ADFS 2.0 - Getting Event ID 364 And 316 Error, Please Help.
Query King | Tue, 26 Dec 2017 at 05:58 hours | Replies : 4 | Points : 100
Category : ADFS
Hi Experts,
I am getting Event ID 364 and 316 into ADFS Admin logs and users are unable to authenticate, getting below errors. Please help.
Error on Browser:
There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: <GUID>
Error Event Log details.
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 12/25/2017 1:11:48 PM
Event ID: 364
Task Category: None
Level: Error
Keywords: AD FS
User: abc\adfs_svc
Computer: ADFS1.abc.com
Description:
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your
administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage,
SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatt ingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken,
WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage,
SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
Event Xml:
http://schemas.microsoft.com/win/2004/08/events/event">
364
0
2
0
0
0x8000000000000001
436973
AD FS 2.0/Admin
ADFS1.abc.com
http://schemas.microsoft.com/win/2004/08/events"
xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact
your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage,
SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.BuildSignInResponseCoreWithSerializedToken(String signOnToken,
WSFederationMessage incomingMessage)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SignIn(SecurityToken securityToken)
System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.Issue(HttpSamlMessage httpSamlMessage,
SecurityTokenElement onBehalfOf, String sessionState, String& newSessionState, String& authenticatingProvider)
at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.RequestBearerToken(HttpSamlRequestMessage httpSamlRequest,
SecurityTokenElement onBehalfOf, String& samlpSessionState, String& samlpAuthenticationProvider)
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 12/25/2017 1:11:48 PM
Event ID: 316
Task Category: None
Level: Error
Keywords: AD FS
User: abc\adfs_svc
Computer: ADFS1.abc.com
Description:
An error occurred during an attempt to build the certificate chain for the relying party trust 'RelayingParty.com' certificate identified by
thumbprint '125F60567E5A818436B7EA69FEE8760E4A9DE30C9'. Possible causes are that the certificate has been revoked, the certificate chain
could not be verified as specified by the relying party trust's signing certificate revocation settings or certificate is not within
its validity period.
You can use Windows PowerShell commands for AD FS 2.0 to configure the revocation settings for the relying party signing certificate.
Relying party trust's signing certificate revocation settings: CheckChainExcludeRoot
The following errors occurred while building the certificate chain:
A certificate chain could not be built to a trusted root authority.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
User Action:
Ensure that the relying party trust's signing certificate is valid and has not been revoked.
Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only"
setting.
Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS 2.0 Troubleshooting
Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
Event Xml:
http://schemas.microsoft.com/win/2004/08/events/event">
316
0
2
0
0
0x8000000000000001
436972
AD FS 2.0/Admin
ADFS1.abc.com
http://schemas.microsoft.com/win/2004/08/events"
xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
RelayingParty.com
15F60567E5A818436B7EA69FEE8760E4A9D030C5
CheckChainExcludeRoot
A certificate chain could not be built to a trusted root authority.
The revocation function was unable to check revocation for the certificate.
The revocation function was unable to check revocation because the revocation server was offline.
This Question is already solved Click To See The Answer
Hi,
Please check and make sure that Signature Certificate in Relaying party is configured properly. Try to Add new certificate from vendor.
Right click on replaying party then select Properties, then go to Signature Tab and verify the Certificate.
Hi Santosh,
Thanks for suggestion, i have reapplied the certificate but i am still getting same error. Please help.
Hi,
As per given error, it seems to be Relaying Party certificate issue. You can disable the Certificate Revocation check for problematic Relying party and check.
Below is command.
Add-PSSnapin Microsoft.Adfs.PowerShell
Set-ADFSRelyingPartyTrust -TargetName "RelayingPartyName" -EncryptionCertificateRevocationCheck None
Set-ADFSRelyingPartyTrust -TargetName "RelayingPartyName" -SigningCertificateRevocationCheck None
Hi Santosh,
Thanks, it worked...