Reputation: 1435
I have a SharePoint site running on an Azure virtual machine. Now I want to authenticate my SharePoint site with Azure AD users.
For this I have followed the link below, but I get an error after login.
Using Microsoft Azure Active Directory for SharePoint 2013 authentication
I have implemented it as given in the reference link, but I am still facing an error. When I access my URL from the browser, it asks me which provider I want to log on through.
Then, on selecting the ACS provider, it redirects me to the Office 365 login. After I submit my credentials, it redirects me to
https://testvm.cloudapp.net/_trust/
and I get an error. So I checked the SharePoint log and found the error below.
Cannot find site lookup info for request Uri urn:sharepoint:spvms.
SPAudienceValidator: Audience uri 'urn:sharepoint:spvms is not valid for the context.
Getting Error Message for Exception Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The Audience URI could not be validated.
SPSaml11SecurityTokenHandler: Audience validation failed for request 'https://testvm.cloudapp.net/_trust/' with the following audience URIs: 'urn:sharepoint:spvms', .
Application error when access /_trust/, Error=The Audience URI could not be validated.
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Upvotes: 0
Views: 3219
Reputation: 814
I got a working solution for that. The thing is you shouldn't use New-MsolServicePrincipal to connect Azure AD and ACS.
Instead, you add your ACS as an app to Azure AD.
Then view its endpoints and copy the FEDERATION METADATA DOCUMENT link.
Paste the copied link in the URL field of your identity provider in ACS.
NOTE: If you used New-MsolServicePrincipal, you will need to use Remove-MsolServicePrincipal. Otherwise Azure won't let you register an app with the same URL.
Upvotes: 0
Reputation: 151
It sounds like the authentication to Azure AD is working and the redirect to SharePoint is working properly. Use Get-SPTrustedIdentityTokenIssuer and verify the realm; it looks like the realm being sent from Azure ACS does not match the realm you used in PowerShell.
Upvotes: 0
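As an added example (not code from the question or from either answer), the following PowerShell script performs the check the last answer describes: it compares the audience URI that SPAudienceValidator reported in the question's log (urn:sharepoint:spvms) with the realms configured on the SharePoint trusted identity token issuer. The issuer name "ACS Provider" and the site URL are assumptions taken from the question's description; change both to match your farm.

```powershell
# Added example: run in the SharePoint Management Shell on the SharePoint server.
# Compares the audience URI that ACS placed in the SAML token (taken from the
# ULS log lines in the question) with the realm SharePoint will accept for the site.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Audience URI reported by SPAudienceValidator in the ULS log (from the question).
$tokenAudience = "urn:sharepoint:spvms"

# Assumptions: the name given to New-SPTrustedIdentityTokenIssuer and the
# site URL from the question's redirect. Adjust both for your environment.
$issuerName = "ACS Provider"
$siteUrl    = New-Object System.Uri("https://testvm.cloudapp.net")

$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

# SharePoint resolves the expected realm for a request from ProviderRealms
# (keyed by site URL) and falls back to DefaultProviderRealm (the -Realm value
# passed to New-SPTrustedIdentityTokenIssuer).
$expected = $issuer.DefaultProviderRealm
if ($issuer.ProviderRealms.ContainsKey($siteUrl)) {
    $expected = $issuer.ProviderRealms[$siteUrl]
}

Write-Host "Token audience : $tokenAudience"
Write-Host "Expected realm : $expected"

if ($expected -eq $tokenAudience) {
    Write-Host "Realms match; audience validation for this site should succeed."
} else {
    Write-Warning "Mismatch. Either set the relying party realm in ACS to '$expected',"
    Write-Warning "or map this site to the realm ACS is sending with:"
    Write-Host '$issuer.ProviderRealms.Add($siteUrl, $tokenAudience); $issuer.Update()'
}
```

Whichever side you change, keep the audience check itself in place: the `enforceAudienceRestriction` argument visible in the stack trace is what stops a token issued for some other relying party from being accepted by this site, so resolving the mismatch by relaxing audience validation would trade an error message for an authentication bypass.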