Forum Discussion
Miike
Nov 28, 2024, Brass Contributor
Federation Issues - No protocol handlers?
Hi All, It's been a number of years since I've federated a domain with Entra, i'm flipping this back in a home environment to complete some testing. Would appreciate some troubleshooting thoughts. ...
- Dec 09, 2024
I'm running into the same issue with v2.4.27.0 of Entra Connect. v2.3.8.0 works fine.
VasilMichev
Dec 01, 2024, MVP
I've seen a couple of these over the past few weeks, looks like something changed, possibly on MS side. I haven't bothered to test it on my own though, nor have I seen a solution being mentioned anywhere.
If you do feel like wasting more time on this, here are a few things to test. First, try configuring the RPT outside of AAD Connect, as that seems to be the common denominator in all similar threads I've seen. If nothing changes, enable trace logging on the AD FS server and check one failure event; hopefully it will spill out the actual issue. A Fiddler trace wouldn't hurt either.
Miike
Dec 04, 2024, Brass Contributor
Thanks for the tips and direction of troubleshooting, VasilMichev. I have identified the issue in further detail after manually configuring the RPT without success.
It looks like some of the components on the redirection URL are missing - wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline, when I add them back into the URL internally, I can authenticate and redirect back to M365 as expected. I can auth externally through the WAP when I do this, but it gets stuck in a loop, I'm thinking the WAP doesn't like me modifying the URL on the fly.
Not sure why this isn't provided in the redirection from M365 as expected, I'm guessing without this, the query won't hit the RPT and you end up with the same error as if you went straight to /adfs/ls. Might be a service side thing, maybe for recently federated tenants, still looking to see what I can dig up on this.
An example of the before URL - https://adfs.domain.com/adfs/ls/?wctx=LoginOptions%3D3%26&cbcxt=&username=test.user%40domain.com&mkt=en-US&lc=
An example of the after URL - https://adfs.domain.com/adfs/ls/?wa=wsignin1.0&wtrealm=urn%3afederation%3aMicrosoftOnline&wctx=LoginOptions%3D3%26&cbcxt=&username=test.user%40domain.com&mkt=en-US&lc=
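The two URLs above differ only in the WS-Federation passive sign-in parameters (`wa` and `wtrealm`). The following is an added example, not code from the thread or from Microsoft, that checks any `/adfs/ls` redirect URL for those parameters and reconstructs the "after" form from the "before" form while preserving the original `wctx`, `username` and empty query values. The hostname, user and realm are the placeholder values quoted in the post; the check generalises to any WS-Fed sign-in URL, not only the two quoted here.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# WS-Federation passive sign-in parameters that a request to /adfs/ls must
# carry for AD FS to match it to a relying party trust. The values are the
# ones quoted in the thread for the Microsoft Online RPT (decoded form).
REQUIRED_WSFED_PARAMS = {
    "wa": "wsignin1.0",
    "wtrealm": "urn:federation:MicrosoftOnline",
}

# The two example URLs from the post (placeholder domain and user).
BEFORE_URL = ("https://adfs.domain.com/adfs/ls/?wctx=LoginOptions%3D3%26"
              "&cbcxt=&username=test.user%40domain.com&mkt=en-US&lc=")
AFTER_URL = ("https://adfs.domain.com/adfs/ls/?wa=wsignin1.0"
             "&wtrealm=urn%3afederation%3aMicrosoftOnline"
             "&wctx=LoginOptions%3D3%26&cbcxt=&username=test.user%40domain.com"
             "&mkt=en-US&lc=")


def query_params(url):
    """Decode the query string into a dict, keeping empty values like 'lc='."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def missing_wsfed_params(url):
    """Return the required parameters that are absent or carry a wrong value."""
    query = query_params(url)
    return {k: v for k, v in REQUIRED_WSFED_PARAMS.items() if query.get(k) != v}


def add_wsfed_params(url):
    """Return url with any missing required parameters inserted in front of
    the existing ones, leaving wctx and the other values untouched."""
    parts = urlsplit(url)
    existing = parse_qsl(parts.query, keep_blank_values=True)
    present = {k for k, _ in existing}
    prepend = [(k, v) for k, v in REQUIRED_WSFED_PARAMS.items() if k not in present]
    # urlencode re-encodes ':' and '@' (uppercase %3A/%40); AD FS decodes both.
    return urlunsplit(parts._replace(query=urlencode(prepend + existing)))


def diagnose(url):
    """One-line verdict for a captured redirect, suitable for a trace log."""
    missing = missing_wsfed_params(url)
    if not missing:
        return "ok: wa/wtrealm present, request can match the RPT"
    return "missing " + ", ".join(sorted(missing)) + ": request will not match the RPT"


if __name__ == "__main__":
    for label, url in (("before", BEFORE_URL), ("after", AFTER_URL)):
        print(label, "->", diagnose(url))
    print("repaired:", add_wsfed_params(BEFORE_URL))
```

Run it against URLs pulled from a browser trace or the AD FS trace log to confirm which hop (Entra redirect, WAP, AD FS) drops the parameters; `add_wsfed_params` only reproduces the manual fix from the post for testing and does not explain why the redirect arrives without them.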
- VasilMichev, Dec 04, 2024, MVP
Interesting. Are you certain it's M365 that's not providing the parameters? It might also be something on the WAP side. In fact, have you tried this without WAP? The fewer moving parts involved, the better.
On the M365 side, are you getting the same experience regardless of which workload you initiate the login from? I.e. do you have the same experience when accessing the "home" page vs OWA vs SharePoint or any other "passive" one? If the issue is on the M365 side, it would be nice to understand whether it's purely on the Entra side, or dependent on the resource.
In any case, you might want to open a service request for this one. I tried pinging some folks, hoping to get additional info, but no dice :(