Tags: sharepoint, azure-active-directory, sharepoint-2013, adfs

Configure ADFS on 2nd SharePoint Site - Certificate Error


I have successfully configured ADFS on one SharePoint 2016 on-prem site using this.

Now I am trying to configure the same on another SharePoint site with a different UPN; similarly, two sites are registered on the ADFS server as well, to route requests to the two different SharePoint sites.

When I try to execute the following command, it returns "Certificate already exists", although this certificate was issued to me by the infra team:

# ADFS token-signing certificate exported to a .cer file (assumes $realm, $email, $role and $signinurl were set earlier in the session)
$signingCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("E:\facilitiesadfstokensigning.cer")

# Register a second trusted identity token issuer for the facilities site, trusting that certificate
New-SPTrustedIdentityTokenIssuer -Name "TrustedFacilitiesSite.adfs" -Description "TrustedFacilitiesSite.adfs" -Realm $realm -ImportTrustCertificate $signingCert -ClaimsMappings $email, $role -SignInUrl $signinurl -IdentifierClaim $email.InputClaimType

I tried to execute the command without ImportTrustCertificate, but it says the certificate is required.


Can anyone help me to resolve this?

Thanks in advance.

I have also tried the following:

Used the first identity provider in the second SharePoint site and added the second site's trust URL on the ADFS server under the same URN. In this case, the second site returns the following error URL and is unable to communicate with ADFS:

https://facilitiesuat.engro.com/_trust/default.aspx?trust=engro%2Eadfs&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPages%252FPageNotFoundError%252Easpx%253FrequestUrl%253Dhttps%253A%252F%252Ffacilitiesuat%252Eengro%252Ecom%252F%255Ftrust%252Fdefault%252Easpx&Source=%2FPages%2FPageNotFoundError.aspx%3FrequestUrl%3Dhttps:%2F%2Ffacilitiesuat.engro.com%2F_trust%2Fdefault.aspx

UPDATE:

I have added the URN to the existing token issuer by following this article:


It is now stuck on the following URL and the page keeps reloading:

https://facilitiesuat.engro.com/_trust/default.aspx?trust=engro%2Eadfs&ReturnUrl=%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252FPages%252FPageNotFoundError%252Easpx%253FrequestUrl%253Dhttps%253A%252F%252Ffacilitiesuat%252Eengro%252Ecom%252F%255Ftrust%252Fdefault%252Easpx&Source=%2FPages%2FPageNotFoundError.aspx%3FrequestUrl%3Dhttps:%2F%2Ffacilitiesuat.engro.com%2F_trust%2Fdefault.aspx

The _trust folder is missing from the web directory, although I have enabled ADFS authentication in another zone of the web app. Also, I cannot recreate the web app because my work would be lost:



Solution

  • If you have already added your ADFS server to SharePoint once, you don't have to call New-SPTrustedIdentityTokenIssuer for every new SharePoint site, and you don't have to add the ADFS certificates to SP again.
    Basically, you should register your ADFS server as a TrustedIdentityTokenIssuer within the SharePoint farm only once. Then you only have to add new SP web applications or host-named site collections to this existing TokenIssuer:

    1. First, find the name of your existing ADFS provider within SP (probably it will be engro.adfs in your case):

      Get-SPTrustedIdentityTokenIssuer | Select Name, ProviderUri
      
    2. Review the SharePoint sites currently linked to this provider:

      $ti = Get-SPTrustedIdentityTokenIssuer "engro.adfs"
      $ti.ProviderRealms
      
    3. Then add your new site URL to your existing ADFS provider:

      $uri = New-Object System.Uri("https://facilitiesuat.engro.com")
      $ti.ProviderRealms.Add($uri, "urn:sharepoint:spfacilities")
      $ti.Update()
      

    Do not forget that your site identifier (urn:sharepoint:spfacilities) should be specified among the Relying Party identifiers on the ADFS server, with the site URL (https://facilitiesuat.engro.com/_trust/) as the WS-Federation endpoint of that Relying Party.
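The three steps above, plus the matching relying-party change on the ADFS side, as one script. This is an added example, not code from the question or the answer. It assumes the issuer name engro.adfs, the realm urn:sharepoint:spfacilities and the site URL used on this page, and it assumes the second relying party on ADFS has the display name "SharePoint Facilities UAT"; change those for your farm. The first part runs in the SharePoint Management Shell, the second on the ADFS server.

```powershell
# ---- Run on a SharePoint server (SharePoint Management Shell) ----
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "engro.adfs"                       # existing trusted identity token issuer (step 1)
$siteUrl    = "https://facilitiesuat.engro.com"  # second web application
$realm      = "urn:sharepoint:spfacilities"      # URN this site will send to ADFS as wtrealm

$ti = Get-SPTrustedIdentityTokenIssuer $issuerName -ErrorAction SilentlyContinue
if (-not $ti) {
    throw "No trusted identity token issuer named '$issuerName'. List them with Get-SPTrustedIdentityTokenIssuer."
}

# This is the certificate the "Certificate already exists" error refers to: the existing issuer
# already trusts the ADFS token-signing certificate, and ADFS signs tokens for every relying
# party with that same certificate, so nothing certificate-related is needed for a second site.
"SharePoint trusts token-signing thumbprint: " + $ti.SigningCertificate.Thumbprint

$uri = New-Object System.Uri($siteUrl)
if ($ti.ProviderRealms.ContainsKey($uri)) {
    "Already mapped: $siteUrl -> $($ti.ProviderRealms[$uri])"
}
elseif ($ti.ProviderRealms.Values -contains $realm) {
    # ADFS selects the relying party, and therefore the WS-Federation endpoint it posts the
    # token back to, from the realm, so each site needs its own URN.
    throw "Realm '$realm' is already mapped to another URL in '$issuerName'; give the second site its own URN."
}
else {
    $ti.ProviderRealms.Add($uri, $realm)   # step 3
    $ti.Update()
    "Added: $siteUrl -> $realm"
}

# Show what each web application will now send as wtrealm (step 2, after the change).
$ti.ProviderRealms.GetEnumerator() | ForEach-Object { "{0} -> {1}" -f $_.Key, $_.Value }


# ---- Run on the ADFS server (Windows PowerShell with the ADFS module) ----
Import-Module ADFS

$rpName = "SharePoint Facilities UAT"              # assumed display name of the second relying party
$realm  = "urn:sharepoint:spfacilities"
$wsFed  = "https://facilitiesuat.engro.com/_trust/"

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party '$rpName' not found; check Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier."
}

# The identifier must equal the realm SharePoint sends, and the WS-Federation endpoint must be the
# second site's own /_trust/ handler, because ADFS posts the signed token to that endpoint.
# -Identifier replaces the whole identifier list of this relying party.
Set-AdfsRelyingPartyTrust -TargetName $rpName -Identifier $realm -WSFedEndpoint $wsFed

# Confirm the mapping, and print the active token-signing thumbprint to compare with the
# thumbprint SharePoint printed above; they must be identical.
Get-AdfsRelyingPartyTrust -Identifier $realm | Select-Object Name, Identifier, WSFedEndpoint
(Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary).Certificate.Thumbprint
```

The two thumbprints are the check worth keeping: if ADFS rolls its token-signing certificate, every site behind the one SPTrustedIdentityTokenIssuer stops authenticating at once, and the fix is to update the certificate on that single issuer rather than on a per-site one.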