Configuring ADFS with Host Name Site Collections

Article
06/14/2011

Body:

In this post I will walk through additional steps required for getting host named site collections correctly working within a web application that is running in claims mode and configured for SAML token based authentication with ADFS V2. I’m going to assume that you have configured SharePoint 2010 with ADFS V2, if you have not done this I highly recommend reading Steve Peschka’s “configuring ADFS V2 with SharePoint end to end” article -https://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx

If you are not familiar with host header site collections have a look at this TechNet article https://technet.microsoft.com/en-us/library/cc424952.aspx

Issue:

Once you have configured ADFS V2 with SharePoint 2010 you’ll notice that you are able to access site collections that you have access to after a successful authentication to AD through ADFS V2, Now the problem starts after you create a host named site collection in this web application and try to access the host name site collection using the fully qualified URL you used when the host name site collection was created.

If you open event viewer on your ADFS server you will see an error entry with Event ID 364 which based on ADFS troubleshooting document has to do with incorrect passive request.

For more information on federation passive request failures see https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures(WS.10).aspx. If you look at the WCTX parameter that SharePoint sends to ADFS via query string when the token request was made, this will be the URL of host header site collection and my guess is since it doesn’t match up to the RP definition, IDP ends up throwing an exception.

Fixing it:

For illustration purpose I created a web application with URL “https://hostheadersites.contoso.local” in claims mode and configured with ADFS V2 for SAML token based authentication. I then created three host header site collections “https://hr.contoso.local”, “https://finance.contoso.local”, “https://it.contoso.local”. Host Header Site collections were created using following power shell script

 Add-PSSnapin Microsoft.SharePoint.PowerShell -errorAction SilentlyContinue
  
 New-SPSite https://hr.contoso.local -OwnerAlias "i:05.t|adfs|scott@contoso.local" 
 -HostHeaderWebApplication https://hostheadersites.contoso.local
 New-SPSite https://finance.contoso.local -OwnerAlias "i:05.t|adfs|scott@contoso.local" 
 -HostHeaderWebApplication https://hostheadersites.contoso.local
 New-SPSite https://it.contoso.local -OwnerAlias "i:05.t|adfs|scott@contoso.local" 
 -HostHeaderWebApplication https://hostheadersites.contoso.local

Next step is create relying party trust in ADFS for each host named site collection you will need to create in your claims web application which is configured with ADFS V2, this is pretty much same steps as described in Steve’s article with few differences

First you will need to specify Host Header URL for your site collection with an “/_trust/” concatenated to it, you can see in the image below values I used for creating RP Trust in ADFS V2 for “https://hr.contoso.local” host header site collection

Next you will need to specify a realm that web application will pass to ADFS during authentication process, note down this realm as we will need to modify the Trusted Identity Token issuer to add the realms to “ProviderRealms” collection

In the image below you can see three relying party trust that I created in ADFS for the host named site collections I created.

Final step is updating the token issuer to add realms to “ProviderRealms” collection, PowerShell script below shows how to add additional realms to trusted identity token issuer’s “ProviderRealms” collection

 Add-PSSnapin Microsoft.SharePoint.PowerShell -errorAction SilentlyContinue
  
 $ap = Get-SPTrustedIdentityTokenIssuer "ADFS"
  
 $uri = New-Object System.Uri("https://hr.contoso.local")
 $ap.ProviderRealms.Add($uri, "urn:sharepoint:contosohr")
  
 $uri = New-Object System.Uri("https://finance.contoso.local")
 $ap.ProviderRealms.Add($uri, "urn:sharepoint:contosofinance")
  
 $uri = New-Object System.Uri("https://it.contoso.local")
 $ap.ProviderRealms.Add($uri, "urn:sharepoint:contosoit")
  
 $ap.Update()

Image below shows Contoso HR host named site collection after logging in through ADFS

There you have it, hope that walk through was helpful, stay tuned for Part 2 of this article

Cheers,

</Ram>

Technorati Tags: SharePoint 2010,ADFS,Claims

Published: 3/11/2011 9:36 AM

Configuring ADFS with Host Name Site Collections

Additional resources