Claims authentication against Windows Live ID for SharePoint 2010

Hi,i followed the steps to configure Windows Live authentication for INT environment,but when i try to login with my INT Zone Credentials iam redirected to logout page..any help ??thanks in advance

I fixed the dash problem, but am getting a slightly different error now:

PS C:\Users\spsqladmin> New-SPTrustedRootAuthority “Production OpenID Token Signing Cert ” -Certificate $rootcert
PS C:\Users\spsqladmin> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
PS C:\Users\spsqladmin> $map1 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/claims/EmailAddres
s” -IncomingClaimTypeDisplayName “http://schemas.xmlsoap.org/claims/EmailAddress” -SameAsIncoming
PS C:\Users\spsqladmin> $map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identit
y/claims/nameidentifier” -IncomingClaimTypeDisplayName “UPN” -LocalClaimType “http://schemas.xmlsoap.org/ws/2005/05/iden
tity/claims/upn”
PS C:\Users\spsqladmin> $user = “283688@live.com” #your unique live PUID
PS C:\Users\spsqladmin> $emailclaim = New-SPClaimTypeMapping -IncomingClaimType http://schemas.xmlsoap.org/claims/EmailA
ddress -incomingClaimTypeDisplayName http://schemas.xmlsoap.org/claims/EmailAddress -SameAsIncoming
PS C:\Users\spsqladmin> $signinurl = “https://login.live-int.com/login.srf”
PS C:\Users\spsqladmin> $apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $re
alm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xml
soap.org/claims/EmailAddress”

New-SPTrustedIdentityTokenIssuer : Exception of type ‘System.ArgumentException’ was thrown.
Parameter name: newObj
At line:1 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claim
s/EmailAddress"
+ CategoryInfo : InvalidData: (Microsoft.Share…dentityProvider:SPCmdletNewSPIdentityProvider) [New-SPTr
ustedIdentityTokenIssuer], ArgumentException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

Hi. Thank you for the informative post. I have ocnfigured as instructed. I think I am very close. When I visit my site I am redirected to select authentication type. I select Windows Live and then redirected here:

https://login.live-int.com/login.srf?wa=wsignin1.0&wtrealm=urn%3amydomain%3aint&wctx=https%3a%2f%2fmydomain.local%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

When I enter my credentials, it appears as though something is happening because the login.live page flickers and I see something going on (processing/posting back), but I am not redirected back to my local sharepoint site.

Curious if you can help point me in the right direction?

Thanks so much…

As for me live-int.com don’t redirect me anywhere… Did you solved this issue?

I have followed the same steps metioned above and enbaled Live Id Authentication on SharePoint 2010. My Issue is – Its not Signing out completely. In Sign-in Page, it is asking to choose “Live Id” or “Windows Authentication” from Dropdown. I logged in successfully using Live ID into the site. Once I click on Sign-out, its redirecting to Sign-in page(starting page) but not Signing out properly. again I choose LiveID from drop down, its not asking for credentials its taking previous login credentials. am I missing anything?

bondia senhores eu ando muito nervosa com vcs ja tenho 57 anos e vc bloquearão minha conta e meu mesn ,para desbloquear eu tenho que fornecer numero do meu carão de dredito e a data de validade os ultimos 4 digitos e o nome conforme aparece no meu cartão porque senão eu não terei minha conta de volta .O que é isso acho que que é caso de policia, eu ter que passar meu numero de cartão se não vou ter minha conta desbloqueada sei dos meus direito.olha quero minha conta desbloqueada senão vou fazer um boletim de ocorrencia e pode ter certeza, eu não vou colocar meu numero de cartão de credito afora é com vc. marlene Fidelis

This is definitely a functionality I’m considering for SharePoint Buzz. Will fpweb be implementing / allowing this for their customers?

How can I get the PUID of my live id?
I’ve tried to use my live id as $user, when I login, it redirect to the live login page, but throw an “email or password is not correct” error when I click “login”.
I found there was a hotfix on June 29th, which mentioned the puid problem, do I need to patch it?

