I am trying to configure SSO using SAML and Azure AD. We have AD Connect to sync our on-premises accounts to Office 365. We run M-Files 2015.3.
I have followed the guide CONFIGURING SAML V2.0 AUTHENTICATION AGAINST AZURE AD.
I can't seem to get it to work. I am an IT consultant with no M-Files experience, and my client's M-Files reseller hasn't set up SSO before; in fact, I even went to another M-Files partner and they haven't either.
TCP 443 is NATed to our M-Files server, and M-Files Web and Client work as expected. We have a public certificate.
Settings are as follows. I have masked details for security, of course.
M-FILES SERVER
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication]
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication\Configurations]
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication\Configurations\MySAMLConfiguration]
"AuthenticationService"="SAML"
"IdentityProviderEntityID"="sts.windows.net/.../"
"ServiceProviderEntityID"="sts.windows.net/.../"
"LogClaims"="true"
"IdentityProviderCertificateThumbprint"="00 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 99"
"SecondaryIdentityProviderCertificateThumbprint"="99 88 77 66 55 44 33 22 11 00 99 88 77 66 55 44 33 22 11"
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication\Configurations\MySAMLConfiguration\ClientSpecific]
"SingleSignOnServiceUrl"="login.microsoftonline.com/.../saml2"
"AssertionConsumerServiceUrl"="ecm.domain.com.au/.../read"
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication\Configurations\MySAMLConfiguration\ServerSpecific]
"IdentityProviderMetadata"="login.microsoftonline.com/.../federationmetadata.xml"
"AccountClaim"="schemas.xmlsoap.org/.../name"
"LatestMetadataCheck"="2018-01-18T01:04:28"
"EnableLogging"="true"
[HKEY_LOCAL_MACHINE\SOFTWARE\Motive\M-Files\11.3.4330.196\Server\MFServer\Authentication\Scopes\*\Plugins\MFiles.AuthenticationProviders.Core]
"Configuration"="MySAMLConfiguration"
"IsDefault"=dword:00000001
AZURE AD
I created a new App Registration called M-Files SSO
App ID URI sts.windows.net/.../
Reply URL 1 https://ecm.domain.com.au
Reply URL 2 ecm.domain.com.au/.../esign
Reply URL 3 ecm.domain.com.au/.../read
API has delegate permissions "Sign in and read user profile"
I had 3 certificates listed in login.microsoftonline.com/.../federationmetadata.xml; these have been extracted and saved to the local machine Personal store on the server, with the thumbprints for 2 of them in the registry above.
EVENT LOG FOR M-FILES WEB ACCESS ATTEMPTS
When I try to log on to M-Files Web, I get redirected to Office 365 and authenticate; M-Files Web then throws up "M-Files Web 11.3.4330.196 Internal Server Error" and I am back at the logon screen for M-Files Web.
Event ID 4 Extracting a SAML assertion from the following SAML response looks ok
Event ID 4 Extracted a SAML assertion for validation looks ok
Event ID 4 The SAML assertion passed validity checks looks ok
I then get an event warning:
Processing the SAML response failed:
System.Runtime.InteropServices.COMException (0x80040001): Authentication failed.
CoMFilesServerApplication.cpp, 1882, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1155, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1261, Authentication failed. (0x8004001A)
MFilesSession.cpp, 2701, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3581, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3757, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCLogin.cpp, 1163, Authentication failed. (0x8004001A)
RPCLogin.cpp, 376, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 348, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 672, Authentication failed. (0x8004001A)
(M-Files 11.3.4330.196)
(0022)
at MFilesAPI.MFilesServerApplicationClass.ConnectWithAuthenticationDataEx3(PluginInfo PluginInfo, NamedValues AuthenticationData, String AttemptIdentifier, TimeZoneInformation TimeZone, String ProtocolSequence, String NetworkAddress, String Endpoint, Boolean EncryptedConnection, String LocalComputerName, Boolean AllowAnonymousConnection, String LogicalTargetServer, String ClientCulture)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt, String redirectUrl)
at MFiles.AuthenticationProviders.Core.CoreHttpHandler.ReadRequest(HttpContext context)
Also an event error:
The description for Event ID 3 from source M-Files cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Uncaught exception in M-Files Web Access:
System.Runtime.InteropServices.COMException (0x80040001): Authentication failed.
CoMFilesServerApplication.cpp, 1882, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1155, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1261, Authentication failed. (0x8004001A)
MFilesSession.cpp, 2701, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3581, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3757, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCLogin.cpp, 1163, Authentication failed. (0x8004001A)
RPCLogin.cpp, 376, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 348, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 672, Authentication failed. (0x8004001A)
(M-Files 11.3.4330.196)
(0022)
at MFilesAPI.MFilesServerApplicationClass.ConnectWithAuthenticationDataEx3(PluginInfo PluginInfo, NamedValues AuthenticationData, String AttemptIdentifier, TimeZoneInformation TimeZone, String ProtocolSequence, String NetworkAddress, String Endpoint, Boolean EncryptedConnection, String LocalComputerName, Boolean AllowAnonymousConnection, String LogicalTargetServer, String ClientCulture)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt, String redirectUrl)
at MFiles.AuthenticationProviders.Core.CoreHttpHandler.ReadRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
the message resource is present but the message is not found in the string/message table
Also an event error from ASP.NET:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 18/01/2018 2:31:33 PM
Event time (UTC): 18/01/2018 3:31:33 AM
Event ID: bed3d95d89de487383047b3d871dfeb2
Event sequence: 334
Event occurrence: 12
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT-1-131607130859005688
Trust level: Full
Application Virtual Path: /
Application Path: C:\Program Files\M-Files\11.3.4330.196\Server\MFWA\
Machine name: SERVER
Process information:
Process ID: 5064
Process name: w3wp.exe
Account name: IIS APPPOOL\M-Files 11.3.4330.196
Exception information:
Exception type: COMException
Exception message: Authentication failed.
CoMFilesServerApplication.cpp, 1882, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1155, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1261, Authentication failed. (0x8004001A)
MFilesSession.cpp, 2701, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3581, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3757, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCLogin.cpp, 1163, Authentication failed. (0x8004001A)
RPCLogin.cpp, 376, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 348, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 672, Authentication failed. (0x8004001A)
(M-Files 11.3.4330.196)
(0022)
at MFilesAPI.MFilesServerApplicationClass.ConnectWithAuthenticationDataEx3(PluginInfo PluginInfo, NamedValues AuthenticationData, String AttemptIdentifier, TimeZoneInformation TimeZone, String ProtocolSequence, String NetworkAddress, String Endpoint, Boolean EncryptedConnection, String LocalComputerName, Boolean AllowAnonymousConnection, String LogicalTargetServer, String ClientCulture)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt, String redirectUrl)
at MFiles.AuthenticationProviders.Core.CoreHttpHandler.ReadRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Request information:
Request URL: ecm.domain.com.au:443/.../read
Request path: /Authentication/MFiles.AuthenticationProviders.Core/read
User host address:
User:
Is authenticated: False
Authentication Type:
Thread account name: IIS APPPOOL\M-Files 11.3.4330.196
Thread information:
Thread ID: 84
Thread account name: IIS APPPOOL\M-Files 11.3.4330.196
Is impersonating: False
Stack trace: at MFilesAPI.MFilesServerApplicationClass.ConnectWithAuthenticationDataEx3(PluginInfo PluginInfo, NamedValues AuthenticationData, String AttemptIdentifier, TimeZoneInformation TimeZone, String ProtocolSequence, String NetworkAddress, String Endpoint, Boolean EncryptedConnection, String LocalComputerName, Boolean AllowAnonymousConnection, String LogicalTargetServer, String ClientCulture)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt, String redirectUrl)
at MFiles.AuthenticationProviders.Core.CoreHttpHandler.ReadRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
The description for Event ID 3 from source M-Files cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.
If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event:
Exception in M-Files Web Access:
System.Runtime.InteropServices.COMException (0x80040001): Authentication failed.
CoMFilesServerApplication.cpp, 1882, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1155, Authentication failed. (0x8004001A)
MFilesSession.cpp, 1261, Authentication failed. (0x8004001A)
MFilesSession.cpp, 2701, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3581, Authentication failed. (0x8004001A)
MFilesSession.cpp, 3757, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCMethodCallWithRetry.h, 226, Authentication failed. (0x8004001A)
RPCLogin.cpp, 1163, Authentication failed. (0x8004001A)
RPCLogin.cpp, 376, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 348, Authentication failed. (0x8004001A)
RPCLoginHelper.cpp, 672, Authentication failed. (0x8004001A)
(M-Files 11.3.4330.196)
(0022)
at MFilesAPI.MFilesServerApplicationClass.ConnectWithAuthenticationDataEx3(PluginInfo PluginInfo, NamedValues AuthenticationData, String AttemptIdentifier, TimeZoneInformation TimeZone, String ProtocolSequence, String NetworkAddress, String Endpoint, Boolean EncryptedConnection, String LocalComputerName, Boolean AllowAnonymousConnection, String LogicalTargetServer, String ClientCulture)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt)
at MFiles.Web.Service.ServerCommunicationProxy.Authenticate(HttpContext httpContext, IStringDictionary authdata, String attempt, String redirectUrl)
at MFiles.AuthenticationProviders.Core.CoreHttpHandler.ReadRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
the message resource is present but the message is not found in the string/message table
EVENT LOG FOR M-FILES WEB ACCESS ATTEMPTS
When I try to log on to the vault using the desktop client, I get redirected to the Office 365 logon portal, which works, then M-Files says logging into the vault failed, authentication failed.
No event errors, just:
Event ID 4 Extracting a SAML assertion from the following SAML response looks ok
Event ID 4 Extracted a SAML assertion for validation looks ok
Event ID 4 The SAML assertion passed validity checks looks ok
A few questions:
1. Any problems with my config above?
2. M-Files Web still shows the traditional logon as well as "logon using SAML", so users can bypass SAML. How do I force SAML all the time?
3. How do I disable SAML for M-Files Desktop? I really only want it for web and mobile.
4. IIS doesn't have any of the subdirectories for /Authentication/MFiles.AuthenticationProviders.Core in the content view, as is listed in the reply URL.
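Because the entity ID, SSO URL and certificate thumbprints in the registry above were copied by hand from federationmetadata.xml, a check that the two still agree is worth running before digging into the event log. The script below is an added example, not part of this post or of M-Files: it parses Azure AD style federation metadata, computes the SHA-1 thumbprint of each IdP signing certificate from the DER bytes inside `<X509Certificate>`, and compares the registry values (passed in as a dict of strings, e.g. copied from a `reg export`) with what the metadata says. The metadata, tenant id and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
MD, DS = "{urn:oasis:names:tc:SAML:2.0:metadata}", "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-ins for DER certificate bytes (not real certificates). A certificate
# thumbprint is SHA-1 over exactly the DER bytes that <X509Certificate> carries in base64.
CERT1_DER, CERT2_DER = b"constructed-idp-signing-cert-1", b"constructed-idp-signing-cert-2"
C1, C2 = (base64.b64encode(c).decode() for c in (CERT1_DER, CERT2_DER))
# Constructed metadata in the shape Azure AD publishes; the tenant id is a placeholder.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{C1}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>{C2}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def thumbprint(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()  # as the Windows certificate store shows it

def normalize(tp: str) -> str:
    return "".join(tp.split()).upper()  # the registry export uses '00 11 22 ...' spacing

def metadata_facts(xml_text: str) -> dict:
    """Entity ID, SSO locations and signing-cert thumbprints from federationmetadata.xml."""
    root = ET.fromstring(xml_text)
    idp = root.find(MD + "IDPSSODescriptor")
    certs = [base64.b64decode("".join(c.text.split()))
             for kd in idp.findall(MD + "KeyDescriptor") if kd.get("use", "signing") == "signing"
             for c in kd.iter(DS + "X509Certificate")]
    return {"entityID": root.get("entityID"),
            "sso": [e.get("Location") for e in idp.findall(MD + "SingleSignOnService")],
            "thumbprints": {thumbprint(c) for c in certs}}

def check_idp_config(xml_text: str, reg: dict) -> list:
    """Compare the M-Files registry values (as strings) with the IdP metadata; list mismatches."""
    facts, problems = metadata_facts(xml_text), []
    if reg.get("IdentityProviderEntityID") != facts["entityID"]:
        problems.append(f"IdentityProviderEntityID must be exactly {facts['entityID']}")
    if reg.get("SingleSignOnServiceUrl") not in facts["sso"]:
        problems.append(f"SingleSignOnServiceUrl is not one of {facts['sso']}")
    for key in ("IdentityProviderCertificateThumbprint", "SecondaryIdentityProviderCertificateThumbprint"):
        if key in reg and normalize(reg[key]) not in facts["thumbprints"]:
            problems.append(f"{key} matches no signing certificate in the metadata")
    return problems
```

Run it against the real federationmetadata.xml for the tenant and the exported registry values; an empty list means the IdP side of the registry matches the metadata, and each entry names the value to correct.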