I'm trying to do a lab exercise to federate authentication between two domains.
The domain hosting the application is yjb.gov.uk:
- yjb-DC (10.0.0.1) is the DC with AD DS and AD CS. It also hosts AD FS on sts1.yjb.gov.uk (10.0.0.20)
- app.yjb.gov.uk (10.0.0.2) hosts the quickstart WFE claims-aware application
- yjb1 is a client
The domain hosting the claims provider is hmp.gov.uk
- hmp-DC (10.0.0.101) is the DC with AD DS and AD CS. It also hosts AD FS on sts2.hmp.gov.uk (10.0.0.120)
- hmp1 is a client
I've done: setspn -a host/sts1.yjb.gov.uk adfssrvc, and similarly for sts2.hmp.gov.uk.
adfssrvc is set up as a domain user in each domain, each with Administrator and Domain Admin membership.
The ADFS service is running with adfssrvc as the Logon user on both STSs.
All server certificates are domain certs issued by the respective AD CS.
On yjb-DC IIS uses a wildcard domain cert to cover *.yjb.gov.uk.
On hmp-DC IIS uses a domain cert covering just sts2.hmp.gov.uk.
I've swapped CA root certs between the two DCs and installed them using the Group Policy Editor so they deploy to clients.
On yjb1 I browse to https://app.yjb.gov.uk/WFE. I get prompted by sts1 to authenticate, and I get a list of Claim Types and Claim Values from WFE.
On hmp1 I browse to https://app.yjb.gov.uk/WFE. I get prompted first to choose my organization. I choose HMP. I get prompted by sts2 to authenticate. I enter a valid HMP domain user but get the following error message:
An error occurred during processing of the request.
MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.
This error is displayed in the browser and appears in the AD FS 2.0 Eventing log for sts1.
I get nothing in the Eventing log for sts2.
I'm stumped...
I've added all referenced websites to the Local Intranet zone on hmp1 and dropped security to permit all cookies.
I've tried with a newly created HMP domain user account to eliminate the possibility of cached tokens.
Any suggestions would be gratefully received!
Regards,
jks
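As an added diagnostic (not part of the original post), here is a PowerShell script to run on the hmp1 client that checks the prerequisites the post describes: that all three hosts resolve, that each TLS certificate chains to a root the client trusts (i.e. the cross-installed AD CS roots actually reached hmp1), that both STSs serve their federation metadata, and which SPNs are registered on adfssrvc. The hostnames are the ones from the post; the metadata path is the standard AD FS 2.0 one; the setspn line only lists the account in the domain hmp1 belongs to.

```powershell
# Added diagnostic for the two-forest AD FS lab in the post above (not the author's code).
# Uses only .NET classes so it also runs on PowerShell 2.0 (Server 2008 R2 / AD FS 2.0 era).
$hosts = @('app.yjb.gov.uk', 'sts1.yjb.gov.uk', 'sts2.hmp.gov.uk')

foreach ($h in $hosts) {
    Write-Host "== $h =="
    # 1. Name resolution: cross-forest DNS is a frequent gap in a two-domain lab.
    try { $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
          Write-Host " DNS -> $($ips -join ', ')" }
    catch { Write-Host " DNS FAILED: $($_.Exception.Message)"; continue }

    # 2. TLS handshake, then an explicit chain build against THIS client's trusted roots.
    #    The callback accepts any cert only so we can fetch it; trust is judged by X509Chain below.
    $tcp = New-Object System.Net.Sockets.TcpClient($h, 443)
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    $ssl.AuthenticateAsClient($h)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)
    Write-Host " Cert subject : $($cert.Subject)"
    Write-Host " Cert issuer  : $($cert.Issuer)"
    Write-Host " Chain trusted: $trusted"   # False => the issuing forest's root CA is not trusted here
    if (-not $trusted) { $chain.ChainStatus | ForEach-Object { Write-Host "   $($_.Status): $($_.StatusInformation)" } }
    $ssl.Dispose(); $tcp.Close()
}

# 3. Federation metadata from each STS. The RP trust on sts1 and the CP trust on sts2 are built
#    from these documents, so both must be reachable and parse as XML from the client side.
foreach ($sts in 'sts1.yjb.gov.uk', 'sts2.hmp.gov.uk') {
    $url = "https://$sts/FederationMetadata/2007-06/FederationMetadata.xml"
    try {
        $wc = New-Object System.Net.WebClient
        [xml]$md = $wc.DownloadString($url)
        Write-Host "$sts metadata OK, entityID = $($md.EntityDescriptor.entityID)"
    } catch { Write-Host "$sts metadata FAILED: $($_.Exception.Message)" }
}

# 4. SPNs on the service account (the post registered host/<sts> with setspn -a).
#    From hmp1 this lists the hmp.gov.uk adfssrvc; run the same on yjb1 for the other forest.
setspn -L adfssrvc
```

A "Chain trusted: False" for an sts1 or app certificate on hmp1 means the yjb.gov.uk root did not actually deploy via Group Policy; check the client's Trusted Root Certification Authorities store before looking further at the cookie handling.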