Great Post Andy

I’m half way ther but am getting an error when creating the trustedidentitytokenissueer

it appears that it doesn’t like the signonurl
New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
At line:1 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl https://login.live-int.com/login.srf -IdentifierClaim "http:
//schemas.xmlsoap.org/claims/EmailAddress"
+ CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTok
enIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

Any Ideas ?

Sorry

I had to create a variable to store the URL and reference it on the New-SPTrustedIdentityTokenIssuer command.

Getting this now from the live logon page

The Windows Live Network is unavailable from this site for one of the following reasons:

thanks Andy

Is the realm suppose to be a FQDN ? I currently have mine set to orbits.net. Does it need to be resolved orbits.net.live-int.com or is it just used to match up the liveid sites ?

@Andy Milsark
Thanks, Andy. Great post, but it seems the signup page of live-int is blocked from China…
I’ll try it later, sigh.

When I want to register my site and use URN:Anythingyouwant (URN:Tonydaniel in my case) after step 3 (Policy) I get the following errors when I continue and click Yes:

Error
- Validation failed for DefaultImageURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
- Validation failed for RootURL: This field cannot contain any leading or trailing spaces, must contain fewer than 513 characters, and must start and end with an alphanumeric character. This field can include only alphanumeric characters, ‘.’, and ‘-’.
- Validation failed for DefaultReturnURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
- Validation failed for ExpireCookieURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
- DefaultReturnURL does not contain the domain name.
- ExpireCookieURL does not contain the domain name.

Seems I need to setup something before I submit this? I don’t get to the part “Default Return Url”. Any thoughts?

I guess I misunderstood this URN: thing. When I entered the FQDN (www.tonydaniel.ms) it went through ok, sorry!

Sorry to keep buggin everyone. I’m still struggling to get the authentication working with live ID. Everything seems to be setup fine. I cann grant permissions on sharepoint to live ID users. The liveid logon page comes up with no errors. After entering the username and password, it just goes out to la la land.

Fiddler shows a connection time out

HTTPS connection failed. System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 65.55.70.91:443 at Fiddler.ServerChatter.CreateConnectedSocket(IPAddress[] arrDestIPs, Int32 iPort, Session _oSession) at Fiddler.Session._handleHTTPSConnect()

I think its something to do with my return URL. I have not built a custom logon page and we are also using host header webapp. Here is what I have it set to. (XXX is replaced with a valid host name)

https://xxxx.orbits.net/_trust/default.aspx

any ideas ? Aynone else get tis working ?

Yes I did import the cert. No infinite loop, I did have that previously. It just appears to time out

@Andy Milsark

nope blank

@Andy Milsark
I am facing the same issue. I get a redirected to the Windows Live Login page – where it shows the name of my site. However, it says:

The Windows Live Network is unavailable from this site for one of the following reasons…

I’ve checked the DNS name, domain name on the msm site and the realm I used to setup the SPTrustedIdentityTokenIssuer – they are all the same.

The only thing in my case is that I’m not using https for my site, and the port is 4200 (not the standard 80). 4200 however is openly accessible from the internet.

Any ideas?

@Krishna
Krishna

We are offloading SSL on our load balanacer, I’m going to reconfigure everything and bypass the load balancer. I’ll post the results. I still think it has something to do with the default return URL. What do you have yours set to ? Mine it https://VALID External FDN/_trust/Default.aspx

@Andy Milsark
442 on what the Signon URL ? That might make sense why I’m receiving all the connection timeouts

@Andy Milsark
I have tried to register account via live-int.com but can only create account within “@hotmail-int.com”. Can I create an account like userblabla@hotmail-int.com and change the powershell script to $user = “userblabla@hotmail-int.com” ?

Somebody able to register account ?
When I try to sign-up new account via https://accountservices.passport-int.net I get error message:
————-
We’re unable to complete your request
Windows Live ID is experiencing some technical difficulties while creating your account. To start using Windows Live today, get support now, click here ,choose Windows Live ID and copy paste the code below into the form.

