
I am configuring a POC for SharePoint with authentication to a third-party account provider and running into several issues while following the documentation provided by Microsoft at http://technet.microsoft.com/en-us/library/cc731443(v=ws.10).aspx. Most of the documentation which I have seen is for ADFS 2.0 RTW.

The issue is that when I am trying to access the SharePoint site, I get redirected to the account provider ADFS site with an NTLM prompt pop-up. Once I enter my credentials I get the following error:

The token request for application with URL "https://spadfsweb.spdev.com/_layouts/Authenticate.aspx?Source=/" cannot be fulfilled because the URL does not identify any known trusting application.

Here is my setup

ADFS account provider (ADFS Role and DC are in separate machines)

  • Windows 2008 R2
  • ADFS role added
  • Has the following parameters for the ADFS
    • token signing certificate "sts.adfsaccount.spaccount.com"
    • Federation Service URI
      • urn:federation:accountprovider
    • Federation service endpoint url
      • https://sts.adfsaccount.spaccount.com/adfs/ls/
  • Exported the token signing certificate and imported that in resource partner ADFS

ADFS Resource Partner (ADFS role and DC are in separate machines)

  • Windows 2008 R2
  • ADFS role added
  • Has the following parameters for the ADFS
    • Token signing certificate "sts.staging.spresource.com"
    • Federation Service URI
      • urn:federation:resourceprovider
    • Federation service endpoint url
      • https://sts.staging.spresource.com/adfs/ls/
  • Has the following trusted application which is sharepoint
  • Exported the token signing certificate and imported that into account partner ADFS

And below are the steps showing how I have configured the SharePoint site:

# Load the token signing certificate exported from the account partner ADFS
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Data\Certs\stsadfsaccount_exporttokensign.cer")
# Register it as a trusted root authority in the SharePoint farm
New-SPTrustedRootAuthority -Name "Account Token Signing Cert" -Certificate $cert
# Map the incoming e-mail and role claims unchanged
$map = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" -IncomingClaimTypeDisplayName "EmailAddress" -SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" -IncomingClaimTypeDisplayName "Role" -SameAsIncoming
# Create the trusted identity token issuer (realm = resource provider URI, sign-in URL = account partner ADFS)
$ap = New-SPTrustedIdentityTokenIssuer -Name "Staging Provider" -Description "User account domain from adfs to provide authentication" -Realm "urn:federation:resourceprovider" -ImportTrustCertificate $cert -ClaimsMappings $map,$map2 -SignInUrl "https://sts.adfsaccount.spaccount.com/adfs/ls/" -IdentifierClaim "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

---SharePoint has the uri of resource provider, signing certificate of the account partner and adfs url of the account partner

Please let me know if I am doing something wrong.

Thanks, Deepak

1 Answers


You seem to suggest you're using ADFS 1.0. And indeed, if you followed http://technet.microsoft.com/en-us/library/cc731443%28v=ws.10%29.aspx as you say, then you've configured ADFS 1.0, as opposed to the successor AD FS 2.0. In my opinion any new deployment should be using AD FS 2.0.

Your error message is described on the ADFS 1.0 troubleshooting page; quoting:

Condition: server error

Error: The token request for application with URL https://... cannot be fulfilled because the URL does not identify any known trusting application

Solution: This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service. For more information about how to do this, see Complete the Add Applications Wizard.

For a claims-aware application, verify that the return URL is typed correctly in the application’s web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.

For a Windows NT token-based application, verify that the return URL is typed correctly on the ADFS Web Agent tab of IIS and that it matches the application URL in the trust policy of the Federation Service.

Also, in case you don't know already, for ADFS 1.0 Microsoft created the ADFS Diagnostic Tool; see this blog post to download. This tool might prove useful in tracking down this specific problem.

Hope this helps...
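As an added illustration of the check the answer quotes (example code written for this page, not taken from the question, the answer or Microsoft's ADFS code): a simplified model that tests whether a token request URL is covered by one of the application URLs in a Federation Service trust policy, and reports which component (scheme, host or path) breaks the match. The trust policy entries are constructed sample values, the request URL is the one from the error message, and the case-insensitive prefix-matching rule is an assumption for illustration, not ADFS's actual implementation.

```python
from urllib.parse import urlsplit

# Constructed sample: application URLs as they might be listed in the resource
# Federation Service's trust policy (sample values, not from any real policy).
TRUST_POLICY_APPLICATIONS = ["https://spadfsweb.spdev.com/"]

# The URL quoted in the error message in the question.
FAILING_REQUEST_URL = "https://spadfsweb.spdev.com/_layouts/Authenticate.aspx?Source=/"


def normalize(url):
    """Reduce a URL to (scheme, host, path): scheme/host lowercased,
    default port dropped, query string discarded, empty path -> '/'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # hostname is already lowercased
    default = {"https": 443, "http": 80}.get(scheme)
    if parts.port and parts.port != default:
        host = f"{host}:{parts.port}"
    return scheme, host, parts.path or "/"


def path_covers(app_path, req_path):
    """Assumed rule: the application path is a segment-aligned prefix of the
    request path ('/sites/a' covers '/sites/a/x' but not '/sites/abc')."""
    app = app_path.lower().rstrip("/") + "/"
    return (req_path.lower().rstrip("/") + "/").startswith(app)


def find_trusting_application(request_url, applications):
    """Return the first trust policy entry covering request_url, or None."""
    r_scheme, r_host, r_path = normalize(request_url)
    for app in applications:
        a_scheme, a_host, a_path = normalize(app)
        if (a_scheme, a_host) == (r_scheme, r_host) and path_covers(a_path, r_path):
            return app
    return None


def explain_mismatch(request_url, applications):
    """For each non-matching entry, name the first component that differs,
    so either the trust policy entry or the application's return URL can be fixed."""
    r_scheme, r_host, r_path = normalize(request_url)
    reasons = []
    for app in applications:
        a_scheme, a_host, a_path = normalize(app)
        if a_scheme != r_scheme:
            reasons.append((app, "scheme"))
        elif a_host != r_host:
            reasons.append((app, "host"))
        elif not path_covers(a_path, r_path):
            reasons.append((app, "path"))
    return reasons
```

Running `find_trusting_application(FAILING_REQUEST_URL, [])` reproduces the "no known trusting application" situation; adding the site's base URL to the list makes it match.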