Jan 04 2018 01:24 AM
I have configured AD FS on a Windows 2016 server to authenticate against a national IDP. I get a successful logon from the IDP, but when I return to the AD FS server it fails to redirect to my web site (wtrealm parameter). I get "Error occurred" in my browser, and the AD FS/Admin application log on my server records Event ID 364 "Encountered error during federation passive request".
How can I trace this error in order to investigate what is going wrong?
Complete Error Message:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
Exception details:
System.Security.Cryptography.CryptographicException: The parameter is incorrect.
at System.Security.Cryptography.CryptographicException.ThrowCryptographicException(Int32 hr)
at System.Security.Cryptography.RSACryptoServiceProvider.DecryptKey(SafeKeyHandle pKeyContext, Byte[] pbEncryptedKey, Int32 cbEncryptedKey, Boolean fOAEP, ObjectHandleOnStack ohRetDecryptedKey)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] rgb, Boolean fOAEP)
at System.Security.Cryptography.RSACryptoServiceProvider.Decrypt(Byte[] data, RSAEncryptionPadding padding)
at System.Security.Cryptography.RSAPKCS1KeyExchangeDeformatter.DecryptKeyExchange(Byte[] rgbIn)
at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
at Microsoft.IdentityModel.Tokens.Saml2.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityServer.Tokens.ReferenceTokenHandler.TokenFromString(String token)
at Microsoft.IdentityServer.Service.Tokens.MSISReferenceTokenHandler.ResolveSamlArtifact(ReferenceToken referenceToken)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateAndSaveSamlSession(ProtocolContext context, SecurityTokenElement requestedTokenElement)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetSecurityTokenFromSignInResponse(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
Jan 08 2018 11:56 AM
Solution
Because it fails with the crypto issue, my guess would be:
1. They are using token encryption
2. They used the wrong certificate to encrypt the token
As a result, AD FS cannot parse the SAML structure properly. I have seen that in the past. Many third-party IDPs assume that AD FS is using the same certificate for token signing and token encryption. But that's not the case. Contact them and make them double-check their configuration (ensure they are using the right certificate for the right purpose).
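Added example, not part of the thread or of Microsoft's documentation: a PowerShell check run on the AD FS server that lists the primary Token-Signing and Token-Decrypting certificates so you can see whether they differ, exports the public half of the decrypting certificate to hand to the IDP, enables the AD FS debug trace around a reproduction of the failing sign-in, and then reads back recent Event 364 entries to see whether they contain the DecryptKey failure from the question. The output path under $env:TEMP, the regex used to spot the failure, and running as an AD FS administrator are assumptions.

```powershell
# Added example; assumes it runs on the AD FS server under an AD FS admin account.
Import-Module ADFS

# 1. Which certificate serves which purpose. An IDP that encrypts the assertion
#    must encrypt to the Token-Decrypting public key; encrypting to the
#    Token-Signing certificate produces exactly the RSACryptoServiceProvider.DecryptKey
#    "The parameter is incorrect" failure seen in Event 364.
$signing    = Get-AdfsCertificate -CertificateType Token-Signing    | Where-Object { $_.IsPrimary }
$decrypting = Get-AdfsCertificate -CertificateType Token-Decrypting | Where-Object { $_.IsPrimary }

"Token-Signing    (primary): {0}  expires {1}" -f $signing.Thumbprint,    $signing.Certificate.NotAfter
"Token-Decrypting (primary): {0}  expires {1}" -f $decrypting.Thumbprint, $decrypting.Certificate.NotAfter

if ($signing.Thumbprint -eq $decrypting.Thumbprint) {
    "Signing and decrypting certificates are the same; an IDP that encrypted to the signing cert will still work."
} else {
    "Signing and decrypting certificates differ; the IDP must encrypt to thumbprint $($decrypting.Thumbprint)."
}

# 2. Export the PUBLIC part of the decrypting certificate (no private key) for the IDP.
#    Path is an assumption; change it to wherever you exchange files with the IDP.
$cerPath = Join-Path $env:TEMP 'adfs-token-decrypting.cer'
$derBytes = $decrypting.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($cerPath, $derBytes)
"Public decryption certificate written to $cerPath"

# 3. Enable the AD FS debug trace only for the reproduction, then switch it off again.
#    Events appear under Applications and Services Logs > AD FS Tracing > Debug.
wevtutil sl "AD FS Tracing/Debug" /e:true
Read-Host "Reproduce the failing sign-in now, then press Enter"
wevtutil sl "AD FS Tracing/Debug" /e:false

# 4. Read the latest Event 364 entries and flag the ones whose inner exception is the
#    key-decryption failure, which points at a wrong encryption certificate on the IDP side.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 5 |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            DecryptKeyFail = ($_.Message -match 'RSACryptoServiceProvider\.DecryptKey')
        }
    }
```

If the two thumbprints differ and the IDP's metadata lists the Token-Signing certificate under its encryption KeyDescriptor, give them the exported .cer (or the AD FS federation metadata, which carries both keys with their intended use) rather than making the two AD FS certificates the same; the trace log will then show the assertion being decrypted instead of the DecryptKey exception.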
Jan 08 2018 10:52 PM
Thanks for this tip, Pierre. I had to use the same certificate for signature and encryption in my ADFS configuration.