Issues with login via ADFS (from Wordpress)

riverbank
We have ADFS configured for authenticating an internal Wordpress site and this was working flawlessly for users to enter their credentials for login.

We were trying to enable automated logon using Windows credentials and followed the ADFS instructions at:
https://www.ibm.com/support/knowledgecenter/en/SSKTMJ_9.0.1/admin/secu_creating_the_spn.html
and then:
https://www.ibm.com/support/knowledgecenter/SSKTMJ_9.0.1/admin/secu_enabling_iwa_adfs30.html
to enable this. However, following these changes, we now cannot log on to the Wordpress site.

At the URL, it now provides a Windows logon prompt and entering valid credentials returns the same prompt (i.e. logon does not work).

There are events 364, 111, 238 and 1000 logged for the failed attempts:

Event 238:
The Federation Service failed to find a domain controller for the domain NT AUTHORITY.

Additional Data
Domain Name: NT AUTHORITY
Error: 1212


Event 111:
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue 

Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS3173: Active Directory account validation failed. ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.AttributeStoreDSGetDCFailedException: Exception of type 'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.AttributeStoreDSGetDCFailedException' was thrown.

Event 1000:
An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.  

Additional Data

Caller:
NT AUTHORITY\ANONYMOUS LOGON


Event 364:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://domainname.co.uk/wp-content/plugins/miniorange-saml-20-single-sign-on/ 

Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS3173: Active Directory account validation failed. ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.AttributeStoreDSGetDCFailedException: Exception of type 'Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.AttributeStoreDSGetDCFailedException' was thrown.



Can anyone advise what we are missing with regard to both getting logon working again and enabling automated sign-in with Windows credentials?

Thanks in advance.
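As an added example (not part of the original post, and not code from the miniOrange plugin or the IBM guides linked above), here is a PowerShell script that gathers the four AD FS event IDs listed in the question, groups them by Activity ID as the text of event 1000 suggests, prints the Caller and Domain Name lines from each, and then lists the SPNs registered on the AD FS service account, which is what the linked SPN guide configures. It assumes it is run elevated on the AD FS server, that the log is 'AD FS/Admin' and the service name is 'adfssrv'; the $Hours look-back window is a hypothetical parameter.

```powershell
# Added example (not from the original post): collect the AD FS events named in the
# question, group them by Activity ID, then show the service account's SPNs and the
# WIA-related AD FS properties. Assumes an elevated session on the AD FS server.
param(
    [int]$Hours = 24   # hypothetical parameter: how far back to search
)

$ids   = 364, 111, 238, 1000
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events $($ids -join ', ') in 'AD FS/Admin' since $since"
} else {
    # Event 1000 states that its Activity ID can be cross-referenced to the related
    # error events; grouping on ActivityId keeps one failed request's events together.
    $events |
        Sort-Object TimeCreated |
        Group-Object { if ($_.ActivityId) { $_.ActivityId.ToString() } else { '(no activity id)' } } |
        ForEach-Object {
            Write-Host "`nActivity $($_.Name)  ($($_.Count) events)"
            foreach ($e in $_.Group) {
                # The first line of the message is the summary shown in the question.
                $summary = ($e.Message -split "`r?`n")[0]
                Write-Host ("  {0:u}  Event {1,-4} {2}" -f $e.TimeCreated, $e.Id, $summary)
                # 'Caller:' (event 1000) and 'Domain Name:' (event 238) identify who
                # was being authenticated and which domain the lookup targeted.
                if ($e.Message -match 'Caller:\s*(?<caller>\S[^\r\n]*)') {
                    Write-Host "           Caller: $($Matches.caller)"
                }
                if ($e.Message -match 'Domain Name:\s*(?<dom>\S[^\r\n]*)') {
                    Write-Host "           Domain Name: $($Matches.dom)"
                }
            }
        }
}

# The SPN guide registers the federation service SPN on the AD FS service account;
# list that account's SPNs so the registration can be checked against the guide.
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
if ($svc) {
    Write-Host "`nAD FS service runs as: $($svc.StartName)"
    setspn -L $svc.StartName
}

# AD FS properties the IWA guide touches, for comparison with the guide's values.
Get-AdfsProperties |
    Select-Object WIASupportedUserAgents, ExtendedProtectionTokenCheck |
    Format-List
```

Run it as `.\Get-AdfsIwaEvidence.ps1 -Hours 2` (any file name will do) shortly after reproducing a failed logon so the grouped events, the service account's SPN list and the WIA settings can be read side by side.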
Hardware Tester and Debugger commented:
Hi there! :)

There is a lot going on here. Have you tried contacting support? You can email them at info@xecurify.com or contact them at https://www.miniorange.com/contact

It looks like it may be a certificate problem.
