Sign-In Fails to AD FS with event id 364 & 261


Yanuar Kristian
May 2, 2014, 3:47:09 AM
to simple...@googlegroups.com
Hi All,

I used simplesaml and tried to authenticate with ADFS.
I installed simplesaml in my local machine and ADFS in my remote server.
When I clicked the Authentication tab in my simplesaml page and then chose
"Test authentication sources which have been configured", the page was redirected to the ADFS login form. After filling in the username and password I got this error on my screen.

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: f0af4ddd-4a18-46de-b2a7-fa26da13d1cc

And here is the error message taken from my ADFS server event viewer

--------------------
Event 364, AD FS

Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. --->

System.ServiceModel.FaultException: The creator of this fault did not specify a Reason....

-------------------
Event 261, AD FS

The request specified an Assertion Consumer Service URL 'http://servicesaml.com:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp' that is not configured on the relying party 'urn:simplesaml:php'.
Assertion Consumer Service URL: http://servicesaml.com:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp
Relying party: urn:simplesaml:php

This request failed.

User Action
Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.
--------------------

Could you help me with this error?
Or give me step by step how to configure simplesamlphp and the ADFS.

Any help would be very much appreciated.

Peter Schober
May 2, 2014, 7:46:12 AM
to simple...@googlegroups.com
* Yanuar Kristian <yanu...@gmail.com> [2014-05-02 09:47]:
> The request specified an Assertion Consumer Service URL
> 'http://servicesaml.com:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'
> that is not configured on
>
> the relying party 'urn:simplesaml:php'.

Well, does ADFS have an ACS URL like the one above configured for your
SimpleSAMLphp SP? If not, there's your error.
Whether the ACS URL is /correct/ (what you want it to be) I couldn't
say. It's what SSP believes is right, given your configuration.
If it's right, fix what ADFS has on record for this SP.
If it's wrong, fix what SSP believes is its scheme, hostname and port.

Unrelated to any errors, but obviously 'urn:simplesaml:php' is not a
legal value for your SimpleSAMLphp entity. Make sure to change that
before making productive use of the software.

> User Action
> Use the AD FS Management snap-in to configure an Assertion Consumer Service
> with the specified URL for this relying party.

No idea what that means but did you try doing that?
-peter

Daniel Tsosie
May 2, 2014, 4:09:34 PM
to simple...@googlegroups.com
Note that AD FS is not intended to be configured directly in most Microsoft processes. Luckily, the latest SSP added proper MS Metadata support for the ADFS module. Full documentation can be found in modules/adfs/docs/adfs.txt

-Dan Tsosie

Factum IT BV
May 2, 2014, 6:01:47 PM
to simple...@googlegroups.com
There are a number of things that can go wrong here.. going from memory:

  • AD FS expects all RP trusts to be using SSL ..
  • Make sure you pass a Name ID in the response in your claims rule on the SSP RP.. You can do a simple transformation rule on the relying party by Transforming Window ID to NameID Transient.. this should suffice
  • Try dialing down the Secure Hashing Algorithm from SHA-256 to SHA-1 on the SSP relying party
  • If you want Single Logout to work, you’ll also need to include a token signing certificate on the SSP side in your authsources.php (and re-exchange metadata - either by re-importing the file / certificate manually in the signing tab or updating the metadata from AD FS .. depends on your configuration)

Regards,
Mylo
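As an added check, not from the thread, this Python script does what Peter suggests by hand: it pulls the ACS URL and relying-party identifier out of the event 261 text and compares them part by part (scheme, host, port, path) against the endpoints the AD FS trust has on record, and it also flags a non-https ACS URL, which is Mylo's first bullet. The trust's endpoint list is a constructed sample, not anything exported from the poster's server.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the relevant sentence of the AD FS event 261 text quoted in the thread.
EVENT_261 = (
    "The request specified an Assertion Consumer Service URL "
    "'http://servicesaml.com:8080/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp' "
    "that is not configured on the relying party 'urn:simplesaml:php'."
)

# Constructed sample (hypothetical): the SAML ACS endpoints the AD FS relying-party trust
# actually lists for this identifier, e.g. as copied from the trust's Endpoints tab.
ADFS_TRUST_ENDPOINTS = {
    "urn:simplesaml:php": [
        "https://servicesaml.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp",
    ],
}


def parse_event_261(text):
    """Extract the ACS URL and relying-party identifier from an AD FS event 261 message."""
    m = re.search(r"Assertion Consumer Service URL '([^']+)'.*?relying party '([^']+)'", text, re.S)
    if not m:
        raise ValueError("not an event 261 message")
    return {"acs_url": m.group(1), "relying_party": m.group(2)}


def diagnose(acs_url, relying_party, trust_endpoints):
    """Explain the mismatch by comparing the URL the SP sent with what the trust lists."""
    configured = trust_endpoints.get(relying_party, [])
    if acs_url in configured:
        return ["ACS URL is configured on the trust; look elsewhere (claims rules, signing)"]
    if not configured:
        return ["relying party %r has no SAML ACS endpoints at all" % relying_party]
    findings = []
    want = urlsplit(acs_url)
    for have in map(urlsplit, configured):
        # Compare each URL component so the report says exactly what SSP must be told to change.
        for part in ("scheme", "hostname", "port", "path"):
            if getattr(want, part) != getattr(have, part):
                findings.append("%s differs: SP sends %r, trust has %r"
                                % (part, getattr(want, part), getattr(have, part)))
    if want.scheme != "https":
        findings.append("SP ACS URL is not https; AD FS expects SSL on relying-party endpoints")
    return findings


if __name__ == "__main__":
    ev = parse_event_261(EVENT_261)
    for line in diagnose(ev["acs_url"], ev["relying_party"], ADFS_TRUST_ENDPOINTS):
        print(line)
```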

Yanuar Kristian
May 5, 2014, 6:03:37 AM
to simple...@googlegroups.com
Thanks All for your help.

I tried to re-configure my simplesaml as SP and my ADFS as IdP again based on
https://groups.google.com/forum/#!topic/simplesamlphp/I8IiDpeKSvY

The Event 364 & Event 261 problems were solved.

I got a problem with NameID and then I could solve it.

Now I try to configure single logout.

Again, Thanks all.

Yanuar Kristian

Daniel Tsosie
May 5, 2014, 8:34:26 PM
to simple...@googlegroups.com
Ya, sign logout request will be a key option to set.

-Dan Tsosie

indreshc...@gmail.com
Apr 13, 2018, 7:03:56 AM
to SimpleSAMLphp