Solved

SSO with ADFS - Error 401 Unauthorized from Application Server

  • 16 February 2023
  • 1 reply
  • 677 views


Hello,

Currently in our environment we are trying to enable SSO with ADFS. We’re able to login to IFS using AD credentials if we manually input them, but if you select “Sign in as current user” it will prompt to enter credentials, and then returns error 400. Detailed error below:

Ifs.Fnd.FndSystemException: Unexpected error while calling server method ClientApplication/IdentifyCurrentUser

at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(String intface, String operation, Object requestBody, Object responseBody, FndRequestContext requestContext, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.Interactive.FndLoginDialog.AuthenticateCredentials(FndLoginCredentials loginCreds) ---> Ifs.Fnd.FndSystemException: 400
at Ifs.Fnd.AccessProvider.FndConnection.CallGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte[] requestHeaderBytes, Byte[] requestBodyBytes, FndApfAsyncInvoke asyncInvokeHandle, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte[] requestHeaderBytes, Byte[] requestBodyBytes, Boolean& abandoned, Boolean forcedSync, Boolean integrationGateway)
at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
--- End of inner exception stack trace ---

I increased the Limit Field Request size per this article and even tried logging in with a new user belonging to no groups, but I received the same error. I did set the HTTP server to trace and saw this error in the logs:

URL::sendHeaders(): meth='POST' file='/main/default/clientgateway' protocol='HTTP/1.1'
Header to WLS: [User-Agent]=[IFS .NET Access Provider/1.2]
Header to WLS: [Os-User]=[domain\\user]
Header to WLS: [Program]=[Ifs.Fnd.Explorer.exe]
Header to WLS: [Machine]=[console@userpc.domain.com]
Header to WLS: [X-Ifs-Capabilities]=[02]
Header to WLS: [X-Ifs-Timeout]=[30000]
Header to WLS: [Content-Type]=[application/octet-stream]
Header to WLS: [Host]=[ifs10devutil.domain.com:58080]
Header to WLS: [Content-Length]=[0]
Header to WLS: [ECID-Context]=[1.005x4^Yi9OgFk3o5sVd9iX00062z00000Y;kXjE]
Header to WLS: [Connection]=[Keep-Alive]
Header to WLS: [WL-Proxy-SSL]=[true]
Header to WLS: [X-Forwarded-For]=[xx.x.x.74]
Header to WLS: [WL-Proxy-Client-IP]=[xx.x.x.74]
Header to WLS: [WL-Proxy-Client-Port]=[64156]
Header to WLS: [X-WebLogic-KeepAliveSecs]=[30]
Header to WLS: [X-WebLogic-Request-ClusterInfo]=[true]
Header to WLS: [x-weblogic-cluster-hash]=[A4z6JJO09Z2Ycft4x6TZf+W2l84]
Post data length (not in memory): 0
sendPostData(): No T-E header, postSize == 0; C-L must have been zero
About to call parseHeaders
Reader::fill(): first=0 last=0 toRead=4096
Reader::fill(): sysRecv returned 2030
URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 401 Unauthorized]
URL::parseHeaders: StatusLine set to [401 Unauthorized]
URL::parseHeaders: StatusLineWithoutStatusCode set to [Unauthorized]
Header from WLS:[Cache-Control]=[no-cache, no-store, must-revalidate]
Header from WLS:[Date]=[Thu, 09 Feb 2023 19:10:35 GMT]
Header from WLS:[Pragma]=[No-cache]
Header from WLS:[Content-Length]=[1468]
Header from WLS:[Content-Type]=[text/html; charset=UTF-8]
Header from WLS:[Expires]=[Thu, 01 Jan 1970 00:00:00 GMT]
Header from WLS:[WWW-Authenticate]=[Bearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Header from WLS:[X-ORACLE-DMS-RID]=[0:1]
Header from WLS:[X-ORACLE-DMS-ECID]=[005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Header from WLS:[X-IFS-OAuth2-Resource]=[api://IFSTEST]
Header from WLS:[X-IFS-OAuth2-IDP]=[ADFS]
parsed all headers OK
Exiting method BaseProxy::sendRequest
sendResponse() : r->status = '401'
Hdrs to client (add):[Cache-Control]=[no-cache, no-store, must-revalidate]
Hdrs to client (add):[Date]=[Thu, 09 Feb 2023 19:10:35 GMT]
Hdrs to client (add):[Pragma]=[No-cache]
Hdrs to client (add):[Expires]=[Thu, 01 Jan 1970 00:00:00 GMT]
Hdrs to client (add):[WWW-Authenticate]=[Bearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Hdrs to client (add):[X-ORACLE-DMS-RID]=[0:1]
Hdrs to client (add):[X-ORACLE-DMS-ECID]=[005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Hdrs to client (add):[X-IFS-OAuth2-Resource]=[api://IFSTEST]
Hdrs to client (add):[X-IFS-OAuth2-IDP]=[ADFS]
AH01502: headers: ap_headers_output_filter()

As far as I’m aware SSO has never worked for our environment with ADFS. I followed the steps in this article, but most of the links are dead. I checked our ADFS server against the Achieving Single Sign-On behavior doc and everything appears to be configured correctly.


Does anyone know if there is a fix?


Thank you


Best answer by mkellythegreat 23 February 2023, 21:01


1 reply


As an update, I figured out the issue. Our ADFS server was missing an SPN. I added SPNs to our DC via the Setspn command in PowerShell.
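The fix above depends on the ADFS service account holding the Kerberos SPN for the federation service name that the `WWW-Authenticate` header advertises (here `domain-scdb.domain.com`). The following PowerShell check is an added example, not from the thread or from IFS; the service account name is an assumption and must be replaced with the account (or gMSA, whose name ends in `$`) that actually runs the ADFS service.

```powershell
# Added example: verify the SPN that "Sign in as current user" (Kerberos) needs for ADFS.
# Assumed values - replace with your own:
$AdfsFqdn       = 'domain-scdb.domain.com'   # federation service name seen in the WWW-Authenticate header
$AdfsSvcAccount = 'DOMAIN\svc_adfs'          # account running the ADFS service (assumed; gMSA names end in $)

# ADFS requires an HTTP/<federation service name> SPN on the service account.
$required = @("HTTP/$AdfsFqdn")

# setspn -L prints "Registered ServicePrincipalNames for CN=...:" followed by
# one tab-indented SPN per line; keep only the lines that look like <class>/<host>.
$registered = setspn -L $AdfsSvcAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '^[A-Za-z]+/' }

foreach ($spn in $required) {
    if ($registered -contains $spn) {
        Write-Host "OK        $spn is registered on $AdfsSvcAccount"
    } else {
        # setspn -S checks the forest for a duplicate before adding the SPN.
        Write-Host "MISSING   $spn - add it with: setspn -S $spn $AdfsSvcAccount"
    }
}

# A duplicate SPN breaks Kerberos just as surely as a missing one: the KDC cannot
# pick a key. setspn -Q lists every account (as a CN=... line) that holds the SPN.
foreach ($spn in $required) {
    $holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })
    if ($holders.Count -gt 1) {
        Write-Host "DUPLICATE $spn is held by more than one account:"
        $holders | ForEach-Object { Write-Host "    $_" }
    }
}
```

Run it as a domain user on a domain-joined machine (or on a DC, as the reply describes); `setspn -X` is the forest-wide duplicate scan if you want to check every SPN rather than only the ADFS one.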
