ADFS 3.0 Client Authentication Error 1000 - Federation to AzureAD

  • Question

  • At one Customer we see ADFS Events 1000 and 111 regarding the Federation between ADFS and AzureAD. Generally the Federation works ok, but we still have some issues.

    Logs telling me that there was a token issuance request *from the client* that cannot be fulfilled.
    So I enabled ADFS Auditing for further details and got some more detail.
    Event 413 tells again that token request for AzureAD federation from an Application could not be fulfilled - but gives me no idea why it failed.
    So I scanned for correlated Events. Here is what I got in chronological order.
    -----
    Event 300 (The error - giving me no hint what exactly failed...)

       The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request. 
       Activity ID: <GUID>
       Request type: http://xxxx.xx/ws-sx/ws-trust/200512/RST/Issue 
       Additional Data 
       Exception details: 
       Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

    Event 413 (Summary)
       An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.  
       Additional Data 
       Activity ID: <GUID>
       Caller: <ClientName>
       OnBehalfOf user:  - 
       ActAs user: - 
       Target Relying Party: urn:federation:MicrosoftOnline 
       Device identity: - 
       Client IP: xx.xx.xx.xx
    -----

    An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. 
       Additional Data 
       Caller: domain\user
       OnBehalfOf user: 
       ActAs user: 
       Target Relying Party: https://xxxx.xx.com/CRM/XRMServices/2011/Organization.svc
       Device identity: 
       User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.

    Any idea what exactly is wrong?

    Wednesday, May 9, 2018 5:17 AM
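As an added example (not code from the post or from Microsoft), the PowerShell below collects the events the post lists (111, 300 and 1000 from the AD FS Admin log, 413 audit events from the Security log) and groups them by Activity ID, which is the correlation the 413 "User action" text describes; the 24-hour window and the relying-party filter are assumptions to change as needed.

```powershell
# Assumptions (not from the post): look back 24 hours and filter on the
# relying party the post names. Run in an elevated PowerShell on the ADFS server.
$since    = (Get-Date).AddHours(-24)
$targetRP = 'urn:federation:MicrosoftOnline'

# Admin-log events the post lists (111, 300, 1000). Their Activity ID is a
# system property of the record, so no message parsing is needed for them.
$admin = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'AD FS/Admin'; Id = 111, 300, 1000; StartTime = $since }

# 413 audit events land in the Security log and only exist once ADFS
# auditing is enabled (the post's author has already turned it on).
$audit = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 413; StartTime = $since }

# Prefer the system ActivityId; fall back to the "Activity ID: <guid>" line
# that both event types carry in their message text.
function Get-ActivityId($e) {
    if ($e.ActivityId) { return $e.ActivityId.ToString() }
    if ($e.Message -match 'Activity ID:\s*([0-9a-fA-F-]{36})') { return $Matches[1] }
    return '<none>'
}

$all = @($admin) + @($audit) | Where-Object { $_ } |
    Select-Object TimeCreated, Id, LogName, Message, @{ n = 'ActivityId'; e = { Get-ActivityId $_ } }

# One group per Activity ID, keeping only groups that touch the target RP,
# so each 413 summary (caller, client IP) sits beside the 300 it belongs to.
$all | Group-Object ActivityId |
    Where-Object { $_.Group.Message -match [regex]::Escape($targetRP) } |
    ForEach-Object {
        "`n=== Activity ID $($_.Name) ==="
        foreach ($ev in ($_.Group | Sort-Object TimeCreated)) {
            $lines = $ev.Message -split "`r?`n"
            '{0:u}  {1,-12} {2,4}  {3}' -f $ev.TimeCreated, $ev.LogName, $ev.Id, $lines[0]
            # Surface the 413 fields the post highlights for quick triage.
            if ($ev.Id -eq 413) {
                $lines | Where-Object { $_ -match '^\s*(Caller|Client IP|Target Relying Party):' } |
                    ForEach-Object { '             ' + $_.Trim() }
            }
        }
    }
```

A group that contains a 413 but no 300 or 1000 within the window usually means the failing request was logged on another farm node, so run it on each ADFS server.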