user2457870

Reputation: 710

windows authentication with ADFS on standalone application

I have this Windows console application which is trying to perform windows authentication against ADFS. I'm already able to authenticate by using username/password but I don't want to do it this way since the user has already been authenticated in Windows.

I have this code:

        using System;
        using System.IdentityModel.Protocols.WSTrust;
        using System.IdentityModel.Tokens;
        using System.ServiceModel;
        using System.ServiceModel.Security;

        //Setup the connection to ADFS
        const string adfsEndpoint = "https://iis.dev.lab/adfs/services/trust/13/windowsmixed";

        //WindowsWSTrustBinding sends the current Windows logon (Kerberos/NTLM) as the message credential
        var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(adfsEndpoint))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        //Setup the request object (relyingPartyId is the relying party identifier configured in ADFS, defined elsewhere)
        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(relyingPartyId)
        };

        //Open a connection to ADFS and get a token for the logged in user
        var channel = factory.CreateChannel();

        var genericToken = channel.Issue(rst) as GenericXmlSecurityToken;

and when it tries to get the token I have this exception:

Security Support Provider Interface (SSPI) authentication failed. The server may not be running in an account with identity 'host/iis.dev.lab'. If the server is running in a service account (Network Service for example), specify the account's ServicePrincipalName as the identity in the EndpointAddress for the server. If the server is running in a user account, specify the account's UserPrincipalName as the identity in the EndpointAddress for the server.

The thing is:

Questions:

  1. Should I use this URL ("../adfs/services/trust/13/windowsmixed") to perform this kind of authentication? Or should I use kerberosmixed? Can someone point out some documentation concerning the goal of each service available in ADFS?
  2. Is there a way to set the domain of the user before making the request? I've tried this: factory.Credentials.Windows.ClientCredential.Domain = "dev.lab"; but it didn't work out.
  3. Do I still need to define the credentials even if doing Windows auth? Like this, for instance: factory.Credentials.Windows.ClientCredential = CredentialCache.DefaultNetworkCredentials; ?

Any help is appreciated.

Upvotes: 1

Views: 3555

Answers (2)

Jesper Plantener

Reputation: 229

Just stumbled across this question while I was looking for an answer to the same question.

I just managed to solve my issue by doing the following:

        //"your spn" is a placeholder: use the SPN registered for the ADFS service account (e.g. HTTP/<adfs host>)
        EndpointIdentity identity = new SpnEndpointIdentity("your spn");

        //Setup the connection to ADFS (adfsEndpoint holds the windowsmixed endpoint URL, as in the question)
        var factory = new WSTrustChannelFactory(new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential), new EndpointAddress(new Uri(adfsEndpoint), identity))
        {
            TrustVersion = TrustVersion.WSTrust13
        };

Note that the endpoint address is now a URI, and that I pass along the SPN identity of my service account.

Upvotes: 1
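An added, self-contained console version of the approach in this answer (it is not the poster's code); the endpoint, relying party identifier and SPN are placeholder values you would replace with your own ADFS configuration:

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

class AdfsWindowsAuthSample
{
    // Placeholder values: the windowsmixed endpoint of your ADFS farm, the relying party
    // identifier configured in ADFS, and the SPN registered for the ADFS service account.
    const string AdfsEndpoint = "https://adfs.example.test/adfs/services/trust/13/windowsmixed";
    const string RelyingPartyId = "https://rp.example.test/";
    const string AdfsSpn = "HTTP/adfs.example.test";

    static GenericXmlSecurityToken RequestBearerToken()
    {
        // The identity tells SSPI which Kerberos principal the ADFS service runs as. Without it
        // WCF falls back to host/<hostname>, which is the identity named in the question's error.
        EndpointIdentity identity = new SpnEndpointIdentity(AdfsSpn);
        var address = new EndpointAddress(new Uri(AdfsEndpoint), identity);

        var binding = new WindowsWSTrustBinding(SecurityMode.TransportWithMessageCredential);
        var factory = new WSTrustChannelFactory(binding, address)
        {
            TrustVersion = TrustVersion.WSTrust13
        };

        // No ClientCredential is assigned: the binding authenticates with the caller's
        // current Windows logon, so no username, password or domain is needed here.
        Console.WriteLine("Requesting token as " + WindowsIdentity.GetCurrent().Name);

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            KeyType = KeyTypes.Bearer,
            AppliesTo = new EndpointReference(RelyingPartyId)
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        return channel.Issue(rst) as GenericXmlSecurityToken;
    }

    static void Main()
    {
        var token = RequestBearerToken();
        Console.WriteLine("Token valid from {0} to {1}", token.ValidFrom, token.ValidTo);
    }
}
```

If Issue still throws a SecurityNegotiationException, compare the SPN constant with the output of setspn -l for the ADFS service account before changing anything else.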

user1664202

Reputation:

So the "probable" reason for this error message is that you probably have ADFS configured incorrectly.

Look here for the definition of a SPN: https://msdn.microsoft.com/en-us/library/ms677949(v=vs.85).aspx

To resolve this you will either need to set an SPN on the ADFS service account or the Server itself.

SETSPN -a HTTP/{THE URL OF THE ADFS SERVER} DOMAIN\SERVICENAME

SETSPN -a HTTP/{THE URL OF THE ADFS SERVER} COMPUTERNAME

and then restart the ADFS services. One note on the service accounts, if you're running using the network or system account then you will still need to use the computer name as those are local server accounts. An example, if you have an ADFS url of iis.dev.lab then you do this:

SETSPN -a HTTP/IIS.DEV.LAB ADFSServer

Also - to test your adfs setup: https://iis.dev.lab/adfs/ls/IdpInitiatedSignon.aspx

Upvotes: 4
