Set up ADFS in my home lab. There’s a single server called rak1adfs01.raxnet.global. The ADFS service is called adfs.raxnet.global and in DNS this is a CNAME to the server.
When I go to https://adfs.raxnet.global/adfs/ls/IdpInitiatedSignon.htm I get a login prompt and even though I enter the correct credentials it doesn’t let me in. This is unlike what I am used to at work where we get a forms based screen and that works.
To troubleshoot this I went to the authentication options on ADFS and under the Intranet section I unticked Windows Authentication and Microsoft Passport Authentication, leaving only Forms Authentication ticked.
Restarted the ADFS service and went back to ADFS page again – voila! it signs in. So the issue is definitely the WIA authentication.
I noticed that when the prompt comes up it has my server name in it (rak1adfs01.raxnet.global) rather than the ADFS service name (adfs.raxnet.global). That didn’t make sense – it sounded like my browser was trying to authenticate against the server directly.
Could it be an SPN issue? According to this article I am supposed to have an SPN of the form host/adfs.raxnet.global, and that does exist.
```
C:\Windows\system32>setspn -Q host/adfs.raxnet.global
Checking domain DC=raxnet,DC=global
CN=msvc_ADFS,CN=Managed Service Accounts,DC=raxnet,DC=global
        host/adfs.raxnet.global

Existing SPN found!
```
Looking at the SPNs of rak1adfs01.raxnet.global (my ADFS server) I don’t see anything tying it to my service account. I came across another article, for a single ADFS server, which suggests setting up an SPN for http/<servername>.
```
C:\Windows\system32>setspn -s HTTP/rak1adfs01.raxnet.global msvc_ADFS
Checking domain DC=raxnet,DC=global

Registering ServicePrincipalNames for CN=msvc_ADFS,CN=Managed Service Accounts,DC=raxnet,DC=global
        HTTP/rak1adfs01.raxnet.global
Updated object
```
Once I did that, WIA started working. (If I delete this SPN and create one for http/adfs.raxnet.global instead, WIA fails again. I guess my issue is that since it’s currently a single server, it is being treated as a single-server case rather than an ADFS farm.)
I went back and enabled the Forms Authentication and everything works as usual.
Lessons learnt: 1) WIA takes precedence over Forms Based Authentication; and 2) SPNs must be created against the single server if you have a single server install (even though you might be thinking of it as a farm install because you plan on installing more servers later).
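To make that second lesson checkable rather than something you rediscover at the login prompt, here is an added PowerShell script (not from the original post) that lists the SPNs held by the ADFS service account with setspn -L and compares them with the names that mattered above: host/ and http/ for the service name, plus http/ for each server in a single-server install. The account, farm and server names are the post’s values and are parameters; the script assumes setspn.exe is available on a domain-joined machine.

```powershell
# Added example (not from the original post): audit the SPNs an ADFS service
# account holds against the names the post found to matter for WIA.
# Assumes setspn.exe (inbox on domain-joined Windows) and read access to AD.
param(
    [string]$ServiceAccount = 'msvc_ADFS',            # gMSA from the post
    [string]$FarmName       = 'adfs.raxnet.global',   # ADFS service name
    [string[]]$Servers      = @('rak1adfs01.raxnet.global')
)

function Get-AccountSpns([string]$Account) {
    # setspn -L prints the account DN on the first line, then one
    # indented SPN per line; keep only the indented SPN lines.
    $lines = & setspn.exe -L $Account 2>&1
    if ($LASTEXITCODE -ne 0) { throw "setspn -L failed for $Account`: $lines" }
    $lines | Where-Object { "$_" -match '^\s+\S+/\S+' } |
        ForEach-Object { "$_".Trim().ToLowerInvariant() }
}

function Get-ExpectedSpns([string]$Farm, [string[]]$Hosts) {
    # host/<farm> and http/<farm> are the two farm SPNs; with a single
    # server the post found WIA also needs http/<server fqdn> on the account.
    $expected = @("host/$Farm", "http/$Farm")
    foreach ($h in $Hosts) { $expected += "http/$h" }
    $expected | ForEach-Object { $_.ToLowerInvariant() }
}

function Test-AdfsSpns {
    # SPN service classes are matched case-insensitively, so compare lowercase.
    $have = Get-AccountSpns -Account $ServiceAccount
    $want = Get-ExpectedSpns -Farm $FarmName -Hosts $Servers
    foreach ($spn in $want) {
        $state = if ($have -contains $spn) { 'present' } else { 'MISSING' }
        [pscustomobject]@{ SPN = $spn; State = $state }
    }
}

Test-AdfsSpns | Format-Table -AutoSize

# A duplicate SPN registered on another account breaks Kerberos just as
# quietly as a missing one; setspn -X -F searches the whole forest for them.
& setspn.exe -X -F
```

A MISSING row against http/<server fqdn> on a single-server install is the condition the post hit; any output from the duplicate search should be resolved before adding SPNs with setspn -S.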
As an aside, some useful links:
- Here’s an example of a simple authentication app you can setup that uses ADFS
- If you don’t want to install an app but just want to test ADFS authentication you can always go to https://fqdn.domain.com/adfs/ls/IdpInitiatedSignon.aspx. This will only work on ADFS 2016 if you enable it.
- Lastly, one more SAML test app that you can install.
- The two SPNs that are required for ADFS.