ADFS as IdP and SP

  • Question

  • Hi!

    I've created a small home lab just for testing purposes, where I have 2 different domains (compa and compb).

    CompA has a DC, ADFS and WEB-server joined to the domain and a WAP outside domain.
    All of CompA-servers are located in subnet 10.10.10.0/24

    CompB has DC and ADFS joined to the domain and a WAP outside domain.
    All of CompB-servers are located in subnet 10.10.20.0/24

    The domain controllers in each domain are also DNS-servers and I've created conditional forwarders between the domains.

    The WEB-server in domain CompA has IIS and Windows Identity Foundation installed and has a simple claim app configured. (https://technet.microsoft.com/en-us/library/dn280939.aspx)

    The ADFS and claim-app work perfectly fine in CompA domain.


    The problem is when I try to use the ADFS-server in CompB as a Claim Provider Trust (IdP) so I can access the application in CompA with users from the CompB domain: the ADFS-server in CompB throws an error after the HRD page.

    Error from the webpage:

    An error occurred
    An error occurred. Contact your administrator for more information.
    Error details
    • Activity ID: 00000000-0000-0000-eb00-0080000000ba
    • Error time: Sat, 07 May 2016 09:48:24 GMT


    And if I check the ADFS-eventlog on ADFS-server in CompB it has the following error:

    Encountered error during federation passive request.
    Additional Data
    Protocol Name:
    wsfed
    Relying Party:
    http://<federationservicename>/adfs/services/trust
    Exception details:
    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'http://fs.compa.se/adfs/services/trust' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationSignInContext.ValidateCore()
       at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    • Edited by Jorrk Saturday, May 7, 2016 10:08 AM
    Saturday, May 7, 2016 10:07 AM

Answers

  • This thread can be closed.
    I've got it to work now and can inform you that it was a real "rookie" mistake.

    I totally forgot to set up CompA's ADFS-server as a Relying Party Trust on the ADFS-server in CompB.

    So 3 correct steps finally solved the issue:

    1. In CompA, add the web app as a Relying Party Trust in ADFS
    2. In CompA, add the ADFS-server in CompB as a Claims Provider Trust in ADFS
    3. In CompB, add the ADFS-server in CompA as a Relying Party Trust in ADFS

    Saturday, May 7, 2016 4:18 PM
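The three steps from the answer above, as an added PowerShell example that is not the poster's own script. It assumes the AD FS PowerShell module on each federation server; fs.compa.se comes from the thread, while fs.compb.se and claimapp.compa.se are placeholders for the CompB federation service and the claim app.

```powershell
# Added example, not from the original thread. Hostnames assumed:
#   fs.compa.se       - CompA federation service (named in the MSIS7007 event)
#   fs.compb.se       - CompB federation service (placeholder)
#   claimapp.compa.se - the WIF claim app in CompA (placeholder)
$compaMeta = 'https://fs.compa.se/FederationMetadata/2007-06/FederationMetadata.xml'
$compbMeta = 'https://fs.compb.se/FederationMetadata/2007-06/FederationMetadata.xml'
$appUrl    = 'https://claimapp.compa.se/'

# Authorization rule used on both relying party trusts: permit every authenticated user.
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Pass the Windows account name through unchanged (used as acceptance and issuance rule).
$passThrough = '@RuleTemplate = "PassThroughClaims" @RuleName = "Pass through account name" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(claim = c);'

# --- Step 1 (run on fs.compa.se): the web app is a relying party of CompA's AD FS.
# The lab app has no metadata endpoint, so identifier and WS-Fed endpoint are set by hand.
Add-AdfsRelyingPartyTrust -Name 'CompA Claim App' -Identifier $appUrl -WSFedEndpoint $appUrl `
    -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $passThrough

# --- Step 2 (run on fs.compa.se): CompB's AD FS is a claims provider (IdP) for CompA.
Add-AdfsClaimsProviderTrust -Name 'CompB AD FS' -MetadataUrl $compbMeta `
    -AcceptanceTransformRules $passThrough

# --- Step 3 (run on fs.compb.se): the step the poster had missed. CompA's AD FS must be
# a relying party of CompB's AD FS; otherwise CompB answers with MSIS7007 because the
# wtrealm 'http://fs.compa.se/adfs/services/trust' matches no configured trust.
Add-AdfsRelyingPartyTrust -Name 'CompA AD FS' -MetadataUrl $compaMeta `
    -IssuanceAuthorizationRules $permitAll -IssuanceTransformRules $passThrough `
    -MonitoringEnabled $true -AutoUpdateEnabled $true

# Check (on fs.compb.se): the identifier quoted in the MSIS7007 event must resolve to a trust.
$rp = Get-AdfsRelyingPartyTrust -Identifier 'http://fs.compa.se/adfs/services/trust'
if (-not $rp) {
    Write-Warning 'No relying party trust matches the identifier from the MSIS7007 event.'
} else {
    $rp | Select-Object Name, Enabled, Identifier, WSFedEndpoint
}
```

The check at the end is the quickest way to map the MSIS7007 text to its cause: the identifier in the event is the wtrealm the partner sent, and it must match an Identifier on one of the local relying party trusts.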