ADFS 3.0 Error Event ID 511 & 364 When Using Web Application Proxy
We are trying to set up our development environment and are running into an issue where WAP comes into play with ADFS. Details below.
Our ADFS server is tied to Active Directory and works great with one of the relying parties we trust.
But when we installed Web Application Proxy for this ADFS server and published this relying party (RP) through WAP as a claims-aware application, the ADFS authentication challenge no longer works. Below is the flow:
- I browse to the external address of this published application.
- The user is redirected to the ADFS sign-in page with an error on it.
When I went to the ADFS 3.0 Event Viewer, I see two errors, Event IDs 511 and 364.
A few notes: I am using a certificate issued by our internal CA for the ADFS server. The published WAP application also uses a certificate issued by our internal certification authority. Does the certificate for this published application need to be issued by a public CA even though this is a dev environment setup?
Error with Event ID 511:
An inbound request is not allowed due to incorrect configuration of the Federation Service.
Request url: /adfs/ls?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=<masked>&returnUrl=<masked>&client-request-id=<masked>
User Action: Review the Federation Service configuration and perform the following steps: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that the Web Application Proxy trust exists, is enabled, and has identifiers that match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the Web Application Proxy, and has identifiers that match the sign-in request parameters.
Error with Event ID 364:
An error was encountered during a passive federation request.
Additional Data
Protocol Name:
Relying Party:
Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or invalid. For more information, contact your administrator.
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Any help would be greatly appreciated! Please let me know if you need more information.
The root of this problem for me was a hosts file entry on my development machine that pointed my federation server domain name to a specific ADFS machine in our farm, not the NLB IP of our web application farm. So make sure your federation server domain name resolves to your Web Application Proxy.
I was led to this by a comment in the following forum thread:
http://community.spiceworks.com/topic/593638-sharepoint-2013-web-application-proxy
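As an added check for the cause described in the answer (this script is not from the thread), here is a PowerShell diagnostic to run on the client machine: it flags any hosts-file override of the federation service name and verifies that the name resolves to the WAP address. The federation service name and the WAP VIP are placeholders you replace with your own values.

```powershell
# Added diagnostic, not part of the original thread. Both values below are placeholders.
param(
    [string]$FederationFqdn     = 'adfs.example.com',   # placeholder: your federation service name
    [string]$ExpectedWapAddress = '203.0.113.10'        # placeholder: NLB VIP of your WAP farm
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Look for a static hosts-file override of the federation service name. Such an entry
#    silently bypasses DNS and can send the browser straight to one ADFS farm member instead
#    of the WAP, so the request never carries the WAP proxy-trust context ADFS expects.
$overrides = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($FederationFqdn))(\s|$)" }

if ($overrides) {
    Write-Warning "hosts file ($hostsPath) overrides ${FederationFqdn}:"
    $overrides | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host "No hosts-file override for ${FederationFqdn}."
}

# 2. Resolve the name the way the client actually will (hosts file first, then DNS) and
#    compare the answer with the WAP address the published application is reached through.
$resolved = @()
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($FederationFqdn) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
} catch {
    Write-Warning "Could not resolve ${FederationFqdn}: $($_.Exception.Message)"
}

if ($resolved -contains $ExpectedWapAddress) {
    Write-Host "OK: ${FederationFqdn} resolves to the WAP address ${ExpectedWapAddress}."
} else {
    Write-Warning "${FederationFqdn} resolves to [$($resolved -join ', ')], not to the WAP address ${ExpectedWapAddress}."
    Write-Warning "Sign-in requests will hit ADFS directly; expect Event ID 511 / MSIS7009 until this is fixed."
}

# 3. Optional: show what DNS itself answers, independent of the hosts file, to tell a local
#    override apart from a wrong DNS record.
if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
    Resolve-DnsName -Name $FederationFqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
        Select-Object Name, IPAddress
}
```

Run it on the machine whose browser shows the error, since the hosts file that matters is the client's, not the ADFS server's.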