ADFS redirects User to RelyingPartyTrust although wrong username

ErazerMe 46 Reputation points
2022-07-08T08:46:45.493+00:00

Hello guys,

On our ADFS server we have a few relying party trusts, but one has a special behaviour (let's call it "App123").

Expected normal behaviour:

  • Open the website of App123
  • the user is redirected to our ADFS server
  • enter your correct username/password
  • redirect to App123

The point is, when entering a wrong username, the ADFS server also redirects the user to App123.
For other relying party trusts the ADFS server shows a "wrong username" message, but for this RPT the ADFS server still redirects to App123, and there we get an error.

When entering a correct username + wrong password, the ADFS server shows an error. But entering a username, i.e. "Notavailable@keyman .com", which does not exist in our "domain.com", the ADFS server redirects that user.

Does someone know how we can cross-check why the ADFS server still redirects the user with a wrong username?


2 answers

  1. Limitless Technology 39,511 Reputation points
    2022-07-11T09:50:06.73+00:00

    Hi there,

    It could be any number of things that are causing this issue:

    - Web application is holding onto identity (or cookie isn't getting cleared)
    - ADFS is sending the same user token for both users (unlikely)
    - ADFS is caching user identity
    - Proxy between ADFS and web application is caching token

    You can use Fiddler to watch the token move across the wire, and that should tell you what is happening exactly.

    You can try some additional troubleshooting steps in this article:

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/troubleshoot-ad-fs-sso-issue

    I hope this information helps. If you have any questions please let me know and I will be glad to help you out.



  2. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2022-07-12T14:19:15.94+00:00

    AD FS just authenticates the user, issues a token and then redirects the user back to the SP.
    As long as the logon is successful, and the account allowed, you get redirected.

    If you type a wrong username and password and still get redirected, we have a big issue indeed. But we'll need to see some logs. Ideally a Fiddler trace?

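Both answers come down to the same two questions: does the App123 trust differ from the trusts that behave correctly, and did AD FS actually issue a token for the bogus logon or is the application reusing an earlier session? The following PowerShell is an added example for checking both on the AD FS server; it is not from the thread or from Microsoft. "App123" is the name used in the question and "GoodApp" is an assumed placeholder for any relying party trust that shows the wrong-username page as expected.

```powershell
# Added example (not from the thread): compare the misbehaving relying party
# trust with one that behaves correctly, then pull the AD FS audit events for a
# test logon window. Run in an elevated PowerShell session on the AD FS server.
# 'GoodApp' is a placeholder for a trust that rejects bad usernames as expected.
Import-Module ADFS

$suspect = Get-AdfsRelyingPartyTrust -Name 'App123'
$control = Get-AdfsRelyingPartyTrust -Name 'GoodApp'

# 1. Configuration diff: whether AD FS redirects is decided by the trust's
#    access control policy / issuance authorization rules, so any difference
#    between the two trusts is the first thing to explain.
$props = 'Enabled', 'Identifier', 'AccessControlPolicyName',
         'IssuanceAuthorizationRules', 'AdditionalAuthenticationRules',
         'WSFedEndpoint', 'SamlEndpoints'
foreach ($p in $props) {
    $a = ($suspect.$p | Out-String).Trim()
    $b = ($control.$p | Out-String).Trim()
    if ($a -ne $b) { "{0}`n  App123 : {1}`n  GoodApp: {2}" -f $p, $a, $b }
}

# 2. SSO settings that would let a previous successful logon (SSO cookie or
#    persistent "keep me signed in") carry a browser through without the typed
#    credentials ever being checked.
Get-AdfsProperties |
    Select-Object SsoLifetime, EnableKmsi, KmsiLifetimeMins,
                  PersistentSsoEnabled, PersistentSsoLifetimeMins

# 3. Audit trail for a reproduction: note the time, attempt the logon with the
#    non-existent username in a fresh private browser window, then list what
#    the Federation Service recorded in that window.
#    1203 = credential validation failed, 1202 = credential validated,
#    1200 = token issued. These Security-log audits require auditing to be on
#    (Set-AdfsProperties -AuditLevel Verbose plus the "Application Generated"
#    audit subcategory enabled via auditpol on the AD FS server).
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1200, 1202, 1203; StartTime = $since } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
                  @{ n = 'Detail'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If step 3 shows a 1203 but no 1200 for the attempt, AD FS issued nothing and the redirect is coming from a session the application (or a proxy) already holds; a 1200 naming a different account points at SSO state left over from an earlier logon in that browser.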