Channel: Azure Active Directory forum

SAML 2.0 from Azure - ADFS error


Scenario:

We have an ADFS install on a subnet consisting of a DC, ADFS server and client machine. Azure is hosting the web server that needs to implement SSO using SAMLp 2.0 (SAML tokens over SAML protocol) through the ADFS machine.

Issue:

We have implemented the code necessary to use SAMLp from the Azure web role, and we are getting the requests through to the ADFS machine; however, when the request is processed by ADFS, the following error is consistently being reported to the event viewer:

 -------------------------------------------------------------------------------------------------------------------------------------------------

An event or events were not traced.
 Original event string:
 <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Information"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Channels.MessageReceived.aspx</TraceIdentifier><Description>Received a message over a channel.</Description><AppDomain>Microsoft.IdentityServer.ServiceHost.exe</AppDomain><Source>System.ServiceModel.Channels.ServerSessionPreambleConnectionReader+ServerFramingDuplexSessionChannel/23331197</Source><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/MessageTransmitTraceRecord"><MessageProperties><Encoder>application/soap+msbinsession1</Encoder><AllowOutputBatching>False</AllowOutputBatching><Security></Security></MessageProperties></ExtendedData></TraceRecord>
 Exception: System.Security.Principal.IdentityNotMappedException: Some or all identity references could not be translated.
   at System.Security.Principal.SecurityIdentifier.Translate(IdentityReferenceCollection sourceSids, Type targetType, Boolean forceSuccess)
   at System.Security.Principal.SecurityIdentifier.Translate(Type targetType)
   at System.Security.Principal.WindowsIdentity.GetName()
   at System.Security.Principal.WindowsIdentity.get_Name()
   at System.IdentityModel.Claims.WindowsClaimSet.InitializeClaimsCore()
   at System.IdentityModel.Claims.WindowsClaimSet.EnsureClaims()
   at System.IdentityModel.Claims.WindowsClaimSet.<FindClaims>d__0.MoveNext()
   at System.ServiceModel.Security.SecurityUtils.GetPrimaryIdentityClaim(AuthorizationContext authContext)
   at System.ServiceModel.ServiceSecurityContext.get_IdentityClaim()
   at System.ServiceModel.ServiceSecurityContext.get_IsAnonymous()
   at System.ServiceModel.Diagnostics.MessageTraceRecord.WriteTo(XmlWriter xml)
   at System.ServiceModel.Diagnostics.MessageTransmitTraceRecord.WriteTo(XmlWriter xml)
   at System.ServiceModel.Diagnostics.DiagnosticTrace.BuildTrace(PlainXmlWriter xml, TraceEventType type, TraceCode code, String description, TraceRecord trace, Exception exception, Object source)
   at System.ServiceModel.Diagnostics.DiagnosticTrace.BuildTrace(TraceEventType type, TraceCode code, String description, TraceRecord trace, Exception exception, Object source, TraceXPathNavigator& navigator)
   at System.ServiceModel.Diagnostics.DiagnosticTrace.TraceEvent(TraceEventType type, TraceCode code, String description, TraceRecord trace, Exception exception, Object source)
 Process Name: Microsoft.IdentityServer.ServiceHost
 Process ID: 2584

-------------------------------------------------------------------------------------------------------------------------------------------------

and it seems to be accompanied by an entry in the security event log:

-------------------------------------------------------------------------------------------------------------------------------------------------

An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain:-
Logon ID: 0x0

Logon Type:3

New Logon:
Security ID: SYSTEM
Account Name: ADFS$
Account Domain:DEV
Logon ID: 0x3bd1fc
Logon GUID: {17bd5d61-51ab-17ea-0736-7d1d7e81143c}

Process Information:

-------------------------------------------------------------------------------------------------------------------------------------------------

Has anyone else seen this, or better yet, resolved this?

Thanks,

J

-------------------------------------------------------------------------------------------------------------------------------------------------
