
ADFS 4.0 fail to redirect success IDP logon

Tore Veiseth

I have configured AD FS on a Windows 2016 server to authenticate against a national IDP. I get a successful logon from the IDP, but when I return to the ADFS server, it fails to redirect to my web site (wtrealm parameter). I get "Error occurred" in my browser, and the AD FS/Admin event log on my server records Event ID 364 "Encountered error during federation passive request".

How can I trace this error in order to investigate what is going wrong?


Complete Error Message:

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:

Exception details:
System.Security.Cryptography.CryptographicException: The parameter is incorrect.

   at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
   at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
   at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] data, RSAEncryptionPadding padding)
   at System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbIn)
   at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityServer.Tokens.ReferenceTokenHandler.TokenFromString(String token)
   at Microsoft.IdentityServer.Service.Tokens.MSISReferenceTokenHandler.ResolveSamlArtifact(ReferenceToken referenceToken)
   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateAndSaveSamlSession(ProtocolContext context, SecurityTokenElement requestedTokenElement)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
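Added example for the tracing question, not part of the original post: the Admin log only carries the Event ID 364 summary, while the AD FS Tracing/Debug channel (disabled by default) records the token-processing steps that lead up to the exception. The script below enables that channel around one reproduction of the failing sign-in, then reads the 364 event and the trace events from the same time window. It assumes it is run in an elevated PowerShell session on the AD FS server and that the failure is reproduced within the 15-minute window used for the filter.

```powershell
# Capture an AD FS debug trace around one failing sign-in (run elevated on the AD FS server).

# 1. Enable the debug channel. It is off by default and very verbose, so keep the window short.
wevtutil set-log "AD FS Tracing/Debug" /e:true /q:true

# 2. Reproduce the failing sign-in from a browser, then disable the channel again;
#    analytic/debug channels are read after they have been disabled.
Read-Host "Reproduce the failing sign-in now, then press Enter"
wevtutil set-log "AD FS Tracing/Debug" /e:false /q:true

# 3. Pull the Event ID 364 from AD FS/Admin for the same window (summary + exception).
$since = (Get-Date).AddMinutes(-15)   # assumed window; widen if the repro took longer
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } |
    Format-List TimeCreated, Message

# 4. Show the trace events, oldest first, so the steps before the exception read in order.
#    Debug channels require -Oldest; -ErrorAction handles the case where no events were written.
Get-WinEvent -LogName 'AD FS Tracing/Debug' -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $since } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -AutoSize -Wrap
```

In the trace, look for the events immediately before the CryptographicException: they identify the step (here, reading the EncryptedAssertion of the SAML response) that failed, which the 364 summary alone does not show.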


2 Replies
Solution

Because it fails with the crypto issue, my guess would be:

1. They are using token encryption

2. They used the wrong certificate to encrypt the token

As a result, ADFS cannot parse the SAML structure properly. I have seen that in the past. Many third party IDP assume that ADFS is using the same certificate for token signature and token encryption. But that's not the case. Contact them and make them double check their configuration (ensure they are using the right certificate for the right purpose). 
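Added example, not from the thread: the stack trace in the question fails inside RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange while reading the EncryptedAssertion, that is, AD FS tried to unwrap the RSA-wrapped session key with its token-decrypting private key and the ciphertext was not made for that key. The script below checks that directly. It assumes the sign-in response has been saved as decoded XML (for example with a browser SAML-tracing extension) and that it runs on an AD FS server where the ADFS PowerShell module is available; the response embedded in it is a constructed sample, not a real capture, and uses a placeholder thumbprint.

```powershell
# Which key did the IdP encrypt the assertion to, and does AD FS hold it?

function Get-SamlEncryptionKeyReference {
    param([Parameter(Mandatory)][xml]$Response)

    $ns = New-Object System.Xml.XmlNamespaceManager($Response.NameTable)
    $ns.AddNamespace('xenc', 'http://www.w3.org/2001/04/xmlenc#')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('o',    'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd')

    # The RSA-wrapped session key is in xenc:EncryptedKey; its ds:KeyInfo names the
    # public key the IdP encrypted to. Three common encodings are handled below.
    $encKey = $Response.SelectSingleNode('//xenc:EncryptedKey', $ns)
    if (-not $encKey) { return [pscustomobject]@{ Kind = 'None'; Thumbprint = $null; Detail = 'no EncryptedKey: assertion is not encrypted' } }

    $certNode = $encKey.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if ($certNode) {   # full certificate embedded: decode it and take its thumbprint
        $raw  = [Convert]::FromBase64String(($certNode.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        return [pscustomobject]@{ Kind = 'X509Certificate'; Thumbprint = $cert.Thumbprint; Detail = $cert.Subject }
    }

    $kid = $encKey.SelectSingleNode('ds:KeyInfo/o:SecurityTokenReference/o:KeyIdentifier', $ns)
    if ($kid -and $kid.GetAttribute('ValueType') -like '*#ThumbprintSHA1') {
        # Base64 of the 20-byte SHA-1 hash; convert to the hex form Get-AdfsCertificate shows.
        $hex = ([System.BitConverter]::ToString([Convert]::FromBase64String($kid.InnerText.Trim()))) -replace '-', ''
        return [pscustomobject]@{ Kind = 'ThumbprintSHA1'; Thumbprint = $hex; Detail = $kid.GetAttribute('ValueType') }
    }

    $keyName = $encKey.SelectSingleNode('ds:KeyInfo/ds:KeyName', $ns)
    if ($keyName) { return [pscustomobject]@{ Kind = 'KeyName'; Thumbprint = $null; Detail = $keyName.InnerText.Trim() } }

    return [pscustomobject]@{ Kind = 'Unknown'; Thumbprint = $null; Detail = $encKey.SelectSingleNode('ds:KeyInfo', $ns).OuterXml }
}

function Test-AdfsTokenDecryptionMatch {
    param([Parameter(Mandatory)][xml]$Response)
    $ref = Get-SamlEncryptionKeyReference -Response $Response
    Write-Host ("IdP encrypted to: {0} {1} ({2})" -f $ref.Kind, $ref.Thumbprint, $ref.Detail)

    if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
        Write-Warning 'ADFS module not available; run on an AD FS server to compare against its certificates.'
        return $ref
    }
    # AD FS keeps separate certificates for signing and decryption by default. The IdP must
    # encrypt to the Token-Decrypting one (KeyDescriptor use="encryption" in the AD FS
    # federation metadata), not to the Token-Signing one.
    $decrypt = @(Get-AdfsCertificate -CertificateType Token-Decrypting)
    $sign    = @(Get-AdfsCertificate -CertificateType Token-Signing)
    foreach ($c in $decrypt) { Write-Host "AD FS Token-Decrypting: $($c.Thumbprint) primary=$($c.IsPrimary)" }
    foreach ($c in $sign)    { Write-Host "AD FS Token-Signing:    $($c.Thumbprint) primary=$($c.IsPrimary)" }

    if ($ref.Thumbprint -and ($decrypt.Thumbprint -contains $ref.Thumbprint)) {
        Write-Host 'OK: the IdP encrypted to an AD FS token-decrypting certificate.'
    } elseif ($ref.Thumbprint -and ($sign.Thumbprint -contains $ref.Thumbprint)) {
        Write-Warning 'MISMATCH: the IdP encrypted to the token-SIGNING certificate; AD FS cannot unwrap the key.'
    } else {
        Write-Warning 'MISMATCH: the IdP encrypted to a key AD FS does not hold; have the IdP re-import the AD FS metadata.'
    }
    return $ref
}

# Constructed sample (not a real capture): an EncryptedAssertion whose EncryptedKey references
# the recipient key by SHA-1 thumbprint, with rsa-1_5 key transport as in the stack trace.
# The thumbprint bytes 01..14 are a placeholder.
[xml]$sample = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:EncryptedAssertion>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <ds:KeyInfo>
            <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
              <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">AQIDBAUGBwgJCgsMDQ4PEBESExQ=</o:KeyIdentifier>
            </o:SecurityTokenReference>
          </ds:KeyInfo>
          <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>
"@

Test-AdfsTokenDecryptionMatch -Response $sample | Out-Null
# With a real capture saved as decoded XML:
# Test-AdfsTokenDecryptionMatch -Response ([xml](Get-Content -Raw .\saml-response.xml))
```

If the referenced thumbprint matches the AD FS token-signing certificate, the IdP has done exactly what the reply above describes: it took the signing certificate from the AD FS metadata and used it for encryption. If it matches neither, the IdP is holding stale AD FS metadata (for example after automatic certificate rollover) and needs to re-import it.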


Thanks for this tip, Pierre. I had to use the same certificate for signature and encryption in my ADFS configuration.

