authentication to work.  However, if I use a machine that is not a member of our domain but is connected to our domain network, Firefox, Safari and Chrome are prompted for credentials and, when supplied, sign into 365/ADFS without issue.

    So to recap, because I am sure you now all believe I am taking crazy pills:  non-domain machines are able to use a non-Microsoft browser to authenticate to ADFS.  However, non-domain and domain machines are unable to authenticate to ADFS using IE without replacing the name with the IP (and this is both IE 8 and 9).

    Now, before anyone asks, ALL machines, both domain and non domain machines resolve the DNS internally.

    -Ping to DNS resolves to correct internal IP

    -Ping -a to IP resolves to correct DNS

    -NSLookup finds correct DNS Server and ADFS machine

    But IE cannot resolve DNS to IP...

  • Hello Mike,

    I am interested in this issue. Would you mind letting us know the result of Sky and Lerun's suggestions? Does federation work properly after you add the URL of the AD FS server to the trusted zone of IE?

    Thank you.

    Jack Sun

  • Mr.Mike:

    I am having a very similar issue, actually.  I've set up a proxy, with external DNS resolution.  I've set up the federation server with internal DNS resolution.

    When I access externally (both domain and non-domain), I am prompted with a form from the proxy server, and I can log in.

    When I am internal, I am prompted with a pop-up dialog box (from the federation server) that refuses my credentials every time.  If I replace the hostname with the IP it works.  (I would not have thought to try that, because DNS is working perfectly.)

    Anyway, so what is IE doing?  I've confirmed my DNS settings are correct.  Nslookup, ping, etc. all return correctly. IE is doing something itself, and I couldn't trick it with a hosts file.

    FF 5.x works without any form of prompting, or interaction. I clicked "sign in at <my domain>" and it just works, instantly.

    Thanks for any tips!

  • I am having the exact same problem.  I am also able to connect the same by entering the IP in the hostname.  DNS resolution works.

  • I finally determined that this problem was caused by using a CNAME instead of an A record to point to my Federation server.  The CNAME breaks kerberos authentication.  Seems the documentation needs to be much clearer about setting up this component.


  • I'm having the same problems, and the only way to get sign-in working internally is using forms and the internal DNS adfs.domain.com pointing to the ADFS proxy server IP, which is in the DMZ. Any ideas where the problem might be?