I have successfully configured ADFS on one SharePoint 2016 On Prem site using this.
Now I am trying to configure the same on another SharePoint site with a different UPN. Similarly, two sites are registered on the ADFS server as well, to route requests to two different SharePoint sites.
When I try to execute the following command, it returns "Certificate already exists", although this certificate was issued to me by the infra team:
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\facilitiesadfstokensigning.cer")
New-SPTrustedIdentityTokenIssuer -Name "TrustedFacilitiesSite.adfs" -Description "TrustedFacilitiesSite.adfs" -Realm $realm -ImportTrustCertificate $signingCert -ClaimsMappings $email, $role -SignInUrl $signinurl -IdentifierClaim $email.InputClaimType
I tried to execute the command without ImportTrustCertificate, but it says the certificate is required.
Can anyone help me to resolve this?
Thanks in advance.
I have also tried the following:
Used the first identity provider in the second SharePoint site and added the second site's trust URL in the ADFS server under the same URN. In this case, the second site returns the following error URL and is unable to communicate with ADFS:
https://facilitiesuat.engro.com/_trust/default.aspx?trust=engro%2Eadfs&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPages%252FPageNotFoundError%252Easpx%253FrequestUrl%253Dhttps%253A%252F%252Ffacilitiesuat%252Eengro%252Ecom%252F%255Ftrust%252Fdefault%252Easpx&Source=%2FPages%2FPageNotFoundError.aspx%3FrequestUrl%3Dhttps:%2F%2Ffacilitiesuat.engro.com%2F_trust%2Fdefault.aspx
UPDATE:
I have added the URN to the existing token issuer by following this article:
It is now stuck on the following URL and the page keeps reloading:
The _trust folder is missing from the web directory, although I have enabled ADFS authentication in another zone of the web app. Also, I cannot recreate the web app because my work would be lost:
If you have already added your ADFS server to SharePoint once, you don't have to call New-SPTrustedIdentityTokenIssuer for every new SharePoint site, and you don't have to add the ADFS certificates to SP again.
Basically, you should register your ADFS server as TrustedIdentityTokenIssuer within SharePoint farm only once.
And then you only have to add new SP web applications or host-named site collections to this existing TokenIssuer:
First find the name of your existing ADFS-provider within SP (probably it will be engro.adfs in your case):
Get-SPTrustedIdentityTokenIssuer | Select Name, ProviderUri
Review your current SharePoint sites linked to this provider:
$ti = Get-SPTrustedIdentityTokenIssuer "engro.adfs"
$ti.ProviderRealms
Then add your new site URL to your existing ADFS provider:
$uri = New-Object System.Uri("https://facilitiesuat.engro.com")
$ti.ProviderRealms.Add($uri, "urn:sharepoint:spfacilities")
$ti.Update();
Do not forget that your site identifier (urn:sharepoint:spfacilities) should be specified in your Relying Party identifiers on the ADFS server, with the site URL (https://facilitiesuat.engro.com/_trust/) as the WS-Federation endpoint in that Relying Party.