AD FS: HTTP 400 Error in adfs/ls/wia

It’s my first time deploying AD FS in a test environment and this particular error wasted hours of my time. Anyway, I’m sharing with you what I did to solve the problem.

DISCLAIMER: I am not an AD FS expert. I just need to have a working AD FS environment (a very simple one) just to get an application running.

First, here’s the environment that I have:

  • Active Directory (AD) server
  • Active Directory Federation Services (AD FS) server
  • Database server (irrelevant to this article)

One way to verify that AD FS is running is to browse to the IdP-initiated sign-on page:

https://<FQDN of the federation server>/adfs/ls/idpinitiatedsignon.aspx

(On AD FS 2016 and later this page is disabled by default; enable it on the AD FS server with Set-AdfsProperties -EnableIdPInitiatedSignonPage $true.)

There’s nothing wrong with accessing that page. It prompted me to type my credentials, so I did. However, it redirected me to /adfs/ls/wia with an HTTP 400 error, saying “The webpage cannot be found.”

Surprisingly, this error only happens in Internet Explorer. It WORKS in Firefox. The reason is that AD FS only sends a browser to /adfs/ls/wia (Windows Integrated Authentication, i.e. Kerberos/NTLM) when its User-Agent matches the WIASupportedUserAgents list; Internet Explorer is on that list by default and Firefox is not, so Firefox gets forms-based sign-in and never touches the Kerberos path. For the WIA endpoint to work, the AD FS service account must hold a Kerberos service principal name (SPN) for the federation service; a missing or duplicated SPN is the usual cause of an HTTP 400 there, which is what the steps below fix.

SOLUTION

  1. Log in to the domain controller (where AD is installed).
  2. Run ADSI Edit (Active Directory Service Interfaces Editor). Just search for it on the Start menu.
  3. On the left pane, right-click on ADSI Edit and click Connect to…
  4. There’s nothing to change in the default values so you can click OK.
  5. On the left pane, click on the “Default naming context” to load its contents, then expand it.
  6. Click on DC=xxxxx,DC=xxxxx (this depends on your domain name), then expand.
  7. In my case, I used Group Managed Service Account during AD FS configuration, so I would click on CN=Managed Service Accounts. Expand it afterwards.
  8. Right-click on CN=xxxx (the name of your service account), then click Properties.
  9. You will see the attributes under the Attribute Editor.
  10. Scroll down until you see the servicePrincipalName attribute.
  11. Double-click on it to bring up the Multi-valued String Editor dialog.
  12. In the Value to add: field, type the SPN for the federation service: HTTP/ followed by the FQDN of the federation server (for example HTTP/adfs.contoso.com; an SPN is always a service class, a slash, then the host name). Use the host name that browsers see in the sign-on URL, i.e. the federation service name, which is not necessarily the server’s own name if the two differ. If that SPN is already registered on another account, Kerberos fails the same way, so remove it there first.
  13. Click OK for both of the dialog boxes.
  14. You can now check whether the error is gone by logging in to /adfs/ls/idpinitiatedsignon.aspx again. In my case, it was.
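The same change scripted in PowerShell, as an added example that is not part of the original post and not Microsoft’s own tooling. It does what steps 1 to 14 do in ADSI Edit, but also checks for a duplicate SPN first, since a duplicate breaks Kerberos just as a missing SPN does. The federation service name (adfs.contoso.com) and the gMSA name (adfs-gmsa) are placeholders to replace; run it on the domain controller (or any host with the RSAT ActiveDirectory module) as a domain admin.

```powershell
# Added example (not from the original post): register the AD FS SPN with
# PowerShell instead of ADSI Edit.
#
# Placeholder values, replace with your own:
#   $FsName - the federation service name, i.e. the host in the URL the browser
#             opens (https://$FsName/adfs/ls/...). On the AD FS server,
#             (Get-AdfsProperties).HostName prints it.
#   $Gmsa   - the gMSA that AD FS runs under (name without the trailing $).
param(
    [string]$FsName = 'adfs.contoso.com',
    [string]$Gmsa   = 'adfs-gmsa'
)
Import-Module ActiveDirectory

# SPN format is <service class>/<host>; HTTP is the class the browser asks for.
$spn = "HTTP/$FsName"

# Look for the SPN on ANY object in the directory before touching the account:
# a duplicate SPN makes the KDC refuse the ticket just like a missing one.
$holders = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
$account = Get-ADServiceAccount -Identity $Gmsa -Properties servicePrincipalName

$foreign = $holders | Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
if ($foreign) {
    throw "SPN $spn is already registered on: $($foreign.DistinguishedName -join ', '). Remove it there first."
}

if ($account.servicePrincipalName -contains $spn) {
    Write-Host "SPN $spn is already present on $($account.DistinguishedName)"
} else {
    # Same edit as the Multi-valued String Editor in step 12, done through the AD cmdlets.
    Set-ADServiceAccount -Identity $Gmsa -ServicePrincipalNames @{ Add = $spn }
    Write-Host "Added $spn to $($account.DistinguishedName)"
}

# Print the resulting SPN list; it should match what ADSI Edit shows for
# servicePrincipalName on the account.
(Get-ADServiceAccount -Identity $Gmsa -Properties servicePrincipalName).servicePrincipalName
```

After the SPN is in place, run klist purge on the client so it requests a fresh ticket before retrying the sign-on page in Internet Explorer. On the AD FS server, (Get-AdfsProperties).WIASupportedUserAgents shows which User-Agent strings get sent to /adfs/ls/wia, which explains why Firefox never hit the error in the first place.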