I spent waaayyyyy too much time trying to resolve this problem, so I am capturing it here in case any of the rest of you run up against it. I installed a new ADFS 3.0 on a Windows Server 2012 R2 machine in my environment, and then configured a new SharePoint SPTrustedIdentityTokenIssuer for it. Every time I tried to authenticate to it I entered my credentials, and then I would get a 400 Bad Request back and the whole thing came to a grinding halt. I was getting no errors in any of the event logs on the ADFS server. What was also weird is that if I configured ADFS to use forms-based authentication instead of Windows authentication, I could log in just fine.
I suspected Kerberos SPN issues, but when I had tried to set it after setting up ADFS (using setspn) it said that the SPN was already set. Well, guess what – turns out that was not true. I finally just went into adsiedit.msc on my domain controller and looked at my service account. If you go into the properties you can scroll down to servicePrincipalName and see exactly what’s configured for it, and sure enough, my ADFS server was not listed there. So, I just added the SPN needed for it – http/yourFqdnAdfsServer – saved it, and authentication started working. As always, note that the SPN is NOT a URL like http://myserver; it’s just the protocol and host name, so http/myserver.
Hopefully this will save you some time. I know a lot of folks build all this out in their labs at home, so start by double-checking your service account SPNs.
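As an added example (not from the original post), the following PowerShell reads the servicePrincipalName attribute straight off the service account, the same thing adsiedit.msc shows, and registers any missing http/host SPN only after confirming no other account already holds it. The account name and host names are placeholders you would replace with your own; it assumes the ActiveDirectory module is available.

```powershell
# Added example, not the post author's code. Placeholder values: replace them.
$ServiceAccount = 'svc-adfs'                               # sAMAccountName of the ADFS service account (assumed)
$AdfsHosts      = @('adfs.contoso.local',                   # federation service FQDN (assumed)
                    'internal-elb-placeholder.elb.amazonaws.com')  # load-balancer CNAME clients use, if any (assumed)

Import-Module ActiveDirectory

# Read the attribute from the account object itself rather than trusting
# what setspn reported earlier.
$account = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName
$current = @($account.servicePrincipalName)
Write-Host "Current SPNs on ${ServiceAccount}:"
$current | ForEach-Object { Write-Host "  $_" }

foreach ($hostName in $AdfsHosts) {
    $spn = "http/$hostName"        # SPN form is protocol/host, not a URL
    if ($current -contains $spn) {
        Write-Host "OK: $spn already registered"
        continue
    }
    # A duplicate SPN breaks Kerberos just as surely as a missing one,
    # so check whether any other object in the forest already claims it.
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if ($owner) {
        Write-Warning "$spn is already registered on $($owner.DistinguishedName); resolve that first"
        continue
    }
    Write-Host "Adding $spn to $ServiceAccount"
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $spn}
    # Equivalent command-line form, which also performs the duplicate check:
    #   setspn -S http/<host> <DOMAIN>\<serviceaccount>
}
```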
You, sir, are a scholar and a gentleman.
You Just saved me 3 days of pain 🙂
Really Thank you very much,
I have a question: in a real production environment, how many SSL certificates are required, and what is required for internet users to access CRM? All I know is it will be IFD, a public IP, and a Web Application Proxy in the DMZ, but I’m not sure.
Thanks so much Steve
You saved me time.
Saved me so much time and got me out of a real pickle! Thank you!
Thank you so much. You are a blessing. God bless.
Thanks, helped me a lot! You saved me hours of looking for a needle in a haystack.
THAAAANK you! Also saved me… Thanks for sharing!
Thank you, I appreciate it. Your post has an eloquence of its own, as do the comments. I will also link to yours as I think it’s important that we, as human beings, express ourselves, share, mourn, and move on.
THANK YOU VERY MUCH
Hello,
Can you tell me in which part of ADSI you find the service account? I can’t find it.
Which Naming Context ?
Thanks,
[…] 400 Bad Request Error with ADFS: https://samlman.wordpress.com/2015/03/02/400-bad-request-error-with-adfs/ […]
This post really helped me, thanks for it.
I had to uncheck “Windows Integrated Authentication” in IE settings otherwise.
You sir… are an effing genius.
Great post and thanks. Just thought I would share my experience:
Be careful when load balancing ADFS.
In my case, I was using ADFS in an AWS environment.
I had ADFS installed on two domain controllers and I used an ELB (Elastic Load Balancer).
I used a classic ELB with HTTPS (443) and had the ADFS cert on it.
I set internal DNS for ADFS to a CNAME for the ELB.
So domain-joined hosts would hit this CNAME to use ADFS Windows auth.
This would periodically produce 401 bad request errors [interestingly it was an approx. 20% error rate].
The issue did not occur all the time, so it worked most of the time.
The fix for me was to set the SPN (add an entry) of the ADFS service account to include http/%CNAME_used%
e.g.
http/internal-elb-98876663.ap.elb.amazonaws.com
This fixed the 401 bad request errors: 50 logins and no errors!
Hope this helps someone!
Cheers,
Dan
What command exactly did you execute to create the SPN for the ADFS service account? Please suggest.