Event ID 111 Source AD FS 2.0 server has to have service restarted once a month.

Was actually told by Microsoft Tech Support to do scheduled reboots once a week.  That does not seem correct.
We have 2 ADFS servers and 2 proxy ADFS servers.

The Federation Service encountered an error while processing the WS-Trust request. 
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue 

Additional Data 
Exception details: 
Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the 'domain/username' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: There are currently no logon servers available to service the logon request
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
   at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)

System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the 'domain/username' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: There are currently no logon servers available to service the logon request
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
   at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)

System.ComponentModel.Win32Exception: There are currently no logon servers available to service the logon request

Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the 'domain/username' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: There are currently no logon servers available to service the logon request


Restarting the AD FS 2.0 Windows Service fixes the issue

Thank you for your time!
K.B.
Asked by: K B

Vasil Michev (MVP) commented:
First of all, you are not supposed to use domain/username, this will not work with SSO for O365. Use UPN instead. The error by itself indicates a NETLOGON issue, most likely due to DNS resolution/routing. There's an extensive list of possible causes here: http://blogs.technet.com/b/askpfeplat/archive/2013/01/28/quick-reference-troubleshooting-netlogon-error-codes.aspx#_Toc345694514
0
K B (author) commented:
Vasil,

Thank you for the reply. The majority of the error messages do have the UPN; I do not know why I grabbed that example.

I cannot really find why this domain controller is giving an issue. It seems identical to the other domain controllers that the other ADFS servers are authenticated to. Any ideas?
0
K B (author) commented:
Replication seems fine. DNS seems to be okay. All that happens is that we restart the ADFS service and that ADFS node starts working again.
0
Vasil Michev (MVP) commented:
Go over the list in the article I linked; it's most likely something in the network layer. When it happens next time, check the actual Netlogon-related entries in the event log and see if they show some additional info.
0
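One way to do the correlation Vasil suggests the next time it happens, as an added example that is not part of this thread: pull the Event ID 111 entries from the AD FS 2.0 admin log, list the Netlogon entries from the System log that landed within a few minutes of each one, and then run the live DC-locator and secure-channel checks on the affected node. The log name `AD FS 2.0/Admin`, the System-log provider name `NETLOGON`, the time window, and the use of `$env:USERDNSDOMAIN` as the domain are my assumptions, not values from the thread.

```powershell
# Added triage script (not from the thread). Run in an elevated PowerShell
# session on the AD FS node that logged Event ID 111.
# Assumptions: AD FS 2.0 writes to 'AD FS 2.0/Admin'; Netlogon writes to the
# System log under provider 'NETLOGON'; the machine's domain is USERDNSDOMAIN.

function Get-AdfsLogonServerFailures {
    param([datetime]$Since)
    # Event ID 111 entries whose message carries the Win32 error from the question
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 111; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'no logon servers available' }
}

function Get-NetlogonEventsNear {
    param([datetime]$Center, [int]$WindowMinutes, [datetime]$Since)
    # Netlogon entries (secure-channel / DC-locator problems) within +/- WindowMinutes of Center
    $lo = $Center.AddMinutes(-$WindowMinutes)
    $hi = $Center.AddMinutes($WindowMinutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $lo -and $_.TimeCreated -le $hi }
}

function Show-AdfsNetlogonCorrelation {
    param([int]$LookbackHours = 24, [int]$WindowMinutes = 5)
    $since = (Get-Date).AddHours(-$LookbackHours)
    $failures = @(Get-AdfsLogonServerFailures -Since $since)
    Write-Host ("AD FS Event ID 111 'no logon servers' entries in last {0}h: {1}" -f $LookbackHours, $failures.Count)

    foreach ($f in $failures) {
        $nearby = @(Get-NetlogonEventsNear -Center $f.TimeCreated -WindowMinutes $WindowMinutes -Since $since)
        # New-Object PSObject keeps this working on the PowerShell 2.0 that ships with 2008 R2
        New-Object PSObject -Property @{
            AdfsFailureTime   = $f.TimeCreated
            NetlogonEventIds  = ($nearby | ForEach-Object { $_.Id }) -join ','
            NetlogonMessages  = ($nearby | ForEach-Object { ($_.Message -split "`n")[0] }) -join ' | '
        }
    }
}

function Test-NodeDcReachability {
    # Live checks from this node: which DC does the locator return, is the
    # secure channel healthy, and does DNS still advertise DC SRV records?
    $domain = $env:USERDNSDOMAIN
    Write-Host "== DC locator (nltest /dsgetdc) for $domain =="
    nltest /dsgetdc:$domain
    Write-Host "== Secure channel status (nltest /sc_query) =="
    nltest /sc_query:$domain
    Write-Host "== Test-ComputerSecureChannel =="
    Test-ComputerSecureChannel -Verbose
    Write-Host "== DNS SRV records for DCs =="
    nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
}

# Usage: correlate the last day of failures, then run the live checks.
Show-AdfsNetlogonCorrelation -LookbackHours 24 -WindowMinutes 5 | Format-Table -AutoSize
Test-NodeDcReachability
```

If the Netlogon column is empty for every failure, widen `-WindowMinutes` before concluding that Netlogon was silent; if the live `nltest /dsgetdc` call returns a different DC from the one the failing node was using, that difference (site assignment, DNS answer, routing) is where Vasil's list from the linked article applies.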