LEFKPK~OIURMRQTQU[[U]
—————

I go one step further and try to run the powershell-script. I have followed the tips from Kevin regarding putting signinurl in variable but still get error.
Here is my ps script:
————————–
Add-PsSnapin Microsoft.SharePoint.PowerShell
$realm = “site.domain.org”
$certloc = “C:\Util\LiveID-Auth\x509certificate\LiveIDPublic.cer”
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority “Production OpenID Token Signing Cert” -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
$map1 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/claims/EmailAddress” -IncomingClaimTypeDisplayName “http://schemas.xmlsoap.org/claims/EmailAddress” –SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier” -IncomingClaimTypeDisplayName “UPN” -LocalClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”
$user = “blabla@live.com” #your unique live PUID
$signinurl = “https://login.live—int.com/login.srf”
$apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()
————————–

Error message:
————————–
New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
At line:11 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
-SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress&quot;
+ CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

————————–

I try to run powershell script with live.com account but still get error. Have tried to follow tips regarding putting url in variable.

My PS script:
———————
Add-PsSnapin Microsoft.SharePoint.PowerShell
$realm = “site.domain.org”
$certloc = “C:\Util\LiveID-Auth\x509certificate\LiveIDPublic.cer”
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority “Production OpenID Token Signing Cert” -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
$map1 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/claims/EmailAddress” -IncomingClaimTypeDisplayName “http://schemas.xmlsoap.org/claims/EmailAddress” –SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier” -IncomingClaimTypeDisplayName “UPN” -LocalClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn”
$user = “blabla@live.com” #your unique live PUID
$signinurl = “https://login.live—int.com/login.srf”
$apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()
———————

Error message:
———————
New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
At line:6 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
-SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress&quot;
+ CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
———————

Test

Error message when running ps script:

New-SPTrustedIdentityTokenIssuer : https://login.live—int.com/login.srf
At line:11 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2
-SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress&quot;
+ CategoryInfo : InvalidArgument: (https://login.live—int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

My PS Script:
Add-PsSnapin Microsoft.SharePoint.PowerShell
$realm = "site.domain.org"
$certloc = "C:\Util\LiveID-Auth\x509certificate\LiveIDPublic.cer"
$rootcert = Get-PfxCertificate $certloc
New-SPTrustedRootAuthority "Production OpenID Token Signing Cert" -Certificate $rootcert | Out-Null
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certloc)
$map1 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/claims/EmailAddress&quot; -IncomingClaimTypeDisplayName "http://schemas.xmlsoap.org/claims/EmailAddress&quot; –SameAsIncoming
$map2 = New-SPClaimTypeMapping -IncomingClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier&quot; -IncomingClaimTypeDisplayName "UPN" -LocalClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&quot;
$user = "blabla@live.com" #your unique live PUID
$signinurl = "https://login.live—int.com/login.srf&quot;
$apSAML = New-SPTrustedIdentityTokenIssuer -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claims/EmailAddress&quot;
$cpSAML = New-SPClaimsPrincipal -TrustedIdentityTokenIssuer $apSAML -Identity $user.tolower()

Great post.

I almost have it working. After I sign in using my test Hotmail account and it redirects back to the SharePoint site I get the following error:

Request information:
Request URL: https://my.dummy.org:443/_trust/default.aspx
Request path: /_trust/default.aspx
User host address: fe80::109d:8609:e5ab:30fcInvalidOperationException
User:
Is authenticated: False
Authentication Type:
Thread account name: DUMMY\svc-sp-managed

