 

How do I configure client and relying party trust on Windows 2016 RTM ADFS for a rich client or web app?

I have previously got a rich client authenticating with Windows 2012 R2 ADFS and documented it here. We are moving to Windows 2016 RTM ADFS (because 2012 R2 does not support Web Apps/ADAL.js properly) and I am struggling to translate/extend that config to work. Whatever I do, I get an error as soon as the client hits ADFS:

 MSIS9321: Received invalid OAuth request. The client 'LL957F23-D6C5-4D52-8A40-4F26B3408888' is forbidden to access the resource '<relying-party-url>' 

I've found several responses to this problem for preview versions of ADFS 2016, and all suggest the same solution - to setup the Relying Party using powershell and specify the following option:

-IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

However, I have taken the exact code shown by those solutions and tried both manually setting the Access Control Policy to "Permit Everyone" (the default) and alternatively using the -IssuanceAuthorizationRules setup, and neither solves this problem.

Does anyone have other solutions for this error or experience with ADFS on Win 2016 RTM?

Peter asked Feb 04 '23 19:02


1 Answer

OK, I have got this working. There is some additional configuration when compared to ADFS on Windows 2012 R2.

On Windows Server 2016 ADFS, we need to setup an Application Group, which links one or more clients to the service(s) (Relying Parties) they wish to use.

Open the ADFS Management console and on the left hand side right-click on "Application Groups" and "Add Application Group..."

First tab in the "Add Application Group" wizard

Choosing one of the Client-Server templates allows you to set up a linked client and server in one pass of the wizard. If, like me, you have already defined your client app, you can select the Standalone Web API and link your existing client later.

Page 2 of the wizard in this case requires just the Web Api identifier - target resource URL or other string identifier (it must be unique across all Relying Parties on ADFS).

On page 3 you choose an Access Control Policy - I took the default, for now, of "Permit Everyone".

On page 4 you can add your existing client(s) which need tokens to access the web API in the top panel, and specify the scopes permitted: such as OpenID Connect authorization or the ability to request a refresh token.

Page 4 of the wizard when adding a standalone web api

And that's it. This got rid of the "The client is forbidden to access the resource" error for me. I did not have to use the custom -IssuanceAuthorizationRules described in other posts.

Peter answered Feb 08 '23 16:02
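The same Application Group setup as a script, added here as an example rather than taken from the answer above. It uses the ADFS PowerShell cmdlets that ship with Windows Server 2016 (New-AdfsApplicationGroup, Add-AdfsNativeClientApplication, Add-AdfsWebApiApplication, Grant-AdfsApplicationPermission). The group name, client identifier, redirect URI and Web API identifier are placeholders chosen for illustration; substitute your own. The point it makes explicit is step 4: the MSIS9321 "client ... is forbidden to access the resource" error is raised when no permission links the client_id to the resource identifier, which is what page 4 of the wizard creates, and the final Get-AdfsApplicationPermission call is the check that the link exists.

```powershell
# Added example, not code from the original post. Run in an elevated
# PowerShell session on the Windows Server 2016 ADFS server.
# All identifiers below are assumed placeholders for illustration.

$groupName   = 'RichClientGroup'                          # assumed application group name
$clientId    = [guid]::NewGuid().Guid                     # client_id the rich client will present (assumed new client)
$redirectUri = 'https://localhost/rich-client/callback'   # assumed redirect URI registered for the client
$apiId       = 'https://api.example.com/'                 # assumed Web API identifier = the OAuth "resource" value

# 1. Application group that ties client(s) to the Web API(s) they may call.
New-AdfsApplicationGroup -Name $groupName -ApplicationGroupIdentifier $groupName

# 2. The client that requests tokens (wizard: "Native application").
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Native client" `
    -Identifier $clientId `
    -RedirectUri $redirectUri

# 3. The relying party (wizard: "Web API") with the built-in "Permit everyone"
#    access control policy. No custom -IssuanceAuthorizationRules are needed.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $groupName `
    -Name "$groupName - Web API" `
    -Identifier $apiId `
    -AccessControlPolicyName 'Permit everyone'

# 4. What page 4 of the wizard does: permit this client_id to obtain tokens for
#    this resource. Without this link ADFS answers the token request with
#    MSIS9321 "The client '<id>' is forbidden to access the resource '<api>'".
#    'openid' corresponds to the "OpenID Connect authorization" scope in the wizard.
Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId `
    -ServerRoleIdentifier $apiId `
    -ScopeNames 'openid'

# Check: the client must be listed with the Web API identifier as ServerRoleIdentifier.
# If this returns nothing for your client_id, the MSIS9321 error is expected.
Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId |
    Format-List ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames
```

If the client already exists (the asker's situation), skip step 2 and pass the existing client's identifier to Grant-AdfsApplicationPermission; the identifier must match the client_id the application sends in its token request exactly. The -ServerRoleIdentifier must likewise match the resource value the client requests, which is why the Web API identifier has to be unique across the relying parties on the farm.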