Sharepoint 2019 OnPremise and ADFS authentication loop

Pablo Alcover 5 Reputation points
2023-02-08T16:17:14.8433333+00:00

Hi,

I'm setting up ADFS for SharePoint 2019 OnPremise. Successfully integrated SPTrustedIdentityTokenIssuer with the ADFS endpoint. I can also successfully log in on the ADFS test page.

I'm stuck on the SharePoint sign-in page loop after a successful ADFS user logon. I can see the event ID 4634 "logoff session" for that user in the ADFS events.

I need some assistance or guidelines as I've found nothing useful in forums.

Your help is much appreciated.


5 answers

  1. Haoyan Xue_MSFT 19,871 Reputation points Microsoft Vendor
    2023-02-09T02:32:19.2633333+00:00

    Hi @Pablo Alcover ,

    Please check the steps to configure federated authentication in SharePoint 2019 with Active Directory Federation Services (AD FS).

    1. Install ADFS Server
    2. Create a trusted relying party for SharePoint 2019 in ADFS
    3. Configure SharePoint 2019 to trust ADFS

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Pablo Alcover 5 Reputation points
    2023-02-09T09:55:26.3033333+00:00

    I did follow the documentation to implement the integration. As said, I checked ADFS with its test page.

    I PREVIOUSLY faced the error "Ensure that the SecurityTokenResolver is populated with the correct key" and figured out that the certificate that has to be imported into SharePoint has to be exported from the Token-signing certificate of ADFS (really not well explained in the documentation). So I'm sure that this is NO LONGER THE ISSUE, and the behaviour I'm facing now has nothing to do with that.

    There is a successful logon and a subsequent logoff in the event viewer, as mentioned.


  3. Pablo Alcover 5 Reputation points
    2023-02-09T14:36:55.4833333+00:00

    The loop has been solved by adding the email address to the AD profile of the user account trying to log in.

    Now I'm getting new certificate issues:

    PartialChain: A certificate chain could not be built to a trusted root authority. RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate. OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.


  4. Pablo Alcover 5 Reputation points
    2023-02-09T15:00:41.1533333+00:00

    The last error is easily resolved by importing SharePoint's root authority into the Trusted Root Certificates store of every SharePoint server.

    Problems solved. Integration working.

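    The two fixes in the posts above (an identifier claim that relies on a populated mail attribute, and a token-signing certificate whose chain does not reach a trusted root on the farm servers) can both be checked before users hit them. The following is an added PowerShell pre-flight check, not code from the thread or from Microsoft; it assumes the SPTrustedIdentityTokenIssuer is named "ADFS" and that the AD FS token-signing certificate was exported to C:\certs\adfs-tokensigning.cer (both placeholders).

```powershell
# Added example. Run in the SharePoint Management Shell on a SharePoint 2019
# server that also has the ActiveDirectory RSAT module installed.
# Placeholders: issuer name and path of the exported token-signing certificate.
$IssuerName = "ADFS"
$TokenSigningCerPath = "C:\certs\adfs-tokensigning.cer"

# 1. Which claim does SharePoint use to identify the federated user?
#    If it is the e-mail claim, every user needs a populated 'mail'
#    attribute; an empty identifier claim produces the sign-in loop above.
$issuer  = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
$idClaim = $issuer.IdentifierClaim
Write-Host "Identifier claim type: $idClaim"

$emailClaim = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
if ($idClaim -eq $emailClaim) {
    Import-Module ActiveDirectory
    # 2. Enabled accounts with no mail value would loop exactly as described.
    $noMail = Get-ADUser -Filter 'Enabled -eq $true -and mail -notlike "*"' -Properties mail |
              Select-Object SamAccountName, DistinguishedName
    Write-Host ("{0} enabled user(s) have no mail attribute:" -f @($noMail).Count)
    $noMail | Format-Table -AutoSize
}

# 3. Confirm the certificate in the trust is the exported token-signing cert
#    and that its chain builds against this server's Trusted Root store.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TokenSigningCerPath)
if ($issuer.SigningCertificate.Thumbprint -ne $cer.Thumbprint) {
    Write-Warning "Trust uses thumbprint $($issuer.SigningCertificate.Thumbprint), file has $($cer.Thumbprint)"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Internal CA revocation endpoints are often unreachable from the farm
# (RevocationStatusUnknown/OfflineRevocation); check the chain itself first
# so a PartialChain problem is not hidden behind revocation noise.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cer)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    Write-Host "Fix: import the issuing root CA into Cert:\LocalMachine\Root on every SharePoint server, e.g."
    Write-Host "  Import-Certificate -FilePath <root.cer> -CertStoreLocation Cert:\LocalMachine\Root"
} else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK, trusted root: $($root.Subject)"
}
```

    Repeat step 3 on each server in the farm, since the Trusted Root store is per machine and a single server missing the root CA is enough to reproduce the PartialChain error.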

  5. Haoyan Xue_MSFT 19,871 Reputation points Microsoft Vendor
    2023-02-10T02:12:29.91+00:00

    Hi @Pablo Alcover

    I'm glad to hear you solved the problem. If you have any issue about SharePoint, you are welcome to raise a ticket in this forum.

    By the way, since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others." and according to the scenario introduced here: Answering your own questions on Microsoft Q&A, I would make a brief summary of this thread:

    [Sharepoint 2019 OnPremise and ADFS authentication loop]

    Issue Symptom:

    I'm stuck on the SharePoint sign-in page loop after a successful ADFS user logon. I can see the event ID 4634 "logoff session" for that user in the ADFS events.

    Certificate issues: PartialChain: A certificate chain could not be built to a trusted root authority. RevocationStatusUnknown: The revocation function was unable to check revocation for the certificate. OfflineRevocation: The revocation function was unable to check revocation because the revocation server was offline.

    Current status:

    The issue has been solved by importing SharePoint's root authority into the Trusted Root Certificates store of every SharePoint server.

    You could click the "Accept Answer" button for this summary to close this thread, and this can make it easier for other community members to see the useful information when reading this thread. Thanks for your understanding!

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.