
Login failed always returned #1

Closed

CodeCactuar opened this issue Feb 17, 2016 · 21 comments

@CodeCactuar

I've tried configuring this and all I get is Login failed after I've submitted my credentials to ADFS. I get a long code response in the browser but nothing else.

@jobec
Collaborator

jobec commented Feb 17, 2016

First of all, thanks for checking out this package and for giving feedback!

Do you have a bit more info?

  • What's your config in settings.py?
  • What's the URL with the long code in your browser?
  • What redirect URI did you configure in ADFS?
  • What are the claims you configured in ADFS? Is there a claim that corresponds with the value of ADFS_USERNAME_CLAIM?
  • What's your python version?
  • What's your django version?

@CodeCactuar
Author

Okay so here is my settings.py
settings.txt

URL is http://10.5.39.141/oauth2/login?code=PB0YC5RKT0G236wxsT8oFA.j-tuN4M30wgKAHidypqLs6xF25M.dJvAYIA40wVeje4cz4khAQlQVOgV47M9l-pYyaGaHERu0Aj5dg_MHtlJEK4T8mzpp9QGyT0ozJhWJzIBlwE9loSQZ7QM3j_liLLPULMqddVvFViXRIsSBxxnR4KSs53yCo50LrycEsbfSK2k0NQgBfy3foSaKO84WKU1KAyrzUNA3HT8moGDPa602WW3evCNy_BGBjbqRkOi2QLGRmr9b0kSxfspV9NApXAPrLuABUiAof0uwb3WrWAageWppscSvnB29wWFfVg35yldMAD8QwVTlzRKkaL2di-ziOheV-M7RYUNlVdMHPNvZjn_I_cDIm7m13li--0jO_0yAA7n4A
Redirect URL in adfs is http://10.5.39.141/oauth2/login

Claims are:
claims

I'm using python 2.7.5
django is 1.9.2

I'm sure it's something simple but unfortunately i'm new to both adfs and django.

Thanks for your help.

@jobec
Collaborator

jobec commented Feb 17, 2016

Everything looks configured ok.
A few things can trigger this:

  • The ADFS_AUDIENCE setting is wrong somehow. Try removing it from the config once.
  • The certificate is wrong, make sure you use the one configured as token signing certificate. See the first screenshot here. The bottom one is the signing certificate.
  • The response from your ADFS server is somehow invalid (e.g., not a 200 status code). This can be because of:
    • a wrong configured ADFS_CLIENT_ID
    • the redirect uri can't be built automatically. Try setting ADFS_REDIR_URI manually to https://sts.xws.local/api/oauth2

I'm setting an error message when raising the PermissionDenied exception in AdfsBackend.authenticate() but I found out that message is not showing anywhere. I was already planning to add logging to the code to identify such issues. But I haven't been able to do so yet.

@CodeCactuar
Author

I tried all of your recommendations but still couldn't get it to work. Still the same error.
I'm also getting an error in ADFS if I refresh the page:
Encountered error during OAuth token request.

Encountered error during OAuth token request. Additional Data Exception details: Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenInvalidAuthorizationCodeException: MSIS9247: Received invalid OAuth access token request. The authorization code is invalid. ---> Microsoft.IdentityServer.Service.ArtifactResolutionService.ArtifactServiceStorageGetException: MSIS3101: A SQL error occurred during processing of the artifact. ---> Microsoft.IdentityServer.Service.ArtifactResolutionService.ArtifactNotFoundException: MSIS3106: SQL command returns no result when looking for artifact. at Microsoft.IdentityServer.Service.ArtifactResolutionService.SqlArtifactStorage.OnQueryComplete(IAsyncResult asyncResult) --- End of inner exception stack trace --- at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result) at Microsoft.IdentityModel.Threading.TypedAsyncResult1.End(IAsyncResult result) at Microsoft.IdentityServer.Service.ArtifactResolutionService.SqlArtifactStorage.EndGet(IAsyncResult asyncResult) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.FetchArtifactFromLocalDatabase(OAuthAccessTokenRequestContext tokenContext) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.TryReadOAuthArtifact(OAuthAccessTokenRequestContext tokenContext, Byte[]& ArtifactId, String& ClientID, String& ClientRedirectUri, String& ResourceIdentifier, String& serializedTokenResponse) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.TryReadOAuthArtifact(OAuthAccessTokenRequestContext tokenContext, Byte[]& ArtifactId, String& ClientID, String& ClientRedirectUri, String& ResourceIdentifier, String& serializedTokenResponse) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.RedeemAccessToken(OAuthAccessTokenRequestContext tokenContext) 

@jobec
Collaborator

jobec commented Feb 17, 2016

What happens if you manually perform the steps outlined in this blog? http://blog.scottlogic.com/2015/03/09/OAUTH2-Authentication-with-ADFS-3.0.html

You can start from part D. Access Token using the authorization code your browser address bar displays on the page showing login failed. For making the requests you can use curl or a REST client like http://restclient.net/

I'll see whether I can implement issue #2 ASAP to assist in troubleshooting.

@CodeCactuar
Author

I've tried this manually and it didn't work, it just returned the login failed message.
I set up a dummy one with a different redirect url and that one worked.

@jobec
Collaborator

jobec commented Feb 17, 2016

So it's working now?
If so, what exactly did you change?
Could be worth mentioning in the documentation.

@CodeCactuar
Author

Apologies for the confusion - no it still doesn't work. When I change the redirect url in ADFS to a page that doesn't attempt to use the code returned via a REST client I can then get the access token. If I do it so that it points to the correct page the token becomes invalid. I'm assuming that as it's a one-use code it's being used before I can test it.

@jobec
Collaborator

jobec commented Feb 17, 2016

stupid thought: are the clocks in sync between the adfs server and the machine running Django?

Anyway, I'll try working on the debug logging so we can narrow down the issue.

@CodeCactuar
Author

Yes they are and are both set to UTC.

That would be awesome.

@jobec
Collaborator

jobec commented Feb 17, 2016

I managed to replicate your issue.

Change your value of ADFS_AUDIENCE to https://sts.xws.local/api/oauth2.
ADFS behaves differently when your relying party trust identifier is a URL.

If the identifier is a URL, it sets the aud claim to the URL.
If it's something else (e.g. something like my-rpt-id) it prefixes it with microsoft:identityserver:

I'll update the documentation accordingly.

The extra debugging output is on its way.
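As an added example (not code from django-auth-adfs or from anyone in this thread), the helpers below implement the audience rule just described, compare the issuer exactly so that an http/https mismatch shows up, and build the request for the manual code exchange from part D of the linked blog; the host names, issuer and claim values are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlparse
# Added example, not django-auth-adfs code; hostnames and claims are constructed.
ADFS_NON_URL_PREFIX = "microsoft:identityserver:"


def expected_audience(relying_party_identifier):
    """'aud' value ADFS puts in the token, per the rule described above:
    a URL identifier is used verbatim, anything else gets the prefix."""
    parsed = urlparse(relying_party_identifier)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return relying_party_identifier
    return ADFS_NON_URL_PREFIX + relying_party_identifier


def decode_jwt_payload(token):
    """Decode a JWT's payload segment WITHOUT verifying it. Troubleshooting
    only: verify the signature against the token-signing certificate first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, adfs_audience, adfs_issuer):
    """List mismatches between token and settings (empty means OK). Exact
    comparison, so an http/https difference in the issuer is reported."""
    problems = []
    want_aud = expected_audience(adfs_audience)
    aud = claims.get("aud")
    if want_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r, expected %r" % (aud, want_aud))
    if claims.get("iss") != adfs_issuer:
        problems.append("iss %r, configured %r" % (claims.get("iss"), adfs_issuer))
    return problems


def token_request(adfs_host, client_id, redirect_uri, code):
    """URL and form fields for the manual authorization-code exchange (part D
    of the linked blog). Codes are single-use: redeem each one only once."""
    return "https://%s/adfs/oauth2/token" % adfs_host, {
        "grant_type": "authorization_code", "client_id": client_id,
        "redirect_uri": redirect_uri, "code": code}


def sample_token(claims):
    """Constructed, unsigned JWT (header.payload.signature) for local tests."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (seg({"alg": "none"}), seg(claims))
```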

jobec added a commit that referenced this issue Feb 17, 2016
@CodeCactuar
Author

Okay so I've changed the target ADFS audience to https://sts.xws.local/api/oauth2 but still not playing ball. I'm going to try recreating a new endpoint and relying party to make sure something isn't amiss there.

@CodeCactuar
Author

Still getting the same error with a new relying party and endpoint.

@jobec
Collaborator

jobec commented Feb 18, 2016

There's logging added in a separate branch of this repo. You should be able to install it like so:

pip uninstall django-auth-adfs
pip install https://github.com/jobec/django-auth-adfs/archive/issue_2_logging.zip

You'll have to activate logging in your settings.py

LOGGING = {
    'version': 1,
    'disable_existing_loggers': False,
    'formatters': {
        'verbose': {
            'format': '%(levelname)s %(asctime)s %(name)s %(message)s'
        },
    },
    'handlers': {
        'console': {
            'class': 'logging.StreamHandler',
            'formatter': 'verbose'
        },
    },
    'loggers': {
        'django_auth_adfs': {
            'handlers': ['console'],
            'level': 'DEBUG',
        },
    },
}

@jobec
Collaborator

jobec commented Feb 21, 2016

FYI, you can now also just download v0.0.3 from https://pypi.python.org/pypi/django-auth-adfs

@CodeCactuar
Author

I've managed to get it working now.
Turns out that my trust issuer was wrong. I'd set it to be https whereas it needed to be http

Thanks for all your help

@jobec
Collaborator

jobec commented Feb 22, 2016

Great to see you got it working.

I hope the new debugging output was of any help?

@jobec jobec closed this as completed Feb 22, 2016
jobec added a commit that referenced this issue Feb 22, 2016
@mulgurul

Hi, I got a similar error event in ADFS but in another context. Would you mind explaining what "my trust issuer" is. Maybe it can help me in a very difficult troubleshooting of a new ADFS installation.

Thanks a lot.

@jobec
Collaborator

jobec commented Feb 27, 2018

What do you refer to when you say “my trust issuer”? Where did you see it/read it?

Without more context helping will be difficult.

@mulgurul

Sorry, it's mentioned in the reply: shadoweski commented on 22 Feb 2016

It says:
I've managed to get it working now.
Turns out that my trust issuer was wrong. I'd set it to be https whereas it needed to be http

Thanks

@jobec
Collaborator

jobec commented Feb 28, 2018

JonasKs pushed a commit that referenced this issue May 6, 2022
remove paramter "resource" from authorization endpoint if version is …
@JonasKs JonasKs mentioned this issue Sep 24, 2022
tim-schilling pushed a commit that referenced this issue Dec 14, 2023
* Updated to match BSD-2 Clause License

Retrieved license content from:
https://opensource.org/license/bsd-2-clause/

* linting