ACS & ADFS 3.0 on Windows 2012 R2 / Trusted Identity provider

I have a SharePoint 2013 farm and ADFS 3.0 deployed to Azure VMs.

I have also set up 2 different trusted identities in SP 2013. One points to ADFS directly. The other is ACS w/ the same ADFS server configured as an IDP.

When authenticating against the ADFS trusted identity provider everything works as expected.

When using the ACS trusted identity provider, the request is authenticated but it tries to re-authenticate on every request.

This does not happen with a local SP 2013 farm with the exact same trusted identity configuration.

I read somewhere that it might have something to do w/ the clocks / timeserver on the machines. Azure VMs are set up to use UTC time on all servers in the network environment.

Any help is appreciated.

January 10th, 2014 12:24am

Hi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thanks for your understanding!
Best Regards
January 10th, 2014 10:43am

What do you mean by "it tries to re-authenticate on every request"? Do you mean the user needs to type their username/password every time a new request is made? Or do you mean the user is redirected to ACS which recognizes the user has been authenticated? Or something else? And are you using SharePoint's web UI or programmatically working with SharePoint?
 
Anyway, if you're using SharePoint UI, check the browser cookie. For more information, please post on SharePoint ITPro forum, as this is an IT issue rather than development issue. If you're programmatically working with SharePoint, check if the security token is correct, and whether it has expired or not. You may also want to use WAAD.
January 12th, 2014 8:16pm

What do you mean by "it tries to re-authenticate on every request"? Do you mean the user needs to type their username/password every time a new request is made? Or do you mean the user is redirected to ACS which recognizes the user has been authenticated?

Sorry let me clarify what I meant. SharePoint 2013 redirects to http://webappurl/_trust for every request. The user is then prompted to select one of 2 Trusted Identity providers. Once the ACS IDP is selected, ACS redirects to ADFS and then back to SharePoint without asking for credentials. It's even worse if I only have the ACS IDP configured in SharePoint. It just loops authentication every request until ADFS throws an error.

And are you using SharePoint's web UI or programmatically working with SharePoint?

Use UI, PowerShell and programmatically using farm solutions and apps for SP 2013. The browser cookies are fine. As I stated, if I remove ACS as the IDP and go directly to ADFS everything works fine. Also, if ADFS is on premise (not hosted on an Azure VM), everything works fine.


January 15th, 2014 12:00am

Thank you.

I'll be patient.

January 15th, 2014 12:02am


Hi,

I am from Azure Support and would like to help you find a resolution for your issue.

Can you take a fiddler trace of the issue and share with me?

January 16th, 2014 3:06pm

Absolutely.

Fiddler Capture

January 16th, 2014 7:30pm


I figured out the solution.

ACS Timeout was set to 10 minutes. I increased it to 1 hour and no longer get re-authenticated on every request.

Maybe the clocks are over 10 minutes off between ACS and the IaaS hosted ADFS / SharePoint servers.

January 27th, 2014 1:17pm
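To make the interaction between the issuer's token lifetime, the relying party's clock and SharePoint's own expiry window concrete, here is a small model added to this thread; it is not code from any of the posters or from Microsoft. It assumes a SAML-style NotBefore/NotOnOrAfter pair on the token, uses SharePoint's default LogonTokenCacheExpirationWindow of 10 minutes (the value reported by Get-SPSecurityTokenServiceConfig) as the window SharePoint subtracts from the token's expiry before it considers the session dead and redirects to /_trust, and treats a clock offset between issuer and farm as the hypothesis the poster raised, not as a confirmed cause. Sample timings are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed issuer-side clock for the sample run (ACS is the issuer in the thread).
ISSUER_NOW = datetime(2014, 1, 27, 13, 0, tzinfo=timezone.utc)

# SharePoint's default LogonTokenCacheExpirationWindow is 10 minutes.
DEFAULT_CACHE_WINDOW_MINUTES = 10


def issue_token(issued_at, lifetime_minutes):
    """Stamp the validity conditions an issuer puts on a bearer token (assumed SAML-style fields)."""
    return {
        "NotBefore": issued_at,
        "NotOnOrAfter": issued_at + timedelta(minutes=lifetime_minutes),
    }


def sharepoint_session_remaining_seconds(token, rp_now, cache_window_minutes=DEFAULT_CACHE_WINDOW_MINUTES):
    """Seconds left before SharePoint's STS treats the token as expired.

    SharePoint subtracts LogonTokenCacheExpirationWindow from NotOnOrAfter; once the
    farm's clock passes that point the session is discarded and the browser is sent
    back to /_trust. A non-positive result means the token is dead on arrival, which
    is the redirect loop described in the thread.
    """
    cutoff = token["NotOnOrAfter"] - timedelta(minutes=cache_window_minutes)
    return int((cutoff - rp_now).total_seconds())


def simulate_login(lifetime_minutes, rp_clock_offset_seconds=0,
                   cache_window_minutes=DEFAULT_CACHE_WINDOW_MINUTES, transit_seconds=2):
    """Issue a token on the issuer's clock, validate it on the relying party's clock.

    rp_clock_offset_seconds is how far the SharePoint farm's clock runs ahead (+) or
    behind (-) the issuer's; transit_seconds is the redirect round trip through ADFS.
    Returns (accepted, remaining_seconds).
    """
    token = issue_token(ISSUER_NOW, lifetime_minutes)
    rp_now = ISSUER_NOW + timedelta(seconds=transit_seconds + rp_clock_offset_seconds)
    remaining = sharepoint_session_remaining_seconds(token, rp_now, cache_window_minutes)
    return remaining > 0, remaining


def max_rp_clock_lead_minutes(lifetime_minutes, cache_window_minutes=DEFAULT_CACHE_WINDOW_MINUTES):
    """Largest lead the farm's clock may have over the issuer's before every login loops."""
    return lifetime_minutes - cache_window_minutes


if __name__ == "__main__":
    # The two ACS settings from the thread, with and without a skewed farm clock.
    for lifetime in (10, 60):
        for offset_min in (0, 15, 55):
            ok, left = simulate_login(lifetime, rp_clock_offset_seconds=offset_min * 60)
            verdict = "session OK" if ok else "redirect to /_trust"
            print(f"lifetime={lifetime:>3} min  farm clock +{offset_min:>2} min  "
                  f"remaining={left:>6}s  {verdict}")
        print(f"  tolerable clock lead with {lifetime}-minute tokens: "
              f"{max_rp_clock_lead_minutes(lifetime)} min")
```

Two things fall out of the model. A 10-minute token with the default 10-minute window never has positive remaining time, so it loops even with perfectly synchronised clocks; a 60-minute token leaves roughly 50 minutes, and that margin is also the largest clock lead the farm can have before the loop returns. If clock skew is suspected, comparing the farm's time against the issuer's (and the NTP source each uses) is the check to run before lengthening token lifetimes further, since longer bearer tokens widen the replay window.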
