At a client site, after deploying AD FS 2.0 for SSO with Office 365, whenever I tried logging in to the Office 365 portal I was redirected to the Federation Server Proxy forms-based sign-in page, which showed an Unhandled Exception together with a Correlation ID.

Now, in order to see what really happened, navigate to Event Viewer –> Applications –> AD FS Admin and, in the view pane, add the Correlation ID column so you can match the ID shown on the error page against the logged event.
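As an added example (not part of the original post), the same lookup from PowerShell on the proxy: it filters the AD FS 2.0 Admin log on the correlation ID copied from the error page and prints the matching events with their message text. The log name "AD FS 2.0/Admin" and the 2000-event window are assumptions; adjust them for your installation.

```powershell
# Added example: find AD FS 2.0 Admin events by the correlation ID shown on the error page.
# Assumption: the Admin log is registered under the name "AD FS 2.0/Admin".
function Get-AdfsEventsByCorrelationId {
    param(
        [Parameter(Mandatory = $true)][Guid]$CorrelationId,
        [int]$MaxEvents = 2000   # how far back to look (assumed reasonable window)
    )

    # EventLogRecord.ActivityId is the value Event Viewer shows in the Correlation Id column.
    $events = Get-WinEvent -LogName "AD FS 2.0/Admin" -MaxEvents $MaxEvents -ErrorAction Stop |
        Where-Object { $_.ActivityId -eq $CorrelationId }

    if (-not $events) {
        Write-Warning "No events with correlation ID $CorrelationId in the last $MaxEvents entries."
        return
    }

    foreach ($e in $events) {
        "{0}  EventID={1}  Level={2}" -f $e.TimeCreated, $e.Id, $e.LevelDisplayName
        $e.Message          # carries the exception block (MessageSecurityException, stack trace)
        "-" * 60
    }
}

# Usage (replace the GUID with the one from the proxy's error page):
# Get-AdfsEventsByCorrelationId -CorrelationId "00000000-0000-0000-0000-000000000000"
```

Run it as an administrator on the proxy that served the error page; the event message is what the rest of this post quotes.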

In most cases the error you get looks like the one below:

Encountered error during federation passive request.

Additional Data

Exception details:
System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
   --- End of inner exception stack trace ---

Server stack trace:
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.PolicyModel.Client.PolicyStoreReadOnlyTransferClient.GetState(String serviceObjectType, String mask, FilterData filter, Int32 clientVersionNumber)
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.FetchServiceSettingsData()
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetServiceSettingsData()
   at Microsoft.IdentityServer.ProxyConfiguration.ProxyConfigurationReader.GetFederationPassiveConfiguration()
   at Microsoft.IdentityServer.Web.PassivePolicyManager.GetPassiveEndpointAbsolutePath()
   at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.GetPassiveEndpointAbsolutePath()

System.ServiceModel.FaultException: An error occurred when verifying security for the message.

Now, this is normally caused by one of the two reasons below.

1- The AD FS federation service identifier URL has been changed to https while still using the default URL path adfs/services/trust. This triggers a bug in AD FS 2.0, so the solution is either to change the https back to http or to change the path; you cannot have both.

This bug is documented here: http://social.technet.microsoft.com/wiki/contents/articles/1670.ad-fs-2-0-federation-server-proxy-servers-fail-to-authenticate-users-events-248-and-996-logged.aspx

2- This one is not very well documented, and it was my problem: the TIME. Because I had not joined the proxy servers to the domain, while the federation servers were domain-joined, there was a time skew between the two.

So I made sure that the proxy servers would always sync their time from the domain controller holding the PDC emulator role.

Fixing this fixed the problem.

So if you have the same error, make sure you check the above two.
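To check both causes, here is an added PowerShell example (not the post's own script): one function inspects the federation service identifier on a federation server for the https-plus-default-path combination from cause 1, and two functions for the proxy measure the clock offset against a federation server and point a workgroup proxy at the PDC emulator for cause 2. The host names are placeholders, the parsing of `w32tm /stripchart` output is an assumption about its line format, and the 300-second limit reflects WCF's default clock-skew tolerance of five minutes.

```powershell
# Added example: checks for the two causes described in this post.
# Placeholders to replace: $FederationServer and $PdcEmulator.
$FederationServer = "fs.example.com"   # placeholder: a federation server the proxy talks to
$PdcEmulator      = "pdc.example.com"  # placeholder: DC holding the PDC emulator role
$MaxSkewSeconds   = 300                # WCF's default clock-skew tolerance is 5 minutes

# Cause 1 (run on a federation server): an https identifier combined with the default
# /adfs/services/trust path triggers the documented AD FS 2.0 proxy bug.
function Test-FederationIdentifier {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $id = (Get-ADFSProperties).Identifier.ToString()
    if ($id -match '^https://' -and $id -match '/adfs/services/trust$') {
        Write-Warning "Identifier '$id' uses https with the default path; change one of them."
        return $false
    }
    Write-Host "Identifier '$id' is not affected by the https/path bug."
    return $true
}

# Cause 2 (run on a proxy): average clock offset against a federation server, in seconds.
function Get-ClockOffsetSeconds {
    param([string]$Target)
    # Assumed format: with /dataonly, w32tm prints one "hh:mm:ss, +00.0000000s" line per sample.
    $lines = w32tm /stripchart /computer:$Target /samples:3 /dataonly
    $offsets = @()
    foreach ($line in $lines) {
        if ($line -match ',\s*([+-]?\d+\.\d+)s') { $offsets += [double]$matches[1] }
    }
    if ($offsets.Count -eq 0) { throw "Could not read an offset from w32tm output for $Target." }
    return ($offsets | Measure-Object -Average).Average
}

function Test-ProxyClockSkew {
    $offset = Get-ClockOffsetSeconds -Target $FederationServer
    if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
        Write-Warning ("Proxy clock is {0:N1}s off from {1}; message security will fail." -f $offset, $FederationServer)
        return $false
    }
    Write-Host ("Clock offset to {0} is {1:N3}s (within tolerance)." -f $FederationServer, $offset)
    return $true
}

# Cause 2 fix (run on a workgroup proxy): sync time from the PDC emulator from now on.
function Set-ProxyTimeSource {
    w32tm /config /manualpeerlist:$PdcEmulator /syncfromflags:manual /update
    w32tm /resync /nowait
    Get-Service W32Time | Set-Service -StartupType Automatic
}

# Usage: Test-FederationIdentifier on the federation server;
#        Test-ProxyClockSkew on each proxy, then Set-ProxyTimeSource if it reports a warning.
```

Because the proxies are not domain-joined, they cannot discover the PDC emulator on their own, which is why the peer is given explicitly; re-run Test-ProxyClockSkew after the resync to confirm the offset is back inside the tolerance.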
