How to troubleshoot ADFS OIDC connectivity

Will Adams 96 Reputation points

I'm currently having a challenge trying to authenticate via OpenID Connect against an ADFS instance hosted in Azure. I have a server-based ASP.NET Core MVC app hosted on its own VM in Azure along with a proxy service (hosted on the same VM) that I'm using to route requests through from the app to ADFS. I can run the app and proxy on localhost and successfully connect to ADFS and display the login page, however, when I run my app and proxy from the Azure VM I get the error: "IDX20804: Unable to retrieve document from: [ADFS server]/adfs/.well-known/openid-configuration". I can directly browse to the OpenID Connect discovery document being served from my ADFS instance and display it. In terms of setup, I've registered my proxy as both a Server application and a Web API under Application Groups in ADFS. The Redirect URI in each case correctly points back to my proxy. Redirect URI is in the format: https://[public DNS name]:port. My MVC app has also been registered as a Relying Party Trust in ADFS. I did also try registering my MVC app as a Server application under Application Groups but this didn't make a difference. I did try and enable the Trace Log as outlined in MS docs but didn't get any logged information related to this issue.

Would really appreciate any info on how to troubleshoot this error and identify the root cause.

FYI - my ADFS product version is: 10.0.14393.4046

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,208 questions
0 comments No comments
{count} votes

Accepted answer
  1. Will Adams 96 Reputation points

    Problem solved. Had to update the inbound rules for the NIC on my ADFS VM to allow the request coming from the public IP of the VM hosting my MVC app. Once I did that, I was presented with the ADFS login screen via the OIDC request created from my proxy.

    0 comments No comments

0 additional answers

Sort by: Most helpful