This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 35%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKN%3C/text%3E%3C/svg%3E)
Hello All,
I have enabled Azure MFA on ADFS. While testing from https://aka.ms/mfasetup I getting below error message. Followed multiple blogs and implemented suggestions like UPN update etc.
Could anyone please suggest solution for this error.
AADSTS50107: The requested federation realm object 'http://sso.xyz.com/adfs/services/trust' does not exist.
Thanks
Naveen
This is not an ADFS error. This is an Aure AD error (I added the Azure AD tag).
This basically says that your the federation settings you have for this domain in Azure AD are not matching the actual ID of your ADFS deployment. Or at least not the ID that ADF issued in its tokens.
Asusming you don't have a multiple domain environment, the following commands should return the same thing:
# from a machine with the MSOnline module installed and connected
(Get-MsolDomainFederationSettings -DomainName <your domain here>).IssuerUri
# from an ADFS server
(Get-ADFSProperties).Identifier
Then you need to proper claim issuance rule. You can generate them with this wizard if you are not sure which one should be set: https://adfshelp.microsoft.com/AadTrustClaims/ClaimsGenerator.
If you have a multiple domain environment let us know, it might be a bit different. Utlimatly, we use the user's UPN to generate the IssuerID in the token. That also might be why you see post here and there mentionning UPN issues. What is your current UPN situation? Routable domain name? Matching the email address?
TNo multiple domain. I have generated claims from Azure script which is given on portal.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN"), query = "samAccountName={0};mail;{1}", param = regexreplace(c.Value, "(?<domain>[^\]+)\(?<user>.+)", "${user}"), param = c.Value);
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(store = "Active Directory", types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\]+)\(?<user>.+)", "${user}"), param = c.Value);
Hello @Pierre Audonnet - MSFT
Sorry for the delayed response. Thank you very much for the reply. I am getting below details
I have tried to check from Azure AD connect and was able to see the configuration but getting error message on verify federated login.
The federation service name sso.abcservice.com cannot be resolved.Confirm that the federation
service name is registered in DNS and is resolvable from this server.
Azure -
http://abcservice.com/adfs/services/trust/
ADFS -
AbsolutePath : /adfs/services/trust
AbsoluteUri : http://sso.abcservice.com/adfs/services/trust
LocalPath : /adfs/services/trust
Authority : sso.abcservice.com
HostNameType : Dns
IsDefaultPort : True
IsFile : False
IsLoopback : False
PathAndQuery : /adfs/services/trust
Segments : {/, adfs/, services/, trust}
IsUnc : False
Host : sso.abcservice.com
Port : 80
Query :
Fragment :
Scheme : http
OriginalString : http://sso.abcservice.com/adfs/services/trust
DnsSafeHost : sso.abcservice.com
IdnHost : sso.abcservice.com
IsAbsoluteUri : True
UserEscaped : False
UserInfo :
Please suggest.
Thanks
Naveen