
ADFS - Invalid URI: The format of the URI could not be determined


I have created a test website that I want to log in to using an ADFS server connected to an AD. When I use the generated STS-provider project the login works fine, but when I try to use a real ADFS server installed on a Win 2008 server I get this error message:

[UriFormatException: Invalid URI: The format of the URI could not be determined.]
   System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind) +7225919
   System.Web.Security.SingleSignOn.SignInResponse.get_Target() +164

[InvalidOperationException: The protocol message in the current request is malformed. The event log on the server contains detailed information.]
   System.Web.Security.SingleSignOn.SignInResponse.get_Target() +488
   System.Web.Security.SingleSignOn.LSAuthenticationObject.RejectBadMessagesPhase1() +643
   System.Web.Security.SingleSignOn.LSAuthenticationObject.EnsureCurrent(HttpContext context) +445
   System.Web.Security.SingleSignOn.LSAuthenticationModule.OnEnter(Object o, EventArgs args) +147
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

When I access my website I get redirected to the ADFS server and prompted for credentials. So far so good. But after I supply the correct credentials it seems that it fails when it tries to create the response ticket?

Does anyone have any ideas about what I have done wrong, or which URI the error message might refer to?

---- Update with more logs and error messages ----

There are two event log entries; neither of them gives much help:

A sign-in message was received that contains incorrectly formatted data. 
Format error: Invalid URI: The format of the URI could not be determined. 

This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering. 

User Action 
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.

And

Event code: 3005 
Event message: An unhandled exception has occurred. 
Event time: 2013-10-01 14:48:09 
Event time (UTC): 2013-10-01 12:48:09 
Event ID: aa19d901b4af49009aaa65310b7ccf22 
Event sequence: 33 
Event occurrence: 6 
Event detail code: 0 

Application information: 
    Application domain: /LM/W3SVC/1/ROOT/adfs-2-130250981254471250 
    Trust level: Full 
    Application Virtual Path: /adfs 
    Application Path: C:\Windows\SystemData\ADFS\sts\ 
    Machine name: WIN-U9HD61HVTHM 

Process information: 
    Process ID: 1344 
    Process name: w3wp.exe 
    Account name: NT AUTHORITY\NETWORK SERVICE 

Exception information: 
    Exception type: UriFormatException 
    Exception message: Invalid URI: The format of the URI could not be determined. 

Request information: 
    Request URL: https://10.100.13.67:443/adfs/ls/clientlogon.aspx 
    Request path: /adfs/ls/clientlogon.aspx 
    User host address: 10.100.13.91 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: NT AUTHORITY\NETWORK SERVICE 

Thread information: 
    Thread ID: 3 
    Thread account name: NT AUTHORITY\NETWORK SERVICE 
    Is impersonating: False 
    Stack trace:    at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.Web.Security.SingleSignOn.SignInResponse.get_Target()


Custom event details: 

I also enabled all the logging I could find and in the log the sign in response seems to be:

[VERBOSE] Sign In Response Dump
--------------------
wcontext = rm=0&id=passive&ru=%2fdefault.aspx%3f
wresult to follow
XML Data Follows
----------------
<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <wst:RequestedSecurityToken>
    <saml:Assertion AssertionID="_c7434b4c-88d6-4648-974d-cf0dc1582958" IssueInstant="2013-10-01T12:49:05Z" Issuer="https://WIN-U9HD61HVTHM.adtest.local/adfs/" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2013-10-01T12:49:05Z" NotOnOrAfter="2013-10-01T13:49:05Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://10.100.13.67/adfs/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AuthenticationStatement AuthenticationInstant="2013-10-01T12:49:05Z" AuthenticationMethod="urn:federation:authentication:windows">
        <saml:Subject>
          <saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">per@adtest.local</saml:NameIdentifier>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <Reference URI="#_c7434b4c-88d6-4648-974d-cf0dc1582958">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>3VkZjrL3Lyej2UhVJtiSvL1K7u4=</DigestValue>
          </Reference>
        </SignedInfo>
        <SignatureValue>PEYPQ4FSOvf2LCH1UEPUD9TTd9M7jZT8isw578G7TVgk01HecoaH1p7KCTpcnGpG+aQlmtR6D1oyXYKwwsij9aLVeWT/zxqf1PjxfAfQL19t6KZMwZJOhV2XCfdqfsgEbFHIUU/4KGstwghCHLGMTVUXVx2p2FAs0VO1AV42Ua3M+ZMpx2rWWeEdh9OGMSysFug+D2gFMytcwlbVLBaPMbs8mNfXGm84CWMJ9ctM4XbwkBhfPnhvKyYcNeu1dic13ky4Rb6ODRejZhfwKXr8g2fSkV2QrnZLo8VNBBUD2+tVB/fCIThIiyrHfD7Rou8yChePHKYoYnhY6jmlBUJSrQ==</SignatureValue>
        <KeyInfo>
          <X509Data>
            <X509Certificate>...</X509Certificate>
          </X509Data>
        </KeyInfo>
      </Signature>
    </saml:Assertion>
  </wst:RequestedSecurityToken>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
      <wsa:Address>https://10.100.13.67/adfs/</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
</wst:RequestSecurityTokenResponse>

Solution

  • Most probably either the wtrealm or the wreply (depending on which you supply) is malformed. The problem could be that these parameters aren't URI-escaped.

    The correct way of providing the request is:

    https://your.adfs.example/adfs/ls?wa=wsignin1.0&wtrealm=https%3a%2f%2fyour.app%2fresource
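Added example (not from the question or the answer above): a small Python helper that builds a WS-Federation wsignin1.0 request with every parameter percent-encoded, and a checker that reports the conditions under which an STS reconstructing wtrealm/wreply with `new Uri(...)` would fail the way the question's stack trace shows (value missing, empty, or not an absolute URI), plus a relying-party-side sanity check that wreply points at the same host as wtrealm. The endpoint `https://your.adfs.example/adfs/ls`, the hostnames and the parameter values are constructed placeholders; the list of known WS-Federation parameters and the host-mismatch heuristic are my assumptions, not ADFS's own validation logic.

```python
from urllib.parse import quote, unquote, urlencode, urlsplit

# Hypothetical STS endpoint; in a WIF-based relying party the real value
# comes from the federation configuration (web.config).
ADFS_LS = "https://your.adfs.example/adfs/ls"

# Query parameters defined by the WS-Federation passive requestor profile
# (assumed list; anything else in the query is reported as unexpected).
KNOWN_PARAMS = {"wa", "wtrealm", "wreply", "wctx", "wct", "wfresh",
                "whr", "wauth", "wreq", "wres", "wp"}
# Characters that must not appear unescaped inside a parameter value.
UNSAFE_RAW = set(":/?#")


def build_signin_url(sts_endpoint, wtrealm, wreply=None, wctx=None):
    """Compose a wsignin1.0 request, percent-encoding every value so the STS
    can reconstruct wtrealm/wreply as absolute URIs."""
    params = [("wa", "wsignin1.0"), ("wtrealm", wtrealm)]
    if wreply is not None:
        params.append(("wreply", wreply))
    if wctx is not None:
        params.append(("wctx", wctx))
    # safe="" turns ':' and '/' into %3A and %2F instead of leaving them raw.
    return sts_endpoint + "?" + urlencode(params, quote_via=quote, safe="")


def is_absolute_uri(value):
    """True when the value has both a scheme and a host (what Uri.CreateThis
    needs to recognise the string as an absolute URI)."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc)


def check_signin_url(url):
    """Return (parameter, problem) tuples describing why an STS would reject
    the request, or why a relying party should distrust it. Empty list = clean."""
    findings = []
    raw = {}
    # Split the query exactly the way a server would, without decoding first,
    # so a stray '&' inside an unescaped wreply/wctx shows up as an extra key.
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            raw.setdefault(key, value)

    for key in raw:
        if key not in KNOWN_PARAMS:
            findings.append((key, "unexpected-parameter"))

    if raw.get("wa") not in ("wsignin1.0", "wsignout1.0"):
        findings.append(("wa", "unsupported-action"))
    if "wtrealm" not in raw:
        findings.append(("wtrealm", "missing"))

    for name in ("wtrealm", "wreply"):
        if name not in raw:
            continue
        if UNSAFE_RAW & set(raw[name]):
            findings.append((name, "not-percent-encoded"))
        if not is_absolute_uri(unquote(raw[name])):
            # This is the condition behind "Invalid URI: The format of the
            # URI could not be determined" on the STS side.
            findings.append((name, "not-absolute-uri"))

    # Defensive heuristic (assumption): the return address should live on the
    # realm's host, otherwise the STS is being asked to post a token elsewhere.
    if "wtrealm" in raw and "wreply" in raw:
        realm_host = urlsplit(unquote(raw["wtrealm"])).hostname
        reply_host = urlsplit(unquote(raw["wreply"])).hostname
        if realm_host and reply_host and realm_host != reply_host:
            findings.append(("wreply", "host-mismatch"))
    return findings


if __name__ == "__main__":
    good = build_signin_url(ADFS_LS, "https://your.app/resource",
                            wreply="https://your.app/signin",
                            wctx="rm=0&id=passive&ru=/default.aspx")
    print(good)
    print(check_signin_url(good))
    print(check_signin_url(ADFS_LS + "?wa=wsignin1.0&wtrealm="))
```

Run it against the sign-in URL your relying party actually emits (copy it from the browser's address bar on the redirect to the STS): an empty list means the values are escaped and parse as absolute URIs; `not-absolute-uri` on wtrealm or wreply reproduces the failure in the question, and `unexpected-parameter` usually means an unescaped `&` inside wreply or wctx split the value in two.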