ADFS HTTP 400 Bad Request with SSO/Windows Integrated Authentication

Another challenging ADFS issue came to me this week. Here the problem was that internal users were not able to authenticate. They received a login prompt, and after providing credentials they received an “HTTP 400 Bad Request” error message. When users were external and used FBA (forms-based authentication), they were able to log in successfully. Also, when internal users used a browser other than Internet Explorer, they were also presented with FBA and were able to log in. Clearly only the login with Windows Integrated Authentication failed. And of course all was working just fine and stopped working about a week ago.

In this environment the ADFS and resource servers were in a different domain than the user accounts. For more detail see the picture below. Beware: it shows only part of the authentication process, to illustrate the topology.

After some research I ruled out several known issues, like:

Read more

Hyper-V Virtual Switch Internal with NAT

UPDATE: Be sure to check the updated blog for the PowerShell commands, since they have changed in the newer Windows 10 and Windows Server 2016 builds.

A while ago Microsoft released Windows Server 2016 TP4 and Windows 10 Build 10586. For Windows 10 it was all about nested virtualization, a great feature which I use a lot with Nano Server and containers nowadays.

But another great feature came with that release that completely slipped my attention, and I stumbled on it while exploring the New-VMSwitch PowerShell cmdlets. Since that release you have the ability to set your virtual switch (VSwitch) not only to External, Internal and Private but also to a fourth option, which is NAT mode.

Let me explain. When you run some VMs on your local laptop, tablet or test/dev server, you probably created a VSwitch which is connected to your LAN or Wi-Fi adapter for outside network access or internet access. Or, when you want them to talk to each other in their own subnet and you require no internet access, you have a VSwitch with an Internal Network connection type. But if you require the VMs to have an internet connection and want multiple subnets, you need VLANs.

Since not everybody has VLANs on a home network, or you are located in a company network where you do not have control over the network, you cannot use the External Network type VSwitch to get all the VMs on the internet or the rest of the network. Or, when you are like me and are located in several different customer networks, IPs change all the time when on DHCP, or my VMs need to change IP addresses all the time if I want to test some things in VMs.

All that is behind us now because we can create VSwitches for Internal Network and enable NAT on the VSwitch.

Read more