Encountered error during federation passive request

Please help. I am having the same issue on two ADFS servers. I have already installed ADFS three times.

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/29/2010 3:26:57 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          INFYI1ADFSSRV
Computer:      Infy_ADFS.infy.com
Description:
Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Configuration.ReadServiceConfigFailedException: MSIS2001: Configuration service URL is not configured. ---> Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.get_ServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.GetHostNetTcpPort()
   at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()

Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()

System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)

System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0" Guid="{20E25DDB-09E5-404B-8A56-EDAE2F12EE81}" />
    <EventID>364</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000001</Keywords>
    <TimeCreated SystemTime="2010-09-29T07:26:57.536667700Z" />
    <EventRecordID>62</EventRecordID>
    <Correlation ActivityID="{06F955C3-7141-4E72-9934-F2F8CDDAB86D}" />
    <Execution ProcessID="1348" ThreadID="2644" />
    <Channel>AD FS 2.0/Admin</Channel>
    <Computer>Infy_ADFS.infy.com</Computer>
    <Security UserID="S-1-5-21-3099104782-3553834904-3296149652-1107" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <Data>Microsoft.IdentityServer.Configuration.ReadServiceConfigFailedException: MSIS2001: Configuration service URL is not configured. ---&gt; Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---&gt; System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---&gt; System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.get_ServiceConfiguration()
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.GetHostNetTcpPort()
   at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()

Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. The configuration service URL 'net.tcp://localhost:1500/policy' may be incorrect or the AD FS 2.0 Windows Service is not running. ---&gt; System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---&gt; System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.Search(Filter filter, Int32 maxObjects, String[] propertyNames, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.Search[T](Filter filter, Int32 maxItems, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyManagerBase.GetItem[T](Filter filter, String[] properties, PropertyFactoryBase propertyFactory)
   at Microsoft.IdentityServer.Configuration.ServiceConfigurationReader.ReadServiceConfiguration()

System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. The connection attempt lasted for a time span of 00:00:02.0635164. TCP error code 10061: No connection could be made because the target machine actively refused it 127.0.0.1:1500.  ---&gt; System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.BufferedConnectionInitiator.Connect(Uri uri, TimeSpan timeout)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStore.Search(FilterData filter, Int32 maxObjects, String[] propertyNames)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreClientManager.SearchWorker(Filter filter, Int32 maxObjects, String[] propertyNames, Boolean firstTry, PropertyFactoryBase propertyFactory)

System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)
   at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)

</Data>
      </EventData>
    </Event>
  </UserData>
</Event>
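The innermost exception in the event above is the socket refusal on 127.0.0.1:1500, which is exactly the case the ADMIN0017 text names: the AD FS 2.0 Windows Service is not running, so the web front end cannot read its configuration from the policy store. The script below is an added example, not part of the original post. It assumes the service name adfssrv and the default policy endpoint quoted in the event, and it reduces each Event 364 to its root-cause line and activity ID so the nested trace does not have to be read by hand.

```powershell
# Added example, not part of the original post. Triage for Event 364 with MSIS2001/ADMIN0017 on an
# AD FS 2.0 federation server. Assumptions: the Windows service is named adfssrv and the policy
# endpoint is the default net.tcp://localhost:1500/policy named in the event text.

function Get-InnermostException {
    # .NET renders nested exceptions as "Outer: msg ---> Inner: msg ---> ..." followed by stack
    # frames ("   at ..."). The last segment before the first frame is the root cause.
    param([Parameter(Mandatory = $true)][string]$EventText)

    $firstFrame = $EventText.IndexOf("`n   at ")
    $head = if ($firstFrame -ge 0) { $EventText.Substring(0, $firstFrame) } else { $EventText }
    $segments = $head -split '--->'
    return $segments[-1].Trim()
}

function Test-PolicyEndpoint {
    # Makes the same connection the web front end makes. A refusal (WinSock 10061) means nothing
    # is listening, which on a federation server means adfssrv is not running.
    param([string]$HostName = '127.0.0.1', [int]$Port = 1500)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        return $true
    } catch {
        Write-Warning ('{0}:{1} not reachable: {2}' -f $HostName, $Port, $_.Exception.GetBaseException().Message)
        return $false
    } finally {
        $client.Close()
    }
}

function Get-Recent364 {
    # Summarises the newest Event 364 entries down to root cause and activity ID (the GUID the
    # browser error page shows, used to correlate a user report back to the log).
    param([int]$Newest = 5, [string]$LogName = 'AD FS 2.0/Admin')

    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 364 } -MaxEvents $Newest -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ActivityId = $_.ActivityId
                RootCause  = Get-InnermostException -EventText $_.Message
            }
        }
}

# Constructed sample (the nested-exception line from the event above, abbreviated) so the parser
# can be exercised without a live log.
$sample = @'
Microsoft.IdentityServer.Configuration.ReadServiceConfigFailedException: MSIS2001: Configuration service URL is not configured. ---> Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreConnectionException: ADMIN0017: An exception occurred while connecting to the configuration service. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://localhost:1500/policy. ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:1500
   at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
'@
'Root cause of sample event: ' + (Get-InnermostException -EventText $sample)

# Live checks on this federation server.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'adfssrv is not installed on this host.'
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "adfssrv is $($svc.Status). Start it (Start-Service adfssrv) and read its own startup errors in the same log before retrying the sign-in."
} else {
    'adfssrv is running.'
}

if (Test-PolicyEndpoint) { 'Policy endpoint 127.0.0.1:1500 accepts connections.' }

try { Get-Recent364 | Format-Table -AutoSize } catch { Write-Warning "Could not read the AD FS 2.0/Admin log: $_" }
```

If adfssrv is running but the endpoint still refuses connections, the service is failing during its own start-up (commonly a configuration database it cannot reach, or a service account that cannot log on); its own error events in the same log, just before the first 364, are the next thing to read.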

Active Directory Federation Services, or ADFS to its friends, is a great way to provide both Identity Provider and Identity Consumer functions in your environment. With it, companies can provide single sign-on to their users and their customers, using claims-based access control to implement federated identity. It is based on the industry-supported Web Services Architecture defined in the WS-* specifications.

One common error that comes up when using ADFS is logged by Windows as Event ID 364, "Encountered error during federation passive request". The event is a generic failure of the passive (browser) sign-in path, so the exception text inside it is what identifies the actual cause. Three causes, all on the ADFS proxy side, account for most occurrences. If you encounter this error, see whether one of these solutions fixes things for you.

Time skew

Cause

ADFS proxies are typically not domain-joined, are located in the DMZ, and are frequently deployed as virtual machines. All of that means that the ADFS proxies may have unreliable or drifting clocks, and because they are not domain members they do not automatically synchronize with a domain controller the way domain-joined hosts do. Their clocks fall out of sync with the ADFS servers, resulting in failed authentication and Event ID 364.

Symptoms

The ADFS proxies' system time is more than five minutes off from domain time. Five minutes is the default clock-skew tolerance applied when token validity windows are checked, so drift beyond that makes freshly issued tokens look not yet valid or already expired. Authentication requests through the ADFS proxies fail, with Event ID 364 logged on the proxy. Authentication requests made directly to the ADFS servers succeed.

Resolution

Configure the ADFS proxies to use a reliable time source. One option is pool.ntp.org, if the proxies are allowed outbound NTP (UDP 123) to the Internet. Open an administrative command prompt and run this command:

w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update

If you have an internal time source such as a router or domain controller that the ADFS proxies can reach, use that instead, so that the proxies and the ADFS servers are disciplined by the same clock. After changing the configuration, force a synchronization with w32tm /resync and confirm the source and current offset with w32tm /query /status.

If your ADFS proxies are virtual machines, the hypervisor's integration tools may also push the host's clock into the guest, which can fight the guest's own NTP configuration. Either disable that host time sync or make sure the host itself is synchronized to a reliable time source.

Certificate Revocation Check Failing

Cause

ADFS proxies validate the SSL certificate the ADFS servers present when they establish the HTTPS session between them, and that validation includes a revocation check against the CRL or OCSP endpoints named in the certificate. A DMZ host that cannot reach those endpoints fails the check.

Symptoms

If an ADFS proxy cannot complete the revocation check when it attempts to establish an HTTPS session with the ADFS server, authentication requests through the proxy fail and the proxy logs Event 364. Authentication requests made directly to the ADFS servers succeed.

Resolution

Ensure that the ADFS proxies have working DNS resolution and access to the Internet, either directly or through a web proxy, so that they can query the CRL and/or OCSP endpoints of the public Certificate Authority that issued the certificate. The web proxy must allow these requests through without authentication: the revocation check runs in the proxy service's own context, with no user credentials to present.

Certificate Chain Fails

Cause

ADFS proxies need to validate the SSL certificate installed on the ADFS servers that is used to secure the connection between them, and they must trust the complete chain up to the root. Windows receives public root certificates through the automatic root update mechanism, which a DMZ host without Internet access, or one that has not been fully patched, may never have received. A root or intermediate from an internal PKI is not distributed to a non-domain-joined host at all and has to be imported by hand.

Symptoms

If an ADFS proxy does not trust the certificate when it attempts to establish an HTTPS session with the ADFS server, authentication requests through the proxy fail and the proxy logs Event 364. Authentication requests made directly to the ADFS servers succeed.

Resolution

Ensure that the ADFS proxies trust the certificate chain up to the root. The server certificate, any intermediate issuing certification authorities, and the root certification authority must be trusted in the context of the application pool service account, which means the missing certificates belong in the Local Computer store (Intermediate Certification Authorities and Trusted Root Certification Authorities respectively), not in an administrator's personal store. Running certutil -verify -urlfetch against the server certificate from the proxy shows exactly which link of the chain, or which revocation URL, is failing.
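The script below is an added example, not part of the original article. It runs the three proxy-side checks from the ADFS proxy itself: clock offset against a time source, and a chain build of the federation server's certificate with online revocation checking, which separates the revocation cause from the chain cause. sts.domain.com is a placeholder for the federation service name and pool.ntp.org for the time source (use whatever source the federation servers use); the five-minute limit is the one given above.

```powershell
# Added example, not from the original article. Run on an AD FS proxy. Assumed values:
# sts.domain.com stands in for the federation service name, pool.ntp.org for the time source
# the federation servers themselves use. Save as a .ps1 and run from an elevated prompt.
param(
    [string]$FederationServiceName = 'sts.domain.com',
    [string]$TimeSource = 'pool.ntp.org',
    [int]$MaxSkewSeconds = 300
)

function Get-ClockOffsetSeconds {
    # w32tm /stripchart /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample; the signed
    # value is this host's offset from the source. A few samples averaged smooths out jitter.
    param([Parameter(Mandatory = $true)][string]$Source)

    $lines = & w32tm /stripchart "/computer:$Source" /samples:3 /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No usable NTP reply from $Source. Output: $($lines -join ' | ')" }
    return ($offsets | Measure-Object -Average).Average
}

function Get-RemoteCertificate {
    # Fetches the leaf certificate the federation server presents on 443. The callback accepts
    # anything here because validation is done separately, with the policy we want to test.
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Test-CertificateChain {
    # Builds the chain the way the proxy must: complete to a trusted root, with online revocation
    # checking of every certificate. ChainStatus tells the two causes apart:
    #   UntrustedRoot / PartialChain                -> missing root or intermediate (chain fails)
    #   RevocationStatusUnknown / OfflineRevocation -> CRL/OCSP unreachable (revocation check fails)
    param([Parameter(Mandatory = $true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(20)
    $valid = $chain.Build($Cert)

    [pscustomobject]@{
        Subject = $Cert.Subject
        Valid   = $valid
        Chain   = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Status  = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

# 1. Time skew
$offset = Get-ClockOffsetSeconds -Source $TimeSource
if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning ('Clock is {0:N3} s off {1}, beyond the {2} s tolerance.' -f $offset, $TimeSource, $MaxSkewSeconds)
} else {
    'Clock offset from {0}: {1:N3} s' -f $TimeSource, $offset
}

# 2 and 3. Revocation check and certificate chain
$cert = Get-RemoteCertificate -HostName $FederationServiceName
Test-CertificateChain -Cert $cert | Format-List
```

Run it in the same context as the proxy's service where you can: revocation retrieval honours the WinHTTP proxy settings of the account making the call (netsh winhttp show proxy), so a chain that builds cleanly in an administrator's desktop session can still fail for the application pool identity. Valid = False with RevocationStatusUnknown or OfflineRevocation in Status points at the second cause; UntrustedRoot or PartialChain points at the third.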

That accounts for the most common causes and resolutions for ADFS Event ID 364. If you have encountered this error and found another cause, please leave a comment below and let us know what you found the cause and resolution to be.


Encountered error during federation passive request


Question

I set up an ADFS server on Windows Server 2012 R2 and it seems to be working fine. For testing purposes, I use the following URL: https:// /adfs/ls/IdpInitiatedSignon.aspx

Logging in using any domain administrator accounts works. However when I tried to login using any accounts which are not a domain administrator, it fails.

I get the following error shown in the web browser:

I get the following error in the ADFS server event log:

Please note that the username and password entered are correct.

I see that the Activity ID is given in the error message on the web browser but so far, I can’t figure out where to look for the log file.

Any help would be greatly appreciated.

Thanks in advance.

I hope the links below are helpful for you:

ADFS Proxy 364 Event

ADFS – Event ID 364

In addition, for ADFS-related issues, please post in the forum below:

I'm having a very similar issue with ADFS on 2012 R2. The contents of my event log are slightly different, but the symptoms are exactly the same. If a domain admin logs in, ADFS successfully authenticates, but when any non-admin account logs in, it fails. The web page says "an error occurred" with very little information, and I get the event log entry saying the user name or password is incorrect, but like Programatix, I know they are correct, and have tried multiple accounts.

Has anyone found a resolution yet? (sorry Yan Li, your links didn’t help me)

Encountered error during federation passive request.


Encountered error during federation passive request


Question

I am trying to get ADFS working in my environment to work with our external Intranet provider.

DMZ Server — Proxy Role installed
Internal Server — ADFS 2.0 Installed

external A Record: sts.domainname.com

When I go to sts.domainname.com/adfs/ls I get this error:

In Event Viewer on the ADFS server I get this error:

Encountered error during federation passive request.

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7000: The sign in request is not compliant to the WS-Federation language for web browser clients or the SAML 2.0 protocol WebSSO profile.
at Microsoft.IdentityServer.Web.Dispatchers.UnknownRequestDispatcher.DispatchInternal(PassiveContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequestInternal(PassiveContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolHandler.ProcessRequest(HttpContext context)

If you require further information then please ask


Encountered error during federation passive request

1. Make sure IWA is on.

4. Select the RP until you reach the site, at which point your SSO should happen. Stop Fiddler and check the trace for a SAML POST to your vendor. If there is none:

5. Check your RP settings and your event logs.

6. If they're correct, ask your vendor to check the Fiddler logs.

/adfs/ls is an endpoint; hitting http://sts.domain.com/adfs/ls will take you nowhere, whether you access it from the ADFS server or from a workstation.

Check this as well:

How was the RP created: from a metadata XML, or manually by entering the identifier and the endpoints? (If manual, check the syntax; the matching is strict, with no upper-case/lower-case mismatches allowed.)

Normally a vendor would give you a URL; if they don't, you are to ask for it.

Hitting this URL with IWA turned on should trigger the SSO:

https://MYDOMAIN.THEREDOMAIN.com/Interact/Login/default.aspx, but check with the vendor on this; there are different ways in which the vendor could configure the URL for SSO.

Normally an ADFS setup would be like this:

-> ->ADFS Proxy -> ADFS Server

There should be an external IP for sts.domain.com and an internal IP for sts.domain.com (this points to ADFS Server not Proxy).

Your proxy is sitting behind a firewall, so the minute an external access is triggered it would be redirected to your ADFS proxy, which has a proxy trust with your ADFS server.

I am prompted with this:

I can then change to InteractGo and click Continue to Sign, which brings up a logon box; it then redirects me to the webpage for InteractGo, but I still have to enter my credentials again to log on to the site.

That is not an SSO, nor are you

/adfs/ls is an endpoint, not your sign-on page.

Have you configured SSO with your vendor? If you are the Identity Provider, then you should have a Relying Party Trust for your vendor (which you do); your vendor likewise should have a claim provider trust or an RP-STS at their end to establish an SSO.

Depending upon the protocol choice, WS-Fed or SAML 2.0, you configure the SP-initiated sign-on or IdP-initiated sign-on.

Can you share what federation platform your vendor is using? Have they shared a Single Sign On URL with you?

Yes, I have a Relying Party Trust set up and I have a URL

So, I have a Claim Provider Trust set up for AD

I have a Relying Party Trust set up for Send Email to NameID

I have an Endpoint URL

This endpoint, is it your vendor's?

In regards to this portion

"I can then change to InteractGo and click Continue to Sign, which brings up a logon box; it then redirects me to the webpage for InteractGo, but I still have to enter my credentials again to log on to the site.", can you take a trace to see if the vendor site is accepting your claims?

Yeah, the vendor's endpoint.
They provided that.

How can I get a trace?

Property                Value
Claim rule name         Send Email to NameID
Attribute store
LDAP Attribute
Outgoing Claim Type

Downloaded Fiddler and installed it

but when I access either
https://sts.DOMAIN.com/adfs/ls/

I don't see anything, unless I am doing something wrong.

Is this all the traffic you see on opening the browser? Is HTTPS decryption enabled (Tools -> Fiddler Options)?

Is the vendor site added to your Intranet zone and IWA turned on?

If Fiddler seems a bit overwhelming, you can try Firefox with SAML 2.0 tracer.

Just get a 404 not found

What else do you need to see?

Also yes, I have added it to trusted sites, and also tried intranet.

If I am local on the server and I browse to /adfs/ls I get the same errors as above.

Just to give you a picture of the setup

sts.domain.com points to my WAN IP, which forwards 443 traffic to a Web App Proxy server set up for ADFS.

ADFS Proxy is configured to point to sts.domain.com for its Federation server.
Host record on the server has an IP for sts.domain.com to the internal ADFS Server
Route on DMZ Server to send traffic for the internal LAN to the firewall

Firewall allows HTTPS (443) traffic from DMZ to ADFS Server

Federation Service display name: domain.com
Federation Service name: sts.domain.com
Federation Service identifier: http://sts.domain.com/adfs/services/trust

By the looks of things, I am getting a 404 error whether I test this from the LAN, the ADFS Server or externally.

But when I test it, the ADFS Server does get an error in the logs, which I posted in my first post.

Do I have something set up wrong on the names?

So IWA is enabled on IE.

I go to that URL, I select the RP, and get redirected and prompted to log on with a logon box. I enter credentials, then it redirects to the vendor's endpoint that they provided.

So it does redirect to their web page endpoint, but I am prompted to log on when it should use IWA and just go straight through.

On Fiddler I can see the SAML request and where it then redirects to the vendor's page.

I can share this with you if you want.

The other thing I think might be an issue, and need confirming, is:

sts.MYDOMAIN.com external A record points to my WAN IP, e.g. 123.123.123.123, which my firewall redirects to the DMZ Proxy server.

Proxy is configured to connect to sts.mydomain.com, which has a host record pointing to the internal LAN ADFS Server on e.g. 10.10.10.10.

This is directed via the firewall and 443 traffic is allowed.

Now on the ADFS Server, is this correct:

The configuration is correct.

The logon box you are prompted for, is it the ADFS prompt or the vendor logon? If it's the ADFS logon prompt, and IWA is turned on, then are the ADFS SPNs registered? Because that would mean that inside the domain Kerberos authentication is not happening and a forms-based authentication is taking place.

If it's the vendor prompt, then single sign-on is not happening at all; you should chase your vendor then.

Identity Provider's responsibility (that is you) would lie till the claims POST from your IdP to the vendor.

Service Provider's call (that is your vendor) would lie after the claims POST from your IdP to them.

If Fiddler shows that you are doing the correct POST, then talk to your vendor; they will definitely have some errors in their logs which would help you to track it down.

Another thing to note is that ADFS is certificate-based communication; if your ADFS server is not internet facing, then it may fail the certificate revocation check. Make sure you disable the certificate revocation check for that RP created by you for your vendor, for both the Token Signing and Encryption Certificate.

Source

  • Question

  • Help me to solve the following issue.

    Log Name:      AD FS 2.0/Admin
    Source:        AD FS 2.0
    Date:          9/9/2011 11:26:57 PM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          GENEVATESTadministrator
    Computer:      AspireVM7-15.genevatest.cellosaas.com
    Description:

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    System.NullReferenceException
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementObject.Initialize(Boolean getObject)
       at System.Management.ManagementBaseObject.get_Properties()
       at System.Management.ManagementBaseObject.GetPropertyValue(String propertyName)
       at System.Management.ManagementBaseObject.get_Item(String propertyName)
       at Microsoft.IdentityServer.Web.PassiveWmiUtility.SettingsObject.get_Item(String propertyName)
       at Microsoft.IdentityServer.Web.PassiveWmiUtility.IsProxy()
       at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetIssuerFriendlyName()

    Encountered error during federation passive request.

    Additional Data

    Exception details:
    System.NullReferenceException
       at System.Runtime.InteropServices.Marshal.ThrowExceptionForHRInternal(Int32 errorCode, IntPtr errorInfo)
       at System.Management.ManagementObject.Initialize(Boolean getObject)
       at System.Management.ManagementBaseObject.get_Properties()
       at System.Management.ManagementBaseObject.GetPropertyValue(String propertyName)
       at System.Management.ManagementBaseObject.get_Item(String propertyName)
       at Microsoft.IdentityServer.Web.PassiveWmiUtility.SettingsObject.get_Item(String propertyName)
       at Microsoft.IdentityServer.Web.PassiveWmiUtility.IsProxy()
       at Microsoft.IdentityServer.Web.PassivePolicyManager..ctor()
       at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

    I tried that setspn also. But still it's throwing the same error for me.

    Thanks in advance.

Answers

  • We need to have 3 machines to test ADFS.

    One machine for the ADFS Server, another one for the Domain Controller and the last one for the Application server.

    Now my application is working fine… :)

    Thanks for all your response.

    • Marked as answer by

      Monday, September 26, 2011 9:53 AM

Here you find a PowerShell script which was very useful for me.
All scripts are free of charge; use them at your own risk:


Problem

This week I had a customer who had an error on their ADFS server; this error occurred internally and externally, and also with the ADFS test site.

No user was able to work with their Office application, because synchronization to Microsoft was not possible.

Error :
• Activity ID: c2a60103-7ffc-48e0-8ba5-0080020000ca
• Error time: Tue, 24 Dec 2019 07:37:53 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; rv:11.0) like Gecko

In the event log there is an error:

Log Name: AD FS/Admin
Source: AD FS
Date: 12/24/2019 11:25:08 AM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: DOMAINadfs-admin
Computer: DXP-0430-ADFS21.Domain.nl
Description:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>364</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2019-12-24T10:25:08.815259600Z" />
<EventRecordID>11621</EventRecordID>
<Correlation ActivityID="{ED917B3C-CC41-408D-2C00-0080000000FB}" />
<Execution ProcessID="5312" ThreadID="1488" />
<Channel>AD FS/Admin</Channel>
<Computer>DXP-0430-ADFS21.Domain.nl</Computer>
<Security UserID="S-1-5-21-1659004503-789336058-839522115-9634" />
</System>
<UserData>

<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>
</Data>
<Data>
</Data>
<Data>Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext&amp; protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext&amp; protocolContext, PassiveProtocolHandler&amp; protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
</Data>
</EventData>
</Event>
</UserData>
</Event>

Solution

Get-AdfsProperties | fl *idpinitiatedsignon*

RelayStateForIdpInitiatedSignOnEnabled : False
EnableIdpInitiatedSignonPage : False

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
Get-AdfsProperties | fl *idpinitiatedsignon*

RelayStateForIdpInitiatedSignOnEnabled : False
EnableIdpInitiatedSignonPage : True
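The threads above each trace Event ID 364 back to a different MSIS code: the configuration service not reachable, /adfs/ls hit directly, an expired passive-protocol cookie, the IdP-initiated sign-on page disabled, and a failed revocation check on the vendor RP. The following PowerShell triage script is an added example, not code from any of the posts or from the blog's solution; it assumes it runs on the AD FS server with the ADFS module loaded, and its cause table is a summary of this page's threads, not an official Microsoft mapping.

```powershell
# Added triage helper (not from the original threads). Pulls AD FS/Admin event 364
# entries, extracts the MSIS code from the exception text and maps it to the
# causes discussed on this page. Run elevated on the AD FS server.

# Cause table summarising the threads above (assumption: a page summary, not an official mapping).
$Causes = @{
    'MSIS2001' = 'Configuration service unreachable: check the AD FS Windows service (adfssrv) is running and listening on net.tcp://localhost:1500/policy.'
    'MSIS7000' = 'Request is not a valid WS-Fed/SAML message: /adfs/ls was opened directly instead of via the RP or the IdP-initiated sign-on URL.'
    'MSIS7001' = 'Passive protocol context cookie missing or expired: logon page left idle too long, or the browser is blocking cookies.'
    'MSIS7012' = 'IdP-initiated sign-on page is disabled: see EnableIdpInitiatedSignonPage below.'
}

function Get-AdfsPassiveRequestErrors {
    param([int]$Hours = 24, [string]$LogName = 'AD FS/Admin')   # 'AD FS 2.0/Admin' on ADFS 2.0
    $filter = @{ LogName = $LogName; Id = 364; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The code sits inside the exception text, e.g. "...Exception: MSIS7012: ..."
        $code = if ($_.Message -match 'MSIS\d{4}') { $Matches[0] } else { 'unknown' }
        $cause = if ($Causes.ContainsKey($code)) { $Causes[$code] } else { 'Not covered here; read the full exception text.' }
        [pscustomobject]@{ Time = $_.TimeCreated; Code = $code; Cause = $cause }
    }
}

# Summary of the last 24 hours: one line per MSIS code, most frequent first.
Get-AdfsPassiveRequestErrors -Hours 24 | Group-Object Code | Sort-Object Count -Descending |
    ForEach-Object { '{0,-8} x{1,-4} {2}' -f $_.Name, $_.Count, $Causes[$_.Name] }

# Configuration state behind MSIS7012 (the blog's fix) and the revocation-check advice
# from the first thread: both are read-only here; change them deliberately, per RP.
$props = Get-AdfsProperties
"EnableIdpInitiatedSignonPage = $($props.EnableIdpInitiatedSignonPage)"
Get-AdfsRelyingPartyTrust |
    Select-Object Name, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck
```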

#adfs #pingfederate

Question:

I am using the PingFederate HTML Form Adapter and ADFS for a simple login page and user authentication. If the user leaves the login page open/idle for 10 or more minutes, then enters credentials and clicks "Sign in", I get the exception below. If the login is done before 10 minutes, it works fine. Is there a timeout in ADFS that I can increase?

Encountered error during federation passive request.

Additional Data

Protocol Name: Saml

Relying Party:

Exception details: Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request. at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetOriginalRequestFromResponse(ProtocolContext context, Boolean deleteCookie) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Answer #1:
