Jaa


Using Fiddler With SAML and SharePoint to Get Past the Three Authentication Prompts

Eric Lawrence touches on this topic in one of his Fiddler blog posts, but unless you know what you're looking for it can be hard to track down so I am going to add the SharePoint twist on it here. We often tell folks to use Fiddler to get an idea of what's going on when they are having issues with their web sites. Especially with SAML authentication, it can be a good tool to help understand auth issues. The problem though is that changes we made around 2010 in how we handle authenication bindings make this kind of an impossible task, out of the box. As a result, if you are running Fiddler and try to authenticate with SAML to a SharePoint site, you will just get prompted three times for your credentials and then we'll throw up an error page in IIS.

To work around it there is some script you need to add to Fiddler. To do this, open up Fiddler (I'm using version 4.4.1.1 - it changes pretty frequently so your UI might be slightly different). Go into the Rules...Customize Rules menu; scroll down the script until you find the OnPeekAtResponseHeaders function. UPDATE: In newer builds of Fiddler this code goes in the OnBeforeRequest function. In there you can add a little code to get you past this authentication issue. First let me start with the code you add:

if (oSession.isHTTPS && oSession.responseCode == 401)
{
// To use creds other than your Windows login credentials,
// set X-AutoAuth to "domain\\username:password"
oSession["X-AutoAuth"] = "default";
oSession["ui-backcolor"] = "pink";
}

The main thing to note here is that what it is going to do is to try and use your Windows credentials to the authentication request. It's also going to set the backcolor of the authentication prompts to pink the Fiddler window, but you can obviously change or remove that part. If you want to use a different set of credentials when authenticating then you can plug in domain\\username instead of "default", as is explained in the script. This isn't perfect, but it at least works for ADFS and is a lot more useful than not having any Fiddler tracing possible at all.

If you want to see more details on this you can visit Eric's post about this at https://blogs.msdn.com/b/fiddler/archive/2011/09/04/fiddler-http-401-authentication-workaround-to-support-channel-binding-tokens-removing-endless-prompts.aspx.

Comments