Event ID 1020 & 1021

Question
Our AD FS server is running on Windows 2012 R2 machine and we often get users who are unable to authenticate when signing on to Skype.
If they keep trying, they eventually get authenticated, and this is now becoming a little frustrating for us.
Having started to look into this, I figured the best place would be the AD FS server.
In the Event Logs, under AD FS/Admin, we see tons of errors being generated, mostly with Event IDs 1020 & 1021:
1020:
Encountered error during OAuth authorization request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidClientRedirectUriException: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'd3590ed6-52b3-4102-aeff-aad2292ab01c'. Received redirect_uri: 'ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c'.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.Validate()
1021:
Encountered error during OAuth token request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenUnsupportedGrantTypeException: MSIS9245: Received invalid OAuth access token request. The authorization server does not support the requested 'grant_type': 'srv_challenge'. The authorization server currently only supports 'grant_type=authorization_code'.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthAccessTokenRequestContext.Validate()
The identifier we see in Event ID 1020 also matches the Activity ID users see on their screen when they are unable to authenticate.
I have checked a few threads about installing the latest updates, which are installed, and disabling device authentication, which is disabled.
I would like to know if anyone else has experienced this issue before and if there is anything else I can do to help resolve it.
Thanks.
Monday, July 16, 2018 10:32 AM
Answers
We have ADFS 2016.
We have an application group that we created per the MS documentation.
We updated Office to the latest version.
In the Microsoft Office Application Group we had to add the following Redirect URI under Application -> native application -> microsoft office -> Redirect URI:
ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c (this was the fix: add this and bounce the service)
along with the existing:
msauth://com.microsoft.office.lync15/fcg80qvoM1YMKJZibjBwQcDfOno%3D
urn:ietf:wg:oauth:2.0:oob
If you're trying for WHFB and you get the errors, you might see that in ADFS you have device registration enabled but in Azure AD Connect you don't have device writeback enabled; you have to have that set up before the errors all go bye bye.
William Lee
- Edited by William Lee Friday, May 17, 2019 8:25 PM
- Proposed as answer by William Lee Friday, May 17, 2019 8:25 PM
- Marked as answer by Hamid Sadeghpour SalehMVP Thursday, September 5, 2019 7:59 AM
Friday, May 17, 2019 8:24 PM
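The accepted answer adds the broker-plugin redirect URI through the AD FS management console. The PowerShell below is an added example (not from the thread or from Microsoft) that does the same thing in a checkable way on an AD FS 2016 primary server: it reads the redirect URIs currently registered for the client ID from the 1020 event, appends the missing ms-appx-web URI without dropping the existing ones, restarts the service, and then tallies any 1020/1021 events still appearing in the AD FS/Admin log so you can confirm the fix rather than wait for users to report back. It assumes the AD FS PowerShell module is available and that the native client application is registered with the client ID quoted in the question; the one-hour look-back window is a chosen value.

```powershell
# Added example, not from the thread. Run on the primary AD FS server as an AD FS admin.
$ClientId    = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'   # client id from the Event ID 1020 message
$RequiredUri = "ms-appx-web://Microsoft.AAD.BrokerPlugin/$ClientId"

# 1. Locate the native client application registered for that client id.
$app = Get-AdfsNativeClientApplication -Identifier $ClientId
if (-not $app) {
    throw "No native client application is registered for identifier $ClientId"
}
Write-Host "Application '$($app.Name)' currently has these redirect URIs:"
$app.RedirectUri | ForEach-Object { Write-Host "  $_" }

# 2. Add the missing URI. Set-AdfsNativeClientApplication replaces the whole list,
#    so the existing URIs (msauth://..., urn:ietf:wg:oauth:2.0:oob) are kept.
if ($app.RedirectUri -notcontains $RequiredUri) {
    $newList = @($app.RedirectUri) + $RequiredUri
    Set-AdfsNativeClientApplication -TargetIdentifier $ClientId -RedirectUri $newList
    Restart-Service adfssrv            # "bounce the service" from the answer
    Write-Host "Added $RequiredUri and restarted AD FS."
} else {
    Write-Host "Redirect URI already registered; nothing to change."
}

# 3. Verify: summarise 1020/1021 events from the last hour (window is an assumption),
#    pulling out the rejected redirect_uri or grant_type so stragglers are visible.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 1020, 1021; StartTime = $since } `
                       -ErrorAction SilentlyContinue
$summary = foreach ($e in $events) {
    if ($e.Message -match "Received redirect_uri: '([^']+)'") {
        [pscustomobject]@{ Id = $e.Id; Detail = $Matches[1] }
    } elseif ($e.Message -match "requested 'grant_type': '([^']+)'") {
        [pscustomobject]@{ Id = $e.Id; Detail = $Matches[1] }
    }
}
if ($summary) {
    $summary | Group-Object Id, Detail | Select-Object Count, Name | Sort-Object Count -Descending
} else {
    Write-Host "No 1020/1021 events since $since."
}
```

A remaining run of 1021 events with grant_type 'srv_challenge' after the redirect URI is in place points at the device-registration / device-writeback mismatch the answer mentions rather than at the application group, since that grant type is the Windows broker's device-auth path, not the authorization_code flow AD FS accepted.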
All replies
I've got the exact same problem here. My error messages are the same as yours. Any solution yet? We've just enabled Modern Authentication for our Skype for Business.
Tuesday, September 18, 2018 7:45 AM
We have the same issue, still no solution out there?
Monday, May 13, 2019 12:57 PM
Any update on this? We're seeing the same thing.
William Lee
Tuesday, May 14, 2019 10:05 PM
Have you got Device Registration enabled on your ADFS?
If not then give this a try on your Windows 10 clients:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Providers\{B16898C6-A148-4967-9171-64D755DA8520}\LoadParameters]
"EnterpriseSTSTokenDisabled"=dword:00000001
Friday, May 17, 2019 9:37 AM