Forum Discussion

Josse Huizen
Copper Contributor
May 22, 2018

AADSTS75011 by which the user authenticated with the service doesn't match requested authentication

We're experiencing problems with a certain application that we've registered in Azure.

Sorry, but we're having trouble signing you in.  We received a bad request.

AADSTS75011 by which the user authenticated with the service doesn't match requested authentication method 'Password Protected transport'



Situation:

  • user logs in (Citrix-environment)
  • IE11 is auto-started. Default startpage = our intranet on SharePoint Online
    (at this moment SSO kicks in and the user will be logged in automatically in office.com / SharePoint Online)
  • User starts new tab in IE11, navigates to the application's login-url (external SaaS application) and poof; the error shows up
  • When user starts Chrome at this moment and navigates to the application's login-url again, he WILL be logged in automatically.

The software developer says it has something to do with our Azure settings or Windows environment, but we have a lot more applications registered the same way where this error never occurs.

Does anyone have a clue on how to fix this?
It looks like the SaaS application does not accept Windows Integrated authentication?

  • Hello Josse,

    The error message that you are getting is because the authentication request sent by the application is not accepted by Azure AD.

    Note: "PasswordProtectedTransport" is a parameter which is included when the authentication request is sent to the IdP using SAML.

    Below is an example of a sample SAML auth request:

    <saml:AuthnStatement>
    <saml:AuthnContext>
    <saml:AuthnContextClassRef>
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    </saml:AuthnContextClassRef>
    </saml:AuthnContext>
    </saml:AuthnStatement>

    Check it from the RFC of SAML - http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html

    The purpose of this parameter is to prompt the user to enter credentials even if SSO is enabled in the enterprise.

    Now I am not really sure what is happening with this request; if you look closely there is a "," between password and protected transport.

    Also below is a sample SAML request that should be sent to Azure AD:

    <samlp:AuthnRequest
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    ID="id6c1c178c166d486687be4aaf5e482730"
    Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
    </samlp:AuthnRequest>

    https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-single-sign-on-protocol-reference

    Also please refer to the article mentioned above:

    RequestAuthnContext

    The RequestedAuthnContext element specifies the desired authentication methods. It is optional in AuthnRequest elements sent to Azure AD. Azure AD supports only one AuthnContextClassRef value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password

    In order to get this fixed, I think you can ask your developer to change the authentication request for this application.

    Regards,

    Rishabh

  • Josse Huizen, this error is related to the application sending this:
    urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    If the application has an option to select the authentication method, change it to
    urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified
    to allow Azure to select the authentication method.
    Right now it is attempting to use WIA but being forced to use Username and Password.
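Both replies above come down to one check: what AuthnContextClassRef the SaaS application puts in its RequestedAuthnContext. The following script is an added example, not code from the thread or from Microsoft; it parses a captured AuthnRequest and reports whether the requested context is one Azure AD accepts (Password, as quoted from the docs) or the Unspecified value the second reply recommends. The sample request, issuer and ID are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces for protocol and assertion elements.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Values the thread says will not trigger AADSTS75011: Password (quoted from the
# docs) and Unspecified (lets Azure AD choose, so an existing SSO session is reused).
ACCEPTED = {AC + "Password", AC + "Unspecified"}


def requested_authn_classes(authn_request_xml: str) -> list:
    """Return every AuthnContextClassRef inside the request's RequestedAuthnContext."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("document is not a samlp:AuthnRequest")
    refs = root.findall("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return [(ref.text or "").strip() for ref in refs]


def diagnose(authn_request_xml: str) -> str:
    """Explain whether the request's authentication context will be accepted."""
    classes = requested_authn_classes(authn_request_xml)
    if not classes:
        return "ok: no RequestedAuthnContext, the IdP chooses the method"
    bad = [c[len(AC):] for c in classes if c not in ACCEPTED]
    if not bad:
        return "ok: " + ", ".join(c[len(AC):] for c in classes)
    return ("mismatch: " + ", ".join(bad) + " is not accepted by Azure AD; "
            "use Unspecified or omit RequestedAuthnContext")


# Constructed sample: a request that forces password authentication even though
# the browser already holds an SSO session (the situation described in the post).
SAMPLE_BAD = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_example_1" Version="2.0" IssueInstant="2018-05-22T09:00:00Z">
  <saml:Issuer>https://app.example.test</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# The same request after the change the second reply suggests.
SAMPLE_OK = SAMPLE_BAD.replace("PasswordProtectedTransport", "Unspecified")

if __name__ == "__main__":
    print(diagnose(SAMPLE_BAD))
    print(diagnose(SAMPLE_OK))
```

Feed it the AuthnRequest captured from the browser (the SAMLRequest parameter, base64 and inflate decoded) to confirm which context the application is actually sending before asking the vendor to change it.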
