Azure ADFS MFA

Kumar, Naveen 1 Reputation point
2021-08-20T08:30:07.763+00:00

Hello All,

I have enabled Azure MFA on ADFS. While testing from https://aka.ms/mfasetup I am getting the below error message. I followed multiple blogs and implemented suggestions like the UPN update etc.

Could anyone please suggest a solution for this error?

AADSTS50107: The requested federation realm object 'http://sso.xyz.com/adfs/services/trust' does not exist.

Thanks
Naveen


2 answers

  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2021-08-20T20:13:54.977+00:00

    This is not an ADFS error. This is an Azure AD error (I added the Azure AD tag).

    This basically says that the federation settings you have for this domain in Azure AD are not matching the actual ID of your ADFS deployment. Or at least not the ID that ADFS issued in its tokens.

    Assuming you don't have a multiple domain environment, the following commands should return the same thing:

    # from a machine with the MSOnline module installed and connected
    (Get-MsolDomainFederationSettings -DomainName <your domain here>).IssuerUri

    # from an ADFS server
    (Get-ADFSProperties).Identifier

    Then you need the proper claim issuance rules. You can generate them with this wizard if you are not sure which ones should be set: https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator.

    If you have a multiple domain environment let us know, it might be a bit different. Ultimately, we use the user's UPN to generate the IssuerID in the token. That also might be why you see posts here and there mentioning UPN issues. What is your current UPN situation? Routable domain name? Matching the email address?

  2. Kumar, Naveen 1 Reputation point
    2021-08-24T08:11:42.523+00:00

    Hello @Pierre Audonnet - MSFT

    Sorry for the delayed response. Thank you very much for the reply. I am getting the below details.
    I have tried to check from Azure AD Connect and was able to see the configuration, but I am getting an error message on verify federated login.

    The federation service name sso.abcservice.com cannot be resolved. Confirm that the federation
    service name is registered in DNS and is resolvable from this server.

    Azure -

    http://abcservice.com/adfs/services/trust/

    ADFS -

    AbsolutePath : /adfs/services/trust
    AbsoluteUri : http://sso.abcservice.com/adfs/services/trust
    LocalPath : /adfs/services/trust
    Authority : sso.abcservice.com
    HostNameType : Dns
    IsDefaultPort : True
    IsFile : False
    IsLoopback : False
    PathAndQuery : /adfs/services/trust
    Segments : {/, adfs/, services/, trust}
    IsUnc : False
    Host : sso.abcservice.com
    Port : 80
    Query :
    Fragment :
    Scheme : http
    OriginalString : http://sso.abcservice.com/adfs/services/trust
    DnsSafeHost : sso.abcservice.com
    IdnHost : sso.abcservice.com
    IsAbsoluteUri : True
    UserEscaped : False
    UserInfo :

    Please suggest.

    Thanks
    Naveen

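The check Pierre describes (Azure AD's IssuerUri for the domain must equal the Identifier AD FS puts in its tokens) can be turned into a small comparison script. The following is an added example, not code from the thread or from Microsoft: because the two values are collected on different machines, the function takes them as strings, parses both with System.Uri and reports which component differs. The function name is made up for this example; the sample values are the two identifiers Naveen posted in the second answer.

```powershell
# Added example: compare the IssuerUri Azure AD holds for a federated domain
# with the Identifier AD FS issues. Inputs come from
#   (Get-MsolDomainFederationSettings -DomainName <domain>).IssuerUri   (MSOnline, connected)
#   (Get-AdfsProperties).Identifier                                       (on the AD FS server)
function Compare-FederationIssuer {
    param(
        [Parameter(Mandatory)][string]$AzureAdIssuerUri,
        [Parameter(Mandatory)][string]$AdfsIdentifier
    )

    # Azure AD matches the issuer as a string, so a different host or a
    # trailing slash is already enough to produce AADSTS50107. Parse both
    # values so the report can say exactly which part differs.
    $azure = [System.Uri]$AzureAdIssuerUri
    $adfs  = [System.Uri]$AdfsIdentifier

    $checks = [ordered]@{
        Scheme        = @($azure.Scheme, $adfs.Scheme)
        Host          = @($azure.Host, $adfs.Host)
        Path          = @($azure.AbsolutePath, $adfs.AbsolutePath)
        TrailingSlash = @($AzureAdIssuerUri.EndsWith('/'), $AdfsIdentifier.EndsWith('/'))
    }

    $mismatches = foreach ($name in $checks.Keys) {
        $a, $b = $checks[$name]
        if ("$a" -ne "$b") {
            [pscustomobject]@{ Component = $name; AzureAD = "$a"; ADFS = "$b" }
        }
    }

    [pscustomobject]@{
        ExactMatch = ($AzureAdIssuerUri -ceq $AdfsIdentifier)   # case-sensitive, like Azure AD
        Mismatches = @($mismatches)
    }
}

# Sample input: the two values quoted in the thread above.
$result = Compare-FederationIssuer `
    -AzureAdIssuerUri 'http://abcservice.com/adfs/services/trust/' `
    -AdfsIdentifier   'http://sso.abcservice.com/adfs/services/trust'

"Exact match: $($result.ExactMatch)"
$result.Mismatches | Format-Table -AutoSize
```

Run the Get-MsolDomainFederationSettings part on a workstation with the MSOnline module and the Get-AdfsProperties part on the AD FS server, then paste the two strings into the call. The report lists every component that differs, which is what has to be reconciled on the Azure AD side (for a single-domain setup the usual cmdlet for that is Set-MsolDomainFederationSettings with its -IssuerUri parameter) before the claim rules from the generator linked above are worth revisiting. Note that the values in the thread differ in both the host and the trailing slash, so either one alone would keep the realm object lookup failing.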