Token Validation failed when using SMAAccount (Domain\username) event ID: 342

  • Question

  • I have recently installed ADFS 4.0 and everything works fine. One issue is that when a user logs in with domain\username (SMA Account) it gives "Token validation failed", and in Event Viewer I can see event ID 342 (Token Validation Failed), but everything works fine if I use the UPN username@domain.com. Any thought on what rule I need to add to ADFS?

    Error: 

    Token validation failed.  

    Additional Data 

    Token Type: 
    http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 
    %Error message: 
    UserName -The user name or password is incorrect 

    Exception details: 
    System.IdentityModel.Tokens.SecurityTokenValidationException: esanchez ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateTokenInternal(UsernameAuthenticationContext usernameAuthenticationContext, SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MsisLocalCpUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Tokens.LsaLogonUserHelper.GetLsaLogonUser(String domain, String username, String password, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ValidateUser(IAuthenticationContext context)

    Thank you, 

    Wednesday, May 24, 2017 4:55 PM

All replies

  • This error is coming from LSASS. On the ADFS server, check whether your user can authenticate using the domain\user format.

    On an elevated command prompt, run the following command:

    runas /user:domain\username cmd.exe

    Check whether the authentication also fails here.

    Thursday, July 13, 2017 8:03 AM
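One way to triage these failures from the AD FS Admin log before running the manual runas check, as an added example that is not from the thread: it parses the Token Type, Error message and rejected account out of event 342 text in the format shown in the question, so you can see which accounts and name formats are failing. The log name 'AD FS/Admin' is assumed (the default on Windows Server 2016), and the sample record is constructed.

```powershell
# Added example (not from the thread): parse AD FS event ID 342 messages into
# structured fields so failures can be grouped by account and error text.

function ConvertFrom-AdfsTokenFailure {
    param([Parameter(Mandatory)][string]$Message)
    # The event text puts the value on the line after "Token Type:" and after
    # "%Error message:" (see the question); \s+ spans the line break.
    $tokenType = if ($Message -match 'Token Type:\s+(\S+)') { $Matches[1] } else { $null }
    $errorMsg  = if ($Message -match 'Error message:\s+(.+)') { $Matches[1].Trim() } else { $null }
    # The exception line names the account that LSASS rejected.
    $account   = if ($Message -match 'SecurityTokenValidationException:\s*(\S+)\s*--->') { $Matches[1] } else { $null }
    [pscustomobject]@{
        TokenType    = $tokenType
        ErrorMessage = $errorMsg
        Account      = $account
    }
}

function Get-AdfsTokenFailures {
    # Reads event 342 from the AD FS Admin log (log name assumed) for the last N hours.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'AD FS/Admin'; Id = 342; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        ConvertFrom-AdfsTokenFailure -Message $_.Message |
            Add-Member -NotePropertyName TimeCreated -NotePropertyValue $_.TimeCreated -PassThru
    }
}

# Constructed sample modelled on the event text in the question; CONTOSO\jdoe is a placeholder.
$sample = @"
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
UserName -The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: CONTOSO\jdoe ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
"@

ConvertFrom-AdfsTokenFailure -Message $sample | Format-List

# On an AD FS server, group the last day's failures to see whether only
# domain\username logons are affected, as in the question:
# Get-AdfsTokenFailures | Group-Object Account, ErrorMessage | Select-Object Count, Name
```

If every failing Account lacks an @ while UPN logons never appear in the log, the problem is confined to the domain\username path that the runas check exercises.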
  • Hi Jai,

    Encountered the same error. What if runas /user:domain\username cmd.exe is failing?


    Regards | Jack

    Monday, August 14, 2017 12:19 PM