Thread information:
Thread ID: 19
Thread account name: DUMMY\svc-sp-managed
Is impersonating: False
Stack trace: at System.Uri.GetLeftPart(UriPartial part)
at Microsoft.SharePoint.Administration.SPAlternateUrl.Canonicalize(Uri uri)
at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(SPFarm farm, Uri requestUri, Boolean fallbackToHttpContext, SPAlternateUrl& alternateUrl, SPSiteLookupInfo& hostHeaderSiteInfo, Boolean& lookupRequiredContext)
at Microsoft.SharePoint.Administration.SPWebApplication.Lookup(Uri requestUri, Boolean fallbackToHttpContext)
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.RetrieveWebApplicationIdAndZoneFromUri(Uri context, Guid& webAppId, SPUrlZone& zone)
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateSingleAudienceCondition(Uri audienceUri, Guid requestWebAppId, SPUrlZone requestZone, IEnumerable`1 trustedLoginProviderNames)
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateAudienceConditions(SamlConditions conditions)
at Microsoft.SharePoint.IdentityModel.SPSaml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Your help is greatly appreciated.
Ashkan

@Ashkan

Forgot to mention that I have the latest CU updates for June installed.

@Ashkan
I’ve met the same error. But it appears after I choose “LiveID” from the login page…It doesn’t jump to the login page at all!

Hi Andy,

When I first configured Live ID with Sharepoint 2007 a long time ago, I registered my sites at msm.live.com (not INT). It looks like in the past few months, Microsoft moved some of these accounts around, and I can’t access my site registration details, through msm.live.com, however, I still can, through live.azure.com. This allows me to configure the return url, grab the App ID and Secret Key (Not sure if they are used in your guide, but they were for SP 2007).. however there’s no DNS Name or “Override Authentication Policy” I can set. Do you know if I can still use these registrations with SP 2010. I’d hate to register a site with INT, because I my sites already approved in the production domain. By the way, when I tried to register a site with msm.live-int.com, after clicking Submit and Yes, it displayed a lot of errors in red I am not sure where they came from. I noticed that in the registration screen, you can optionally enter an Application ID and a Secret Key.. however I am not sure how this will make things different…

@Erucy

That’s weird. When do you get the exception? For me the exception happens when after a successful login and posts back to my site.

Do you have the cumulative updates for June installed? I wonder if the CU is causing the error since the CU contains updates for the SP IdentityModel assembly.

Hi Andy,

When I first configured Live ID with Sharepoint 2007 a long time ago, I registered my sites at msm.live.com (not INT). It looks like in the past few months, Microsoft moved some of these accounts around, and I can’t access my site registration details, through msm.live.com, however, I still can, through live.azure.com. This allows me to configure the return url, grab the App ID and Secret Key (Not sure if they are used in your guide, but they were for SP 2007).. however there’s no DNS Name or “Override Authentication Policy” I can set. Do you know if I can still use these registrations with SP 2010. I’d hate to register a site with INT, because I my sites already approved in the production domain. By the way, when I tried to register a site with msm.live-int.com, after clicking Submit and Yes, it displayed a lot of errors in red I am not sure where they came from. I noticed that in the registration screen, you can optionally enter an Application ID and a Secret Key.. however I am not sure how this will make things different…

Hi Everybody,

When I go to the MSM site and fill out the details, click Submit, and the click Yes, I get the following errors:

Validation failed for DefaultImageURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
Validation failed for RootURL: This field cannot contain any leading or trailing spaces, must contain fewer than 513 characters, and must start and end with an alphanumeric character. This field can include only alphanumeric characters, ‘.’, and ‘-’.
Validation failed for DefaultReturnURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
Validation failed for ExpireCookieURL: The field cannot contain any leading or trailing spaces, and must contain a valid URL that begins with http:// or https://.
DefaultReturnURL does not contain the domain name.
ExpireCookieURL does not contain the domain name.

Any ideas?

Thanks!

Please disregard my last message.. Tony was right… the “urn:something:dev” doesnt work. When I added my site domain name, it went through just fine.

We have followed your instructions and have gotten this to work. Is it possible, now that we can add users by the PUID, any way we can see the PUID@live.com to a friendly name (or email) that is associated with the user on the sharepoint side. If you have more than a couple of PUIDs, it can get confusing quickly when a site owner is setting permissions (which PUID = which person). Also, the user who logs in under LiveID seems to have the PUID at the top right hand corner the sharepoint site, which may cause some users to panic.

