It’s my first time deploying AD FS in a test environment and this particular error wasted hours of my time. Anyway, I’m sharing with you what I did to solve the problem.
DISCLAIMER: I am not an AD FS expert. I just need to have a working AD FS environment (a very simple one) just to get an application running.
First, here’s the environment that I have:
- Active Directory (AD) server
- Active Directory Federation Services (AD FS) server
- Database server (but this is irrelevant in this article)
One way to verify that your AD FS is running is to browse to:
https://FQDN of the federation server/adfs/ls/idpinitiatedsignon.aspx
There’s nothing wrong with accessing that site. It prompted me to type my credentials, so I did. However, it redirected me to /adfs/ls/wia with an HTTP 400 error, saying “The webpage cannot be found.”
Surprisingly, this error only happens in Internet Explorer. It WORKS on Firefox.
- Log in to the domain controller (where AD is installed).
- Run ADSI Edit (Active Directory Services Interfaces Editor). Just search for it on the Start menu.
- On the left pane, right-click on ADSI Edit and click Connect to…
- There’s nothing to change in the default values so you can click OK.
- On the left pane, click on the “Default naming context” to load its contents, then expand it.
- Click on DC=xxxxx,DC=xxxxx (this depends on your domain name), then expand.
- In my case, I used a Group Managed Service Account during AD FS configuration, so I would click on CN=Managed Service Accounts. Expand it afterwards.
- Right-click on CN=xxxx (the name of your service account), then click Properties.
- You will see the attributes under the Attribute Editor.
- Scroll down until you see the servicePrincipalName attribute.
- Double-click on it to bring up the Multi-valued String Editor dialog.
- In the Value to add: field, type the FQDN of the federation server (where AD FS is installed).
- Click OK for both of the dialog boxes.
- You can now check if the error is gone after logging in to /adfs/ls/idpinitiatedsignon.aspx. In my case, it did.
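
The servicePrincipalName attribute edited above is what Kerberos uses to map a service name to an account, and a given SPN value should be registered on one account only. The following read-only PowerShell audit is an added example, not part of the original steps: it lists what is stored on the service account and flags any value for the federation FQDN that is also registered elsewhere. The account name `svc-adfs` and FQDN `fs.example.test` are placeholders, and the ActiveDirectory module (RSAT) is assumed to be installed.

```powershell
# Added example: read-only audit of the SPN state that the ADSI Edit steps change.
# Assumptions (not from the article): 'svc-adfs' and 'fs.example.test' are
# placeholders; the ActiveDirectory module (RSAT) and domain read access are needed.
Import-Module ActiveDirectory

function Get-FederationSpnReport {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,  # AD FS service account (gMSA) name
        [Parameter(Mandatory)] [string] $FederationFqdn   # FQDN of the federation server
    )

    # Values currently stored in servicePrincipalName on the service account.
    $account   = Get-ADServiceAccount -Identity $ServiceAccount -Properties ServicePrincipalNames
    $onAccount = @($account.ServicePrincipalNames)

    # Every object in the domain whose servicePrincipalName mentions the FQDN.
    $filter  = "(servicePrincipalName=*$FederationFqdn*)"
    $holders = Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName

    # Flatten to one row per (SPN, owner) pair, keeping only values for this FQDN.
    $rows = foreach ($obj in $holders) {
        foreach ($spn in $obj.servicePrincipalName) {
            if ($spn -like "*$FederationFqdn*") {
                [pscustomobject]@{ Spn = $spn; Owner = $obj.DistinguishedName }
            }
        }
    }

    # The same SPN value on more than one object is a duplicate registration.
    # Group-Object compares strings case-insensitively by default.
    $duplicates = @($rows | Group-Object -Property Spn | Where-Object Count -gt 1)

    [pscustomobject]@{
        Account        = $account.DistinguishedName
        SpnsOnAccount  = $onAccount
        ValuesForFqdn  = @($rows)
        AccountHasFqdn = [bool]($onAccount -like "*$FederationFqdn*")
        DuplicateSpns  = @($duplicates | ForEach-Object { $_.Name })
    }
}

Get-FederationSpnReport -ServiceAccount 'svc-adfs' -FederationFqdn 'fs.example.test' |
    Format-List
```

An empty `DuplicateSpns` with `AccountHasFqdn` set to `True` means the value is present on the service account and on no other object.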