I have created a test website that I want to login to using an ADFS server connected to an AD. When I use the generated STS-provider project the login works fine, but when I try to use a real ADFS server installed on a win 2008 server I get this error message:
[UriFormatException: Invalid URI: The format of the URI could not be determined.]
System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +7225919
System.Web.Security.SingleSignOn.SignInResponse.get_Target() +164
[InvalidOperationException: The protocol message in the current request is malformed. The event log on the server contains detailed information.]
System.Web.Security.SingleSignOn.SignInResponse.get_Target() +488
System.Web.Security.SingleSignOn.LSAuthenticationObject.RejectBadMessagesPhase1() +643
System.Web.Security.SingleSignOn.LSAuthenticationObject.EnsureCurrent(HttpContext context) +445
System.Web.Security.SingleSignOn.LSAuthenticationModule.OnEnter(Object o, EventArgs args) +147
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
When I access my website I get redirected to the ADFS server and prompted for credentials. So far so good. But after I supply the correct credentials it seems that it fails when it tries to create the response ticket?
Does anyone have any ideas about what I have done wrong, or what URI the error message might refer to?
---- Update with more logs and error messages ----
There are two event log entries; neither of them gives much help:
A sign-in message was received that contains incorrectly formatted data.
Format error: Invalid URI: The format of the URI could not be determined.
This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering.
User Action
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.
And
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 2013-10-01 14:48:09
Event time (UTC): 2013-10-01 12:48:09
Event ID: aa19d901b4af49009aaa65310b7ccf22
Event sequence: 33
Event occurrence: 6
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/adfs-2-130250981254471250
Trust level: Full
Application Virtual Path: /adfs
Application Path: C:\Windows\SystemData\ADFS\sts\
Machine name: WIN-U9HD61HVTHM
Process information:
Process ID: 1344
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
Exception type: UriFormatException
Exception message: Invalid URI: The format of the URI could not be determined.
Request information:
Request URL: https://10.100.13.67:443/adfs/ls/clientlogon.aspx
Request path: /adfs/ls/clientlogon.aspx
User host address: 10.100.13.91
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
Thread ID: 3
Thread account name: NT AUTHORITY\NETWORK SERVICE
Is impersonating: False
Stack trace: at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at System.Web.Security.SingleSignOn.SignInResponse.get_Target()
Custom event details:
I also enabled all the logging I could find, and in the log the sign-in response seems to be:
[VERBOSE] Sign In Response Dump
--------------------
wcontext = rm=0&id=passive&ru=%2fdefault.aspx%3f
wresult to follow
XML Data Follows
----------------
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
<wst:RequestedSecurityToken>
<saml:Assertion AssertionID="_c7434b4c-88d6-4648-974d-cf0dc1582958" IssueInstant="2013-10-01T12:49:05Z" Issuer="https://WIN-U9HD61HVTHM.adtest.local/adfs/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2013-10-01T12:49:05Z" NotOnOrAfter="2013-10-01T13:49:05Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>https://10.100.13.67/adfs/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2013-10-01T12:49:05Z" AuthenticationMethod="urn:federation:authentication:windows">
<saml:Subject>
<saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">per@adtest.local</saml:NameIdentifier>
</saml:Subject>
</saml:AuthenticationStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<Reference URI="#_c7434b4c-88d6-4648-974d-cf0dc1582958">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>3VkZjrL3Lyej2UhVJtiSvL1K7u4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>PEYPQ4FSOvf2LCH1UEPUD9TTd9M7jZT8isw578G7TVgk01HecoaH1p7KCTpcnGpG+aQlmtR6D1oyXYKwwsij9aLVeWT/zxqf1PjxfAfQL19t6KZMwZJOhV2XCfdqfsgEbFHIUU/4KGstwghCHLGMTVUXVx2p2FAs0VO1AV42Ua3M+ZMpx2rWWeEdh9OGMSysFug+D2gFMytcwlbVLBaPMbs8mNfXGm84CWMJ9ctM4XbwkBhfPnhvKyYcNeu1dic13ky4Rb6ODRejZhfwKXr8g2fSkV2QrnZLo8VNBBUD2+tVB/fCIThIiyrHfD7Rou8yChePHKYoYnhY6jmlBUJSrQ==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
</saml:Assertion>
</wst:RequestedSecurityToken>
<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>https://10.100.13.67/adfs/</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>
Most probably either the wtrealm or the wreply (depending on which you supply) is malformed. The problem could be because these parameters aren't URI-escaped.
The correct way of providing the request is:
https://your.adfs.example/adfs/ls?wa=wsignin1.0&wtrealm=https%3a%2f%2fyour.app%2fresource
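As an added example (not code from the question, the answer, or ADFS itself), the following Python builds the passive sign-in request with the escaping the answer describes, decodes the wctx value seen in the verbose dump, and applies an "absolute URI only" check that approximates what the stack trace shows failing in SignInResponse.get_Target(): in .NET, constructing an absolute Uri from a string without a scheme raises UriFormatException with exactly the message "Invalid URI: The format of the URI could not be determined." The host names your.adfs.example and your.app are the answer's placeholders, and the allow-list in validate_wreply is an assumed relying-party policy, not an ADFS rule.

```python
# Added example (not from the question or answer above, and not ADFS code):
# build a WS-Federation sign-in request with properly escaped parameters and
# apply the "must be an absolute URI" check that the ADFS stack trace shows
# failing in SignInResponse.get_Target(). Host names (your.adfs.example,
# your.app) are placeholders taken from the answer; the allow-list logic in
# validate_wreply is a defender-side assumption, not ADFS's own rule.
from typing import Dict, Optional, Set
from urllib.parse import parse_qsl, urlencode, urlparse


def build_signin_url(adfs_ls_endpoint: str, wtrealm: str,
                     wreply: Optional[str] = None,
                     wctx: Optional[str] = None) -> str:
    """Return the passive sign-in URL. urlencode percent-escapes ':' and '/'
    so wtrealm/wreply survive as single query values instead of being split."""
    params = [("wa", "wsignin1.0"), ("wtrealm", wtrealm)]
    if wreply is not None:
        params.append(("wreply", wreply))
    if wctx is not None:
        params.append(("wctx", wctx))
    return f"{adfs_ls_endpoint}?{urlencode(params)}"


def is_absolute_uri(value: str) -> bool:
    """Approximates .NET's absolute-Uri parse: a scheme and an authority are
    both required. Strings like '/default.aspx' or 'your.app/resource' fail
    here; in .NET, new Uri(...) on them raises UriFormatException with the
    message 'Invalid URI: The format of the URI could not be determined.'"""
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc)


def parse_wctx(wctx: str) -> Dict[str, str]:
    """Decode the wctx round-trip value. parse_qsl percent-decodes, so
    ru=%2fdefault.aspx%3f comes back as '/default.aspx?'."""
    return dict(parse_qsl(wctx, keep_blank_values=True))


def validate_wreply(wreply: str, allowed_origins: Set[str]) -> bool:
    """Relying-party-side check before honouring a wreply: it must be an
    absolute https URI whose origin is on the allow-list, so the sign-in
    flow cannot be turned into a redirect to an arbitrary host (assumed
    policy, not something ADFS enforces for you)."""
    if not is_absolute_uri(wreply):
        return False
    parts = urlparse(wreply)
    if parts.scheme != "https":
        return False
    return f"{parts.scheme}://{parts.netloc}" in allowed_origins


if __name__ == "__main__":
    url = build_signin_url("https://your.adfs.example/adfs/ls",
                           "https://your.app/resource",
                           wreply="https://your.app/default.aspx")
    print(url)
    # Constructed sample: the wctx value seen in the verbose dump above.
    print(parse_wctx("rm=0&id=passive&ru=%2fdefault.aspx%3f"))
    for candidate in ("https://your.app/resource", "your.app/resource",
                      "/default.aspx?"):
        print(candidate, "absolute" if is_absolute_uri(candidate)
              else "NOT absolute")
```

Run it as a script and compare each wtrealm/wreply value you actually send against is_absolute_uri before it reaches the ADFS endpoint; a value that fails that check is the kind of input that produces the UriFormatException in the question, and the "rogue clients; ... message tampering" wording in the event log is the reason a relying party should only accept a wreply whose origin it already trusts.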