pnp / PnP-PowerShell

SharePoint PnP PowerShell CmdLets
https://pnp.github.io/powershell

On-Premise ADFS throws unexpected Error #355

Open smumalo opened 8 years ago

smumalo commented 8 years ago

We have a fully configured Hybrid scenario with SP2016 and ADFS Auth. This is a pure On-Premise Problem.

https://webapp1/ <= ADFS
https://webapp1:444/ <= NTLM

When we use "Connect-SPOnline" with the 444, everything is working as expected.

But if we use the ADFS WebApp we simply get the following PowerShell-Error:


```
Connect-SPOnline : Cannot contact web site 'https://webapp1/' or the web site does not support SharePoint Online credentials. The response status code is 'Forbidden'. The response headers are 'X-SharePointHealthScore=0, SPRequestGuid=61d9839d-99f3-c0dd-f7c2-860bf6da2342, request-id=61d9839d-99f3-c0dd-f7c2-860bf6da2342, X-Forms_Based_Auth_Required=https://webapp1/_login/default.aspx?ReturnUrl=/_layouts/15/error.aspx, X-Forms_Based_Auth_Return_Url=https://webapp1/_layouts/15/error.aspx, X-MSDAVEXT_Error=917656; Access+denied.+Before+opening+files+in+this+location%2c+you+must+first+browse+to+the+web+site+and+select+the+option+to+login+automatically., MicrosoftSharePointTeamServices=16.0.0.4378, X-Content-Type-Options=nosniff, X-MS-InvokeApp=1; RequireReadOnly, Content-Length=13, Content-Type=text/plain; charset=utf-8, Date=Tue, 07 Jun 2016 15:09:28 GMT, Server=Microsoft-IIS/8.5, X-Powered-By=ASP.NET'.
At line:1 char:1
```


If we add "-UseAdfs" to the request we get the following Error:


```
Connect-SPOnline : Exception has been thrown by the target of an invocation.
At line:1 char:1
```


We tried to provide the saml-token as username, adfs-login, even the DOMAIN\Username => nothing changes. As the Error is not caught, there seems to be something unexpected happening.

The problem is that we need to work with the ADFS-WebApplication but are unable to do so.

We installed the most recent msi of PnP-PowerShell today and the SP2016 machine running the commands is on the most recent updates.

Thank You, Stefan

Dylan-DE commented 8 years ago

Hi, I am also getting this error when trying to connect to our on-prem SharePoint with ADFS. Any ideas on how to troubleshoot this would be welcome :) Thanks Dylan

lmscheuerman commented 7 years ago

I'm just following up on this as we are encountering the same issue with SharePoint deployed in Azure using ACS provider. Thanks LMS

initdave commented 7 years ago

Hoping to stir up any additional insight to this inquiry. I am leveraging ADFS in an on-prem SharePoint 2013 environment and find myself with this same error when attempting to connect.

```
G:> Connect-PnPOnline -Url https://sharepoint.url.com -Credential (get-credential) -UseAdf

cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
Connect-PnPOnline : Exception has been thrown by the target of an invocation.
At line:1 char:1
```

mrpullen commented 7 years ago

I have used this on 2013 / on premise without an issue in the past.

This won't work if you are PIV enforced as the credential that is passed to ADFS is username/mixed. You should check your ADFS endpoint, if you are using some other endpoint, that might be the cause.

Dylan-DE commented 7 years ago

Hi mrpullen,

I am not so familiar with the ADFS side of things, what do you mean about PIV enforced? I tried Googling this but did not find anything.

joshtransient commented 6 years ago

@Dylan-DE: @mrpullen is talking about smart card/client certificate authentication.

Can confirm from a Fiddler trace that -UseAdfs hands off to /adfs/services/trust/13/usernamemixed. Verify that endpoint is enabled in ADFS (screenshot of where you need to be in the ADFS MMC).
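One way to act on the advice above, as an added example that is not part of the thread or of PnP-PowerShell: it reads the state of the `usernamemixed` endpoint with the ADFS module's `Get-AdfsEndpoint` (where `Proxy` shows whether the endpoint is also published through the Web Application Proxy) and unwraps the generic "target of an invocation" error to its inner cause. `Get-ExceptionChain`, the constructed sample exceptions and the placeholder URL are assumptions made for illustration.

```powershell
# Added example: endpoint check plus inner-exception unwrapping.
$path = '/adfs/services/trust/13/usernamemixed'   # endpoint named in the comment above

function Get-ExceptionChain {
    # Walk InnerException so the cause hidden behind
    # "Exception has been thrown by the target of an invocation" becomes visible.
    param([Parameter(Mandatory = $true)][System.Exception]$Exception)
    $depth = 0
    for ($e = $Exception; $null -ne $e; $e = $e.InnerException) {
        [pscustomobject]@{
            Depth   = $depth
            Type    = $e.GetType().FullName
            Message = $e.Message
        }
        $depth++
    }
}

# 1. Endpoint state. Only meaningful on an AD FS server, where the ADFS module exists.
if (Get-Command Get-AdfsEndpoint -ErrorAction SilentlyContinue) {
    Get-AdfsEndpoint -AddressPath $path |
        Select-Object AddressPath, Enabled, Proxy, ClientCredentialType
} else {
    Write-Warning 'ADFS module not found; run the endpoint check on an AD FS server.'
}

# 2. Constructed sample: a wrapper exception of the kind reported in this thread,
#    with a made-up inner exception, to show what the unwrapping returns.
$inner   = New-Object System.Net.WebException 'constructed sample: the request failed'
$wrapped = New-Object System.Reflection.TargetInvocationException -ArgumentList $inner
Get-ExceptionChain -Exception $wrapped | Format-Table -AutoSize

# 3. Against a real failure (the URL is a placeholder, not a value from this thread):
# try   { Connect-PnPOnline -Url 'https://sharepoint.example' -Credentials (Get-Credential) -UseAdfs -ErrorAction Stop }
# catch { Get-ExceptionChain -Exception $_.Exception | Format-List }
```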

AtDH01 commented 6 years ago

@smumalo did you manage to resolve this issue? Having a similar issue connecting to SP2016 on-prem via ADFS...

smumalo commented 6 years ago

@AtDH01 unfortunately we established a workaround and did not invest any more time on a solution.

SergeiAtML commented 6 years ago

I am curious what was the work around, as I am encountering similar issue.

khha commented 5 years ago

I have the same issue! This is a workaround:

```
Connect-PnPOnline -Url "https://mycompany.com" -UseWebLogin
```

The "UseWebLogin" will open a browser in a popup where you automatically get a token from ADFS.

Does someone have the solution to this issue?

JoergBru commented 4 years ago

I have the same issue. It works with parameter "-UseWebLogin", but doesn't work with param "-UseAdfs"

```
Connect-PnPOnline : Exception has been thrown by the target of an invocation.
At D:\tmp\SharePoint\Test-PnpPowershell.ps1:11 char:1
```

But unfortunately it is not the complete truth :-( On five development SharePoint Servers it does work with param "-UseAdfs". Only on these five machines with SP2013 and Visual Studio installed.

Any ideas why?