Today in a fresh AD FS lab environment I encountered a strange error: an NTLM logon prompt, almost as expected although I had hoped for SSO. After I entered my username and password I was redirected to a new page, https://FQDN/adfs/ls/wia, which returned HTTP Error 400 Bad Request (I have obviously changed the URL in the picture, as I am not using contoso.com).
A simple Google search pointed me to this forum post.
It turns out I had used a CNAME for my AD FS FQDN. This causes some issues with the SPN, but I will not try to explain the details as I do not fully understand them myself… The fix for me was to replace that CNAME with an A record of the same name, pointing to the IPv4 address of my AD FS server. After I changed this, Single Sign-On started working perfectly. Also make sure the AD FS FQDN is listed in Internet Explorer's “Local Intranet Sites”.
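Here is a small PowerShell check script, added as an example and not part of the original post, that verifies the conditions described above on a domain-joined client: that the AD FS FQDN resolves through an A record rather than a CNAME, that the HTTP/<fqdn> SPN is registered, and that the name sits in the current user's Local Intranet zone. The FQDN and service account names are placeholders you must replace.

```powershell
# Added example, not from the original post. The two values below are
# assumptions: put your own AD FS farm FQDN and AD FS service account here.
$AdfsFqdn       = 'adfs.contoso.com'   # placeholder: your AD FS FQDN
$ServiceAccount = 'CONTOSO\svc_adfs'   # placeholder: your AD FS service account

# 1. DNS: the AD FS name should be an A record, not a CNAME.
#    Resolve-DnsName returns the CNAME record (if any) together with the
#    A records it ultimately points to, so we look for a CNAME in the result.
$records = Resolve-DnsName -Name $AdfsFqdn -ErrorAction Stop
$cname   = $records | Where-Object { $_.Type -eq 'CNAME' }
if ($cname) {
    Write-Warning "$AdfsFqdn is a CNAME for $($cname.NameHost); replace it with an A record"
} else {
    $a = $records | Where-Object { $_.Type -eq 'A' }
    Write-Host "OK: $AdfsFqdn is an A record -> $($a.IPAddress -join ', ')"
}

# 2. SPN: Kerberos needs HTTP/<fqdn> registered on the AD FS service account.
#    setspn -Q prints 'No such SPN found.' when nothing matches.
$spnQuery = setspn -Q "HTTP/$AdfsFqdn"
if ($spnQuery -match 'No such SPN found') {
    Write-Warning "HTTP/$AdfsFqdn is not registered; expected on $ServiceAccount"
} else {
    Write-Host "OK: SPN lookup for HTTP/$AdfsFqdn returned:"
    $spnQuery | Write-Host
}

# 3. Local Intranet zone (per-user setting). Internet Explorer stores site-to-zone
#    assignments under ZoneMap\Domains\<domain>\<host>, value 'https' or 'http'
#    with data 1 meaning 'Local intranet'. Lists pushed by Group Policy live under
#    HKLM instead, so a miss here is only a hint to check policy as well.
$labels   = $AdfsFqdn.Split('.')
$zoneKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' +
            ($labels[1..($labels.Count - 1)] -join '.') + '\' + $labels[0]
$zone     = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
if ($zone -and ($zone.https -eq 1 -or $zone.http -eq 1)) {
    Write-Host "OK: $AdfsFqdn is mapped to the Local Intranet zone for this user"
} else {
    Write-Warning "$AdfsFqdn is not in this user's Local Intranet zone (check Group Policy under HKLM too)"
}
```

Run it on the client where SSO fails; a warning in step 1 reproduces the CNAME situation described in the post, and step 3 only covers the per-user zone list.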
Hope this can help someone with the same issue!