
IdentityServer3 with Windows Authentication fails with redirect to IdpReplyUrl

I am trying to implement IdentityServer using Windows Authentication in an ASP.NET OWIN application.

I have used the WebHost (WindowsAuth) code at https://github.com/IdentityServer/IdentityServer3.Samples to prove the concept and it works. However, when I try to use the same principles with my own IdentityServer implementation it doesn't work. I've replicated, I hope, the sample exactly.

The IdentityServer home page displays correctly. The WindowsAuthentication app responds with the metadata xml correctly. The discovery document displays correctly. However, when I try to access the permissions page, I get redirected to the route I've specified in the WindowsAuthentication IdpReplyUrl: http://localhost:55567/was and that's it. In the sample, I reach an empty permissions page, but I know the auth has worked as it shows my username in the title bar.

Looking into the logging (see below) it ends with a 401, which I thought was the answer; however, the successful authentication also has this line.

IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 [2021-01-07T10:50:16.2766069Z] Request received, Method=GET, Url=http://localhost:53731/permissions, Id=061c1ec0-df33-4137-9eb1-9366c5c9b09b, Message='http://localhost:53731/permissions'
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 Permissions page requested
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 User not authenticated, redirecting to login
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 Redirecting to login page
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 Protecting message: {"ReturnUrl":"http://localhost:53731/permissions","AcrValues":[],"Created":637456134164505256}
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 [2021-01-07T10:50:16.5320969Z] Sending response, Status=302 (Redirect), Method=GET, Url=http://localhost:53731/permissions, Id=061c1ec0-df33-4137-9eb1-9366c5c9b09b, Message='Content-type='none', content-length=unknown'
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 [2021-01-07T10:50:16.5580994Z] Request received, Method=GET, Url=http://localhost:53731/login?signin=815bf7d8b26092659af9966b10eab111, Id=eec1429b-0162-44c1-be75-99316e56e995, Message='http://localhost:53731/login?signin=815bf7d8b26092659af9966b10eab111'
MyApp.Authentication.UserServices.Windows.WindowsUserService DEBUG 2021-01-07 10:50:16 Initialising MyApp user service
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 Login page requested
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 signin message passed to login: {
  "ReturnUrl": "http://localhost:53731/permissions",
  "ClientId": null,
  "IdP": null,
  "Tenant": null,
  "LoginHint": null,
  "DisplayMode": null,
  "UiLocales": null,
  "AcrValues": [],
  "Created": 637456134164505256
}
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 local login disabled for the client
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 only one provider for client
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:16 redirecting to provider URL: http://localhost:53731/external?provider=windows&signin=815bf7d8b26092659af9966b10eab111
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 [2021-01-07T10:50:16.8326786Z] Sending response, Status=302 (Redirect), Method=GET, Url=http://localhost:53731/login?signin=815bf7d8b26092659af9966b10eab111, Id=eec1429b-0162-44c1-be75-99316e56e995, Message='Content-type='none', content-length=unknown'
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:16 [2021-01-07T10:50:16.8649835Z] Request received, Method=GET, Url=http://localhost:53731/external?provider=windows&signin=815bf7d8b26092659af9966b10eab111, Id=584d06ea-8cd0-4974-90e5-2b53ef202910, Message='http://localhost:53731/external?provider=windows&signin=815bf7d8b26092659af9966b10eab111'
MyApp.Authentication.UserServices.Windows.WindowsUserService DEBUG 2021-01-07 10:50:16 Initialising MyApp user service
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:17 External login requested for provider: windows
IdentityServer3.Core.Logging.LoggerExecutionWrapper INFO  2021-01-07 10:50:17 Triggering challenge for external identity provider
IdentityServer3.Core.Logging.LoggerExecutionWrapper DEBUG 2021-01-07 10:50:17 [2021-01-07T10:50:17.1793712Z] Sending response, Status=401 (Unauthorized), Method=GET, Url=http://localhost:53731/external?provider=windows&signin=815bf7d8b26092659af9966b10eab111, Id=584d06ea-8cd0-4974-90e5-2b53ef202910, Message='Content-type='none', content-length=unknown'

Any suggestions are warmly received.

Update

I've enabled logging on the WindowsAuthentication app and that appears to be working:

Start WS-Federation request
User is anonymous. Triggering authentication
Start WS-Federation request
Sign-in request
Creating WS-Federation signin response
Using primary SID as subject
Emitting WindowsAccountName as name claim

This was because I had set the IdpReplyUrl incorrectly. It must be set to the address of the 'main' IdentityServer host; I had it set to the Windows authentication host:

IdpReplyUrl = "https://idserverapp/was" not IdpReplyUrl = "https://windowsauthapp/was"
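An added configuration example, written here to show the fix in context; it is not the asker's code and not the IdentityServer3 sample's. It is C# for the two OWIN hosts the post describes. The host names idserverapp and windowsauthapp come from the post; the /windows mount path, the urn:idsrv3 realm, the CertStore helper, the thumbprint placeholder and the in-memory service factory stand-in are assumptions. The commented-out line next to IdpReplyUrl is the broken value beside the corrected one.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer.WindowsAuthentication.Configuration;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Microsoft.Owin;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Assumed helper shared by both hosts: load a certificate from the machine store.
// "<THUMBPRINT-PLACEHOLDER>" is a placeholder, not a value from the post.
static class CertStore
{
    public static X509Certificate2 Load(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new InvalidOperationException("certificate not found");
            return found[0];
        }
    }
}

// ---- Host 1: Windows authentication service, https://windowsauthapp (IIS, Windows auth on) ----
namespace WindowsAuthHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.Map("/windows", windows =>
            {
                windows.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
                {
                    // Realm IdentityServer presents as wtrealm (the sample's value, assumed here).
                    IdpRealm = "urn:idsrv3",

                    // Where the WS-Federation signin response is POSTed. It must be a URL on
                    // the IdentityServer host, because only IdentityServer's WS-Federation
                    // middleware turns that token into a signed-in user.
                    IdpReplyUrl = "https://idserverapp/was",

                    // The broken value from the post pointed back at this host: the token was
                    // posted to an app that never consumes it, so the browser stopped at
                    // IdpReplyUrl and IdentityServer never received a signed-in user.
                    // IdpReplyUrl = "https://windowsauthapp/was",

                    // Signs the token. IdentityServer takes the matching public key from the
                    // /windows metadata and rejects tokens signed with any other key.
                    SigningCertificate = CertStore.Load("<THUMBPRINT-PLACEHOLDER>"),
                    EnableOAuth2Endpoint = false
                });
            });
        }
    }
}

// ---- Host 2: IdentityServer3, https://idserverapp ----
namespace IdServerHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServer(new IdentityServerOptions
            {
                SigningCertificate = CertStore.Load("<THUMBPRINT-PLACEHOLDER>"),
                Factory = BuildFactory(),
                AuthenticationOptions = new AuthenticationOptions
                {
                    // Gives the log lines "local login disabled for the client" and
                    // "only one provider for client": users go straight to Windows.
                    EnableLocalLogin = false,
                    IdentityProviders = ConfigureIdentityProviders
                }
            });
        }

        private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
        {
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
            {
                // "windows" is the provider name seen in the log (external?provider=windows).
                AuthenticationType = "windows",
                Caption = "Windows",
                SignInAsAuthenticationType = signInAsType,
                // Metadata of the Windows auth host: its endpoint plus its signing key.
                MetadataAddress = "https://windowsauthapp/windows",
                // Must equal IdpRealm on the Windows auth host.
                Wtrealm = "urn:idsrv3",
                // The path IdpReplyUrl points at on this host. If IdentityServer is mounted
                // under a path base, IdpReplyUrl has to include that base as well.
                CallbackPath = new PathString("/was")
            });
        }

        // Assumed stand-in for the deployment's real clients, scopes and user service.
        private static IdentityServerServiceFactory BuildFactory()
        {
            var factory = new IdentityServerServiceFactory();
            factory.UseInMemoryScopes(StandardScopes.All);
            factory.UseInMemoryClients(new List<Client>());
            factory.UseInMemoryUsers(new List<InMemoryUser>());
            return factory;
        }
    }
}
```

A quick way to confirm the wiring is to watch the browser's network trace: after the 302 from the Windows auth host, the next request should be a POST to the IdpReplyUrl on the IdentityServer host carrying the WS-Federation response, followed by IdentityServer setting its own cookie and sending the user back to the ReturnUrl from the log. If that POST lands on the Windows auth host instead, IdpReplyUrl is still pointing at the wrong host.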
