ADFS 4.0, Event ID 364, Error: RevocationValidationException

Query King | Fri, 02 Aug 2019 at 02:43 hours | Replies : 4 | Points : 100

Category : ADFS


Hi Friends,

I am getting the below error in ADFS 4.0 while accessing the application URL. Please help.


Error:

Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '3D7C66C9D5A2BWDDCF051AC1E2XXC6E3C798A8E8' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.


Event Logs:


Log Name: AD FS/Admin
Source: AD FS
Date: 31/7/2019 5:09:00 PM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: eXperts-Adda\ADFS_SVC_QA
Computer: ADFS.eXperts-Adda.COM
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
https://RelyingPartyIdentifierURL

Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '3D7C66C9D5A2BWDDCF051AC1E2XXC6E3C798A8E8' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateRevocationSetting(RevocationSetting revocationSetting, ReceiverX509SigningCredentials receiverSigningCredentials, String partnerId, ServiceCertificateType certificateType)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


Event Xml:




Hi,

From the event logs, pick the thumbprint value (3D7C66C9D5A2BWDDCF051AC1E2XXC6E3C798A8E8) and check if the certificate is expired or the Root/Intermediate certificate is expired. If you have already renewed the certificate, then please check if the same certificate is updated in the application and in the relying party trust (https://RelyingPartyIdentifierURL) on the ADFS server.

Hi Santosh,


Thanks for your response. I have checked, but I am unable to see any certificate expiration or any other issue. Please suggest.

Hi,

As per the error, there must be an expired or incorrect certificate. Please recheck.

Even so, if you want, run the below commands to disable the certificate revocation checks for signing and encryption, i.e. set both of these relying party trust settings to None:

-SigningCertificateRevocationCheck    None
-EncryptionCertificateRevocationCheck None

To view the current status:


Get-AdfsRelyingPartyTrust "RelayingPartyName" | Format-List Name,SigningCertificateRevocationCheck,EncryptionCertificateRevocationCheck

To disable the certificate revocation checks for signing and encryption:


Get-AdfsRelyingPartyTrust "RelayingPartyName" | Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck none -EncryptionCertificateRevocationCheck none

Hope it helps.
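The two answers above (locate the certificate behind the thumbprint from the event and check it for expiry or a broken chain; then, if wanted, relax the revocation setting on the trust) can be combined into one diagnostic that shows why MSIS7098 is raised before the check is switched off. The following PowerShell is an added example and not code from the thread; it assumes it runs in an elevated session on the AD FS server with the ADFS module available, that the certificate named in the event is the partner's request-signing or encryption certificate stored on the relying party trust (which is what the ValidateRevocationSetting frame in the stack trace validates), and it reuses the redacted thumbprint from the page as a placeholder.

```powershell
# Added example (not from the original thread). Finds the certificate that Event ID 364 /
# MSIS7098 complains about, reports expiry, and builds its chain with online revocation
# checking (similar to what AD FS does for the CheckChainExcludeRoot revocation setting),
# so the actual failure reason (expired, revoked, untrusted chain, unreachable CRL/OCSP)
# is visible alongside the trust's current revocation settings.

# Thumbprint copied from the MSIS7098 message in the event log (placeholder; redacted on the page).
$Thumbprint = '3D7C66C9D5A2BWDDCF051AC1E2XXC6E3C798A8E8'

# Helper: all partner certificates attached to a relying party trust object.
function Get-TrustCertificates {
    param($Trust)
    @($Trust.RequestSigningCertificate) + @($Trust.EncryptionCertificate) | Where-Object { $_ }
}

# Helper: chain validation with online revocation checking; returns an object with the
# overall result and the individual chain status entries.
function Test-PartnerCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag  = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $valid = $chain.Build($Certificate)

    [pscustomobject]@{
        Valid   = $valid
        Expired = ($Certificate.NotAfter -lt (Get-Date))
        Status  = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
        Chain   = @($chain.ChainElements | ForEach-Object { '{0} (expires {1})' -f $_.Certificate.Subject, $_.Certificate.NotAfter })
    }
}

# 1. Which relying party trusts reference the thumbprint from the event?
$trusts = Get-AdfsRelyingPartyTrust | Where-Object {
    Get-TrustCertificates $_ | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

if (-not $trusts) {
    Write-Warning "No relying party trust references thumbprint $Thumbprint; check the trust's metadata/certificate tab."
    return
}

# 2. For each such trust, show its revocation settings and validate the certificate.
foreach ($rp in $trusts) {
    $cert = Get-TrustCertificates $rp | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $result = Test-PartnerCertificate -Certificate $cert

    "Relying party trust : {0}" -f $rp.Name
    "  Identifier        : {0}" -f ($rp.Identifier -join ', ')
    "  Subject           : {0}" -f $cert.Subject
    "  NotAfter          : {0}  (expired: {1})" -f $cert.NotAfter, $result.Expired
    "  SigningCertificateRevocationCheck    : {0}" -f $rp.SigningCertificateRevocationCheck
    "  EncryptionCertificateRevocationCheck : {0}" -f $rp.EncryptionCertificateRevocationCheck
    "  Chain builds with online revocation  : {0}" -f $result.Valid

    if (-not $result.Valid) {
        "  Chain status:"
        $result.Status | ForEach-Object { "    $_" }
    }
    "  Chain elements:"
    $result.Chain | ForEach-Object { "    $_" }
}
```

The chain status lines are the useful part: `NotTimeValid` points at the leaf or an intermediate being expired (the first answer's case), `Revoked` at an actual revocation, `UntrustedRoot` or `PartialChain` at a CA certificate missing from the AD FS server's stores, and `RevocationStatusUnknown` / `OfflineRevocation` at the server being unable to reach the CRL or OCSP endpoint; only the last of these is a case where setting the revocation check to None (as in the accepted answer) changes the outcome without a certificate problem remaining on the partner side.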

Hi Santosh,


Thanks, the error is gone and the relying party is working fine.