SAML sign out fail on ADFS with error MSIS7098 RRS feed

  • Question

  • My Web application want to sign out from an ADFS farm through SAML 2.0 but failed and I got an error message on Event Viewer:

    Microsoft.IdentityService.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '*****' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

    I use the same certificate pair on my test environment and sign out success. The major different between two environment are test environment has single ADFS server only and the other has a ADFS farm with two servers.

    How can I troubleshoot this problem? Can ADFS farm sign out through SAML 2.0?

    Wednesday, November 1, 2017 2:13 AM


  • The ADFS server cannot access the CRL distribution point of the relying party signing certificate.

    You can make sure it can :) Look at the CDP info within the certificate extensions. Or you can disable the revocation check in the mean time you figure out what to traffic to allow:

    Set-AdfsRelyingPartyTrust -TargetName "Your RP Name" -SigningCertificateRevocationCheck None

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Wednesday, November 1, 2017 4:03 PM