We are trying to set up our Development environment and we are facing issue's when WAP comes in play with ADFS. Below is what we have so far.
Our ADFS Server is tied to Active Directory and is working fine with one of the Claims aware relying party we have.
But when we installed the Web Application Proxy for this ADFS server and published this Claims aware RP in the WAP the ADFS Challenge is no longer working. Below is the flow
- I'm to reach the External Url of this published app
- User is getting re-directed to the ADFS Challenge screen with Error on it.
When I went to the ADFS 3.0 event viewer, I see two errors with Event ID 511, 364.
Few things to note- I'm using a certificate issued by our Internal CA for ADFS Server. The published application in the WAP is using a certificate issued by our Internal CA. Does this certificate of this published app must be issued issued by public CA even though this is a dev. environment setup ?
Error with Event ID 511-
The incoming sign-in request is not allowed due to an invalid Federation Service configuration.
Request url: /adfs/ls?version=1.0&action=signin&realm=urn'%'3AAppProxy'%'3Acom&appRealm= masked it on purpose&returnUrl=masked it on purpose&client-request-id= masked it on purpose
User Action: Examine the Federation Service configuration and take the following actions: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
Error with Event ID 364-
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details. at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request) at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request) at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any help would be greatly appreciated!!! Please let me know if you need more information.
