ADFS 3.0 double login prompt issue

I have a 2012 R2 ADFS 3.0 server on my internal network and a 2012 R2 Windows Application Proxy in my DMZ. I have published two web apps. My issue is a double login prompt at the ADFS login page. I enter my email and password and log in. It immediately reloads the same login page. I enter my creds again, and then it takes me to the web app. Both logins appear successful. There is no indication of incorrect creds.

This issue only happens for one of my web apps. The other web app only prompts once like it's supposed to do. Both web apps are hosted on the same internal server.
Tim Wardlow, Senior Information Systems Specialist, Asked:
Zaheer Iqbal, Technical Assurance & Implementation, Commented:
Hi

Is there any difference in the coding of both the web apps?
Are these delivered on an IIS webserver?
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
I'm not sure of any differences, but I'm also not sure what I'd be looking for. Are there certain settings I should inspect for differences?

Yes, they are delivered via IIS 7 on a 2008 R2 server. They are in different app pools, but both are running .NET v4.0. The problem one is using NetworkService identity, while the other one without the issue is using ApplicationPoolIdentity.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
We also tried moving the problem app to the other pool, but it didn't resolve the issue. Is there something specific to the app I could check?
Amit, IT Architect, Commented:
If you open the IDP URL, is it prompting you to enter credentials twice? If not, then that rules out ADFS and you need to focus on the app you configured for SSO with ADFS. Also, as your one app is working fine, I don't see this as an ADFS issue.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
Not sure what you mean by IDP URL. What is that?

How can I tell if the app is configured for SSO? This particular app has its own login page. The only reason I have the ADFS login is to protect this internal web app from the outside world.

I also noticed, the client request ID in the URL changes with the 2nd prompt. Not sure if that helps.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
What additional information is needed?

I asked "what does IDP URL mean?" and "how can I tell if the app is configured for SSO?". There was no response.
Amit, IT Architect, Commented:
Thanks for your reply. IDP stands for Identity Provider login.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
OK, thank you.

I've located the IDP URL and successfully logged in and only got prompted once.
Amit, IT Architect, Commented:
So, that rules out ADFS. Now you need to check the application part, how it is configured to use claims. I am not an app expert; you might need to check with app experts.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
Updated topic list to include IIS and Web Apps.
Amit, IT Architect, Commented:
Try this: add the site to the Internet Explorer trusted sites. Then select Custom level, drag down to the end, and select Automatic logon with current user name and password.

Close IE and open it again. Test it and let me know if that works.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
OK, I tried that. It did not work.

I should also note, this issue also occurs on iOS using the Chrome browser. Primary testing is being done in Windows though.
Amit, IT Architect, Commented:
I see this more as an issue with the application you are trying to connect with ADFS, as you are not getting the error with the other application. Check with the app developer.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
I sit next to the app developer. They don't have a clue either. The question was submitted for both sides.
Amit, IT Architect, Commented:
Ask your developer how he or she is using the claims sent by ADFS.
Tim Wardlow, Senior Information Systems Specialist, Author Commented:
My developer said they use NetSQLazman and some pages do a check to see who the user is to determine which content to display.
Amit, IT Architect, Commented:
What does that mean here? Are you saying it is an application issue? Or something else?