wcf, wif, adfs2.0

ADFS - The HTTP request is unauthorized with client authentication scheme 'Negotiate'


I have ADFS on Server 2012 R2 configured with a custom attribute store. This causes ADFS to call a WCF Service that is hosted within a Windows Service. While debugging Microsoft.IdentityServer.ServiceHost.exe, the following code throws a CommunicationException:

var channel = trustChannelFactory.CreateChannel();
rawToken = channel.Issue(rst, out rstr);
trustChannelFactory.Close();

The exception details are:

The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate'.

Inspecting rst above, I can see ADFS is attempting to call the Windows Service hosted WCF:

net.tcp://<url>:8002/service/endpoint

I made sure the Windows service is running and listening on TCP 8002 via PowerShell:

netstat -aonp TCP | Select-String 8002
Get-Process -Id  

But what's strange is that I get this error whether the Windows Service is running or not. It's like outbound connections from ADFS are getting blocked somewhere.

I've tried turning Windows Firewall Off but it makes no difference.

As this version of ADFS doesn't rely on IIS and it's a Windows Service, a lot of the answers on SO aren't applicable (I think).

I've reached the bottom of my debugging skills and ADFS knowledge. Unfortunately I didn't set up this system and I don't have access to the people that did.

Any suggestions would be very much appreciated.


Solution

  • It turns out, the 401 Unauthorised was on the Windows endpoint of ADFS https://<ADFS_HOST>/adfs/services/trust/13/windowstransport.

    And it was nothing to do with the ADFS configuration, certificates, permissions etc.

    I followed the steps in https://www.risual.com/2011/10/28/adfs-2-0-401-unauthorized-access/ to disable the LoopbackCheck in the registry and it all worked.
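
The loopback check exists to block NTLM reflection, so the following added example (not from the answer or the linked article) audits its state and exempts a single host name through `BackConnectionHostNames` instead of setting `DisableLoopbackCheck` machine-wide. The registry value names are the ones Microsoft documents for this check; `adfs.example.test` and the function names are placeholders chosen here.

```powershell
# Added example: audit the LSA loopback check and scope the exemption to one name.
# 'adfs.example.test' is a placeholder for the federation service host name.

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10Key = Join-Path $LsaKey 'MSV1_0'

function Get-LoopbackCheckState {
    # DisableLoopbackCheck = 1 switches the check off for every host name.
    $disabled = (Get-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
                 -ErrorAction SilentlyContinue).DisableLoopbackCheck
    # BackConnectionHostNames (REG_MULTI_SZ) exempts only the names it lists.
    $names = (Get-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
              -ErrorAction SilentlyContinue).BackConnectionHostNames
    [pscustomobject]@{
        LoopbackCheckDisabled = ($disabled -eq 1)
        ExemptHostNames       = @($names | Where-Object { $_ })
    }
}

function Add-LoopbackExemption {
    param([Parameter(Mandatory)][string]$HostName)

    $current = (Get-LoopbackCheckState).ExemptHostNames
    if ($current -contains $HostName) { return }   # already exempt (case-insensitive match)

    # Append to the existing list; -Force overwrites the value if it is already present.
    $updated = [string[]](@($current) + $HostName)
    New-ItemProperty -Path $Msv10Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $updated -Force | Out-Null
}

# Report the state, add the scoped exemption, then report again.
Get-LoopbackCheckState | Format-List
Add-LoopbackExemption -HostName 'adfs.example.test'
Get-LoopbackCheckState | Format-List
```

Run it from an elevated session. If `LoopbackCheckDisabled` reports `True`, the check is already off for all names on that server and the scoped list has no effect until `DisableLoopbackCheck` is removed or set to 0.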