Saturday, 31 August 2013

ADFS issues - ID3242: The security token could not be authenticated or authorized.

What a load of fun I had yesterday with ADFS. For some unknown reason, working web services stopped working today and after a lot of pleading we managed to get the logs from the ADFS server, which was showing this error:

 ID3242: The security token could not be authenticated or authorized.

After a lot of soul searching and hair pulling, we realized that the issue might be with the encryption certificate as the ADFS server cannot get to the CRL distribution point of the encryption certificate, due to the firewall.

This can be sorted out with these commands:
Add-PSSnapin Microsoft.ADFS.PowerShell (Import-Module ADFS - if using Win2k12 R2)  
Set-ADFSRelyingPartyTrust -TargetName <name> -EncryptionCertificateRevocationCheck None 
Set-ADFSRelyingPartyTrust -TargetName <name> -SigningCertificateRevocationCheck None 
We also set the signing certificate revocation check to none, although I think this is not needed, but there seems to be some reluctance to remove it.

Edit:

I write most of my posts well in advance and I'm not 100% that this is entirely correct. I'd like to say that I will check to make sure, but it's extremely unlikely.

Edit 2:

In our case it seems that this is indeed the solution as the ADFS server cannot get to the CRL Distribution Point, which causes issues :), which is why disabling the Revocation Checks on the certificates works.

1 comment:

  1. The problem appears to be that authentication now necessitates a UPN (user principal name / MSDN – User Name Formats) login as a result of ADFS's upgrade.
    Solution: If you have an on-premises installation of Microsoft Dynamics CRM, you might need to install a new certificate on the server.

    The answer is right here, exactly. https://kodlogs.net/193/id3242-the-security-token-could-not-be-authenticated-or-authorized

    ReplyDelete