A week ago I was confronted to an issue with ADFS with Forms Based Authentication(FBA) and Windows Azure Pack.
The environment was setup several months ago for a Proof of Concept of Windows Azure Pack and only working with ADFS and Windows Authentication because there was no requirement to used FBA and there was also no Web Application Proxy involved. All was working fine but the customer decided to setup FBA and a web application proxy. Unfortunately, the web application proxy was not working and keeps prompting the FBA login page.
After several hours of troubleshooting the issue was drilled down to a problem with the FBA on the ADFS server. But why was Windows Authentication working and FBA not. To exclude possible Windows Azure Pack/relying pary issue’s I started testing with the https://auth-azure.domain.com/adfs/ls/IdpInitiatedSignon.aspx page.
Eventually it turned out that the Federations Service FQDN had changed. From https://auth.domain.com to https://auth-azure.domain.com. The rename was not done correctly and since I had a lot of trouble figuring it out with some colleague’s i decided to write a blog about it.
So when renaming the ADFS FQDN from https://auth.domain.com to https://auth-azure.domain.com the SPN was forgotten for the ADFS Service account. The SPN was left on http/auth.domain.org and needed to be changed to http/auth-azure.domain.org.
After this was fixed, I still received logon screens on the FBA page and could not login. Next problem, the Token-Signing and Token-Decrypting certificates were incorrect. Since there are lots of blogs discussing how to update the Token Certificates in ADFS I will not discuss this but I renewed the Token-Signing en Token-Decrypting certificates. Restarted the ADFS service
Read moreADFS Federations Service rename with Azure Pack as Relying Party Trust