GaryF's questions

Scenario

1. User on AD client machine opens a browser and enters a https url to a service provider.

2. Browser redirects to ADFS 3.0 IdP and the user is prompted to enter their AD user name and password.

3. Browser redirects to the SP url and back to IdP six times until the following error is returned.

For a standard AD user

Activity ID: 00000000-0000-0000-1f00-0080000000f9
Relying party: SAM6
Error time: Thu, 01 Dec 2016 10:38:48 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0

If the AD user attempts to login the following error appears

Activity ID: 00000000-0000-0000-1f00-0080000000f8
Relying party: SAM6
Error time: Thu, 01 Dec 2016 10:38:48 GMT
Cookie: enabled
User agent string: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0)
Gecko/20100101 Firefox/49.0

Google doesn't return any reports for these errors posting here to see if anyone has encountered these errors. Related results returned by Google have been checked.

I have a colleague who has set up an ADFS server in a test environment and that have given the ADFS server an alias.

host name test-server.tdom.com
alias test-adfs.tdom.com

The server is running under a specific AD user account.

The replying party trusts have been set up to trust the alias.

We have been able to set SPNs for the host name as follows

setspn -s HTTP/test-server.tdom.com Admin
setspn -s HTTP/test-server $

But not for the alias if he tries to register.

setspn -s HTTP/test-adf $ returns a message stating the "account test-adf $ cannot be found".

Congruently we cannot get IWA to function.

Does anyone know how the SPN can be set for the alias.