AD FS 4.0, Custom MFA Provider, International locales, and style sheet exception

  • Question

  • We created a custom MFA plugin for AD FS 3 (2012 R2) using the articles https://msdn.microsoft.com/en-us/library/dn783423.aspx and https://blogs.msdn.microsoft.com/jenfieldmsft/2014/03/24/build-your-own-external-authentication-provider-for-ad-fs-in-windows-server-2012-r2-walk-through-part-1/ as references.

    The same plugin works on AD FS 4 (2016), except when the client language is set to something other than US English. Then an exception is observed with a message about a missing style sheet for that locale. 

    Any ideas? There is no updated version of the two reference articles for AD FS 4 on Server 2016 that I can find. I also opened a case with MS Premier Support last September asking if they were aware of any changes to custom authentication methods for AD FS 4 and they were not.

    The full exception:

    Description:
    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    Microsoft.IdentityServer.Web.WebConfigurationException: No style sheet is configured in the active theme for default locale [en-GB/2057].
       at Microsoft.IdentityServer.Web.UI.ThemeAuthoringEngine.PrepareTheme()
       at Microsoft.IdentityServer.Web.UI.PageBase.get_ThemeAuthoringEngine()
       at Microsoft.IdentityServer.Web.Authentication.External.AdapterPresentationManager.get_ResponseCulture()
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


    • Edited by MSDevDS Thursday, May 25, 2017 4:09 PM
    Thursday, May 25, 2017 3:56 PM

Answers

  • Create a .reg file with the following content:

    Windows Registry Editor Version 5.00
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International]
    "Locale"="00000409"
    "LocaleName"="en-US"
    "s1159"="AM"
    "s2359"="PM"
    "sCountry"="United States"
    "sCurrency"="$"
    "sDate"="/"
    "sDecimal"="."
    "sGrouping"="3;0"
    "sLanguage"="ENU"
    "sList"=","
    "sLongDate"="dddd, MMMM d, yyyy"
    "sMonDecimalSep"="."
    "sMonGrouping"="3;0"
    "sMonThousandSep"=","
    "sNativeDigits"="0123456789"
    "sNegativeSign"="-"
    "sPositiveSign"=""
    "sShortDate"="M/d/yyyy"
    "sThousand"=","
    "sTime"=":"
    "sTimeFormat"="h:mm:ss tt"
    "sShortTime"="h:mm tt"
    "sYearMonth"="MMMM yyyy"
    "iCalendarType"="1"
    "iCountry"="1"
    "iCurrDigits"="2"
    "iCurrency"="0"
    "iDate"="0"
    "iDigits"="2"
    "NumShape"="1"
    "iFirstDayOfWeek"="6"
    "iFirstWeekOfYear"="0"
    "iLZero"="1"
    "iMeasure"="1"
    "iNegCurr"="0"
    "iNegNumber"="1"
    "iPaperSize"="1"
    "iTime"="0"
    "iTimePrefix"="0"
    "iTLZero"="0"
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International\Geo]
    "Nation"="244"
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International\User Profile]
    "Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00
    "ShowAutoCorrection"=dword:00000001
    "ShowTextPrediction"=dword:00000001
    "ShowCasing"=dword:00000001
    "ShowShiftLock"=dword:00000001
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International\User Profile\en-US]
    "0409:00000409"=dword:00000001
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International\User Profile System Backup]
    "Languages"=hex(7):65,00,6e,00,2d,00,55,00,53,00,00,00
    "ShowAutoCorrection"=dword:00000001
    "ShowTextPrediction"=dword:00000001
    "ShowCasing"=dword:00000001
    "ShowShiftLock"=dword:00000001
    
    [HKEY_USERS\S-1-5-21-4069415233-2330438878-1236157477-2602\Control Panel\International\User Profile System Backup\en-US]
    "0409:00000409"=dword:00000001
    
    

    Of course, replace the SID with the SID of your service account for ADFS and merge that file on your ADFS nodes.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, September 8, 2017 6:32 PM
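
The SID substitution the answer describes, as an added PowerShell example that is not part of the original post. It assumes the AD FS Windows service is registered as `adfssrv` and that the answer's .reg text has been saved unchanged as `adfs-locale-template.reg`; that file name and the output and backup file names are hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated prompt on each AD FS node.
$ErrorActionPreference = 'Stop'
$templateSid = 'S-1-5-21-4069415233-2330438878-1236157477-2602'  # SID used in the answer
$template    = '.\adfs-locale-template.reg'   # hypothetical: the answer's .reg text, saved as-is
$output      = '.\adfs-locale.reg'            # hypothetical output name
$backup      = '.\international-backup.reg'   # hypothetical backup name

# 1. Resolve the account the AD FS service runs as (assumes service name 'adfssrv').
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "Service 'adfssrv' not found on this node." }
$account = $svc.StartName
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
if ($sid -notmatch '^S-1-5-21-') {
    throw "'$account' resolves to $sid, which is not a domain account SID."
}
"AD FS service account: $account ($sid)"

# 2. Show the locale currently stored in that account's profile hive.
$key = "Registry::HKEY_USERS\$sid\Control Panel\International"
if (-not (Test-Path -LiteralPath $key)) {
    # The profile hive must be loaded (for example while the service is running)
    # before a merge can write under HKEY_USERS\<SID>.
    throw "HKEY_USERS\$sid\Control Panel\International is not available on this node."
}
$cur = Get-ItemProperty -LiteralPath $key
"Current: LocaleName=$($cur.LocaleName) Locale=$($cur.Locale)"

# 3. Write a copy of the template with the answer's SID replaced by this account's SID.
$text = Get-Content -LiteralPath $template -Raw
if ($text -notmatch [regex]::Escape($templateSid)) {
    throw "Template SID not found in $template."
}
$text.Replace($templateSid, $sid) | Set-Content -LiteralPath $output -Encoding Unicode

# 4. Back up the existing values, then merge the rewritten file.
reg.exe export "HKU\$sid\Control Panel\International" $backup /y
reg.exe import $output

# 5. Confirm the profile now reports en-US.
$new = Get-ItemProperty -LiteralPath $key
"After merge: LocaleName=$($new.LocaleName) Locale=$($new.Locale)"
```

The merge only changes regional settings under the service account's own profile hive, so it involves no change to the account's group memberships.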

All replies

  • Same issue!
    Friday, May 26, 2017 1:25 PM
  • I also have the same issue, any news?
    Friday, June 16, 2017 8:37 AM
  • Hi

    I got the same issue and found a solution:

    Encountered error during federation passive request.

    Additional Data
    Protocol Name: wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    Microsoft.IdentityServer.Web.WebConfigurationException: No style sheet is configured in the active theme for default locale [nl-BE/2067].
       at Microsoft.IdentityServer.Web.UI.ThemeAuthoringEngine.PrepareTheme()
       at Microsoft.IdentityServer.Web.UI.PageBase.get_ThemeAuthoringEngine()
       at Microsoft.IdentityServer.Web.Authentication.External.AdapterPresentationManager.get_ResponseCulture()
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    We are using Win2016 servers with ADFS 4.0.
    Our MFA provider only supports en-US/1033 for their webpage.

    The MFA webpage works when the preferred language setting of the user who is accessing the webpage is set to en-US as well, or when Firefox/Chrome is used instead of IE.

    IE is using the HTML header locale of the accessing user for the MFA webpage and therefore fails because it does not exist; in Chrome and Firefox it switches to the one that is available.

    I found out that this only happens when you run the "Active Directory Federation Service" service with the Local System Account user or the Domain Built-in Administrator.

    So if you create a Domain Admin and let the service run with it, you do not encounter the above problems at all.
    Seems to me like a Microsoft bug.


    Thursday, June 29, 2017 12:16 PM
  • We are having this same issue but we're using a Group-Managed Service Account. I guess I'll have to reinstall the farm to use an 'ordinary' service account then :S

    Has anyone bothered opening a support case for this yet? Kinda curious what MS has to say.

    Wednesday, August 2, 2017 10:02 AM
  • Unfortunately this doesn't fix anything for us. I've reconfigured the farm to run under a normal service account instead of a group-managed service account and also made the service account domain admin. But we keep getting the same error:

    Exception details: 
    Microsoft.IdentityServer.Web.WebConfigurationException: No style sheet is configured in the active theme for default locale [nl-NL/1043].
       at Microsoft.IdentityServer.Web.UI.ThemeAuthoringEngine.PrepareTheme()
       at Microsoft.IdentityServer.Web.UI.PageBase.get_ThemeAuthoringEngine()
       at Microsoft.IdentityServer.Web.Authentication.External.AdapterPresentationManager.get_ResponseCulture()
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    
    
    Any other suggestions anyone?

    Friday, September 8, 2017 9:39 AM
  • This did the trick in our case, thanks!

    Best regards,

    Enrico

    Monday, September 18, 2017 11:12 AM
  • Hi,

    We used this solution initially for a regular service account and used it later again when we moved to a gMSA. In both cases it worked perfectly!

    Thanks!

    regards,

    jorge


    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies

    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Monday, October 15, 2018 11:18 PM