
We have a Windows 2016 ADFS 4.0 farm (WID database, not SQL Server) hosted in Azure.

We are working with a new OpenID Connect application, and want to use ADFS to authenticate and populate user profiles from AD. The application is using a shared secret for the JWT config.

This was very easy to configure in our Test environment (single node farm).

When we configured the same application server on our production ADFS server, we were initially successful, but after logging in, we started to intermittently get login errors. After you log in to ADFS, you are sent to the callback URL. This redirects you to a login page, and on that page is a modal dialog box with this error message: Call to IdP failed to get identity

If we hit refresh a few times, eventually the application will allow us into the application. When we ran a Fiddler trace on the bad connection, we found this error:

{"errorCodeString":"camAuthUnrecoverable",
"messages":[{"messageString":"Call to IdP failed to get identity. Status 400\nError: invalid_grant\nError description: MSIS9612: The authorization code received in 'code' parameter is invalid. "}],
"promptInfo":{"captions":["Call to IdP failed to get identity"]}}

I found errors in ADFS event viewer with this sort of message:

Encountered error during OAuth token request. 

Additional Data 

Exception details: 
    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: 
MSIS9252: The authorization code received is invalid. 
No artifact found for the specified authorization code: '//redacted//'. 
The cause may be that artifact has timed out, or the authorization code was replayed, or the authorization code is invalid. 
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext)

In every case we were able to log in after we hit reload a number of times.

When we reduced the number of nodes in the farm to 1, the issue appeared to disappear, and reappeared when we re-added the nodes.

Have others run into this issue when setting up OpenID Connect/OAuth2 apps? How did you resolve this?

While SAML2 artifact resolution is not supported in ADFS 4.0 using WID, there isn't anything saying the same issue applies to OpenID Connect, although it's my only guess as to the issue. Is it worth the expense to convert ADFS to use a SQL Server cluster?

RyanM
  • I don't have an answer to your old question, but were you ever able to figure out a configuration or workaround that fixed this? We are seeing the same behavior using a 3-node farm and WID database and the only OIDC application we have is seeing this behavior when all nodes in the farm are used (they are round-robin, no session persistence). – user631062 Apr 15 '21 at 16:47
  • Yes. The issue was related to the farm configuration. OIDC appears to make two connections, one for authentication, one for attribute collection. If both connections are to the same server, you're good. Otherwise, problem. We had to switch to SQL Server database so connections were known to all farm members. – RyanM Jul 20 '21 at 13:44
  • Yes. The issue was related to the farm configuration. OIDC RPs make their own connection to the database for attribute collection. Switching to SQL Server database eliminated the problem, since all nodes in the farm could access connection information made by any other node. Docs for the WID to SQL Server conversion aren't great either. Sorry for the delay – RyanM Jul 20 '21 at 13:51

1 Answer


This is a problem if you:

  1. have an ADFS farm with multiple nodes;
  2. the ADFS nodes are using WID (SQLExpress/LocalDB); and
  3. are using "Application Groups" (an OIDC application) with a Web API configured to issue claims.

Unlike (most) SAML connections, OIDC retrieves data directly from the IDP.

ADFS+SQLexpress only shares configuration between nodes, so if your application tries to retrieve tokens from a different farm node than the one you authenticated to, it will fail.

The quick answer is to switch ADFS from a SQLExpress configuration to a SQL Server implementation. When I did that, OIDC worked consistently.

Documentation for this is hard to come by. My sources have disappeared; I will put my notes online and provide a link to them when I get a chance.

Old links that don't work anymore:

RyanM
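The failure mode described in the question and answer, as an added simulation that is not code from the original thread or from ADFS: two or three farm nodes sit behind a load balancer, the /authorize request issues a single-use code on one node, and the /token request that redeems it may land on another. A per-node artifact store models the WID behaviour the answer describes; one shared store models the SQL Server farm, and a sticky balancer models session persistence. The node names, the `Node`/`build_farm`/`run_logins` helpers and the random balancer are constructed for this example.

```python
"""Simulate OIDC authorization-code redemption across ADFS farm nodes.

Added example (not the thread's own code). The balancer, node names and
store layout are constructed assumptions that follow the answer's explanation.
"""
import random
import secrets


class Node:
    """One farm member; `store` maps issued authorization codes to users."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def authorize(self, user):
        # /authorize endpoint: issue a single-use code and remember its owner.
        code = secrets.token_urlsafe(16)
        self.store[code] = user
        return code

    def token(self, code):
        # /token endpoint: a code this node cannot find is rejected with
        # invalid_grant, the MSIS9252 "No artifact found" case in the event log.
        # Popping it also rejects a replayed code on the second redemption.
        user = self.store.pop(code, None)
        if user is None:
            return {"error": "invalid_grant"}
        return {"access_token": f"token-for-{user}"}


def build_farm(node_names, shared_store):
    """Per-node dicts model WID; a single shared dict models a SQL Server farm."""
    shared = {}
    return [Node(n, shared if shared_store else {}) for n in node_names]


def run_logins(nodes, logins, sticky=False, seed=0):
    """Each login is two balanced requests. With sticky=True the /token call
    follows /authorize to the same node. Returns (successes, failures)."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    ok = bad = 0
    for i in range(logins):
        auth_node = rng.choice(nodes)
        code = auth_node.authorize(f"user{i}")
        token_node = auth_node if sticky else rng.choice(nodes)
        if "error" in token_node.token(code):
            bad += 1
        else:
            ok += 1
    return ok, bad
```

With three WID nodes and no persistence, roughly two logins in three fail and a retry eventually lands both requests on one node, which matches the "hit refresh a few times" symptom; the shared-store and sticky runs report zero failures.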