400 Bad Request Error with ADFS

I spent waaayyyyy too much time trying to resolve this problem so am capturing it here in case any of the rest of you run up against this. I installed a new ADFS 3.0 on Windows Server 2012 R2 machine in my environment, and then configured a new SharePoint SPTrustedIdentityTokenIssuer for it. Every time I tried to authenticate to it I entered my credentials, and then I would get a 400 bad request back and the whole thing came to a grinding halt. I was getting no errors in any of the event logs on the ADFS server. What was also weird is that if I configured ADFS to use forms based authentication instead of Windows, I could log in just fine.

I suspected Kerberos SPN issues, but when I had tried to set it after setting up ADFS (using setspn) it said that the SPN was set. Well, guess what - turns out that was not true. I finally just went in to adsiedit.msc on my domain controller and looked at my service account. If you go into the properties you can scroll down to servicePrinicpalName and see exactly what's configured for it, and sure enough, my ADFS server was not listed there. So, I just added the SPN needed for it - http/yourFqdnAdfsServer - saved it, and authentication started working then. As always, note that the SPN is NOT a Url, like http://myserver, it's just the protocol and host name, so http/myserver.

Hopefully this will save you some time, I know a lot of folks build all this out in their labs at home so start by double-checking your service account SPNs.