Match users browsers while validating
One time I came across an issue where we were able to authenticate via ADFS when using sAMAccountName but failed when using UPN.
We eventually found that users were failing to authenticate using UPN because the AD had 2 users with the same UPN.
Here one can either correct the user's UPN in AD, to match the related user's logon name, or change the logon name of the related user in the online directory, using the cmdlet `Set-MsolUserPrincipalName -UserPrincipalName [Existing UPN] -NewUserPrincipalName [Domain UPN-AD]`.
It might also be that you are using AADsync to sync 'MAIL as UPN' and 'EMPID as Source Anchor', but the Relying Party claim rules at the ADFS level have not been updated to send 'MAIL as UPN' and 'EMPID as Immutable ID'.
This is one of the most common issues.
ADFS uses the Token signing certificate to sign the Token sent to the user or application.
If you see Redirection happening but it does NOT take you to your STS / ADFS for sign-in, then check if the STS / ADFS service name is resolving to the correct IP and if it can connect to that IP on TCP port 443.
If AD replication is broken, changes made to user/group may not be in sync across DCs.
When you add a new Token-Signing certificate, you receive a warning reading: "Ensure that the private key for the chosen certificate is accessible to the service account for this Federation Service on each server in the farm".
Extended protection enhances the existing Windows Authentication functionality to mitigate authentication relay or "man in the middle" attacks.
Certain browsers and Fiddler cannot work with "Extended protection": they throw repeated credential prompts followed by access denied.
This should help prevent credential prompts for some time, but may cause a problem after the user's password has changed and Credential Manager has not been updated.
Authentication may fail with a NO_SUCH_USER error in the audit logs.
Add Read access for your AD FS 2.0 service account and click OK.
For ADFS to find a user for authentication using an attribute other than UPN or sAMAccountName, such as email, you need to configure it to support Alternate Login ID.
Close the Certificates MMC.
When Extended Protection for Authentication is enabled, authentication requests are bound both to the Service Principal Name (SPN) of the server to which the client tries to connect and to the outer Transport Layer Security (TLS) channel over which Integrated Windows Authentication happens.
Between DCs, we may have password/UPN/group membership/proxyAddress mismatches that will affect the ADFS response (authentication and claims), as ADFS may go to different DCs for authentication and for the LDAP query.
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options – "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings." – Disabled
Ensure that the SPN HOST/ADFSservicename is added to the service account running the ADFS service, in an ADFS farm setup.
For an ADFS standalone setup, where the service runs under 'Network Service', the SPN needs to be on the computer account of the server hosting ADFS.
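The following PowerShell script is an added example, not code from the original page. It checks for the two failure causes discussed above from an administrator's workstation: duplicate userPrincipalName values in AD (which make UPN sign-in fail while sAMAccountName sign-in works) and a missing HOST/ SPN on the account that runs the ADFS service. It assumes the ActiveDirectory RSAT module is installed and that setspn.exe is on the path; the values of $AdfsServiceName and $AdfsServiceAccount are placeholders you replace with your own federation service name and service (or computer) account.

```powershell
# Added diagnostic example (not from the original page). Assumes RSAT ActiveDirectory
# module and setspn.exe are available and the caller has read access to AD.
param(
    [string]$AdfsServiceName    = 'adfs.example.com',   # placeholder: federation service name
    [string]$AdfsServiceAccount = 'EXAMPLE\svc_adfs'    # placeholder: account running ADFS (use COMPUTER$ for Network Service)
)

Import-Module ActiveDirectory

# 1. Duplicate UPN check. Two objects sharing a userPrincipalName cannot be resolved
#    uniquely, so UPN-based sign-in fails even though sAMAccountName sign-in works.
$duplicateUpns = Get-ADUser -Filter 'userPrincipalName -like "*"' -Properties userPrincipalName |
    Group-Object -Property userPrincipalName |
    Where-Object { $_.Count -gt 1 }

if ($duplicateUpns) {
    foreach ($group in $duplicateUpns) {
        Write-Warning ("Duplicate UPN {0} on: {1}" -f $group.Name, ($group.Group.DistinguishedName -join '; '))
    }
} else {
    Write-Output 'No duplicate userPrincipalName values found.'
}

# 2. SPN check. The account that runs ADFS (the service account in a farm, or the
#    computer account when running as Network Service) must hold HOST/<service name>,
#    otherwise Integrated Windows Authentication to the federation service fails.
$expectedSpn    = "HOST/$AdfsServiceName"
$registeredSpns = & setspn.exe -L $AdfsServiceAccount 2>&1

if ($registeredSpns -match [regex]::Escape($expectedSpn)) {
    Write-Output "Found $expectedSpn on $AdfsServiceAccount."
} else {
    Write-Warning "$expectedSpn is not registered on $AdfsServiceAccount. Register it with: setspn -S $expectedSpn $AdfsServiceAccount"
}

# 3. Confirm the SPN is not registered on more than one account; a duplicate SPN
#    breaks Kerberos for the service the same way a duplicate UPN breaks UPN lookup.
Write-Output "Accounts holding $expectedSpn (setspn -Q):"
& setspn.exe -Q $expectedSpn 2>&1 | Write-Output
```

Run it as a user with read access to the directory; it only reads and reports, and the `setspn -S` command it prints is left for you to run deliberately because `-S` refuses to add an SPN that already exists on another account, which is the safe way to register one.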