Issue:
After installing and configuring Active Directory Federation Services (ADFS), some of us occasionally run into a repeated password prompt. Ideally, when we log in from the internal network the session should be authenticated automatically through Windows Integrated Authentication (provided the browser treats the ADFS URL as an intranet site). In this scenario, however, the prompt appears repeatedly, and after a few attempts at typing the credentials we land on a 401 error page with the message “Unauthorized: Access is denied due to invalid credentials”, even though the username and password are correct.
Cause:
There are several possible reasons for this issue:
- A CNAME record was created for the ADFS URL in the internal DNS
- The SPN is not registered properly for the service account used to configure the ADFS server
- A duplicate SPN value is registered (the same SPN on more than one account)
Resolution:
- Instead of creating a CNAME record, create an A record for the ADFS URL in the internal DNS, pointing at the ADFS server (or the farm's load-balancer IP). For example, if your ADFS URL is sso.yourcompanydomain.com, create an A record for that name. A CNAME breaks Kerberos authentication for this URL because some Windows clients build the service principal name from the canonical host name the alias resolves to rather than from sso.yourcompanydomain.com; the ADFS service account holds no such SPN, so the ticket request fails and the browser falls back to prompting.
- To find a duplicate SPN value of the service account, refer to the following MSDN article:
https://blogs.msdn.microsoft.com/psssql/2009/02/13/searching-for-duplicate-spns-got-a-little-easier/
- To register the SPN (for ADFS this is HTTP/<federation service name>, e.g. HTTP/sso.yourcompanydomain.com, on the ADFS service account), refer to the following article:
https://msdn.microsoft.com/en-us/library/ms191153.aspx
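The following PowerShell script is an added example, not part of the original post, that checks the three causes above in one pass on the ADFS server: the record type of the federation service name, which account runs the service and whether it holds the HTTP/ SPN, whether that SPN is duplicated anywhere in the forest, and the latest non-informational ADFS admin events. The federation service name sso.yourcompanydomain.com is taken from the post; the service name adfssrv (Windows Server 2012 R2 and later), the -Fix switch, and the availability of the DnsClient and ActiveDirectory modules plus setspn.exe are assumptions.

```powershell
<#
  Added example (not from the original post). Run in an elevated PowerShell
  session on the AD FS server as a domain admin. Assumptions: the federation
  service name is sso.yourcompanydomain.com (from the post), the AD FS Windows
  service is named adfssrv, and the DnsClient and ActiveDirectory modules and
  setspn.exe are available.
#>
param(
    [string]$FederationName = 'sso.yourcompanydomain.com',
    [switch]$Fix   # register the HTTP/ SPN if it is missing; never touches duplicates
)

$expectedSpn = "HTTP/$FederationName"

# 1. CNAME vs A record.
#    Some Windows Kerberos clients build the target SPN from the canonical name a
#    CNAME resolves to (HTTP/<canonical host>), which the service account does
#    not hold, so the ticket request fails and the browser prompts instead.
$dns   = Resolve-DnsName -Name $FederationName -ErrorAction Stop
$cname = $dns | Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    Write-Warning "$FederationName is a CNAME -> $($cname.NameHost). Replace it with an A record pointing at the AD FS server (or the farm's load-balancer IP)."
} else {
    $ips = ($dns | Where-Object { $_.Type -eq 'A' }).IPAddress -join ', '
    Write-Host "OK: $FederationName is an A record -> $ips"
}

# 2. Which account runs the federation service?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "adfssrv service not found; run this on the AD FS server." }
$sam    = ($svc.StartName -split '\\')[-1]     # e.g. svc_adfs, or gmsa_adfs$ for a gMSA
$svcObj = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)"
Write-Host "AD FS runs as $($svc.StartName); expected SPN: $expectedSpn"

# 3. Who holds the SPN? Exactly one object may carry it forest-wide. A duplicate
#    makes the KDC refuse to issue a ticket and log Kerberos-Key-Distribution-Center
#    event ID 11 on the domain controller.
$holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)" -Properties servicePrincipalName)
switch ($holders.Count) {
    0 {
        Write-Warning "$expectedSpn is not registered on any account."
        if ($Fix) {
            # -S checks the forest for a duplicate before adding; -A would not.
            & setspn.exe -S $expectedSpn $sam
        } else {
            Write-Host "Register it with:  setspn -S $expectedSpn $sam"
        }
    }
    1 {
        if ($holders[0].DistinguishedName -eq $svcObj.DistinguishedName) {
            Write-Host "OK: $expectedSpn is registered on $sam"
        } else {
            Write-Warning "$expectedSpn is registered on $($holders[0].DistinguishedName), not on the service account $sam."
            Write-Host "Move it with:  setspn -D $expectedSpn <that account>   then   setspn -S $expectedSpn $sam"
        }
    }
    default {
        Write-Warning "Duplicate SPN: $expectedSpn is held by $($holders.Count) objects:"
        $holders | ForEach-Object { Write-Warning "    $($_.DistinguishedName)" }
        Write-Host "Remove it from every account except $sam with:  setspn -D $expectedSpn <account>"
    }
}

# 4. Recent warnings/errors from the AD FS admin log, which usually name the
#    failing SPN or the account that could not be authenticated.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -ne 'Information' } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```

The script only registers a missing SPN when -Fix is given and prints the setspn -D command for duplicates rather than running it, because it cannot know which of the two accounts is the wrong one. After fixing DNS and the SPN, confirm from a domain-joined client with `klist purge` followed by `klist get HTTP/sso.yourcompanydomain.com`; if a ticket for that SPN is issued, the browser should no longer prompt.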
I have personally faced the above issues a few times, and every time the solution was the same as mentioned in this article. In your scenario it might be different, but it's good to check these troubleshooting steps, and also please check the Event Viewer on your ADFS server, which will give you some good insight into the issue. Thanks for reading!! Have a great day ahead.