ADFS Error 364 - Encountered error during federation passive request.

I am having major problems getting ADFS 2 on a Windows 2012 server working (note not 2012 R2).

The certificate and IIS are all working ok.  The local service account has read permission to the certificate and no other processes are trying to use port 1501 - only ADFS.

I have set up a trust relationship with a 3rd party which tests ok, but when I browse to https://mydomain.co.uk/adfs/ls/IdpInitiatedSignon.aspx I get the error below:

There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: 6e3385fe-23ff-440a-ab49-71a2c1a3132d

Subsequently the SSO with my third party won't work either.  When I installed ADFS it all went through ok but I just can't connect with my AD credentials.

This is a new area for me and I am now running out of ideas what to try.  More details below.  Any ideas anyone?

Alistair

---------------------------------------------------------------------------
Encountered error during federation passive request.

Additional Data

Exception details:
Microsoft.IdentityServer.Protocols.WSTrust.StsConnectionException: MSIS7004: An exception occurred while connecting to the federation service. The service endpoint URL 'net.tcp://localhost:1501/samlprotocol' may be incorrect or the service is not running. ---> System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

Server stack trace:
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.SignMessage(HttpSamlMessage httpSamlMessage, PrincipalType principalType, String principalIdentifier)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.BuildSignedSamlRequestMessage(HttpRedirectSamlBindingSerializer httpRedirectSamlBindingSerializer, AuthenticationRequest authenticationRequest, String relayState)
   at Microsoft.IdentityServer.Web.IdentityProviderInitiatedSignOn.SignOn(String relyingPartyIdentity, String relayState, SignOnRequestParameters parameters)

System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at net.tcp://localhost:1501/samlprotocol that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.

Server stack trace:
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.DecodeFramingFault(ClientFramingDecoder decoder, IConnection connection, Uri via, String contentType, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.ISamlProtocolContract.ProcessRequest(Message request)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequestWorker(Message request, Boolean firstTry)
EPBarrus Asked:

Guy Lidbetter Commented:
Hi There,

I have seen this a few times... a 364 is an issue with the request, so it will most definitely have nothing to do with the party trust or claims.

First off... Have you checked and ensured the ADFS 2.0 app pool is still running? If not, recycle it anyway and try again.

Does IIS support federation? You can check this with

setspn -L <hostname>

which lists current SPNs.
If not there, set the SPN:

setspn -a http/<adfs host name> <service account name>


Next you need to consider time skew: if the two parties are on different time sources, the NotBefore in the signature could be in the future for the RP. In this case I would set a skew on the trust:

Add-PSSnapin Microsoft.Adfs.PowerShell   # Load the ADFS PowerShell snap-in
Get-ADFSRelyingPartyTrust -Identifier "urn:party:sso"   # Just to see what the values were
Set-ADFSRelyingPartyTrust -TargetIdentifier "urn:party:sso" -NotBeforeSkew 5   # Set the skew to 5 minutes


Lastly, certificates. Make sure they are all valid and current, and their chains are trusted...

Hopefully one of these may help you...
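The checks in the comment above (is the ADFS service and its net.tcp endpoint actually up, is the app pool started, is the HTTP SPN on the service account, are the certificates valid and is the private key readable) can be run as one script. The following PowerShell is an added example for this page; it is not from the thread, from Guy, or from Microsoft. It assumes the AD FS 2.x service name adfssrv, the service host process name Microsoft.IdentityServer.ServiceHost, the IIS application pool ADFSAppPool, and uses the thread's host name adfs.mycompany.co.uk and service account name 'adfs' as placeholder defaults. Get-NetTCPConnection needs Windows Server 2012 or later, the private-key ACL lookup only works for CSP (not CNG) keys, and the ADFS snap-in calls only succeed once the service is running, which is why they are wrapped in try/catch. Run it in an elevated PowerShell on the ADFS server itself.

```powershell
# Added diagnostic script (not from the original thread). Placeholders:
# $ServiceAccount, $FederationHost and $AppPool must match your environment.
param(
    [string]$ServiceAccount = 'adfs',                    # service account running ADFS (placeholder from thread)
    [string]$FederationHost = 'adfs.mycompany.co.uk',    # federation service host name (placeholder from thread)
    [string]$AppPool        = 'ADFSAppPool',             # IIS app pool created by the ADFS 2.x setup (assumption)
    [int]$Port              = 1501                       # net.tcp port named in the MSIS7004 error
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. The MSIS7004 text means the IIS front end could not reach the Windows
#    service behind net.tcp://localhost:1501. Start with the service itself.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
Add-Result 'adfssrv service' (($null -ne $svc) -and ($svc.Status -eq 'Running')) `
    ('status: ' + $(if ($svc) { $svc.Status } else { 'not installed' }))

# 2. Is anything listening on the port, and is it the ADFS service host process
#    rather than something else that grabbed the port?
$listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue | Select-Object -First 1
if ($listener) {
    $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
    Add-Result "port $Port listener" ($proc.Name -eq 'Microsoft.IdentityServer.ServiceHost') `
        "owned by $($proc.Name) (PID $($listener.OwningProcess))"
} else {
    Add-Result "port $Port listener" $false 'nothing listening; EndpointNotFoundException is expected in this state'
}

# 3. IIS application pool state.
Import-Module WebAdministration -ErrorAction SilentlyContinue
$pool = Get-WebAppPoolState -Name $AppPool -ErrorAction SilentlyContinue
Add-Result "app pool $AppPool" ($pool.Value -eq 'Started') ('state: ' + $(if ($pool) { $pool.Value } else { 'not found' }))

# 4. Kerberos for the federation host name needs HTTP/<federation host> on the
#    service account; HOST/<server> on the computer object is not enough.
$spns    = & setspn.exe -L $ServiceAccount 2>&1
$hasHttp = $spns | Where-Object { $_ -match "^\s*HTTP/$([regex]::Escape($FederationHost))\s*$" }
Add-Result "SPN HTTP/$FederationHost on $ServiceAccount" ([bool]$hasHttp) `
    (($spns | Where-Object { $_ -match '/' } | ForEach-Object { $_.ToString().Trim() }) -join '; ')

# 5. Certificates ADFS is configured with: validity window and private key.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
try {
    foreach ($c in Get-ADFSCertificate) {
        $x   = $c.Certificate
        $now = Get-Date
        $ok  = ($x.NotBefore -lt $now) -and ($x.NotAfter -gt $now) -and $x.HasPrivateKey
        Add-Result "cert $($c.CertificateType) $($x.Thumbprint)" $ok `
            "valid $($x.NotBefore.ToShortDateString()) to $($x.NotAfter.ToShortDateString()); private key: $($x.HasPrivateKey)"

        # 6. For the service communications cert, check the service account can read
        #    the key container file (CSP keys live under ProgramData\Microsoft\Crypto).
        if ($c.CertificateType -eq 'Service-Communications' -and $x.HasPrivateKey) {
            try {
                $container = $x.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
                $keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
                $ace       = (Get-Acl $keyPath).Access | Where-Object { $_.IdentityReference -like "*\$ServiceAccount" }
                Add-Result "private key ACL for $ServiceAccount" ([bool]$ace) ($(if ($ace) { $ace.FileSystemRights -join ',' } else { 'no ACE for account' }))
            } catch { Add-Result 'private key ACL' $false "CNG key or lookup failed: $($_.Exception.Message)" }
        }
    }
} catch { Add-Result 'Get-ADFSCertificate' $false $_.Exception.Message }

$results | Format-Table -AutoSize
```

Read the table top down: if 'adfssrv service' or the port listener is already failing, the later ADFS snap-in rows will fail too and the event-log stack trace in the question is the expected symptom, so fix the service start (its own Application log entries, and the key ACL row) before looking at SPNs or trust settings.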
EPBarrus (Author) Commented:
Hi Guy,

Thank you for this information.  All new to ADFS so bear with me.

I have a low privilege AD user called adfs I am using (which does have read access to the cert) and when I run 'setspn -l adfs' I get this response:

'Registered ServicePrincipalNames for CN=adfs, OU=My OU, DC=My Company,DC=local:
host/adfs.mycompany.co.uk'

Wondering if there is some issue as the backend server is on a .local domain whilst the ADFS site is on co.uk?  Anyway certs are public facing and all valid including keychain - can browse from outside to my IIS via https ok.  This testing I am doing is at the moment all UK based so shouldn't be any timezone issues to worry about.

Quite a bit outside my tech comfort zone all this.

Alistair
Guy Lidbetter Commented:
Hi Alistair,

No problem at all... if you could just clarify a few things for me.

1. Are you using an ADFS Proxy server as well?
2. Open an Admin CMD and rerun the "setspn -L <hostname>" on the main ADFS server.

The ADFS account can be low privilege but needs to be a Local Admin of the ADFS server. Also you need to check the Server Cert and the Token Signing certificates validity too.

When you say the backend is .local and ADFS site is on co.uk... are you saying your internal domain is .local and the external facing web portion of the adfs server is .co.uk, or is there another server entirely hosting the adfs website?

Regarding the time bit, if you are using one time source... e.g. you are on ntp2a.mcc.ac.uk (Manchester) and they are on ntp.exnet.com (London), although you are both UK based you are using different time suppliers, and the time difference between them may be 1 second, or 2 minutes. Location\time zone is irrelevant in this case. If the difference is enough... the federation will fail.
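The time-source point above is measurable rather than something to guess at. The PowerShell below is an added example for this page (not from the thread, from Guy, or from Microsoft): it uses the built-in w32tm client to sample the offset between this ADFS server's clock and the other party's NTP server, then compares the worst sample with the NotBeforeSkew configured on the trust that the earlier Set-ADFSRelyingPartyTrust command sets. The peer time source ntp.exnet.com and the trust identifier urn:party:sso are placeholders taken from the thread; the output format of w32tm /stripchart /dataonly ("hh:mm:ss, +00.0123456s") is an assumption about the Windows Time client, and the script needs UDP 123 to the peer to be open.

```powershell
# Added example (not from the original thread). Compares measured clock offset
# against the NotBeforeSkew (minutes) on a relying party trust.
param(
    [string]$PeerTimeSource  = 'ntp.exnet.com',  # the other party's NTP server (placeholder from thread)
    [string]$TrustIdentifier = 'urn:party:sso',  # relying party identifier (placeholder from thread)
    [int]$Samples            = 5
)

# 1. Which source does this server sync from? Useful to record next to the result.
$ourSource = (& w32tm.exe /query /source 2>&1) -join ' '

# 2. Sample the peer source. /dataonly prints one line per sample such as
#    "14:05:13, +00.0053421s"; lines containing "error:" mean the peer was unreachable.
$raw = & w32tm.exe /stripchart /computer:$PeerTimeSource /samples:$Samples /dataonly 2>&1
$offsets = foreach ($line in $raw) {
    if ("$line" -match '([+-]\d+\.\d+)s') { [double]$matches[1] }
}
if (-not $offsets) {
    throw "No offset samples from $PeerTimeSource (NTP blocked or bad name?). Raw output:`n$($raw -join "`n")"
}

# 3. Only a clock that is *ahead* of the RP puts NotBefore in the RP's future, but the
#    sign convention of the offset is not worth relying on here: treat the worst
#    absolute offset as the figure the skew must cover.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum

# 4. Read the allowed skew from the trust (stored in minutes) and decide.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$trust = Get-ADFSRelyingPartyTrust -Identifier $TrustIdentifier
if (-not $trust) { throw "No relying party trust with identifier $TrustIdentifier" }
$allowedSec = [int]$trust.NotBeforeSkew * 60

[pscustomobject]@{
    LocalTimeSource  = $ourSource
    PeerTimeSource   = $PeerTimeSource
    SamplesTaken     = @($offsets).Count
    WorstOffsetSec   = [math]::Round($worst, 3)
    NotBeforeSkewMin = $trust.NotBeforeSkew
    WithinTolerance  = ($worst -le $allowedSec)
}
```

If WithinTolerance comes back false with NotBeforeSkew at 0, raising the skew by a minute or two on the trust is the quick fix; the durable one is pointing both parties at a common, stratum-consistent source, since a large skew also widens the window in which a replayed assertion is still accepted.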

EPBarrus (Author) Commented:
Hi Guy,

Thank you for replying.  I haven't installed ADFS Proxy.  The setup I have is on a new W2012 server on our VM, it is attached to the same internal .local domain that I am working on.  I am trying to get https://adfs.mycompany.co.uk working from the outside on this server.  As far as IIS goes I can browse to that site ok without any certificate errors.

When I run setspn -L my server I get:

Registered ServicePrincipalNames for CN=Server, OU=Computers, OU=Company,DC=OurDC,DC=local:
TERMSRV/ourserver.company.local
TERMSRV/ourserver
WSMAN/ourserver.company.local
WSMAN/ourserver
RestrictedKrbHost/ourserver.company.local
HOST/ourserver.company.local
RestrictedKrbHost/ourserver
HOST/ourserver

Not sure I like the look of the RestrictedKrbHost entries.

Anyway I have put my adfs service user into the local admins and I am testing from the local server, from my own office PC and via my phone with Wifi disabled.  All browsing to https://adfs.mycompany.co.uk/adfs/ls/IdpInitiatedSignon.aspx results in a sign in page ok but trying to get past that page results in 'There was a problem - Reference number: 80f199ab-5d7c-422d-be19-25816203891a' etc.

The whole purpose of this is we are running a trial of Citrix Sharefile and want to get Single Sign-on working.  Their guys have already spent hours on this and they have dumped it firmly back in the Microsoft camp.

I can also confirm that the clocks on my PC and the adfs server match.  And finally in ADFS Management, the service communications , token decrypting and token signing certs all are valid into 2016 without errors.

Alistair
EPBarrus (Author) Commented:
Hi again,

Just got some update information to add after all this testing.  Currently I can browse to https://adfs.mycompany.co.uk/adfs/ls/IdpInitiatedSignon.aspx on the back end adfs server and get it to ask for AD credentials - it then asks for a script to run but successfully bounces me over to the Sharefile.com site logged in ok.

Annoyingly it doesn't work if I try this from another machine or if I try via https://mycompany.sharefile.com but it is a partial success.

Really appreciate your help with this, I am going to turn my attention to our UTM box to see if there is anything there blocking port 1501.

Hopefully sometime in the next few days I will be able to post how it has gone.  Certainly heading in the right direction.

Alistair
Guy Lidbetter Commented:
Great to hear there's progress with this... any more questions, just throw them over...
EPBarrus (Author) Commented:
Although I am not 100% certain how I got all this working, Guy has been really helpful in clearly pointing me towards the right sort of areas to check.