
We have a WCF service that uses active federation to authenticate callers via AD FS 2.0 and it's working fine internally. Now we want to expose it to the outside world, so our server team set up a server in the DMZ for the service and an AD FS Proxy server.

When the WCF service is called, we get the following exception:

System.ServiceModel.Security.SecurityNegotiationException: SOAP security negotiation with 'https://adfs-dev.example.com/adfs/services/trust/2005/kerberosmixed' for target 'https://adfs-dev.example.com/adfs/services/trust/2005/kerberosmixed' failed. See inner exception for more details.

---> System.IdentityModel.Tokens.SecurityTokenValidationException: The NetworkCredentials provided were unable to create a Kerberos credential, see inner exception for details.

---> System.IdentityModel.Tokens.SecurityTokenException: InitializeSecurityContext failed. Ensure the service principal name is correct.

---> System.ComponentModel.Win32Exception: The specified target is unknown or unreachable.

  • The internal AD FS server is a single server configured as a farm vs. stand-alone and the AD FS service runs under a service account.
  • The proxy AD FS server is a single server configured as a stand-alone and the AD FS service runs as Network Service.
  • A host file entry on the app server in the DMZ points the AD FS service name to the IP of the proxy server.
  • The firewall allows SSL traffic on port 443 from the proxy to the internal AD FS server.
  • The HOST/adfs-dev.example.com SPN is registered for the service account.

What might I be missing?

Rick Liddle (edited by TRiG)

1 Answer

'https://adfs-dev.example.com/adfs/services/trust/2005/kerberosmixed' is not available as an endpoint on a proxy. Please pick an endpoint that is available.

maweeras (edited by TRiG)
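The answer's point is that a caller outside the network cannot negotiate Kerberos through the AD FS proxy, so the client has to request its token from an endpoint the proxy does publish, such as a username endpoint over transport security. The following added example (not code from the question, the answer, or the AD FS product) shows a .NET 4.5 WCF client requesting a token from the proxy's `2005/usernamemixed` endpoint and then calling the federated service with it. It assumes the proxy exposes that endpoint, that the relying-party URL `https://service.example.com/MyService.svc` and the `IMyService` contract are hypothetical stand-ins, and that the caller supplies a username and password rather than Windows credentials.

```csharp
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

// Hypothetical service contract standing in for the real WCF service.
[ServiceContract]
public interface IMyService
{
    [OperationContract]
    string Ping();
}

public static class ExternalFederatedClient
{
    // Endpoint the proxy publishes for username credentials (assumed; the
    // kerberosmixed endpoint from the question is not proxied).
    const string ProxyUserNameEndpoint =
        "https://adfs-dev.example.com/adfs/services/trust/2005/usernamemixed";

    // Hypothetical relying-party (WCF service) address in the DMZ.
    const string ServiceAddress = "https://service.example.com/MyService.svc";

    // Request a token from the STS using username/password over TLS with
    // message-level credentials, which is what the *usernamemixed endpoints expect.
    public static SecurityToken RequestToken(string userName, string password)
    {
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(ProxyUserNameEndpoint))
        {
            // The question's endpoint lives under /trust/2005/, i.e. WS-Trust Feb 2005.
            TrustVersion = TrustVersion.WSTrustFeb2005
        };
        factory.Credentials.UserName.UserName = userName;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            AppliesTo = new EndpointReference(ServiceAddress),
            KeyType = KeyTypes.Symmetric
        };

        IWSTrustChannelContract channel = factory.CreateChannel();
        return channel.Issue(rst);
    }

    // Present the issued token to the federated WCF service.
    public static string CallService(SecurityToken token)
    {
        var binding = new WS2007FederationHttpBinding(
            WSFederationHttpSecurityMode.TransportWithMessageCredential);

        var factory = new ChannelFactory<IMyService>(binding, new EndpointAddress(ServiceAddress));
        factory.Credentials.SupportInteractive = false;

        // Extension method from System.ServiceModel.Security that attaches the
        // already-issued token instead of letting WCF negotiate one itself.
        IMyService proxy = factory.CreateChannelWithIssuedToken(token);
        return proxy.Ping();
    }

    public static void Main()
    {
        // Credentials would come from a secure prompt or store in practice; these are placeholders.
        SecurityToken token = RequestToken("EXAMPLE\\user", "<password>");
        Console.WriteLine(CallService(token));
    }
}
```

Whichever proxied endpoint is chosen, the WCF client's issuer address must point at it rather than at a Kerberos endpoint, and the service-side trust (the relying party and its certificate or claim rules in AD FS) is unchanged by this client-side switch.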