After External IDP (SAML) is enabled, AD users cannot be authenticated when logging in with the App Center Agent.
In the App Center Agent, the end user gets an error message saying:
401 - Unauthorized: Access is denied due to invalid credentials.
Integrated Windows Authentication (IWA) is set by default in AD Federation Services. App Center supports "Forms-based authentication" (FBA), and it was not set in the web.config file.
To enable end users to be authenticated, make sure that "Forms-based authentication" (FBA) is properly set in the web.config file. The FBA entry needs to be moved to the top of the <localAuthenticationTypes> list, as below:
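<microsoft.identityServer.web>
  <localAuthenticationTypes>
    <!-- Forms listed first, ahead of Integrated -->
    <add name="Forms" page="FormsSignIn.aspx" />
    <add name="Integrated" page="auth/integrated/" />
    <add name="TlsClient" page="auth/sslclient/" />
    <add name="Basic" page="auth/basic/" />
  </localAuthenticationTypes>
  <!-- remaining settings in this section are unchanged -->
</microsoft.identityServer.web>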
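The following PowerShell script is an added example, not part of the original article or of any Symantec or Microsoft tooling. It reports the current order of the <localAuthenticationTypes> entries and, only when run with -Fix, backs up web.config and moves the Forms entry to the top. The parameter names and the backup file naming are assumptions; the full path to web.config must be supplied by the caller.

```powershell
# Added example: check (and optionally correct) the order of <localAuthenticationTypes>.
# Assumption: -WebConfigPath is the full path to the AD FS web.config (under inetpub\adfs\ls).
param(
    [Parameter(Mandatory = $true)][string]$WebConfigPath,
    [switch]$Fix
)

$fullPath = (Resolve-Path -LiteralPath $WebConfigPath).ProviderPath

$doc = New-Object System.Xml.XmlDocument
$doc.PreserveWhitespace = $true            # keep the file's existing layout on save
$doc.Load($fullPath)

$list = $doc.SelectSingleNode('//microsoft.identityServer.web/localAuthenticationTypes')
if (-not $list) { throw "localAuthenticationTypes not found in $fullPath" }

# Collect the <add> entries in document order.
$entries = @($list.SelectNodes('add'))
$order   = @($entries | ForEach-Object { $_.GetAttribute('name') })
Write-Output ("Current order: " + ($order -join ', '))

$forms = $entries | Where-Object { $_.GetAttribute('name') -eq 'Forms' } |
         Select-Object -First 1
if (-not $forms) { throw "No 'Forms' entry found; add it by hand as shown in the snippet." }

if ($order[0] -eq 'Forms') {
    Write-Output 'Forms is already the first authentication type. No change needed.'
    return
}
if (-not $Fix) {
    Write-Output 'Forms is not first. Re-run with -Fix to move it to the top.'
    return
}

# Keep a timestamped copy so the change can be rolled back.
$backup = "$fullPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
Copy-Item -LiteralPath $fullPath -Destination $backup

# InsertBefore relocates a node that is already in the tree.
[void]$list.InsertBefore($forms, $entries[0])
$doc.Save($fullPath)
Write-Output "Moved Forms to the top. Backup written to $backup"
```

Because the script changes which sign-in method is offered first, review the reported order and keep the backup until sign-in has been confirmed for both App Center Agent users and any other relying parties on the same AD FS server.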
The web.config file can be found under <>:\inetpub\adfs\ls. For more information, please see the following articles:
How to configure App Center with ADFS SAML provider
http://www.symantec.com/docs/HOWTO84940
Configure ADFS for Forms Based Authentication (FBA):
Applies To
Symantec App Center 4.x
External Identity Provider - SAML