Event ID 1020 & 1021

  • Question

  • Our AD FS server is running on a Windows 2012 R2 machine and we often get users who are unable to authenticate when signing on to Skype.
    If they keep trying, they eventually get authenticated, and this is now becoming a little frustrating for us.
    Having started to look into this, I figured the best place to start would be the AD FS server.
    In the Event Logs, under AD FS/Admin, we see tons of errors being generated, mostly with Event IDs 1020 & 1021:

    1020:
    Encountered error during OAuth authorization request. 
    Additional Data 
    Exception details: 
    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInvalidClientRedirectUriException: MSIS9224: Received invalid OAuth authorization request. The received 'redirect_uri' parameter is not a valid registered redirect URI for the client identifier: 'd3590ed6-52b3-4102-aeff-aad2292ab01c'. Received redirect_uri: 'ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c'. 
    at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthAuthorization.OAuthAuthorizationRequestContext.Validate()


    1021:
    Encountered error during OAuth token request. 
    Additional Data 
    Exception details: 
    Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthAccessTokenUnsupportedGrantTypeException: MSIS9245: Received invalid OAuth access token request. The authorization server does not support the requested 'grant_type': 'srv_challenge'. The authorization server currently only supports 'grant_type=authorization_code'.
    at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthAccessTokenRequestContext.Validate()


    The identifier ID we see in Event ID 1020 also matched the Activity ID users see on their screen when they are unable to authenticate.

    I have checked a few threads about installing the latest updates (which are installed) and disabling device authentication (which is disabled).

    I would like to know if anyone else has experienced this issue before and if there is anything else I can do to help resolve it?


    Thanks.
    Monday, July 16, 2018 10:32 AM

Answers

  • We have ADFS 2016

    We have an application group that we created per the MS documentation.

    We updated Office to the latest version

    In the Microsoft Office Application Group we had to add the following Redirect URI in the Application -> native application -> microsoft office -> Redirect URI:

    ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c (this was the fix: add this and bounce the service)

    along with the existing:

    msauth://com.microsoft.office.lync15/fcg80qvoM1YMKJZibjBwQcDfOno%3D

    urn:ietf:wg:oauth:2.0:oob

    If you're trying for WHFB and you get the errors, you might see that in ADFS you have device registration enabled but in Azure AD Connect you don't have device writeback enabled; you have to have that set up before the errors all go bye bye.


    William Lee


    Friday, May 17, 2019 8:24 PM
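The same change, done from the ADFS PowerShell module instead of the management console, as an added example that is not part of the thread or of any Microsoft documentation. It assumes an AD FS 2016 (or later) farm with the Microsoft Office application group already created, and it uses the client identifier and redirect URI quoted in the events above. The point to keep in mind is that `Set-AdfsNativeClientApplication -RedirectUri` replaces the whole list of registered URIs, so the existing `msauth://` and `urn:ietf:wg:oauth:2.0:oob` entries have to be read back and preserved, not overwritten:

```powershell
# Added example (not from the thread): register the missing broker redirect URI
# for the Office native client in AD FS via the ADFS PowerShell module, keeping
# the URIs that are already registered. Run elevated on an AD FS server.
# The client identifier and redirect URI are the ones quoted in the thread.
$ClientId   = 'd3590ed6-52b3-4102-aeff-aad2292ab01c'
$MissingUri = 'ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c'

Import-Module ADFS

# Locate the native client application by its OAuth client identifier.
$app = Get-AdfsNativeClientApplication | Where-Object { $_.Identifier -eq $ClientId }
if (-not $app) { throw "No native client application registered with identifier $ClientId" }

Write-Host "Currently registered redirect URIs for '$($app.Name)':"
$app.RedirectUri | ForEach-Object { Write-Host "  $_" }

# -RedirectUri replaces the whole list, so append rather than overwrite.
# AD FS matches redirect URIs exactly (that is what MSIS9224 enforces),
# so compare case-sensitively to avoid a near-duplicate that still fails.
if ($app.RedirectUri -ccontains $MissingUri) {
    Write-Host 'Redirect URI already registered; nothing to do.'
} else {
    $updated = @($app.RedirectUri) + $MissingUri
    Set-AdfsNativeClientApplication -TargetIdentifier $ClientId -RedirectUri $updated
    # The thread reports the change only took effect after bouncing the service.
    Restart-Service adfssrv
}

# Verify the registered list, then check whether new 1020 events keep arriving.
(Get-AdfsNativeClientApplication | Where-Object { $_.Identifier -eq $ClientId }).RedirectUri
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 1020 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

The exact-match check that produced MSIS9224 is the OAuth 2.0 control that stops an authorization code from being redirected to an unregistered endpoint, so the fix is to register the precise URI the client sends rather than to loosen validation; the final `Get-WinEvent` query is there to confirm that 1020 events stop after the service restart, since the thread notes the errors only cleared once the service was bounced.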

All replies

  • I've got the exact same problem here. My error messages are the same as yours. Any solution yet? We've just enabled Modern Authentication for our Skype for Business.
    Tuesday, September 18, 2018 7:45 AM
  • We have the same issue, still no solution out there?
    Monday, May 13, 2019 12:57 PM
  • Any update on this? We're seeing the same thing.

    William Lee

    Tuesday, May 14, 2019 10:05 PM
  • Have you got Device Registration enabled on your ADFS?

    If not, then give this a try on your Windows 10 clients:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityStore\Providers\{B16898C6-A148-4967-9171-64D755DA8520}\LoadParameters]

    "EnterpriseSTSTokenDisabled"=dword:00000001

    Friday, May 17, 2019 9:37 AM