ACS & ADFS 3.0 on Windows 2012 R2 / Trusted Identity provider
I have a SharePoint 2013 farm and ADFS 3.0 deployed to Azure VMs.
I have also set up 2 different trusted identity providers in SP 2013. One points to ADFS directly. The other is ACS with the same ADFS server configured as an IdP.
When authenticating against the ADFS trusted identity provider everything works as expected.
When using the ACS trusted identity provider, the request is authenticated but it tries to re-authenticate on every request.
This does not happen with a local SP 2013 farm with the exact same trusted identity configuration.
I read somewhere that it might have something to do with the clocks / time server on the machines. Azure VMs are set up to use UTC time on all servers in the network environment.
Any help is appreciated.
January 10th, 2014 12:24am
Hi,
I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
Thanks for your understanding!
Best Regards
January 10th, 2014 10:43am
What do you mean by "it tries to re-authenticate on every request"? Do you mean the user needs to type their username/password every time a new request is made? Or do you mean the user is redirected to ACS, which recognizes the user has been authenticated?
Or something else? And are you using SharePoint's web UI or programmatically working with SharePoint?
Anyway, if you're using the SharePoint UI, check the browser cookie. For more information, please post on the SharePoint ITPro forum, as this is an IT issue rather than a development issue. If you're programmatically working with SharePoint, check if the security token is correct, and whether it has expired or not. You may also want to use WAAD.
January 12th, 2014 8:16pm
What do you mean by "it tries to re-authenticate on every request"? Do you mean the user needs to type their username/password every time a new request is made? Or do you mean the user is redirected to ACS, which recognizes the user has been authenticated?
Sorry, let me clarify what I meant. SharePoint 2013 redirects to http://webappurl/_trust for every request. The user is then prompted to select one of 2 trusted identity providers. Once the ACS IdP is selected, ACS redirects to ADFS and then back to SharePoint without asking for credentials. It's even worse if I only have the ACS IdP configured in SharePoint. It just loops authentication on every request until ADFS throws an error.
And are you using SharePoint's web UI or programmatically working with SharePoint?
I use the UI, PowerShell, and programmatically farm solutions and apps for SP 2013. The browser cookies are fine. As I stated, if I remove ACS as the IdP and go directly to ADFS, everything works fine. Also, if ADFS is on premises (not hosted on an Azure VM), everything works fine.
- Edited by Ashkan1974, 6 hours 17 minutes ago
January 15th, 2014 12:00am
Thank you.
I'll be patient.
January 15th, 2014 12:02am
Hi,
I am from Azure Support and would like to help you find a resolution for your issue.
Can you take a fiddler trace of the issue and share with me?
January 16th, 2014 3:06pm
January 16th, 2014 7:30pm
Absolutely.
- Edited by Ashkan1974, 17 hours 33 minutes ago: removed fiddler capture log
January 17th, 2014 3:28am
I figured out the solution.
ACS Timeout was set to 10 minutes. I increased to 1 hour and no longer get re-authenticated on every request.
Maybe the clocks are over 10 minutes off between ACS and the IaaS hosted ADFS / SharePoint servers.
January 27th, 2014 1:17pm
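An added check that is not part of the thread, covering both hypotheses raised above (token lifetime and clock skew). In SharePoint 2013 the security token service treats a SAML token as stale once its remaining validity is less than LogonTokenCacheExpirationWindow (default 10 minutes), so an IdP token lifetime of 10 minutes or less yields an effective session lifetime of zero and a redirect to /_trust on every request, which matches the symptom here. The script below reads that window from the farm, computes the effective lifetime for an assumed IdP token lifetime, measures clock offset against a reference host with w32tm, and optionally lowers the window. The parameter defaults (10 minutes, adfs.contoso.local) and the -Apply switch are assumptions for this walkthrough, not settings from the original post. Run it in the SharePoint 2013 Management Shell as a farm administrator.

```powershell
# Added example, not code from the thread. Checks the SharePoint 2013 STS settings
# that interact with a short SAML token lifetime, and measures clock offset against
# the federation side. Defaults below are hypothetical.
param(
    [int]$IdpTokenLifetimeMinutes = 10,              # assumed ACS relying-party token lifetime
    [string]$TimeReference = "adfs.contoso.local",   # hypothetical ADFS host used as time reference
    [switch]$Apply                                    # lower LogonTokenCacheExpirationWindow if needed
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$sts    = Get-SPSecurityTokenServiceConfig
$window = [int]$sts.LogonTokenCacheExpirationWindow.TotalMinutes

Write-Host ("LogonTokenCacheExpirationWindow : {0} min" -f $window)
Write-Host ("IdP token lifetime (assumed)     : {0} min" -f $IdpTokenLifetimeMinutes)

# SharePoint subtracts the expiration window from the token lifetime; the remainder is
# how long a browser session lives before SharePoint sends the user back to /_trust.
$effective = $IdpTokenLifetimeMinutes - $window
if ($effective -le 0) {
    Write-Warning ("Effective session lifetime is {0} min: every token is considered stale " +
                   "and SharePoint redirects to /_trust on each request.") -f $effective
} else {
    Write-Host ("Effective session lifetime       : {0} min" -f $effective)
}

# Clock offset against the reference host. With /dataonly, w32tm prints one
# "<time>, <offset>s" line per sample; a signed offset such as "+00.0123456s".
$samples = w32tm /stripchart /computer:$TimeReference /samples:3 /dataonly 2>&1
$offsets = foreach ($line in $samples) {
    if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if ($offsets) {
    $maxAbs = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    Write-Host ("Max clock offset vs {0}: {1:N3} s" -f $TimeReference, $maxAbs)
    # WIF-based validators tolerate 5 minutes of skew by default; beyond that, tokens
    # are rejected as not-yet-valid or already expired regardless of lifetime.
    if ($maxAbs -gt 300) {
        Write-Warning "Clock skew exceeds 5 minutes; fix time sync before tuning token lifetimes."
    }
} else {
    Write-Warning ("Could not measure clock offset against {0}: {1}" -f $TimeReference, ($samples -join ' '))
}

# Remediation: the window must be shorter than the IdP token lifetime. Here it is set
# to half the lifetime (at least 1 minute); raising the lifetime on the IdP side, as
# the thread did, is the alternative.
if ($Apply -and $effective -le 0) {
    $newWindow = [math]::Max(1, [math]::Floor($IdpTokenLifetimeMinutes / 2))
    $sts.LogonTokenCacheExpirationWindow = New-TimeSpan -Minutes $newWindow
    $sts.Update()
    Write-Host ("LogonTokenCacheExpirationWindow set to {0} min; run iisreset on each web server." -f $newWindow)
}
```

With the thread's original values (10 minute ACS lifetime, default 10 minute window) the script reports an effective lifetime of 0 and warns; with the 1 hour lifetime the poster moved to, it reports 50 minutes. The w32tm section is the direct test of the clock theory raised in the question: if the reported offset is well under five minutes, skew is not the cause and the lifetime arithmetic is.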