400 Bad Request Error with ADFS

I spent waaayyyyy too much time trying to resolve this problem so am capturing it here in case any of the rest of you run up against this. I installed a new ADFS 3.0 on Windows Server 2012 R2 machine in my environment, and then configured a new SharePoint SPTrustedIdentityTokenIssuer for it. Every time I tried to authenticate to it I entered my credentials, and then I would get a 400 bad request back and the whole thing came to a grinding halt. I was getting no errors in any of the event logs on the ADFS server. What was also weird is that if I configured ADFS to use forms based authentication instead of Windows, I could log in just fine.

I suspected Kerberos SPN issues, but when I had tried to set it after setting up ADFS (using setspn) it said that the SPN was set. Well, guess what - turns out that was not true. I finally just went in to adsiedit.msc on my domain controller and looked at my service account. If you go into the properties you can scroll down to servicePrincipalName and see exactly what's configured for it, and sure enough, my ADFS server was not listed there. So, I just added the SPN needed for it - http/yourFqdnAdfsServer - saved it, and authentication started working then. As always, note that the SPN is NOT a URL, like https://myserver, it's just the protocol and host name, so http/myserver.

Hopefully this will save you some time, I know a lot of folks build all this out in their labs at home so start by double-checking your service account SPNs.
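
The same check as the adsiedit.msc step above, scripted. This is an added example, not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the host name and account name in it are placeholders to replace with your own.

```powershell
# Added example. $AdfsFqdn and $SvcAccount are placeholders (assumptions), not values from the post.
param([switch]$Fix)   # without -Fix the script only reports and changes nothing
Import-Module ActiveDirectory

$AdfsFqdn   = 'adfs.corp.example'   # placeholder: FQDN of the ADFS server
$SvcAccount = 'svc-adfs'            # placeholder: sAMAccountName of the ADFS service account
$WantedSpn  = "http/$AdfsFqdn"      # protocol/host, not a URL

# Read servicePrincipalName straight from the directory (what adsiedit.msc shows),
# rather than trusting the message a previous setspn run printed.
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SvcAccount)" -Properties servicePrincipalName
if (-not $acct) { throw "Account '$SvcAccount' not found in the current domain." }

"SPNs currently on ${SvcAccount}:"
@($acct.servicePrincipalName) | ForEach-Object { "  $_" }

# Find every object in the domain that holds the SPN. The same SPN registered on a
# second object is a duplicate, and Kerberos authentication to that name fails.
$holders  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$WantedSpn)" -Properties sAMAccountName)
$onOthers = @($holders | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName })

if ($onOthers.Count -gt 0) {
    Write-Warning "$WantedSpn is registered on another object; remove it there first:"
    $onOthers | ForEach-Object { "  $($_.sAMAccountName)  ($($_.DistinguishedName))" }
}
elseif (@($acct.servicePrincipalName) -contains $WantedSpn) {
    "$WantedSpn is present on $SvcAccount. Nothing to do."
}
elseif ($Fix) {
    # -S checks for duplicates before adding the SPN.
    setspn -S $WantedSpn $SvcAccount
    # Re-read the attribute to confirm the write really landed.
    $after = Get-ADObject -Identity $acct.DistinguishedName -Properties servicePrincipalName
    if (@($after.servicePrincipalName) -contains $WantedSpn) {
        "Verified: $WantedSpn is now on $SvcAccount."
    } else {
        Write-Warning "setspn returned, but $WantedSpn is still not on $SvcAccount."
    }
}
else {
    "$WantedSpn is MISSING from $SvcAccount. Re-run with -Fix, or run: setspn -S $WantedSpn $SvcAccount"
}
```

Run it as an account that can write servicePrincipalName on the service account; read-only mode works for any domain user.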

Comments

  • Anonymous
    January 01, 2003
    You are a rockstar... thought I was in for a long Sunday trying to figure this one out (I migrated from ADFS 2.1 to ADFS 3.0) and could not understand why it wasn't working. So simple. Thanks so much.
  • Anonymous
    January 01, 2003
    Brilliant, that just saved me a huge headache :)
  • Anonymous
    January 01, 2003
    Awesome! Thanks for sharing.
  • Anonymous
    January 01, 2003
    Steve, bingo. This should be the first result on bing with ADFS 3.0 HTTP 400. :) Thanks as always.
  • Anonymous
    September 18, 2014
    Thanks. Saved the day.
  • Anonymous
    October 24, 2014
    Dude! YOU ROCK!! What a life saver. I wish Microsoft, the producer, published this type of info!
  • Anonymous
    October 24, 2014
    Is it possible your ADFS server name was the same name as the federation farm? I just ran into this issue where that was the case, turns out it's not recommended. I manually entered the HTTP endpoint as you suggested and that worked for me - but it leads me to believe that if the two weren't the same, then the SPN might have been set for you.
  • Anonymous
    January 27, 2015
    Thanks, did the trick for us too
  • Anonymous
    January 29, 2015
    I wish I had Googled before I opened a case with Microsoft....this fixed it while waiting on a call back. Thank you!
  • Anonymous
    February 04, 2015
    seriously? that fixed my problem...I could kiss you..Thanks so much...but cmon Microsoft!
  • Anonymous
    February 17, 2015
    I was so happy to see this post. until it didn't work for me :( I still receive the 400 errors.
    question, after my setup I did have
    host/fqdnmyserver
    there already. I added the necessary http/fqdnmyserver but no go.
  • Anonymous
    February 25, 2015
    Thank you, you saved the day.