User keeps prompting for password

RST 86 Reputation points
2020-08-18T13:48:00.943+00:00

Hello Expert,

I am facing an issue in one of the scenarios. From one of the servers in the DMZ running Windows 2012 R2, I did the steps below.

Network diagram is F5 VIP > 1 WAP server >Internal FW > 1 ADFS server

On W2K12 R2 > open IE > portal.azure.com > enter credentials (the account is from on-prem) > redirected to the STS address "FQDN/adfs/ls" > enter password > no error message, but it keeps asking me to enter the password, and it goes on......

Checked the WAP and saw an event indicating the incoming request for this user, but no event was logged on ADFS; I am wondering whether the traffic is terminating at the WAP itself.

Is something blocking at the WAP itself, or some sort of rule? I tried a Netmon trace, but it didn't help. I would appreciate it if you could lead with your advice.

Thanks in advance


2 answers

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-08-18T16:50:44.63+00:00

    I'd suspect that you use custom certificates (as opposed to the default self-signed ones) and that the Token Decrypting certificate you use in your ADFS deployment does not have the proper KeySpec. If the KeySpec is not set to 1 (AT_KEYEXCHANGE), you can't use Forms Based Authentication, as ADFS can't encrypt stuff. This will fail because ADFS uses that certificate in the process. It will just loop. This certificate is not used when you use Windows Integrated Authentication. Hence you don't have the problem internally if the browser supports Windows SSO (Kerberos/NTLM).

    Anyhow, run the following PowerShell cmdlets on your primary ADFS server to determine the KeySpec of your Token Decrypting cert:

    # Get-AdfsCertificate returns both primary and secondary certificates when a
    # secondary is configured; pick the primary so certutil receives a single thumbprint
    # (a second positional argument would be interpreted as an output file name).
    $cert = (Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object { $_.IsPrimary }).Thumbprint
    # -v dumps the private key properties, including the KeySpec line we care about
    certutil -v -store My $cert | Where-Object { $_ -like "*KeySpec*" }
    

    If the output is not:

        KeySpec = 1 -- AT_KEYEXCHANGE
    

    Then we found our problem, and we can fix it by re-importing the certificate. You would delete it from the store (you can use the MMC) and re-import it, specifying the KeySpec, like:

    certutil -importpfx Token-Decrypting.pfx AT_KEYEXCHANGE
    

    Let us know! 🤞

    1 person found this answer helpful.
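The check in the answer above runs certutil against a single thumbprint. As an added example (not part of the original thread, and not Microsoft's own tooling), the script below wraps the same check in a function that inspects every certificate ADFS has configured, primary and secondary, for all three certificate roles, and parses the KeySpec value out of the certutil output so it can be compared in one table. It assumes an elevated PowerShell session on the primary ADFS server with the ADFS module loaded; the function name, parameter name, and the PFX file name and password placeholders in the remediation comment are assumptions of this example.

```powershell
# Added example: report the KeySpec of the private key behind each ADFS certificate.
# Assumes: elevated PowerShell on the primary ADFS server, ADFS module available.
# Get-AdfsCertificateKeySpec is a name chosen for this example, not an ADFS cmdlet.

function Get-AdfsCertificateKeySpec {
    [CmdletBinding()]
    param(
        # ADFS certificate roles to inspect. Token-Decrypting is the one that matters
        # for forms-based authentication; the others are reported for completeness.
        [string[]]$CertificateType = @('Token-Decrypting', 'Token-Signing', 'Service-Communications')
    )

    foreach ($type in $CertificateType) {
        # Returns one object per configured certificate (primary and, if set, secondary).
        foreach ($adfsCert in (Get-AdfsCertificate -CertificateType $type)) {

            # certutil looks in LocalMachine by default and needs -user for CurrentUser.
            # Caveat: -user only sees the store of the account running this session, so a
            # certificate that ADFS reports in the service account's CurrentUser store will
            # not be found unless this is run as that account.
            $storeArgs = @('-v')
            if ($adfsCert.StoreLocation -eq 'CurrentUser') { $storeArgs += '-user' }
            $storeArgs += @('-store', $adfsCert.StoreName, $adfsCert.Thumbprint)

            $out = & certutil.exe @storeArgs 2>&1

            # certutil -v prints a line such as "KeySpec = 1 -- AT_KEYEXCHANGE" for the
            # private key. A missing line means no KeySpec was reported for this key.
            $keySpec = $null
            foreach ($line in $out) {
                if ($line -match 'KeySpec\s*=\s*(\d+)') { $keySpec = [int]$Matches[1]; break }
            }

            [pscustomobject]@{
                CertificateType = $type
                IsPrimary       = $adfsCert.IsPrimary
                Thumbprint      = $adfsCert.Thumbprint
                Subject         = $adfsCert.Certificate.Subject
                StoreLocation   = $adfsCert.StoreLocation
                KeySpec         = $keySpec
                IsKeyExchange   = ($keySpec -eq 1)   # 1 = AT_KEYEXCHANGE, what ADFS needs
            }
        }
    }
}

# Usage: print the table and flag any Token-Decrypting certificate that is not AT_KEYEXCHANGE.
$report = Get-AdfsCertificateKeySpec
$report | Format-Table CertificateType, IsPrimary, KeySpec, IsKeyExchange, StoreLocation, Thumbprint -AutoSize

$bad = $report | Where-Object { $_.CertificateType -eq 'Token-Decrypting' -and -not $_.IsKeyExchange }
if ($bad) {
    Write-Warning ("Token-Decrypting certificate(s) without AT_KEYEXCHANGE: " + ($bad.Thumbprint -join ', '))
    # Remediation as described in the answer above, performed manually after exporting the
    # certificate with its private key to a PFX (file name and password are placeholders):
    #   certutil -delstore My <thumbprint>
    #   certutil -f -p <pfx-password> -importpfx Token-Decrypting.pfx AT_KEYEXCHANGE
    # Re-run Get-AdfsCertificateKeySpec afterwards and confirm KeySpec = 1 before restarting adfssrv.
}
```

The function deliberately does not run the delete and re-import for you: removing a Token-Decrypting certificate from the store while the ADFS service is using it is a change you want to make on purpose, with the PFX export verified first.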

  2. RST 86 Reputation points
    2020-08-20T07:09:09.33+00:00

    Hi @Pierre Audonnet - MSFT

    Thank you for the advice, it's really worthwhile information. In our case we are using self-signed certificates for Token and Signing (which don't seem to have the KeySpec attribute), and we do have our CA-generated certificate (KeySpec = 1 -- AT_KEYEXCHANGE), but this is set as secondary. The primary is the self-signed one.

    Could the issue be because this attribute is not present on the self-signed one? Also, the WAP is being used by MDM when users access email from mobile, but it uses ActiveSync, so I guess it is not modern auth, and so there is no browser authentication; correct me if I am wrong.

    May I know what other causes there could be, if it is not related to KeySpec?

