Question

I have two web applications, both set to authenticate via ADFS. The first one, ConnectTo, works fine. However the second one, MySites, always redirects to the first.

Here are my Relying Party Trusts in ADFS:

[screenshot: Relying Party Trusts]

Here are the ConnectTo Relying Party Trust's Identifiers and endpoints. I have tried this with and without the URL identifier (https://connectto.sp2013dev.com/_trust/).

[screenshots: ConnectTo Identifiers, ConnectTo Endpoints]

Here are the MySites Relying Party Trust's Identifiers and endpoints. I have tried this with and without the URL identifier (https://mysites.sp2013dev.com/_trust/).

[screenshots: MySites Identifiers, MySites Endpoints]

In SharePoint, I have configured my SPTrustedIdentityTokenIssuer and it works great for the first Web Application, ConnectTo. However, I am unable to add a second Web Application. The second web app, MySites, is always redirected to ConnectTo once the user is authenticated.

Here are my provider realms as configured in my SPTrustedIdentityTokenIssuer, configured via the following command:

# $ap is the issuer object; the issuer name is not shown in the question, so this is a placeholder
$ap = Get-SPTrustedIdentityTokenIssuer -Identity "<issuer name>"

$id1 = "urn:sharepoint:MySites"
$uri1 = new-object System.Uri("https://mysites.sp2013dev.com")
$id2 = "urn:sharepoint:ConnectTo"
$uri2 = new-object System.Uri("https://connectto.sp2013dev.com")

# ProviderRealms maps a web application URL to the wtrealm value sent to ADFS
$ap.ProviderRealms.Add($uri1, $id1)
$ap.ProviderRealms.Add($uri2, $id2)
$ap.Update()

********************** EDIT ********************************

I have since removed the duplicate ConnectTo Provider Realm per @Waqas Sarwar MCSE's suggestion.

[screenshot: Provider Realms 2]

********************** EDIT ********************************

And here is the rest of my SPTrustedIdentityTokenIssuer, just in case.

[screenshot: SPTrustedIdentityTokenIssuer]

The URL when I connect to the MySites WebApp is as follows:

https://sts.sp2013dev.com/adfs/ls?wa=wsignin1.0&wtrealm=urn%3asharepoint%3aConnectTo&wctx=http%3a%2f%2fmysites.sp2013dev.com%2f_layouts%2f15%2fAuthenticate.aspx%3fSource%3d%252F

The wtrealm is urn:sharepoint:ConnectTo, but I assume that is because my default realm in the SPTrustedIdentityTokenIssuer is urn:sharepoint:ConnectTo. Could this be my problem?

If I add the MySites endpoint as the default endpoint to the ConnectTo Relying Party Trust, ConnectTo.sp2013dev.com is redirected to mysites.sp2013dev.com. Thus I feel my issue is with the provider realms of the SPTrustedIdentityTokenIssuer but I really cannot figure out this issue. Could someone provide insight as to why my configuration is incorrect? Thank you!


Solution

It looks like there are duplicate entries for ConnectTo, so please remove the duplicate entry using the following PowerShell:

# $ap is the SPTrustedIdentityTokenIssuer object (e.g. from Get-SPTrustedIdentityTokenIssuer)
$uri2 = new-object System.Uri("https://connectto.sp2013dev.com")
$ap.ProviderRealms.Remove($uri2)
$ap.Update()

I would highly recommend that you create a separate relying party trust for each web application and then configure it in SharePoint.

OTHER TIPS

Add the MySites as a separate relying party, it's one extra roundtrip but any authenticated user will be immediately sent to the MySites without having to log on again.

Actually we had the same issue, and the way we fixed it was by making sure that the alternate access mappings for all of the applications are HTTPS and all mention of HTTP URLs is removed. Additionally we did this for those sites in IIS, so they were running on HTTPS only, again with all HTTP URLs removed.
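An added audit script (not from the question or any of the answers above) that checks the ProviderRealms of an SPTrustedIdentityTokenIssuer the way the accepted answer and the HTTPS tip suggest: it flags realms mapped by more than one URL, flags non-HTTPS keys, and shows which wtrealm each web application zone URL would get. It assumes the SharePoint Management Shell, that the issuer name placeholder is replaced, and that SharePoint matches a provider realm on the scheme and host of the zone URL, falling back to DefaultProviderRealm.

```powershell
# Added example, not part of the original Q&A. Run in the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "<your SPTrustedIdentityTokenIssuer name>"   # placeholder, replace with yours
$ap = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName

Write-Host "Default realm: $($ap.DefaultProviderRealm)"

# 1. A realm value mapped by more than one URL is the duplicate the accepted answer removes.
$byRealm = $ap.ProviderRealms.GetEnumerator() | Group-Object -Property Value
foreach ($g in $byRealm | Where-Object { $_.Count -gt 1 }) {
    $urls = ($g.Group | ForEach-Object { $_.Key.AbsoluteUri }) -join ", "
    Write-Warning ("Realm {0} is mapped by {1} URLs: {2}" -f $g.Name, $g.Count, $urls)
}

# 2. Keys that are not https:// never match the HTTPS zone that ADFS sign-in uses.
foreach ($entry in $ap.ProviderRealms.GetEnumerator()) {
    if ($entry.Key.Scheme -ne "https") {
        Write-Warning ("Realm key {0} is not HTTPS" -f $entry.Key.AbsoluteUri)
    }
}

# 3. For every web application zone URL, report the wtrealm SharePoint would send.
#    Assumption: lookup key is scheme + host of the zone URL; no entry means the default
#    realm is used, which is exactly how MySites ended up with urn:sharepoint:ConnectTo.
foreach ($wa in Get-SPWebApplication) {          # assumes all web apps use this issuer
    foreach ($zone in $wa.AlternateUrls) {
        $url = [Uri]($zone.IncomingUrl)
        $key = [Uri]("{0}://{1}" -f $url.Scheme, $url.Authority)
        if ($ap.ProviderRealms.ContainsKey($key)) {
            $realm = $ap.ProviderRealms[$key]; $source = "explicit"
        } else {
            $realm = $ap.DefaultProviderRealm; $source = "DEFAULT (no entry for $key)"
        }
        "{0,-20} {1,-40} -> wtrealm={2} [{3}]" -f $wa.DisplayName, $zone.IncomingUrl, $realm, $source
    }
}
```

Any line reported as DEFAULT for an HTTPS zone is a web application that needs its own ProviderRealms entry and its own relying party trust in ADFS.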

Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange