ADFS 2.0, Event ID - 364, Error : The Security Timestamp Is Invalid

Query King | Tue, 27 Jun 2017 at 15:10 hours | Replies : 2 | Points : 100

Category : ADFS


Hi Experts,

 

I am getting the below error in the ADFS 2.0 Proxy Server event log. ADFS is working fine from the internal network (intranet) but getting an error from outside (Internet). Please see the below error and suggest. Please.

 

-------------------------------------------- Event Log Summary ---------------------------------

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          5/2/2017 4:08:40 PM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      XAADFS-02
Description:
Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.Security.MessageSecurityException: System.ServiceModel.Security.MessageSecurityException: The security timestamp is invalid because its creation time ('2017-05-02T08:14:56.594Z') is in the future. Current time is '2017-05-02T08:08:40.973Z' and allowed clock skew is '00:05:00'.

Server stack trace:
   at System.ServiceModel.Security.SecurityTimestamp.ValidateFreshness(TimeSpan timeToLive, TimeSpan allowedClockSkew)
   at System.ServiceModel.Security.SecurityTimestamp.ValidateRangeAndFreshness(TimeSpan timeToLive, TimeSpan allowedClockSkew)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadTimestamp(XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message& message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

 




Hi Query King,

 

As per the event, there is more than a 5 minute difference between your Proxy ADFS and domain time (Primary Domain Controller time). You can see this in the event log.

The security timestamp is invalid because its creation time ('2017-05-02T08:14:56.594Z') is in the future. Current time is '2017-05-02T08:08:40.973Z' and allowed clock skew is '00:05:00'.

You can see there is a 6 minute and 16 second time difference, whereas the allowed time difference is ONLY 5 minutes. Please check your Proxy ADFS time and sync it with your domain time.

Run the below command to check the time update source (NTP server) details.

w32tm /query /status

Run the below commands to configure the NTP server manually. Replace XAAD-01.eXperts-Adda.com with your PDC server FQDN.


w32tm /config /manualpeerlist:"XAAD-01.eXperts-Adda.com" /syncfromflags:manual /reliable:yes /update
w32tm /resync
Net Stop w32time
Net Start w32time
w32tm /query /status

Check the below URL for more details about NTP configuration:

https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

Hope it will fix your issue.

 

Thanks, Santosh :)
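As an added example (not the poster's or Microsoft's code) of the check Santosh is describing: a small Python parser that pulls the two timestamps and the allowed clock skew out of the MSIS7012 / MessageSecurityException text and reports whether the skew exceeds the limit. The sample message is the exception quoted in the question; the function names are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the exception text from the AD FS 2.0 proxy event above.
SAMPLE_EVENT = (
    "System.ServiceModel.Security.MessageSecurityException: The security timestamp "
    "is invalid because its creation time ('2017-05-02T08:14:56.594Z') is in the "
    "future. Current time is '2017-05-02T08:08:40.973Z' and allowed clock skew is "
    "'00:05:00'."
)

# The message carries three values: the sender's timestamp, the receiver's
# current time, and the configured clock-skew tolerance (hh:mm:ss).
_PATTERN = re.compile(
    r"creation time \('(?P<created>[^']+)'\).*?"
    r"Current time is '(?P<now>[^']+)'.*?"
    r"allowed clock skew is '(?P<skew>\d{2}:\d{2}:\d{2})'",
    re.DOTALL,
)


def _parse_utc(stamp):
    # Timestamps in the message are ISO 8601 with a trailing 'Z' (UTC).
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _parse_skew(text):
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def analyze_skew_event(message):
    """Return (observed_skew, allowed_skew, exceeds) or None if not a skew error."""
    match = _PATTERN.search(message)
    if match is None:
        return None
    created = _parse_utc(match.group("created"))
    now = _parse_utc(match.group("now"))
    allowed = _parse_skew(match.group("skew"))
    # created > now means the sender's clock is ahead of this host's clock;
    # the check is symmetric, so compare the absolute difference to the limit.
    observed = abs(created - now)
    return observed, allowed, observed > allowed


if __name__ == "__main__":
    observed, allowed, exceeds = analyze_skew_event(SAMPLE_EVENT)
    print(f"observed skew {observed}, allowed {allowed}, exceeds limit: {exceeds}")
```

On the event from the question this reports an observed skew of 0:06:15.621 against an allowed 0:05:00, so the event is confirmed as a clock-synchronisation problem rather than a certificate or trust failure.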