Solved

SSO with ADFS - Error 401 Unauthorized from Application Server

  • February 16, 2023
  • 1 reply
  • 1181 views

mkellythegreat
Do Gooder (Customer)

Hello,

Currently in our environment we are trying to enable SSO with ADFS. We’re able to log in to IFS using AD credentials if we manually input them, but if you select “Sign in as current user” it prompts you to enter credentials and then returns error 400. Detailed error below:

Ifs.Fnd.FndSystemException: Unexpected error while calling server method ClientApplication/IdentifyCurrentUser

   at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
   at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(String intface, String operation, Object requestBody, Object responseBody, FndRequestContext requestContext, Boolean forcedSync, Boolean integrationGateway)
   at Ifs.Fnd.AccessProvider.Interactive.FndLoginDialog.AuthenticateCredentials(FndLoginCredentials loginCreds) ---> Ifs.Fnd.FndSystemException: 400
   at Ifs.Fnd.AccessProvider.FndConnection.CallGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte[] requestHeaderBytes, Byte[] requestBodyBytes, FndApfAsyncInvoke asyncInvokeHandle, Boolean integrationGateway)
   at Ifs.Fnd.AccessProvider.FndConnection.InvokeGetResponse(String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Byte[] requestHeaderBytes, Byte[] requestBodyBytes, Boolean& abandoned, Boolean forcedSync, Boolean integrationGateway)
   at Ifs.Fnd.AccessProvider.FndConnection.InvokeInternal(Object requestBody, Object responseBody, String intface, String operation, FndRequestContext requestContext, FndManualDecisionCollection decisions, Boolean forcedSync, Boolean integrationGateway)
   --- End of inner exception stack trace ---

I increased the Limit Field Request size per this article and even tried logging in with a new user belonging to no groups, but I received the same error. I did set the HTTP server to trace and saw this error in the logs:

URL::sendHeaders(): meth='POST' file='/main/default/clientgateway' protocol='HTTP/1.1'
Header to WLS: [User-Agent]=[IFS .NET Access Provider/1.2]
Header to WLS: [Os-User]=[domain\\user]
Header to WLS: [Program]=[Ifs.Fnd.Explorer.exe]
Header to WLS: [Machine]=[console@userpc.domain.com]
Header to WLS: [X-Ifs-Capabilities]=[02]
Header to WLS: [X-Ifs-Timeout]=[30000]
Header to WLS: [Content-Type]=[application/octet-stream]
Header to WLS: [Host]=[ifs10devutil.domain.com:58080]
Header to WLS: [Content-Length]=[0]
Header to WLS: [ECID-Context]=[1.005x4^Yi9OgFk3o5sVd9iX00062z00000Y;kXjE]
Header to WLS: [Connection]=[Keep-Alive]
Header to WLS: [WL-Proxy-SSL]=[true]
Header to WLS: [X-Forwarded-For]=[xx.x.x.74]
Header to WLS: [WL-Proxy-Client-IP]=[xx.x.x.74]
Header to WLS: [WL-Proxy-Client-Port]=[64156]
Header to WLS: [X-WebLogic-KeepAliveSecs]=[30]
Header to WLS: [X-WebLogic-Request-ClusterInfo]=[true]
Header to WLS: [x-weblogic-cluster-hash]=[A4z6JJO09Z2Ycft4x6TZf+W2l84]
Post data length (not in memory): 0
sendPostData(): No T-E header, postSize == 0; C-L must have been zero
About to call parseHeaders
Reader::fill(): first=0 last=0 toRead=4096
Reader::fill(): sysRecv returned 2030
URL::parseHeaders: CompleteStatusLine set to [HTTP/1.1 401 Unauthorized]
URL::parseHeaders: StatusLine set to [401 Unauthorized]
URL::parseHeaders: StatusLineWithoutStatusCode set to [Unauthorized]
Header from WLS:[Cache-Control]=[no-cache, no-store, must-revalidate]
Header from WLS:[Date]=[Thu, 09 Feb 2023 19:10:35 GMT]
Header from WLS:[Pragma]=[No-cache]
Header from WLS:[Content-Length]=[1468]
Header from WLS:[Content-Type]=[text/html; charset=UTF-8]
Header from WLS:[Expires]=[Thu, 01 Jan 1970 00:00:00 GMT]
Header from WLS:[WWW-Authenticate]=[Bearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Header from WLS:[X-ORACLE-DMS-RID]=[0:1]
Header from WLS:[X-ORACLE-DMS-ECID]=[005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Header from WLS:[X-IFS-OAuth2-Resource]=[api://IFSTEST]
Header from WLS:[X-IFS-OAuth2-IDP]=[ADFS]
parsed all headers OK
Exiting method BaseProxy::sendRequest
sendResponse() : r->status = '401'
Hdrs to client (add):[Cache-Control]=[no-cache, no-store, must-revalidate]
Hdrs to client (add):[Date]=[Thu, 09 Feb 2023 19:10:35 GMT]
Hdrs to client (add):[Pragma]=[No-cache]
Hdrs to client (add):[Expires]=[Thu, 01 Jan 1970 00:00:00 GMT]
Hdrs to client (add):[WWW-Authenticate]=[Bearer realm="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx@https://domain-scdb.domain.com/adfs", scope="openid", authorization_uri="https://domain-scdb.domain.com/adfs"]
Hdrs to client (add):[X-ORACLE-DMS-RID]=[0:1]
Hdrs to client (add):[X-ORACLE-DMS-ECID]=[005x4^Yi9OgFk3o5sVd9iX00062z00000Y]
Hdrs to client (add):[X-IFS-OAuth2-Resource]=[api://IFSTEST]
Hdrs to client (add):[X-IFS-OAuth2-IDP]=[ADFS]
AH01502: headers: ap_headers_output_filter()

As far as I’m aware SSO has never worked for our environment with ADFS. I followed the steps in this article, but most of the links are dead. I checked our ADFS server against the Achieving Single Sign-On behavior doc and everything appears to be configured correctly.

 

Does anyone know if there is a fix?

 

Thank you


1 reply

mkellythegreat
  • Author
  • Answer
  • February 23, 2023

As an update, I figured out the issue. Our ADFS server was missing an SPN. I added SPNs to our DC via the Setspn command in PowerShell.
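
The fix described in the answer above, as an added example that is not part of the original post: a PowerShell check for the federation service's SPN before registering it with setspn. The host name, service account and SPN class are placeholders, since the thread does not say which SPN was added.

```powershell
# Added example. All three values are placeholders, not taken from the thread.
param(
    [string]$FederationHost = 'adfs.example.com',   # federation service name (assumed)
    [string]$ServiceAccount = 'EXAMPLE\svc-adfs',   # AD FS service account (assumed)
    [string]$SpnClass       = 'HOST',               # some deployments register HTTP instead
    [switch]$Register                               # without this the script only reports
)

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # setspn -Q lists the DN of every account that holds the SPN, followed by
    # "Existing SPN found!" or "No such SPN found."
    $lines = & setspn.exe -Q $Spn 2>&1 | ForEach-Object { "$_".Trim() }
    $lines | Where-Object { $_ -match '^CN=' }
}

$registered = $false
foreach ($class in 'HTTP', 'HOST') {
    # Clients request HTTP/<name>; a HOST/<name> entry also satisfies it
    # through the default SPN mappings, so either one is enough.
    $spn    = "$class/$FederationHost"
    $owners = @(Get-SpnOwner -Spn $spn)
    if ($owners.Count -eq 0) {
        Write-Host "[missing]   $spn"
    } elseif ($owners.Count -eq 1) {
        Write-Host "[ok]        $spn -> $($owners[0])"
        $registered = $true
    } else {
        # The same SPN on two accounts makes the KDC refuse to issue a ticket.
        Write-Warning "[duplicate] $spn is held by: $($owners -join '; ')"
        $registered = $true
    }
}

if (-not $registered) {
    $target = "$SpnClass/$FederationHost"
    if ($Register) {
        # -S checks the domain for duplicates before adding the SPN.
        & setspn.exe -S $target $ServiceAccount
        & setspn.exe -L $ServiceAccount       # list the account's SPNs to confirm
    } else {
        Write-Host "To register: setspn -S $target $ServiceAccount"
    }
}
```

Run it from a domain-joined machine; the `-Register` path needs rights to write servicePrincipalName on the service account.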

