ADFS on W2016 idpinitiatedsignon.aspx page is by default disabled

Every time I experience ADFS sign-in problems, I first test whether the ADFS service itself is working through the IdpInitiatedSignon.aspx page. With this page you can test the ADFS service on its own, without the dependencies on other products and their trusts or relying parties.

With the new Windows Server 2016 ADFS and WAP (Windows Azure Pack) on 2016 I experienced an issue, so I wanted to use the IdpInitiatedSignon.aspx test page. Strangely I received an error on the test page.

[Screenshot: ADFS error page in Internet Explorer]

The event log gave me an error which was not really helpful at first.

[Screenshot: AD FS/Admin event log, Event ID 364]

Log Name:      AD FS/Admin
Source:        AD FS
Date:          2-1-2017 09:16:45
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          CONTOSO\administrator
Computer:      ADFS01.contoso.local
Description:
Encountered error during federation passive request. 
Additional Data 
Protocol Name: 

Relying Party: 
 
Exception details: 
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

But when I looked closely I noticed the line Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException.
Well, it turns out that this feature is disabled by default in the ADFS properties on Windows Server 2016.

[Screenshot: ADFS properties dialog]

You can enable the test page with the following PowerShell command (run on the ADFS server):

Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
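The following script is an added example and not part of the original post. It ties together the two things discussed above: it looks in the AD FS/Admin log for Event ID 364 entries carrying the IdPInitiatedSignonPageDisabledException signature, records the current value of EnableIdPInitiatedSignonPage, turns the page on only for the duration of a request to the test URL, and then restores the previous value. It assumes it runs in an elevated PowerShell session on the ADFS server (where the ADFS cmdlets are available), and the federation service hostname `adfs.example.local` is a placeholder.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# session on the ADFS server; the hostname below is a placeholder.

# 1. Find recent Event ID 364 entries that were caused by the disabled
#    IdP-initiated sign-on page (the exception text seen in the post).
$disabledEvents = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'IdPInitiatedSignonPageDisabledException' }
)
if ($disabledEvents.Count -gt 0) {
    Write-Host ("Found {0} Event ID 364 entries caused by the disabled sign-on page; most recent: {1}" -f
        $disabledEvents.Count, $disabledEvents[0].TimeCreated)
}

# 2. Record the current setting so it can be restored after the test.
$wasEnabled = (Get-AdfsProperties).EnableIdPInitiatedSignonPage
Write-Host "EnableIdPInitiatedSignonPage before test: $wasEnabled"

# 3. Enable the page only if it was off.
if (-not $wasEnabled) {
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $true
}

# 4. Request the test page. HTTP 200 shows the federation service itself answers,
#    independent of any relying party trust.
$url = 'https://adfs.example.local/adfs/ls/IdpInitiatedSignon.aspx'   # placeholder hostname
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
    Write-Host "Test page returned HTTP $($response.StatusCode)"
} catch {
    Write-Warning "Test page request failed: $($_.Exception.Message)"
}

# 5. Restore the previous state. The page is an unauthenticated, publicly reachable
#    endpoint, which is why Server 2016 ships with it off; leave it enabled only
#    while a relying party actually needs IdP-initiated sign-on.
if (-not $wasEnabled) {
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $false
    Write-Host "EnableIdPInitiatedSignonPage restored to: $((Get-AdfsProperties).EnableIdPInitiatedSignonPage)"
}
```

Running it on a server where the page is disabled prints the matching Event ID 364 entries (if any), flips the setting on, fetches the page once, and flips it back, so the check leaves the farm in the state it found it.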

If we try the https://domain.local/adfs/ls/IdpInitiatedSignon.aspx again we now receive a known web page with a Sign In button 🙂

[Screenshot: ADFS sign-in page in Internet Explorer]

It turned out that ADFS was working, so I needed to look somewhere else to resolve my issue. But beware that you need to enable the EnableIdPInitiatedSignonPage feature if you want to use the built-in test page.

Good luck!

Regards
Pascal
