ADFS 4.0 fail to redirect success IDP logon

I have configured AD FS on a Windows 2016 server to authenticate against a national IDP. I get a successful logon from the IDP, but when I return to the AD FS server it fails to redirect to my web site (wtrealm parameter). I get "Error occurred" in my browser, and the Application log AD FS/Admin on my server logs Event ID 364 "Encountered error during federation passive request".

How can I trace this error in order to investigate what is going wrong?

Complete Error Message:

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
 

Exception details:
System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] data, RSAEncryptionPadding padding)
   at System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbIn)
   at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityServer.Tokens.ReferenceTokenHandler.TokenFromString(String token)
   at Microsoft.IdentityServer.Service.Tokens.MSISReferenceTokenHandler.ResolveSamlArtifact(ReferenceToken referenceToken)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateAndSaveSamlSession(ProtocolContext context, SecurityTokenElement requestedTokenElement)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

2 Replies
best response confirmed by Tore Veiseth (Copper Contributor)
Solution

Because it fails with the crypto issue, my guess would be:

1. They are using token encryption

2. They used the wrong certificate to encrypt the token

As a result, ADFS cannot parse the SAML structure properly. I have seen that in the past. Many third-party IDPs assume that ADFS is using the same certificate for token signature and token encryption. But that's not the case. Contact them and make them double check their configuration (ensure they are using the right certificate for the right purpose).
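As an added example that is not part of this thread, the check below implements Pierre's diagnosis from the AD FS side: it parses the SP role of an AD FS federation metadata document, separates the KeyDescriptor use="signing" and use="encryption" certificates, and reports whether the certificate an IdP encrypts assertions to is the token-decrypting one or, as in the misconfiguration described above, the token-signing one. The metadata document and the certificates in it are constructed placeholders (not real DER certificates); the endpoint path https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml is the standard AD FS metadata location, and the function and sample names are this example's own. Thumbprints are SHA-1 over the DER bytes, which is what the Windows certificate UI displays.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def fake_cert_b64(label: str) -> str:
    """Constructed placeholder: real metadata carries a base64 DER X.509 certificate here."""
    return base64.b64encode(label.encode()).decode()


# Constructed, minimal stand-in for an AD FS FederationMetadata.xml SP role.
# AD FS advertises separate certificates for the two purposes, which is the point of the thread.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" xmlns:ds="{DS_NS}" entityID="http://adfs.example.test/adfs/services/trust">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert_b64("constructed-token-decrypting-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{fake_cert_b64("constructed-token-signing-cert")}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64-encoded DER certificate, upper-case hex as Windows shows it."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def certs_by_use(metadata_xml: str) -> dict:
    """Map each KeyDescriptor 'use' in the SP role to the thumbprints it advertises.

    A KeyDescriptor without a 'use' attribute is valid for both purposes per the SAML
    metadata specification, so it is recorded under both keys.
    """
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for role in root.iter(f"{{{MD_NS}}}SPSSODescriptor"):
        for kd in role.iter(f"{{{MD_NS}}}KeyDescriptor"):
            use = kd.get("use")
            uses = [use] if use else ["signing", "encryption"]
            for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
                tp = thumbprint(cert.text or "")
                for u in uses:
                    result.setdefault(u, []).append(tp)
    return result


def classify_idp_cert(metadata_xml: str, idp_encrypts_with: str) -> str:
    """Report whether the certificate the IdP encrypts to is the one AD FS can decrypt with."""
    certs = certs_by_use(metadata_xml)
    tp = idp_encrypts_with.replace(" ", "").replace(":", "").upper()
    if tp in certs["encryption"]:
        return "ok: IdP encrypts to the token-decrypting certificate"
    if tp in certs["signing"]:
        return "mismatch: IdP encrypts to the token-signing certificate"
    return "unknown: certificate is not advertised in the AD FS metadata"


if __name__ == "__main__":
    for label in ("constructed-token-decrypting-cert", "constructed-token-signing-cert"):
        tp = thumbprint(fake_cert_b64(label))
        print(f"{label}: {tp} -> {classify_idp_cert(SAMPLE_METADATA, tp)}")
```

To run this against a real deployment, replace SAMPLE_METADATA with the text fetched from the AD FS metadata endpoint and pass the thumbprint of the certificate the IdP operator has loaded for encryption. On the AD FS server itself the same two thumbprints can be read with Get-AdfsCertificate -CertificateType Token-Decrypting and Get-AdfsCertificate -CertificateType Token-Signing, which is the quickest way to confirm which of the two the IdP should have been given. A "mismatch" result is the configuration that produces the RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange failure in the stack trace above, since AD FS has no private key that can unwrap the encrypted session key.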

Thanks for this tip Pierre. I had to use the same certificate for signature and encryption in my ADFS configuration.
