Authentication against ACS->WAAD returns HTTP status 404: Not Found

Category: azure security

Question

Michael G. Park on Wed, 13 Feb 2013 16:39:41


I've been working with the "AAL - Native Application to REST service - Authentication via User Credentials" sample trying to authenticate against WAAD.

However, when I attempt to authenticate my request is being sent to:

https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/usernamemixed

Which returns a HTTP status 404: Not Found

What does one have to do to get ACS to authenticate against WAAD using sample above?

Replies

Steve Syfuhs on Wed, 13 Feb 2013 20:24:20


Which sample is that? Can you provide a link?

That particular endpoint is an ADFS endpoint. You would have to authenticate against the WAAD STS endpoint, which can be found in the metadata here: https://accounts.accesscontrol.windows.net/yourdomain.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml

Michael G. Park on Thu, 14 Feb 2013 04:07:55


Here's the link: http://code.msdn.microsoft.com/windowsazure/AAL-Native-Application-to-f8971f47 (sorry it's not a clickable link, but the forum hasn't/won't verify my account).

My understanding is that ACS is supposed to redirect to the correct WAAD endpoint, but it's not.

I do have an AD FS 2.0 endpoint for another domain and have it configured as an Identity Provider for the ACS namespace I'm currently hitting. ACS properly redirects to the proper AD FS 2.0 endpoint and I'm able to authenticate successfully. 

Tino Donderwinkel on Wed, 27 Feb 2013 20:33:50


The endpoint you mention in the original post (adfs/services/trust/13/usernamemixed) is an endpoint for WS-Trust, used, for example, by proxy authentication.

This is not an endpoint where the client should be redirected to.

Most probable cause is an incorrectly configured Redirect URL.

Tino

Michael G. Park on Wed, 27 Feb 2013 20:47:21


The WS-Trust endpoint (adfs/services/trust/13/usernamemixed) is returned as part of the negotiation. I don't have control over that.

I'll go back to my original question: how do you authenticate against WAAD using "AAL - Native Application to REST service - Authentication via User Credentials" sample?

Tino Donderwinkel on Wed, 27 Feb 2013 21:27:20


Windows Azure Authentication Library: a Deep Dive
http://blogs.msdn.com/b/vbertocci/archive/2012/08/01/windows-azure-authentication-library-a-deep-dive.aspx

Introducing a New Capability in the Windows Azure AD Developer Preview: the Windows Azure Authentication Library
http://blogs.msdn.com/b/windowsazure/archive/2012/08/01/introducing-a-new-capability-in-the-windows-azure-ad-developer-preview-the-windows-azure-authentication-library.aspx

I hope that helps.

Tino

Michael G. Park on Wed, 27 Feb 2013 22:32:59


I've been over those articles time and time again. I still can't figure this out or if it's even possible.

Is it possible to authenticate against WAAD via ACS using User Credentials and not through a browser?

If it is possible then how?

It looks like Microsoft just announced some breaking changes to Windows Azure Active Directory (http://social.msdn.microsoft.com/Forums/en-US/WindowsAzureAD/threads) that includes some changes to WS-Federation, SAML Protocol, and WS-FederationMetadata endpoints. Maybe these will fix the issue. They don't give a time of the release just that it's upcoming. Any idea when these changes are coming?

This seems like a basic use case and I feel like a noob asking, but I can't seem to get it to work. Getting ADFS to authenticate against an on-premises Active Directory was a cinch. I just can't get it to work with WAAD, and I have like 5 applications/businesses I want to use this for.


Michael G. Park on Thu, 28 Feb 2013 04:50:57


I fired up Fiddler in an effort to try to figure out how to get this working. Here is the realm-discovery document that comes back:

[
   {
      "Default":false,
      "EmailAddressSuffixes":[
         "domain-works.com"
      ],
      "Name":"Domain Works",
      "Protocols":[
         {
            "Mode":"passive",
            "Protocol":"SignIn",
            "Endpoint":"a long url for signing into domain-works.com via a browser"
         },
         {
            "Mode":"active",
            "Protocol":"WSTrustKerberos",
            "Endpoint":"https://fs.domain-works.com:443/adfs/services/trust/13/windowstransport"
         },
         {
            "Mode":"active",
            "Protocol":"WSTrustUsername",
            "Endpoint":"https://fs.domain-works.com:443/adfs/services/trust/13/usernamemixed"
         }
      ]
   },
   {
      "Default":false,
      "EmailAddressSuffixes":[
         "domain-broke.com"
      ],
      "Name":"Domain Broke",
      "Protocols":[
         {
            "Mode":"passive",
            "Protocol":"SignIn",
            "Endpoint":"a long url for signing into domain-broke.com via a browser"
         },
         {
            "Mode":"active",
            "Protocol":"WSTrustKerberos",
            "Endpoint":"https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/windowstransport"
         },
         {
            "Mode":"active",
            "Protocol":"WSTrustUsername",
            "Endpoint":"https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/usernamemixed"
         }
      ]
   }
]

The call to https://fs.domain-works.com:443/adfs/services/trust/13/usernamemixed succeeds. However, the call to https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/usernamemixed fails, returning:

HTTP/1.1 404 Not Found
Content-Type: text/plain
x-ms-request-id: cc7598af-c6e2-4be2-9bc8-82ce6cc41c3a
request-id: cc7598af-c6e2-4be2-9bc8-82ce6cc41c3a
X-Content-Type-Options: nosniff
Date: Thu, 28 Feb 2013 03:40:10 GMT
Content-Length: 39

The requested namespace does not exist.

So does the error "The requested namespace does not exist." mean we can't use User Credentials to authenticate against WAAD via ACS? Is there a way to create the required namespace?

Tino Donderwinkel on Thu, 28 Feb 2013 07:40:13


Hi,

How did you come by the URL https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/usernamemixed ?

Since the URL reads "...accesscontrol.windows.net", is this something you expect to exist in ACS? ACS is not AD FS, so I would never expect an ACS URL to read "../adfs/..".

The ACS endpoints (if your namespace is 'accounts', which it is not) would be:

Management Service       https://accounts.accesscontrol.windows.net/v2/mgmt/service
Management Portal        https://accounts.accesscontrol.windows.net/
OAuth WRAP               https://accounts.accesscontrol.windows.net/WRAPv0.9
OAuth2                   https://accounts.accesscontrol.windows.net/v2/OAuth2-13
WS-Federation Metadata   https://accounts.accesscontrol.windows.net/FederationMetadata/2007-06/FederationMetadata.xml
WS-Metadata Exchange     https://accounts.accesscontrol.windows.net/v2/wstrust/mex

If you need more information on the WS-Federation endpoints, open up the WS-Federation Metadata page. You will see that there are no endpoints with "/adfs/" in the URL. This is ACS, not AD FS. Hence, the URL you are trying to reach does not exist.

Make sure you are using the correct endpoints.

Just to add something more:

Protocols Supported in ACS
http://msdn.microsoft.com/en-us/library/windowsazure/gg185948.aspx

Tino
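As an added example (not code from the thread or from the AAL sample), the check below parses a realm-discovery document shaped like the one Michael captured in Fiddler and flags, per e-mail suffix, whether the active WSTrustUsername endpoint points at AD FS or at an ACS host with an "/adfs/" path, which Tino's last reply explains cannot exist in ACS. The sample document and the domain names are constructed from the thread's own placeholders; the ACS host suffix and the "/adfs/" path rule are the only assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on the realm-discovery JSON posted in the thread.
# Placeholder domains from the thread; the browser sign-in endpoints are left
# as the thread's placeholder strings because only active endpoints are checked.
DISCOVERY_JSON = """
[
  {"Default": false, "EmailAddressSuffixes": ["domain-works.com"], "Name": "Domain Works",
   "Protocols": [
     {"Mode": "passive", "Protocol": "SignIn",
      "Endpoint": "a long url for signing into domain-works.com via a browser"},
     {"Mode": "active", "Protocol": "WSTrustUsername",
      "Endpoint": "https://fs.domain-works.com:443/adfs/services/trust/13/usernamemixed"}]},
  {"Default": false, "EmailAddressSuffixes": ["domain-broke.com"], "Name": "Domain Broke",
   "Protocols": [
     {"Mode": "passive", "Protocol": "SignIn",
      "Endpoint": "a long url for signing into domain-broke.com via a browser"},
     {"Mode": "active", "Protocol": "WSTrustUsername",
      "Endpoint": "https://accounts.accesscontrol.windows.net:443/adfs/services/trust/13/usernamemixed"}]}
]
"""

# Assumption: every ACS namespace lives under this host suffix.
ACS_HOST_SUFFIX = ".accesscontrol.windows.net"


def classify_endpoint(url):
    """Return 'adfs', 'acs', 'acs-misrouted' or 'unknown' for a WS-Trust endpoint URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    if host.endswith(ACS_HOST_SUFFIX):
        # ACS exposes no /adfs/ paths, so such a URL will answer 404 (as in the thread).
        return "acs-misrouted" if "/adfs/" in path else "acs"
    return "adfs" if "/adfs/" in path else "unknown"


def audit_discovery(doc):
    """Map each e-mail suffix to the status of its active WSTrustUsername endpoint."""
    result = {}
    for realm in json.loads(doc):
        active = [p for p in realm["Protocols"]
                  if p["Mode"] == "active" and p["Protocol"] == "WSTrustUsername"]
        status = classify_endpoint(active[0]["Endpoint"]) if active else "no-active-endpoint"
        for suffix in realm["EmailAddressSuffixes"]:
            result[suffix] = status
    return result


if __name__ == "__main__":
    for suffix, status in audit_discovery(DISCOVERY_JSON).items():
        print(f"{suffix}: {status}")
```

Running it prints "domain-works.com: adfs" and "domain-broke.com: acs-misrouted", i.e. the second realm's username endpoint is the one that will 404 before any credential is ever sent.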