On ADFS 3.0, HTTP Redirect Binding Fails when MFA is enabled for traffic via Web Application Proxy

  • Question

  • Hi,

    We have an ADFS 3.0 farm and Win Server 2012 R2 Web Application Proxy servers.

    When we use the HTTP Redirect binding method for a particular Relying Party, and turn on MFA, then we get the error message as shown below:

    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature.

    However, when we refresh the browser, we can authenticate to the Relying Party using the SSO Cookie that was downloaded on the machine during the ADFS authentication process.

    HTTP Post binding method works with MFA for this Relying Party.
    HTTP Redirect binding method works when we disable MFA for the Relying Party.

    We are using SHA-1 for signing the HTTP Redirect SAML Requests.

    This is exactly the same situation as described in these articles:
    https://authenticationfactor.wordpress.com/tag/msis0038-saml-message-has-wrong-signature/
    https://social.technet.microsoft.com/Forums/en-US/4acc04b7-aac7-43e9-ba50-9570503045f9/msis0038-saml-message-has-wrong-signature
    https://help.salesforce.com/apex/HTViewSolution?id=000187898&language=en_US

    However, none of these ADFS hotfixes can be installed on our servers; they fail with the "The Update is not applicable to your computer" error message.

    Our ADFS servers and Web Application Proxy servers have been patched with the latest Microsoft Updates last weekend.

    Are there any other hotfixes specifically for Windows Server 2012 R2 that may resolve this?

    Tuesday, April 5, 2016 2:33 PM

All replies

  • Do you mind sharing a sanitized Fiddler capture? As well as the different error messages you get in the logs?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, April 8, 2016 9:00 PM
  • Any update?

    Friday, April 15, 2016 2:23 PM
  • Hi Pierre,

    Sorry about the late reply.


    The problem we are experiencing is referenced here:

    https://help.salesforce.com/apex/HTViewSolution?id=000187898&language=en_US

    https://social.technet.microsoft.com/Forums/en-US/4acc04b7-aac7-43e9-ba50-9570503045f9/msis0038-saml-message-has-wrong-signature

    However, the MS hotfix referenced there applies to ADFS 2.0:

    https://support.microsoft.com/en-gb/kb/2896713


    Is there an equivalent MS hotfix for ADFS 3.0?

    Wednesday, May 4, 2016 10:01 AM
  • MFA Enabled

    When we have MFA Enabled, the ADFS authentication fails. 

    The SAML messages for that are shown below:

    # 4 - SAMLResponse via post binding, at 2016-05-03 12:50:57.708Z (UTC)

    <samlp:Response ID="_2756d775-4380-4aec-9035-ec8cde3a8e0f"
           Version="2.0"
           IssueInstant="2016-05-03T12:50:57.322Z"
           Destination="https://brunswickgroup.cloudforce.com?so=00D24000000g51o"
           Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified"
           InResponseTo="_2CAAAAVUG3ZyBME8wMjQwMDAwMDA0Qzk1AAAAyKUek3Cbut98IUphJtw6LRx6X0WbUG9tKrEbeHWoYc4a0XZAug2CxXVSyejZh--iA3vMIXMuR0_DOO9RhpOB3m1ZU4v9wDB-z-2uiqv1kguDqmFkQF2CM-ttLLZ4NjKqbzG5b-F6wzDdmJTEjCGVu64koRiPF4ngM17EZjKT2TYfQ0NgYB7vJzR_dd6G-XcYslvJViYxjV02D87a4lGDPNf3w-GOy5j9oTRvhy0P6D47VeHlmzaW9LK6GgXiMRxQVA"
           xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
      <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.brunswickgroup.com/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#_2756d775-4380-4aec-9035-ec8cde3a8e0f">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>c87tDGmaG0DZiI3m8onTPa0nRe8=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>ODeHq3a2QCKpf1rs4W9sI3dS9/dL7Qk4u+Z491xDHJRvNbxZIbPirs/+5bLW8Nvywe541z4Af3SCM8UBq86yfj2SE1yxNkyRkwrO2WkJqWkcdAP7FCMS5P/OLHlTmNDw6LX371Uq/P4MFg9fRLIOFsyn19r4sD7l5mV6Ugm87NB5SVu8MuzZ0g393xPKDmjAkeKMlveaO2Ab7kI5v+VTaA+lIrqc5XsSoOOfRR0hm4sTnFeCY/mPeQ+0AI5/Cmt4mcKcEA1rROK3I9ow6sOnNOpFwENywO1tEy/noGd/0Kh7QJJqfdx+J8ZYNSmlL+5Yt5d7jiW+QMP8sxHMdomxYg==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Data>
            <ds:X509Certificate>MIIC6jCCAdKgAwIBAgIQecyO/4XaWrdGb7lG4LlNzjANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDEyZBREZTIFNpZ25pbmcgLSBhZGZzLmJydW5zd2lja2dyb3VwLmNvbTAeFw0xNTExMDQyMjM2MDRaFw0xNjExMDMyMjM2MDRaMDExLzAtBgNVBAMTJkFERlMgU2lnbmluZyAtIGFkZnMuYnJ1bnN3aWNrZ3JvdXAuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjfW4sGgqtGQ7207Ydqlsp/vBSfuqHbm8y7RQ7UpALkFT6b/zwK1/YYBeCK1EEcm/d8hyl1+QMiP4/HeEUkTssGXwTMCCFjcD38ilFDsGjJ2/cp7frIubwbten8aif+4aGEUXF9/xQdJS1e/tfLMnMIwfwB6Uwwiup9fQZiYJpWYBzx/VDJ849pzq5NvllgLyWc+FZq+6+8E2PbkUT6PTmxVlvEQISpYV7tDMLlqmxeE58eQv2t1JldjuQ8WO6sJem73g5EGQ2M+PxBTtVcJxh0YYJm+JdsX9Sy0/uKiY8GzQF7RKceBgi568gLVewxQVQMd8B9TzVBNCyUP9QipE6QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCDpo8RWjaApviQr+SPNO69R9ZffgBfRUFfGcIW3Yh4Gqmb9a8fYjSd/GnGNN9nHJt9ifF74H2fKViSrNeI5DNZjdYUhJhZwsyMyktYiVMbxvOieDl9TaA3rSiPZkxAIda9eQNKykY0HoKCo0acdn6kyHbxsBQaI74eDJcSaP+W85hlnDVCSrSuu+10D6Ggef8IbSKjpLZ2Y8g/YG4Kf6lhyZcXIBTYBDlieM1yfDlRsL/5Ch2F55qXSezosifcVsbfwrx+gVZrRf/aisRny7Ze3vsJqeXZ+yYYu8Vatetls5G+hG+Q7TZzhQOvUO5YKerPRfvbqqUGsztX6eP6oJwJ</ds:X509Certificate>
          </ds:X509Data>
        </KeyInfo>
      </ds:Signature>
      <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
      </samlp:Status>
    </samlp:Response>

    RelayState: /

    # 3 - SAMLRequest via redirect binding, at 2016-05-03 12:50:57.561Z (UTC)

    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
           AssertionConsumerServiceURL="https://brunswickgroup.cloudforce.com?so=00D24000000g51o"
           Destination="https://adfs.brunswickgroup.com/adfs/ls/"
           ID="_2CAAAAVUG3ZyBME8wMjQwMDAwMDA0Qzk1AAAAyKUek3Cbut98IUphJtw6LRx6X0WbUG9tKrEbeHWoYc4a0XZAug2CxXVSyejZh--iA3vMIXMuR0_DOO9RhpOB3m1ZU4v9wDB-z-2uiqv1kguDqmFkQF2CM-ttLLZ4NjKqbzG5b-F6wzDdmJTEjCGVu64koRiPF4ngM17EZjKT2TYfQ0NgYB7vJzR_dd6G-XcYslvJViYxjV02D87a4lGDPNf3w-GOy5j9oTRvhy0P6D47VeHlmzaW9LK6GgXiMRxQVA"
           IssueInstant="2016-05-03T12:50:35.132Z"
           ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
           Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://brunswickgroup.cloudforce.com</saml:Issuer>
    </samlp:AuthnRequest>

    RelayState: /
    SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    Signature: bKF0FvFLtaro8F7bp/shdl6j+liWx0ITTaEOS1NMVmXm9y6+RRP16spjQ0S/myGhiDwRyDSQd6reYl2J2604YXExBjx1B2K9+Ac0WrqC/gQ5vx7fgX+O9XiKwWt6yzPpuYE4djAeENJKRF2mXcXx29usGjR1l7sGgE3YWEaQyHDwQSszhaA3vBQWwRE7rqgx3nFxPeb98j9IfjIEs88g7TGHTsKL4FzM2/9vg2qsDMBT+iWvxSh0urEIU7gL+vDYOrvMfKmhYH7Mi49/UNZ/zcNP6EA5wTArcbO7JXV/d9eozhWUxI5QsqS3Te9pP2BDvAovIp9yMBNvekchcHEwfQ==

    # 2 - SAMLRequest via redirect binding, at 2016-05-03 12:50:43.983Z (UTC)

    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
           AssertionConsumerServiceURL="https://brunswickgroup.cloudforce.com?so=00D24000000g51o"
           Destination="https://adfs.brunswickgroup.com/adfs/ls/"
           ID="_2CAAAAVUG3ZyBME8wMjQwMDAwMDA0Qzk1AAAAyKUek3Cbut98IUphJtw6LRx6X0WbUG9tKrEbeHWoYc4a0XZAug2CxXVSyejZh--iA3vMIXMuR0_DOO9RhpOB3m1ZU4v9wDB-z-2uiqv1kguDqmFkQF2CM-ttLLZ4NjKqbzG5b-F6wzDdmJTEjCGVu64koRiPF4ngM17EZjKT2TYfQ0NgYB7vJzR_dd6G-XcYslvJViYxjV02D87a4lGDPNf3w-GOy5j9oTRvhy0P6D47VeHlmzaW9LK6GgXiMRxQVA"
           IssueInstant="2016-05-03T12:50:35.132Z"
           ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
           Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://brunswickgroup.cloudforce.com</saml:Issuer>
    </samlp:AuthnRequest>

    RelayState: /
    SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    Signature: bKF0FvFLtaro8F7bp/shdl6j+liWx0ITTaEOS1NMVmXm9y6+RRP16spjQ0S/myGhiDwRyDSQd6reYl2J2604YXExBjx1B2K9+Ac0WrqC/gQ5vx7fgX+O9XiKwWt6yzPpuYE4djAeENJKRF2mXcXx29usGjR1l7sGgE3YWEaQyHDwQSszhaA3vBQWwRE7rqgx3nFxPeb98j9IfjIEs88g7TGHTsKL4FzM2/9vg2qsDMBT+iWvxSh0urEIU7gL+vDYOrvMfKmhYH7Mi49/UNZ/zcNP6EA5wTArcbO7JXV/d9eozhWUxI5QsqS3Te9pP2BDvAovIp9yMBNvekchcHEwfQ==

    # 1 - SAMLRequest via redirect binding, at 2016-05-03 12:50:35.369Z (UTC)

    <?xml version="1.0" encoding="UTF-8"?>
    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
           AssertionConsumerServiceURL="https://brunswickgroup.cloudforce.com?so=00D24000000g51o"
           Destination="https://adfs.brunswickgroup.com/adfs/ls/"
           ID="_2CAAAAVUG3ZyBME8wMjQwMDAwMDA0Qzk1AAAAyKUek3Cbut98IUphJtw6LRx6X0WbUG9tKrEbeHWoYc4a0XZAug2CxXVSyejZh--iA3vMIXMuR0_DOO9RhpOB3m1ZU4v9wDB-z-2uiqv1kguDqmFkQF2CM-ttLLZ4NjKqbzG5b-F6wzDdmJTEjCGVu64koRiPF4ngM17EZjKT2TYfQ0NgYB7vJzR_dd6G-XcYslvJViYxjV02D87a4lGDPNf3w-GOy5j9oTRvhy0P6D47VeHlmzaW9LK6GgXiMRxQVA"
           IssueInstant="2016-05-03T12:50:35.132Z"
           ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
           Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://brunswickgroup.cloudforce.com</saml:Issuer>
    </samlp:AuthnRequest>

    RelayState: /
    SigAlg: http://www.w3.org/2000/09/xmldsig#rsa-sha1
    Signature: bKF0FvFLtaro8F7bp/shdl6j+liWx0ITTaEOS1NMVmXm9y6+RRP16spjQ0S/myGhiDwRyDSQd6reYl2J2604YXExBjx1B2K9+Ac0WrqC/gQ5vx7fgX+O9XiKwWt6yzPpuYE4djAeENJKRF2mXcXx29usGjR1l7sGgE3YWEaQyHDwQSszhaA3vBQWwRE7rqgx3nFxPeb98j9IfjIEs88g7TGHTsKL4FzM2/9vg2qsDMBT+iWvxSh0urEIU7gL+vDYOrvMfKmhYH7Mi49/UNZ/zcNP6EA5wTArcbO7JXV/d9eozhWUxI5QsqS3Te9pP2BDvAovIp9yMBNvekchcHEwfQ==

    Wednesday, May 4, 2016 10:09 AM
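The captured messages above show the four pieces of the SAML 2.0 HTTP-Redirect binding: a deflated, base64-encoded SAMLRequest, a RelayState, a SigAlg, and a detached Signature carried as a separate query parameter. What the signature covers is not the XML but the literal URL-encoded octet string "SAMLRequest=...&RelayState=...&SigAlg=..." as it appears in the query (SAML 2.0 Bindings, section 3.4.4.1), so an identity provider can only verify it by rebuilding that string from the raw, still-encoded query it received. Any hop that decodes and re-serialises the query with a different escaping policy changes the signed bytes while leaving the decoded AuthnRequest intact, which is exactly the symptom of a "wrong signature" error on a request whose XML looks fine. The script below is an added worked example written for this page; it is not code from the thread, from ADFS, or from Salesforce, and the thread does not establish that re-encoding is the cause of the MSIS0038 error reported here. The RSA key is a toy built from two Mersenne primes so the script runs on the Python standard library alone (it is trivially factorable and must never be reused), and the AuthnRequest, hosts and IDs are constructed placeholders.

```python
import base64
import hashlib
import zlib
from urllib.parse import parse_qsl, quote, unquote, urlencode

RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1).
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

# Toy RSA key from two Mersenne primes so no third-party crypto library is needed.
# It is trivially factorable: illustration only, never reuse it.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
N, E = _P * _Q, 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def _emsa_pkcs1_v15_sha1(data: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data), which xmldsig#rsa-sha1 requires."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def rsa_sha1_sign(data: bytes) -> bytes:
    return pow(_emsa_pkcs1_v15_sha1(data), D, N).to_bytes(K, "big")


def rsa_sha1_verify(data: bytes, signature: bytes) -> bool:
    return pow(int.from_bytes(signature, "big"), E, N) == _emsa_pkcs1_v15_sha1(data)


def encode_request(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, as the Redirect binding requires."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()


def decode_request(b64: str) -> str:
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def build_signed_query(xml: str, relay_state: str) -> str:
    """SP side: sign the URL-encoded octet string, then append Signature=."""
    signed = urlencode([("SAMLRequest", encode_request(xml)),
                        ("RelayState", relay_state),
                        ("SigAlg", RSA_SHA1)])
    sig = base64.b64encode(rsa_sha1_sign(signed.encode())).decode()
    return signed + "&Signature=" + quote(sig, safe="")


def _raw_params(query: str) -> dict:
    """Split the query WITHOUT decoding values: the encoded bytes are what was signed."""
    return dict(p.split("=", 1) for p in query.split("&") if "=" in p)


def verify_signed_query(query: str) -> bool:
    """IdP side: rebuild SAMLRequest=..&RelayState=..&SigAlg=.. from the raw query."""
    raw = _raw_params(query)
    if unquote(raw.get("SigAlg", "")) != RSA_SHA1 or "Signature" not in raw:
        return False
    signed = "&".join(f"{k}={raw[k]}" for k in ("SAMLRequest", "RelayState", "SigAlg") if k in raw)
    return rsa_sha1_verify(signed.encode(), base64.b64decode(unquote(raw["Signature"])))


def decoded_xml(query: str) -> str:
    return decode_request(unquote(_raw_params(query)["SAMLRequest"]))


def reencode_like_intermediary(query: str) -> str:
    """Parse and re-serialise the query with a different escaping policy, as a proxy
    or a second pass through a request pipeline might. '/' and ':' are left bare,
    so RelayState '%2F' becomes '/' and the signed bytes no longer match."""
    return urlencode(parse_qsl(query, keep_blank_values=True), safe="/:")


# Constructed sample; hosts and IDs are placeholders, not values from the thread.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2016-05-03T12:50:35Z" '
    'Destination="https://idp.example.com/adfs/ls/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)

if __name__ == "__main__":
    good = build_signed_query(SAMPLE_AUTHN_REQUEST, "/")
    bad = reencode_like_intermediary(good)
    print("original query verifies:  ", verify_signed_query(good))                  # True
    print("re-encoded query verifies:", verify_signed_query(bad))                   # False
    print("same XML after re-encode: ", decoded_xml(bad) == SAMPLE_AUTHN_REQUEST)  # True
```

To apply the same check to a real capture, take the query string exactly as the identity provider's listener received it (the Event 54 trace entry in the next post logs it in that form), feed it to verify_signed_query, and swap the toy verifier for the relying party's published signing certificate; if the decoded XML is identical between the first request and the one that fails after the MFA round trip but the raw query bytes differ, the signature mismatch is an encoding problem rather than a key or tampering problem.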
  • The ADFS tracing logs show that MFA authenticates successfully, but ADFS then throws an error for a wrong SAML signature:


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      54
    Task Category: None
    Level:         Information
    Keywords:      ADFSSTS
    User:          DOMAIN\xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
    Received request with following properties:

    2016-05-04 08:59:27 10.99.2.24 POST /adfs/ls/wia ?SAMLRequest=jZLbcqowFIZfhck9ChQ8MMUOoLZyUFCkhxuGQ0QEEpoEqT59re7OdO%2BLzl4z6yJZK%2F%2BflXz3Dx91xR0hoQVGGhB7AuAgSnFWoFwD22DOj8DD5J7GddWoesv2aA3fW0gZdzmHqHotaKAlSMUxLaiK4hpSlaXqRncdVeoJakMwwymuAKdTCgm7GJkY0baGZAPJsUjhdu1oYM9YQ9V%2BPyEtol2RljnBbdNLK9xmO0xS2Etx%2FUCxJghTSRaukSsiBtz0cp0Cxew6wbdMnO1o718tXF%2F3%2BxXtA24x1UAkmfolwq3jmqPQnY069%2BB37lT%2FSsE%2Fl%2BJX%2BeRYeobt48KBUFkrnr1Z7%2BQq4k2flM1B6ooc1iUdi93Si7Dx9rgU61hfy0XD7Hb1WiWmTaQUu3KEF%2BdVGjylz5bDFvo5fxyb9mvimyP2KM3G9imzx5kUZY5hRYZsMS8LhTI2LLYL7Go5jeHScxprVr40btJkES%2BZ7l5%2Fzw5p6xu7Qhm6a28gx9HAL%2BXT6zmMsqHBqny5PaJsL8CXwSYcJuFdMNu2q5MTzXnLhieS8N1wH68%2BrKfDttuhfIgWM3Mkno5UnC%2Bf6V3kmHP%2F8lqUtnCBKIsR04AkiANeUHhBDoSRqoxVUelJA%2FkNcN6f3zYKdGPoNzSSWxNVn4LA473VJgBc%2BM3ipQHcyFOv5uQHcr%2FLxt%2Bcgcl%2FUXXf%2F%2BEyua3%2Bpn3yCQ%3D%3D&RelayState=%2F&SigAlg=http:%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=fdlIBgK%2BD19XzalYkhb9FGZXDLnVC9%2F1srQtuq7THhBlTvKvc2w7bAeOLY%2FnZ7v1krPaWFU2VOOoAQ6J9da6E%2BAHmAxHbQ1XMaF%2FBVilGb5A37VKqzk%2BtEGSMdVe6GnNmQb8tckcbKD%2FDkB3XI1Cx2V3MUXrUcdcPGdv20AZVbN0j51xGfJdhTwpPBJK2vj2cg81kgS3cShyrLrjxwlbugJnBrGmHmvpgqwxfRx4Bn6CItlRK5V7%2BUmAEAXuOKyfxmjm1flJs8UmOCQYOledjA5C2twH7Yvu15U0%2F73xqPdapi9z06JaHuvWKvlx0En3Zc3bt%2F8FSaDv59el0aMfWA%3D%3D 443 - 10.101.0.56 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; Touch; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729; Tablet PC 2.0) - - - - 3409


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      155
    Task Category: None
    Level:         Information
    Keywords:      ADFSPassivePipeline
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
            ENTER: AuthenticationPolicyEvaluator.RequiresSecondStageAuthentication


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      155
    Task Category: None
    Level:         Information
    Keywords:      ADFSPassivePipeline
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
          Second stage authDomain: AuthenticationMethods:
      http://schemas.microsoft.com/ws/2012/12/authmethod/otp
    ProviderAuthInfoList:
      SafeNet-MFA
    UseProviderAuthInfoList: True


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      155
    Task Category: None
    Level:         Information
    Keywords:      ADFSPassivePipeline
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
        Processing authHandler , Identifier = Options. The request ID is 00000000-0000-0000-a7d9-0080020000e7.


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      69
    Task Category: None
    Level:         Information
    Keywords:      ADFSProtocol
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
        Authentication method: SafeNet-MFA.


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      185
    Task Category: None
    Level:         Information
    Keywords:      ExternalAuthentication
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
        Continuing authentication Identifier: SafeNet-MFA, ContextId: 71f8c1d3-58ae-44a9-ab7c-e15eb512040c


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      185
    Task Category: None
    Level:         Information
    Keywords:      ExternalAuthentication
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
        Claims returned from external auth adapter:
        Claim http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod: http://schemas.microsoft.com/ws/2012/12/authmethod/otp
    Identifier: SafeNet-MFA, ContextId: 71f8c1d3-58ae-44a9-ab7c-e15eb512040c


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      185
    Task Category: None
    Level:         Information
    Keywords:      ExternalAuthentication
    User:          DOMAIN\xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
        ExternalAuthenticationHandler.Process() returning external authentication token with claims:
        Claim http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod: http://schemas.microsoft.com/ws/2012/12/authmethod/otp
        Claim http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant: 2016-05-04T08:59:27.793Z
        Claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn: aanwar@brunswickgroup.com
        Claim http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid: S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxx-xxxxx
        Claim http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname: DOMAIN\xxxxxxxx
    Identifier: SafeNet-MFA, ContextId: 71f8c1d3-58ae-44a9-ab7c-e15eb512040c


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      54
    Task Category: None
    Level:         Information
    Keywords:      ADFSSTS
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
            ServiceHostManager.LogSuccessAuthenticationInfo: Token of type 'urn:externalauth' got successfully authenticated


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      47
    Task Category: None
    Level:         Error
    Keywords:      ADFSSamlProtocol
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
    Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://brunswickgroup.cloudforce.com'.
       at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      77
    Task Category: None
    Level:         Error
    Keywords:      ADFSWSFederation
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
    Unable to issue a token.


    Log Name:      AD FS Tracing/Debug
    Source:        AD FS Tracing
    Date:          04/05/2016 09:59:27
    Event ID:      153
    Task Category: None
    Level:         Error
    Keywords:      ADFSPassivePipeline
    User:          DOMAIN\ xxxxxxxxxx
    Computer:      SERVER.domain.com
    Description:
    Exception: MSIS0038: SAML Message has wrong signature. Issuer: 'https://brunswickgroup.cloudforce.com'.
    StackTrace:    at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Wednesday, May 4, 2016 10:11 AM
  • I see you are using the SafeNet-MFA provider. What does their support say?

    Friday, May 6, 2016 7:26 PM
  • Hey Abir,

    Did you ever find resolution to this? We're facing something extremely similar minus the MFA

    Saturday, May 28, 2016 7:12 PM
  • The whole issue is about MFA. So if you have the same without the MFA... it really isn't the same :)

    Please post a new message with your scenario and logs. Thanks!


    Sunday, May 29, 2016 9:22 PM