ADFS Certificate authentication fails

Christoph Thurnheer 81 Reputation points
2020-06-09T15:24:16.82+00:00

Dear all,

Have a Web Application Proxy with ADFS (both Server 2019). Behind is an IIS with a website (enabled Windows authentication).
ADFS Party trust is configured as non-claims-aware. Now authentication by ADFS form is working like a charm. I can log in and get to the website.
If I use certificate authentication, I get error "Error details: MSIS7009: The request was malformed or not valid."

ADFS Eventlog:

The incoming sign-in request is not allowed due to an invalid Federation Service configuration.

Request url:
/adfs/ls/?version=1.0&action=signin&realm=urn%3AAppProxy%3Acom&appRealm=0afb0ee4-63aa-ea11-9cce-00155d010b17&returnUrl=https%3A%2F%2Fextranet.thurnheer.sh%2F&client-request-id=4B0FD864-3E6B-0001-62DE-0F4B6B3ED601&pullStatus=0

User Action:
Examine the Federation Service configuration and take the following actions:
Verify that the sign-in request has all the required parameters and is formatted correctly.
Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters.
Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.


Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7009: The request was malformed or not valid. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.ValidateSignInContext(MSISHttpSignInRequestContext msisContext, WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.Protocols.MSISHttp.MSISHttpProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)


I did run the ADFS analyzer, no error so far.

Any idea what I missed? Is there any tutorial on how to do so? I guess the non-claims-aware is the wrong party trust, right?

Thanks,
Chris

Microsoft Security | Active Directory Federation Services

Accepted answer
  1. Pierre Audonnet - MSFT 10,191 Reputation points Microsoft Employee
    2020-06-12T00:57:58.197+00:00

    It might just be a split brain DNS issue. You need to make sure the clients using this published app also resolve the FQDN of the ADFS farm into the IP address of the WAP. They need to go through the WAP to get a token for the WAP.

    1 person found this answer helpful.
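The accepted answer points at split-brain DNS: from outside, the federation service name and the published application must both resolve to the WAP, and the certificate-authentication listener must be reachable on the same host. The following PowerShell is an added example, not code from the thread or from Microsoft; it runs on an external client and checks exactly that. The hostnames, the WAP address and the helper name `Test-AdfsResolution` are assumptions to be replaced with the real values.

```powershell
# Added example (not from the original thread): client-side check for the
# split-brain DNS condition described in the accepted answer. Run from an
# external client, outside the corporate network.
# All names and addresses below are assumptions; replace with real values.
$FederationService = 'fs.contoso.com'       # ADFS farm FQDN (assumed)
$PublishedApp      = 'extranet.contoso.com' # app published through the WAP (assumed)
$WapExternalIP     = '203.0.113.10'         # WAP's NAT address (TEST-NET placeholder)
$TlsClientPort     = 49443                  # ADFS default certificate-auth port

# Hypothetical helper: resolve a name and report whether it lands on the WAP.
function Test-AdfsResolution {
    param([string]$Name, [string]$ExpectedIP)
    $records = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $ips = $records | Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress
    [pscustomobject]@{
        Name        = $Name
        ResolvedIPs = ($ips -join ', ')
        ViaWap      = ($ips -contains $ExpectedIP)
    }
}

# Both names must resolve to the WAP from outside. If the federation name
# resolves to the internal ADFS address, the client obtains its token without
# passing through the WAP, and the WAP rejects the resulting sign-in.
$dns = foreach ($n in $FederationService, $PublishedApp) {
    Test-AdfsResolution -Name $n -ExpectedIP $WapExternalIP
}
$dns | Format-Table -AutoSize

# Certificate authentication uses a separate TLS listener (49443 by default).
# Port 443 serves forms/WS-Fed; 49443 must also be open on whichever host the
# federation name resolves to, otherwise the certificate prompt cannot complete.
foreach ($port in 443, $TlsClientPort) {
    $r = Test-NetConnection -ComputerName $FederationService -Port $port `
        -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'open' } else { 'closed' }
    '{0}:{1} -> {2} (address {3})' -f $FederationService, $port, $state, $r.RemoteAddress
}
```

If `ViaWap` is `False` for the federation name while `True` for the application, or if 49443 is reachable on a different address than 443, the client is taking the path the accepted answer warns about.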

1 additional answer

  1. Christoph Thurnheer 81 Reputation points
    2020-06-12T08:45:35.693+00:00

    I think they do: I only have one external IP address, let's say IPExternal = 213.144.0.1

    fs.contoso.com = IPExternal, as well the application = IPExternal. IPExternal going through NAT on the firewall to the WAP. fs.contoso.com on WAP is configured as pass-through to the ADFS server. Only port 49443 (for certificate auth) goes through NAT to ADFS directly. If I configure 49443 to the WAP I get error 'page could not be found'.

    Thoughts?

    Update: I get the same error when I don't have a certificate installed on the client. Do I need to set a trust for the certificate on ADFS? (Certificate issued by Windows CA, domain joined.)

    Update II: when I test with the Sign-In page, https://fs.domain.com/adfs/ls/idpinitiatedsignon, it works with username/password. However, with the certificate it seems not to work. I can select the certificate, the login page does not show an error, it just returns to its initial status. I don't get an error in the event log nor on the login page. Guess something with the client certificate has to be wrong.

    1 person found this answer helpful.
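The follow-up describes two server-side conditions worth confirming: port 49443 is NATed straight to ADFS rather than through the WAP, and certificate sign-in on the IdP-initiated page silently returns to its initial state. The PowerShell below is an added example, not code from the thread or from Microsoft; it runs on an ADFS node and reads the settings the MSIS7009 message asks you to examine (the WAP trust, the non-claims-aware trust, the certificate-auth port and the extranet authentication providers), then pulls the latest AD FS Admin errors to correlate with a failed attempt. It assumes the ADFS PowerShell module is present on the node.

```powershell
# Added example (not from the original thread): server-side checks on an ADFS
# node. Assumes the ADFS module (installed with the role) is available.
Import-Module ADFS

# 1. The port of the TLS client (certificate) listener. The firewall/NAT rule
#    in front of the WAP must forward this port as well as 443; forwarding it
#    directly to ADFS bypasses the proxy the published app depends on.
$props = Get-AdfsProperties
'TLS client (certificate auth) port: {0}' -f $props.TlsClientPort

# 2. Certificate authentication must be enabled as an extranet primary provider,
#    or clients arriving through the WAP are never offered a working prompt.
$policy = Get-AdfsGlobalAuthenticationPolicy
'Extranet primary providers: {0}' -f ($policy.PrimaryExtranetAuthenticationProvider -join ', ')
if ($policy.PrimaryExtranetAuthenticationProvider -notcontains 'CertificateAuthentication') {
    Write-Warning 'CertificateAuthentication is not an extranet primary provider.'
}

# 3. The two trusts the MSIS7009 user action refers to: the WAP trust must exist
#    and be enabled, and the non-claims-aware trust must carry identifiers that
#    match the appRealm/returnUrl in the failing request.
Get-AdfsWebApplicationProxyRelyingPartyTrust | Select-Object Name, Enabled, Identifier
Get-AdfsNonClaimsAwareRelyingPartyTrust      | Select-Object Name, Enabled, Identifier

# 4. Recent errors from the AD FS Admin channel (Level 2 = Error), one line each,
#    to correlate with the timestamp of a failed certificate sign-in.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

Read the output alongside the client-side DNS check: a sign-in that is forms-capable but silently loops on certificate selection, with no Admin-channel error, is consistent with the certificate listener being reached on a path that differs from the one used for 443.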
