Federating with Entra - No registered protocol handlers, anyone federated recently?
Hi All,
It's been a number of years since I've federated a domain with Entra. I'm flipping this back on in a home environment to complete some testing and would appreciate some troubleshooting thoughts.
What from memory was a quick task, I've spent waaaaay too long on this today. I've rebuilt the environment a number of times with the same outcome.
- Install ADFS (enabled the sign-in page).
- Install WAP.
- Generate a Let's Encrypt certificate and provide it to the servers.
- Port forward 443 to the WAP server.
- Use Entra Connect to federate the domain (AD FS config looks good and was generated as Microsoft Office 365 Identity Platform).
- WAP is configured via AAD Connect (blank, but seems alright talking back to ADFS).
I can hit https://adfs.domain.com/adfs/ls/idpinitiatedsignon.aspx and authenticate with UPN internally/externally.
I can hit https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml internally/externally.
I also set up IAMShowcase to test (SAML 2.0 Test Service Provider) and published the app via the WAP; it worked fine for SP- and IdP-initiated flows.
Interestingly enough, I get chucked the following error from the ADFS redirect during M365 authentication:
Error details: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
This raises event ID 364 on the ADFS server. I've rebuilt a few times and haven't been able to find much in troubleshooting. Would love to hear if someone else has seen something similar.
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Get-MgDomainFederationConfiguration -DomainId domain.com
ActiveSignInUri : https://adfs.domain/adfs/services/trust/2005/usernamemixed
IssuerUri : http://domain/adfs/services/trust/
MetadataExchangeUri : https://adfs.domain/adfs/services/trust/mex
PassiveSignInUri : https://adfs.domain/adfs/ls/
PreferredAuthenticationProtocol : wsFed
SignOutUri : https://adfs.domain/adfs/ls/
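One way to check, in one pass, the pieces that the MSIS7065 / event 364 path touches (passive endpoint, IdP-initiated sign-on setting, the Office 365 relying party trust, the farm identifier and a synthetic WS-Fed request of the kind Entra redirects to). This is an added example in PowerShell, not code from the original post or from Microsoft. It assumes the farm name adfs.domain.com, the verified domain domain.com, the default trust name that Entra Connect creates, and that it runs in an elevated session on the AD FS server; the variable names and the `$findings` list are the example's own.

```powershell
# Added example (not from the original post). Run elevated on the AD FS server.
# Assumptions: farm name adfs.domain.com, RP trust name as created by Entra Connect,
# verified domain domain.com. Adjust the three variables below for your environment.
$FarmFqdn   = 'adfs.domain.com'
$RpName     = 'Microsoft Office 365 Identity Platform'
$DomainName = 'domain.com'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Passive endpoint: MSIS7065 means no handler claimed the request on /adfs/ls/.
#    WS-Fed and SAML handlers only register for enabled endpoints, and WAP only
#    publishes endpoints whose Proxy flag is set.
$ls = Get-AdfsEndpoint -AddressPath '/adfs/ls/'
if (-not $ls.Enabled) { $findings.Add('/adfs/ls/ is disabled on the farm') }
if (-not $ls.Proxy)   { $findings.Add('/adfs/ls/ is not published to the proxy; external requests will fail') }

# 2. IdP-initiated sign-on: the inner exception in event 364 is
#    IdPInitiatedSignonPageDisabledException, which the SAML handler raises when a
#    request with no recognised protocol parameters arrives and the page is off.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    $findings.Add('EnableIdpInitiatedSignonPage is False (Set-AdfsProperties -EnableIdpInitiatedSignonPage $true)')
}

# 3. Office 365 relying party trust: Entra sends wa=wsignin1.0&wtrealm=<identifier>.
#    If the trust is missing, disabled, or carries a different identifier, nothing matches.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) {
    $findings.Add("RP trust '$RpName' not found")
} else {
    if (-not $rp.Enabled) { $findings.Add("RP trust '$RpName' is disabled") }
    if ($rp.Identifier -notcontains 'urn:federation:MicrosoftOnline') {
        $findings.Add("RP trust identifier is '$($rp.Identifier -join ', ')', expected urn:federation:MicrosoftOnline")
    }
    if (-not $rp.WSFedEndpoint) { $findings.Add('RP trust has no WS-Fed passive endpoint') }
}

# 4. Issuer: the IssuerUri stored in Entra must equal the farm's federation service
#    identifier, otherwise tokens are signed for an issuer Entra does not trust.
$findings.Add("Farm identifier: $($props.Identifier) (compare with IssuerUri from Get-MgDomainFederationConfiguration -DomainId $DomainName)")

# 5. Synthetic WS-Fed sign-in request, the shape of Entra's redirect. A registered
#    handler answers with the forms page (HTTP 200); an unhandled request returns the
#    MSIS7065 error page. With WIA on the intranet zone expect a 401 here instead.
$wsfed = "https://$FarmFqdn/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline&wctx=test"
try {
    $resp = Invoke-WebRequest -Uri $wsfed -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
    if ($resp.Content -match 'MSIS7065') { $findings.Add('WS-Fed test request hit MSIS7065') }
    else { $findings.Add("WS-Fed test request handled (HTTP $($resp.StatusCode))") }
} catch {
    $findings.Add("WS-Fed test request failed: $($_.Exception.Message)")
}

# 6. Most recent event 364 entries, so the Protocol Name / Relying Party fields are visible.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 3 -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Event 364 at $($_.TimeCreated): $($_.Message.Split("`n")[0])") }

$findings | ForEach-Object { Write-Output $_ }
```

Run the WS-Fed probe (step 5) once from a client outside the intranet zone as well as from the server: if the forms page comes back internally but MSIS7065 only appears through the WAP, the problem is on the proxy side (endpoint not published, or the WAP trust pointing at a different farm) rather than in the relying party trust itself.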