Forum Discussion
AADSTS75011 by which the user authenticated with the service doesn't match requested authentication
We're experiencing problems with a certain application that we've registered in Azure.
Sorry, but we're having trouble signing you in. We received a bad request.
AADSTS75011 by which the user authenticated with the service doesn't match requested authentication method 'Password Protected transport'
Situation:
- User logs in (Citrix environment).
- IE11 is auto-started. Default start page = our intranet on SharePoint Online (at this moment SSO kicks in and the user is logged in automatically to office.com / SharePoint Online).
- User opens a new tab in IE11, navigates to the application's login URL (external SaaS application) and poof; the error shows up.
- When the user starts Chrome at this moment and navigates to the application's login URL again, he WILL be logged in automatically.
The software developer says it has something to do with our Azure settings or Windows environment, but we have a lot more applications registered the same way where this error never occurs.
Does anyone have a clue on how to fix this?
It looks like the SaaS application does not accept Windows Integrated authentication?
- Rishabh Srivastava, Iron Contributor
Hello Josse,
The error message that you are getting is because the authentication request sent by the application is not accepted by Azure AD.
Note :- "PasswordProtectedTransport" is a parameter which is included when the authentication request is sent to the IDP using SAML.
Below is an example of a sample SAML auth request:
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
Check it from the rfc of saml - http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html
The purpose of this parameter is to prompt the user to enter credentials even if SSO is enabled in the enterprise.
Now I am not really sure what is happening with this request; if you look closely there is a "," between password and protected transport.
Also below is a sample SAML request that should be sent to Azure AD:
<samlp:AuthnRequest
xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
ID="id6c1c178c166d486687be4aaf5e482730"
Version="2.0" IssueInstant="2013-03-18T03:28:54.1839884Z"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://www.contoso.com</Issuer>
</samlp:AuthnRequest>
Also please refer to the article mentioned above:
RequestAuthnContext
The RequestedAuthnContext element specifies the desired authentication methods. It is optional in AuthnRequest elements sent to Azure AD. Azure AD supports only one AuthnContextClassRef value: urn:oasis:names:tc:SAML:2.0:ac:classes:Password
In order to get this fixed, I think you can ask your developer to change the authentication request for this application.
Regards,
Rishabh
- Josse Huizen, Copper Contributor
Hi Rishabh,
thanks for your reply!
I am not a developer at all, but basically what you are saying is:
classes:PasswordProtectedTransport --> most probably this causes the problem
classes:Password --> this will work?
Is this correct? I will ask the developer to look further into this.
Regards,
Josse
- Rishabh Srivastava, Iron Contributor
Yes, it will work and you can also share this article with him.
If it still doesn't work, let me know.
Regards,
Rishabh
- edmorice506, Microsoft
Josse Huizen, this error is related to the application sending this:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
If the application has an option to select the authentication method, change it to
urn:oasis:names:tc:SAML:2.0:ac:classes:Unspecified
to allow Azure to select the authentication method.
Right now it is attempting to use WIA but is being forced to use username and password.
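Confirming the diagnosis above usually means pulling the SAMLRequest parameter out of the redirect to Azure AD and reading its RequestedAuthnContext. The following is an added example written for this thread, not code from the SaaS vendor, Microsoft or any poster: it encodes and decodes the SAML HTTP-Redirect binding (base64 over raw DEFLATE), extracts the requested AuthnContextClassRef values and flags any that, per the documentation Rishabh quoted and edmorice506's Unspecified suggestion, Azure AD will not honour. The request template, its ID, issuer and timestamp are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PREFIX = "urn:oasis:names:tc:SAML:2.0:ac:classes:"
# Per the Azure AD documentation quoted in the thread, Password is the only class
# reference honoured; Unspecified (edmorice506's suggestion) lets the IdP choose.
ACCEPTED = {PREFIX + "Password", PREFIX + "Unspecified"}

def build_authn_request(class_ref: str) -> str:
    """Constructed minimal AuthnRequest (ID, issuer and timestamp are made up)."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="_constructed-id-1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">'
        "<saml:Issuer>https://sp.example.invalid</saml:Issuer>"
        '<samlp:RequestedAuthnContext Comparison="exact">'
        f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
        "</samlp:RequestedAuthnContext></samlp:AuthnRequest>"
    )

def encode_redirect_binding(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect_binding(saml_request_param: str) -> str:
    """Reverse of the above; this is what a SAML tracer shows for SAMLRequest."""
    return zlib.decompress(base64.b64decode(saml_request_param), -15).decode()

def requested_class_refs(xml_text: str) -> list[str]:
    """Every AuthnContextClassRef the SP put inside RequestedAuthnContext."""
    root = ET.fromstring(xml_text)
    path = "samlp:RequestedAuthnContext/saml:AuthnContextClassRef"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]

def check_request(xml_text: str) -> list[str]:
    """Findings that explain an AADSTS75011; an empty list means nothing suspicious."""
    return [
        f"RequestedAuthnContext demands {ref.removeprefix(PREFIX)}, which Azure AD "
        "does not honour; use Password, or Unspecified to let the IdP choose"
        for ref in requested_class_refs(xml_text)
        if ref not in ACCEPTED
    ]
```

Run `check_request(decode_redirect_binding(param))` against the SAMLRequest value captured from the failing IE11 redirect; a single finding naming PasswordProtectedTransport matches the error in the first post, while an empty list points the investigation back at the browser or WIA configuration instead.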