I'm trying to set up active federation for ADFS Proxy 2.0. Passive federation works fine (and therefore I expect that I have configured the ADFS proxy correctly), but when I use active federation, I get the following exception: "The HTTP request was forbidden with client authentication scheme 'Anonymous'".
I'm using the following code:
```csharp
// Usings assumed for WIF 3.5 (Microsoft.IdentityModel); the question does not state the WIF version.
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.Protocols.WSTrust.Bindings;

// Requests a bearer token for the relying party from the usernamemixed endpoint via the ADFS proxy.
static SecurityToken RequestToken(string username, string password, string relyingPartyIdentifier)
{
    var factory = new WSTrustChannelFactory(
        new UserNameWSTrustBinding(SecurityMode.TransportWithMessageCredential,
                                   HttpClientCredentialType.Digest),
        "https://adfs-proxy/adfs/services/trust/13/usernamemixed");
    factory.Credentials.UserName.UserName = username;
    factory.Credentials.UserName.Password = password;
    factory.Credentials.HttpDigest.AllowedImpersonationLevel =
        TokenImpersonationLevel.Impersonation;
    factory.TrustVersion = TrustVersion.WSTrust13;

    var rst = new RequestSecurityToken
    {
        RequestType = RequestTypes.Issue,
        AppliesTo = new EndpointAddress(relyingPartyIdentifier),
        KeyType = KeyTypes.Bearer
    };

    var channel = factory.CreateChannel();
    return channel.Issue(rst);
}
```
Fiddler displays the following response (I get the same error without Fiddler as well):
```
HTTP/1.1 403 Forbidden
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 01 Jun 2015 13:06:16 GMT

0
```
There is the following message in ADFS trace log:
```
WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource https://adfs-proxy:443/adfs/services/trust/13/usernamemixed/.
```
If I change the url to point to the original ADFS server, not proxy, the code above works fine (sending the same request to ADFS).
The /adfs/services/trust/13/usernamemixed endpoint is allowed in the ADFS server for the proxy.
I have also found out that when I access the following link pointing to ADFS proxy server:
```
https://adfs-proxy/federationmetadata/2007-06/federationmetadata.xml
```
I get 403 Forbidden response as well. I see the same message in ADFS trace log:
```
WSTrustProxyListener.ProcessRequest: Rejected front-end request to resource https://adfs-proxy:443/FEDERATIONMETADATA/2007-06/FEDERATIONMETADATA.XML.
```
Wireshark shows me that there is no network request from ADFS proxy to main ADFS server.
If I specify the original ADFS server (not the proxy) for this link, everything is fine and the correct XML is returned. Actually, for the ADFS proxy I get 403 Forbidden for any request to the following listeners (if I hit them in IE), regardless of whether they are allowed for the ADFS proxy or not:
```
https://+:443/FederationMetadata/2007-06/
http://+:80/adfs/services/trust/
https://+:443/adfs/services/trust/
```
I tried running ADFS Proxy service under various accounts, including Network Service and local administrator.
How can I get rid of this error and set up active federation for the ADFS proxy?
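As an added check that is not part of the original question: the question states that the usernamemixed endpoint is "allowed for the proxy", and the AD FS 2.0 PowerShell snap-in on the federation server (not the proxy) shows exactly which endpoints are published to the proxy. The snippet below lists the two endpoints the question exercises, the WS-Trust usernamemixed endpoint and the federation metadata endpoint, with their `Enabled` and `Proxy` flags; the paths are taken from the question and the commented `Set-ADFSEndpoint` line is the documented way to publish an endpoint to the proxy.

```powershell
# Run on the AD FS 2.0 federation server, not on the proxy.
# Added example for checking endpoint proxy publication; not code from the original question.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The two endpoints the question's requests hit through the proxy.
$paths = @(
    '/adfs/services/trust/13/usernamemixed',
    '/FederationMetadata/2007-06/FederationMetadata.xml'
)

# AddressPath comparison with -contains is case-insensitive, matching the upper-cased trace entry.
Get-ADFSEndpoint |
    Where-Object { $paths -contains $_.AddressPath } |
    Select-Object AddressPath, Enabled, Proxy, Protocol, SecurityMode |
    Format-Table -AutoSize

# If Proxy is False for the WS-Trust endpoint, publish it to the proxy:
# Set-ADFSEndpoint -TargetAddressPath '/adfs/services/trust/13/usernamemixed' -Proxy $true
```

Both rows should show `Enabled` and `Proxy` as `True` for the proxy to forward those requests; a `Proxy` value of `False` is consistent with the `Rejected front-end request` trace message, since the proxy refuses the request locally without contacting the federation server, which matches the absence of proxy-to-ADFS traffic in Wireshark. The proxy reads this endpoint configuration from the federation server when its service starts, so restart the AD FS proxy service after changing it.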