Kevin Korb :Great Post Andy
I’m half way ther but am getting an error when creating the trustedidentitytokenissueer
it appears that it doesn’t like the signonurlNew-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srfAt line:1 char:43+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl https://login.live-int.com/login.srf -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”+ CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTokenIssuer], UriFormatException+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider
Any Ideas ?

Hi Kevin,

I am getting the error you got even after creating the new variable.. I am executing this:
$signinurl = “https://login.live—int.com/login.srf”
$apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”

And the error is:

New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
At line:1 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claim
s/EmailAddress"
+ CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTok
enIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

Any ideas?

@Kevin Korb

Hi Kevin,

I am getting the same error you got even after setting the new variable.

Here’s the line I am executing:

$signinurl = “https://login.live—int.com/login.srf”

$apSAML = New-SPTrustedIdentityTokenIssuer -Name “LiveIDInt” -Description “LiveIDInt” -Realm $realm -ImportTrustCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim “http://schemas.xmlsoap.org/claims/EmailAddress”

And here’s the error:

New-SPTrustedIdentityTokenIssuer : https://login.live-int.com/login.srf
At line:1 char:43
+ $apSAML = New-SPTrustedIdentityTokenIssuer <<<< -Name "LiveIDInt" -Description "LiveIDInt" -Realm $realm -ImportTrus
tCertificate $cert -ClaimsMappings $map1,$map2 -SignInUrl $signinurl -IdentifierClaim "http://schemas.xmlsoap.org/claim
s/EmailAddress"
+ CategoryInfo : InvalidArgument: (https://login.live-int.com/login.srf:String) [New-SPTrustedIdentityTok
enIssuer], UriFormatException
+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletNewSPIdentityProvider

Any Ideas??

For some who may be having problems with the New-SPTrustedIdentityTokenIssuer statement. If you copy and paste the powershell script from this site, the dash “-” in the SignInUrl parameter is not the valid style for a dash and you will get an invalid parameter error. Just type over the dash with the normal minus sign and it should work.

Ok Guys, I am getting a step further at a time.. However I still need some help. I could successfully complete the configuration described in this article using the INT site, however our goal is to be on production, right? . Based on that, I decided to give this a try using the Production settings, to see if I could successfully configure my site to redirect to the Live.com production environment as I had it when I was using SP 2007.

My sites are registered in the live.com production environment through Azure Live Services. After repeating the configuration of this article using the production servers and settings, I made some strides but I am not there yet.. when I go to my site now, this is the url I see generated by sharepoint (I am replacing my domain with for this post):

- http:///_login/default.aspx?ReturnUrl=%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F&Source=%2F

Here I can select Windows Authentication or “Windows Live ID” (the STS I configured). Once I select the “Windows Live ID” option from the menu, I get redirected to this site:

-https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=&wctx=http%3a%2f%2f%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

And this page error is displayed:

“This displays an error: We’re unable to complete your request
Windows Live ID is experiencing technical difficulties. Please try again later.”

After doing some extra testing, I noticed, that if I manually add my site’s APPID (coming from Azure Live Services) to the url’s querystring the Sign in page takes me to once I select Windows Live from the menu (notice 1st parameter in the querystring):

https://login.live.com/login.srf?appid=XXXXXXXXXXXXXXXX&wa=wsignin1.0&wtrealm=&wctx=http%3a%2f%2f%2f_layouts%2fAuthenticate.aspx%3fSource%3d%252F

The authentication process works just great! I get redirected to the production login.live.com site, I enter my credentials, and I get redirected back to my site as expected.

Now, my question is: Is there a way to modify the PowerShell script above to have Sharepoint pass the appid as part of the querystring when selecting “Windows Live” from the Sign in page menu?

I think that will solve this issue.. Any thoughts guys?