This forum has migrated to Microsoft Q&A. Visit Microsoft Q&A to post new questions.

Remove From My Forums

SAML sign out fail on ADFS with error MSIS7098

Question
0

Sign in to vote

My Web application want to sign out from an ADFS farm through SAML 2.0 but failed and I got an error message on Event Viewer:

Microsoft.IdentityService.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '*****' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

I use the same certificate pair on my test environment and sign out success. The major different between two environment are test environment has single ADFS server only and the other has a ADFS farm with two servers.

How can I troubleshoot this problem? Can ADFS farm sign out through SAML 2.0?

Wednesday, November 1, 2017 2:13 AM

Answers

0

Sign in to vote
The ADFS server cannot access the CRL distribution point of the relying party signing certificate.

You can make sure it can :) Look at the CDP info within the certificate extensions. Or you can disable the revocation check in the mean time you figure out what to traffic to allow:

Set-AdfsRelyingPartyTrust -TargetName "Your RP Name" -SigningCertificateRevocationCheck None

Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Monday, November 13, 2017 3:52 PM
- Marked as answer by Dutyt Thursday, November 23, 2017 8:03 AM
Wednesday, November 1, 2017 4:03 PM