0
votes

I have a SharePoint site running on an Azure virtual machine. Now I want to authenticate my SharePoint site with Azure AD users.

For this I have followed the link below, but I am getting an error after login.

Using Microsoft Azure Active Directory for SharePoint 2013 authentication

I have implemented it as given in the reference link, but I am still facing the error. When I access my URL from the browser, it asks me which provider I want to log on through.


Then, on selection of the ACS provider, it redirects me to the Office 365 login. After I submit my credentials, it redirects me to

https://testvm.cloudapp.net/_trust/

and I get an error. So I checked the SharePoint log and found the error below.

Cannot find site lookup info for request Uri urn:sharepoint:spvms.

SPAudienceValidator: Audience uri 'urn:sharepoint:spvms is not valid for the context.

Getting Error Message for Exception Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The Audience URI could not be validated.

SPSaml11SecurityTokenHandler: Audience validation failed for request 'https://testvm.cloudapp.net/_trust/' with the following audience URIs: 'urn:sharepoint:spvms', .

Application error when access /_trust/, Error=The Audience URI could not be validated.
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

2
Did you manage to solve it? – Alex K.
Not yet, still the same error. – User5590

2 Answers

0
votes

It sounds like the authentication to Azure AD is working and the redirect to SharePoint is working properly. Use Get-SPTrustedIdentityTokenIssuer and verify the realm... it looks like the realm being sent from Azure ACS does not match the realm you used in PowerShell.
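
The following is an added example (not part of the answer above) of how to carry out that check on the SharePoint server. It compares the realms SharePoint is configured to accept, taken from Get-SPTrustedIdentityTokenIssuer, with the audience URI that the ULS log shows the token was issued for ('urn:sharepoint:spvms', copied from the question). The issuer name is whatever you used with New-SPTrustedIdentityTokenIssuer; the script does not assume a particular one.

```powershell
# Added example, not from the original answer. Run in the SharePoint Management Shell
# (or any elevated PowerShell on the SharePoint server) as a farm administrator.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# The audience URI reported by SPAudienceValidator in the ULS log (value taken from the question).
$audienceFromLog = 'urn:sharepoint:spvms'

# Every trusted identity provider registered in the farm, with the realm(s) it will accept.
$issuers = Get-SPTrustedIdentityTokenIssuer
$issuers | Select-Object Name, DefaultProviderRealm, ProviderUri |
    Format-Table -AutoSize

foreach ($issuer in $issuers) {
    # SharePoint validates the SAML <Audience> against the default realm plus any
    # per-web-application realms added with ProviderRealms (URL -> realm map).
    $acceptedRealms = @($issuer.DefaultProviderRealm) + @($issuer.ProviderRealms.Values)

    if ($acceptedRealms -contains $audienceFromLog) {
        Write-Host "Issuer '$($issuer.Name)' accepts audience '$audienceFromLog'; the mismatch is elsewhere (check the -SignInUrl / certificate)."
    }
    else {
        Write-Warning ("Issuer '{0}' expects realm(s) {1} but ACS issued the token for '{2}'. " +
            "Make the relying-party realm in ACS and the -Realm given to New-SPTrustedIdentityTokenIssuer identical (string-for-string, including case and trailing slash)." `
            -f $issuer.Name, ($acceptedRealms -join ', '), $audienceFromLog)
    }
}
```

The comparison is a plain string match because that is how SPAudienceValidator treats it: `urn:sharepoint:spvms` and `urn:sharepoint:spvms/` are two different audiences, so fix the value on whichever side is wrong rather than loosening validation.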

0
votes

I got a working solution for that. The thing is, you shouldn't use New-MsolServicePrincipal to connect Azure AD and ACS.

Instead, you add your ACS as an app in Azure AD.


Then view its endpoints and copy the FEDERATION METADATA DOCUMENT link.


Paste the copied link into the URL field of your identity provider in ACS.


NOTE: If you used New-MsolServicePrincipal, you will need to use Remove-MsolServicePrincipal. Otherwise Azure won't let you register an app with the same URL.
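
As an added example (not from the answer above), this is the cleanup step the NOTE describes: find the service principal that was created with New-MsolServicePrincipal for the ACS namespace and remove it, so that the same URL can be registered as an app in the portal. The ACS namespace URL is an assumed placeholder; replace it with yours. The MSOnline (Msol) cmdlets used here are the ones the answer refers to; Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell, so on a current tenant the equivalent is Get-MgServicePrincipal / Remove-MgServicePrincipal.

```powershell
# Added example, not from the original answer. Requires the MSOnline module
# (Install-Module MSOnline) and a Global Administrator sign-in.
Connect-MsolService

# Placeholder: the ACS namespace you registered with New-MsolServicePrincipal.
$acsUrl = 'https://yournamespace.accesscontrol.windows.net/'

# Match on the service principal name list, which is where the URL/realm
# given to New-MsolServicePrincipal ends up.
$conflicting = Get-MsolServicePrincipal |
    Where-Object { $_.ServicePrincipalNames -contains $acsUrl }

if (-not $conflicting) {
    Write-Host "No service principal carries SPN '$acsUrl'; nothing to remove."
    return
}

# Show what will be deleted before touching anything; -WhatIf keeps this a dry run.
$conflicting | Select-Object DisplayName, AppPrincipalId, ObjectId, ServicePrincipalNames |
    Format-List

foreach ($sp in $conflicting) {
    Remove-MsolServicePrincipal -ObjectId $sp.ObjectId -WhatIf
    # Drop -WhatIf once the listing above shows only the principal you created by hand.
}
```

Run it once with -WhatIf to confirm the match is the principal you created manually and not an application Azure AD registered for you, then run the Remove line for real and register the ACS app through the portal as described in the answer.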