Problems using federated auth. for the WAP Admin portal

    Question

  • Hi

    I'm completely new to WAP and followed Marc van Eijk's TechEd presentation on how to set up a test environment: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/DCIM-B317#fbid=

    The only difference is that I used my existing ADFS server (which also has a proxy). This went smoothly and I could log into the Tenant site with my domain account. I then tried to repeat the steps from the presentation to set up federated login for the admin site, but I ran into problems and I’m not sure how to troubleshoot this.

    I go to https://wapadmin.mydomain.com, am redirected, log in to ADFS and I’m redirected back. I then briefly see the same “progress circle” as you normally would, but then I get:

    “Access Denied

    User does not have permissions to access the Service Management API”

    If I Google that message, I end up for example here:

    http://contoso.se/blog/?p=4004

    I’ve tried to run the command and I also checked that the user is listed in the mp.AdminUsers/mp.AuthorizedAdminUsers in the Microsoft.MgmtSvc.Store database.

    Both the AdminSite and TenantSite are set up on port 443 with a proper wildcard certificate. The rest of the sites are on the same ports as when WAP was installed. All servers are 2012 R2.

    Any tips on how to solve or troubleshoot this will be greatly appreciated.

    Tuesday, September 02, 2014 7:51 PM

Answers

  • Hey Frank,

    I suspect you added the username in the format 'domain\alias'. AD FS, if you followed Marc's session, will give you the UPN in the format username@domain.com. Can you please double-check this and add the UPN of the user?

    Please let me know if this is not the case and if so, it would be useful if you can give me the exact values you added.

    Thanks

    --

    Shri

    • Marked as answer by Frank Wiggum Tuesday, September 02, 2014 10:28 PM
    Tuesday, September 02, 2014 9:47 PM
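
The fix from the answer above, as an added PowerShell example (not code from the thread or from the presentation): it resolves accounts entered as 'domain\alias' to the UPN that AD FS issues and registers that UPN as a WAP admin user. The SQL server name and the account list are placeholders, and treating the output of Get-MgmtSvcAdminUser as a list of principal strings is an assumption.

```powershell
# Added example. Run on a WAP server with the MgmtSvcAdmin module and the
# Active Directory RSAT module installed.
Import-Module MgmtSvcAdmin
Import-Module ActiveDirectory

# Placeholder connection string (assumption): point it at the SQL instance
# that hosts the Microsoft.MgmtSvc.Store database.
$connectionString = 'Data Source=SQLSERVER.example.local;' +
                    'Initial Catalog=Microsoft.MgmtSvc.Store;Integrated Security=True'

# Constructed sample input: one down-level name, one name already in UPN form.
$requested = @('MYDOMAIN\frank', 'admin2@mydomain.com')

function ConvertTo-Upn {
    param([Parameter(Mandatory)][string]$Account)

    # Already in user@domain form: this is what the UPN claim will contain.
    if ($Account -match '^[^\\@]+@[^\\@]+$') { return $Account }

    # domain\alias form: look up the account and read its UPN from AD.
    if ($Account -match '^(?<domain>[^\\]+)\\(?<sam>[^\\]+)$') {
        $user = Get-ADUser -Identity $Matches.sam -Server $Matches.domain `
                           -Properties UserPrincipalName
        if (-not $user.UserPrincipalName) { throw "No UPN is set for $Account" }
        return $user.UserPrincipalName
    }
    throw "Unrecognised account format: $Account"
}

# Assumption: the cmdlet returns the registered principals as strings.
$existing = @(Get-MgmtSvcAdminUser -ConnectionString $connectionString)

foreach ($account in $requested) {
    $upn = ConvertTo-Upn -Account $account
    if ($existing -contains $upn) {          # -contains is case-insensitive
        Write-Output "Already an admin user: $upn"
    }
    else {
        Add-MgmtSvcAdminUser -Principal $upn -ConnectionString $connectionString
        Write-Output "Added admin user: $upn (requested as $account)"
    }
}
```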

All replies

  • Hi

    Thank you!!! You are 100% correct, I added the user as 'domain\user' and by changing it to 'username@domain.com', I could log in successfully to the admin site.

    Tuesday, September 02, 2014 10:45 PM