AD FS not issuing token

  • Question

  • Hi, we currently have ADFS on Server 2012 R2 running successfully with Azure for Skype for Business. This is working well and we have no issues. We have recently added a relay trust for a new partner (we're the IdP in the relationship) and they are using a self-written fed service. The relay trust is set up to not use encryption or signing (EncryptClaims set to false and SignedSamlRequestRequired set to false) and they are expecting us to authenticate our user and issue a token with the user's email address, allowing them to log in. The identifier that we have specified in the relay trust (https://xxxxxxx.com) does not have a valid certificate, but my understanding is that the identifier isn't validated against, so that's not important. However, when we try to connect to the claims-aware app, we are successfully redirected to our own ADFS server, the credentials are entered and we are then redirected to the claims app.

    At this point, we get an error on the claims app server that there is an error with the logon. In the AD FS admin log on our AD FS server, there are 2 errors:

    1 -  Event ID 303 - The federation encountered an error while processing the SAML authentication request - Signature verification failed: MSIS0037 No signature verification certificate error found for issuer https://xxxxxxx.com

    2 - Event ID 364 - Encountered error during federation passive request - Signature verification failed: MSIS0037 No signature verification certificate error found for issuer https://xxxxxxx.com

    As the SAML request is coming to us as unsigned and we're not signing the response, I'm a little confused as to why we're failing on a signing certificate, as it shouldn't come into play.

    Does anyone have any ideas?

    Friday, July 7, 2017 8:07 AM

All replies

  • Run get-adfsproperties and check that the attribute SignedSAMLRequestRequired is set to false.
    Thursday, July 13, 2017 7:45 AM
  • Thanks for the reply, Jai. That setting is set to False. My understanding is that whether a token is encrypted or signed is dependent entirely on the settings on the relay trust and that there isn't a 'general' setting that forces all of the tokens to be encrypted or signed. 

    I've read the MS documents on certificates and I'm happy that I understand what each of the certificates does, so why does the certificate for our partners identifier get checked if we're not encrypting or signing tokens?

    Is there a list of MSIS codes anywhere with a better explanation of what they mean?

    Thursday, July 13, 2017 12:05 PM
  • Do you have a signing certificate for the RP?
    Thursday, July 13, 2017 12:32 PM
  • Hi Pierre. No, we don't have a signing certificate. They're sending their tokens unsigned.
    Thursday, July 13, 2017 1:28 PM
  • Update on this. After running the requests with Fiddler switched on, I have confirmed with the sender that they are signing the certificate, as it's embedded in the HTTP header. They're stating that the library that they're using to create the token is signing the certificate with a self-signed certificate and that, as we have SignedSAMLRequestRequired set to $False, ADFS will ignore the signature.

    My belief is that SignedSAMLRequestRequired will only reject tokens if it is set to $True and a token comes through unsigned. If the setting is $False and a signed token comes through, then ADFS will still try to validate the signature. Can anyone confirm if that is the correct interpretation?

    Tuesday, August 1, 2017 10:10 AM
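The last two posts turn on one question: does the incoming SAML AuthnRequest actually carry a signature? MSIS0037 is raised when AD FS finds a signature to verify on a request and the relying party trust has no request signing certificate for that issuer; SignedSamlRequestsRequired only controls whether an unsigned request is rejected, it does not make AD FS skip a signature that is present. The script below is an added example (it is not code from the thread or from Microsoft) that decodes a SAMLRequest the way the HTTP-Redirect or HTTP-POST binding carries it and reports the issuer, whether a ds:Signature and X.509 certificate are embedded, and whether a detached Signature/SigAlg pair is on the query string. The two AuthnRequests, the AD FS endpoint host adfs.example.test and the certificate value are constructed placeholders; the issuer is the same masked identifier the thread uses.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample AuthnRequests (not captured partner traffic).
UNSIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req1" Version="2.0" IssueInstant="2017-08-01T10:00:00Z"
    AssertionConsumerServiceURL="https://xxxxxxx.com/acs">
  <saml:Issuer>https://xxxxxxx.com</saml:Issuer>
</samlp:AuthnRequest>"""

# Same request with an enveloped XML signature and an embedded (placeholder) certificate,
# which is what a self-signing SAML library typically produces.
SIGNED_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_req2" Version="2.0" IssueInstant="2017-08-01T10:00:00Z"
    AssertionConsumerServiceURL="https://xxxxxxx.com/acs">
  <saml:Issuer>https://xxxxxxx.com</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:AuthnRequest>"""


def encode_redirect_binding(xml_text, sig_alg=None, signature=None):
    """Encode a request as the HTTP-Redirect binding does: raw DEFLATE, base64, URL-encode.

    sig_alg/signature model the binding's detached query-string signature.
    """
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if sig_alg:
        params["SigAlg"] = sig_alg
    if signature:
        params["Signature"] = signature
    return "https://adfs.example.test/adfs/ls/?" + urlencode(params)


def inspect_request(url):
    """Decode the SAMLRequest from a captured URL and report what AD FS would have to verify."""
    qs = parse_qs(urlsplit(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    try:
        xml_bytes = zlib.decompress(raw, -15)  # Redirect binding: deflated
    except zlib.error:
        xml_bytes = raw  # POST binding: plain base64 of the XML
    root = ET.fromstring(xml_bytes)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None else None,
        "embedded_signature": root.find("ds:Signature", NS) is not None,
        "embedded_certificate": root.find(".//ds:X509Certificate", NS) is not None,
        "detached_signature": "Signature" in qs and "SigAlg" in qs,
        "sig_alg": qs.get("SigAlg", [None])[0],
    }


def needs_signing_certificate(info):
    """True when the request carries any signature, i.e. AD FS needs a request signing
    certificate configured on the relying party trust for this issuer to verify it."""
    return info["embedded_signature"] or info["detached_signature"]


if __name__ == "__main__":
    for label, url in (
        ("unsigned", encode_redirect_binding(UNSIGNED_REQUEST)),
        ("signed", encode_redirect_binding(SIGNED_REQUEST)),
    ):
        info = inspect_request(url)
        print(label, info, "-> signing cert required:", needs_signing_certificate(info))
```

On the AD FS side, the matching check is `Get-AdfsRelyingPartyTrust -Name '<trust name>' | Select-Object SignedSamlRequestsRequired, RequestSigningCertificate`: if the decoded request reports a signature and RequestSigningCertificate is empty, that is the MSIS0037 condition, and the fix is either for the partner to stop signing requests or for the partner's signing certificate to be added to the trust.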