Every time I experience ADFS sign-in problems, I first test whether the ADFS service itself is working through the IdpInitiatedSignon.aspx page. With this page you can test the ADFS service itself without the dependencies on other products and their trusts or relying parties.
With the new Windows Server 2016 ADFS and WAP (Windows Azure Pack) on 2016 I experienced an issue, so I wanted to use the IdpInitiatedSignon.aspx test page. Strangely, I received an error on the test page.
The event log gave me an error which was not really helpful at first.
Log Name: AD FS/Admin
Source: AD FS
Date: 2-1-2017 09:16:45
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: CONTOSO\administrator
Computer: ADFS01.contoso.local
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
But when I looked closely, I noticed the line Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException.
Well, it turns out that this feature is disabled by default in the ADFS properties on Windows Server 2016.
You can enable the test page with the following PowerShell command:
Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
If we try https://domain.local/adfs/ls/IdpInitiatedSignon.aspx again, we now get the familiar web page with a Sign In button 🙂
It turned out that ADFS was working, so I needed to look somewhere else to resolve my issue, but beware that you need to enable the EnableIdPInitiatedSignonPage feature if you want to use the built-in test page.
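The check described above, wrapped so the test page is only switched on while the test runs and then returned to its previous state, as an added example that is not code from the original post. It assumes the AD FS PowerShell module is loaded in an elevated session on the AD FS server; the host name adfs.contoso.local is a placeholder, and matching the response body on "Sign in" is an assumption about the page text.

```powershell
# Added example: verify the AD FS service via the IdP-initiated sign-on page
# without leaving the page enabled afterwards.
$adfsHost = 'adfs.contoso.local'   # placeholder federation service name
$testUrl  = "https://$adfsHost/adfs/ls/IdpInitiatedSignon.aspx"

# Record the current property value so it can be restored at the end.
$original = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
Write-Host "EnableIdPInitiatedSignonPage is currently: $original"

try {
    if (-not $original) {
        Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
        Write-Host 'Test page enabled for the duration of this check'
    }

    # A healthy AD FS instance answers with HTTP 200 and the sign-on form.
    # If the property were still off, the MSIS7012 error page (event 364 in
    # the AD FS/Admin log) would come back instead.
    $response = Invoke-WebRequest -Uri $testUrl -UseBasicParsing
    if ($response.StatusCode -eq 200 -and $response.Content -match 'Sign in') {
        Write-Host 'AD FS returned the IdP-initiated sign-on page: the service is up'
    } else {
        Write-Warning "Unexpected response ($($response.StatusCode)); check the AD FS/Admin log for event ID 364"
    }
}
catch {
    Write-Warning "Request to $testUrl failed: $($_.Exception.Message)"
}
finally {
    # Restore the original setting so the page is not left enabled by accident.
    if (-not $original) {
        Set-AdfsProperties -EnableIdPInitiatedSignonPage $false
        Write-Host 'Test page disabled again'
    }
}
```

The try/finally is the point of the example: the page is off by default on 2016, so after using it to confirm the service is healthy, the script puts the property back the way it found it rather than leaving an extra endpoint switched on permanently.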