ADFS 3.0 Event ID 342 error every 30 seconds (The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.)

  • Question

  • Has anyone else seen the ADFS 3.0 Event ID 342 with the "ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied" message? I get this error every 30 seconds on my ADFS 3.0 Windows 2012 R2 server. Disabling the relying party trusts one at a time didn't help, and I have also done a resync of time. Any other suggestions? Thanks

    Source:        AD FS
    Date:          1/21/2016 11:11:47 AM
    Event ID:      342
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    Description:
    Token validation failed. 

    Additional Data

    Token Type:
    urn:oasis:names:tc:SAML:1.0:assertion
    %Error message:
    ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
    NotOnOrAfter: '11/23/2015 1:51:51 AM'
    Current time: '1/21/2016 4:11:47 PM'

    Exception details:
    Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
    NotOnOrAfter: '11/23/2015 1:51:51 AM'
    Current time: '1/21/2016 4:11:47 PM'
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.BaseSaml11TokenHandler.ValidateToken(SecurityToken token)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>342</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-01-21T16:11:47.124510300Z" />
        <EventRecordID>219937</EventRecordID>
        <Correlation />
        <Execution ProcessID="70964" ThreadID="72428" />
        <Channel>AD FS/Admin</Channel>
        <Security UserID="S-1-5-21-645823678-4208181581-3313131649-4120" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>urn:oasis:names:tc:SAML:1.0:assertion</Data>
            <Data>ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
    NotOnOrAfter: '11/23/2015 1:51:51 AM'
    Current time: '1/21/2016 4:11:47 PM'</Data>
            <Data>Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
    NotOnOrAfter: '11/23/2015 1:51:51 AM'
    Current time: '1/21/2016 4:11:47 PM'
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
       at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.BaseSaml11TokenHandler.ValidateToken(SecurityToken token)</Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    Thursday, January 21, 2016 6:32 PM

Answers

  • That's a big time differential between NotOnOrAfter and Current time.

    NotOnOrAfter: '11/23/2015 1:51:51 AM'
    Current time: '1/21/2016 4:11:47 PM'

    How are you doing your timesync? With all RPs disabled do you get the same event?

    Do you have any monitoring software running checking your AD FS availability, or a bit of test code running... something that might inject a stale token?


    http://blog.auth360.net



    Thursday, January 21, 2016 9:01 PM

All replies

  • I see the error even with all the RPs disabled. The only additional information I have is that we migrated from ADFS 2.0 to ADFS 3.0 using the Microsoft migration documentation and using export-federationconfiguration.ps1 and import-federationconfiguration.ps1 provided in the 2012 R2 image. Thanks

    Tuesday, February 2, 2016 9:02 PM
  • Hi Devang,

    Was there any resolution? I am facing the same issue.

    Regards


    -Bugs!


    • Edited by Bugs! Thursday, May 5, 2016 11:24 AM
    Thursday, May 5, 2016 11:24 AM
  • Hi,

    Please, can anyone help us? Same thing for me: every second I have this error 342, and some users see their accounts locked.

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          5/20/2016 3:31:21 PM
    Event ID:      342
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          domain\adfsservice
    Computer:      adfs.domain.local
    Description:
    Token validation failed.  

    Additional Data 

    Token Type: 
    http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName 
    %Error message: 
    domain.local\user-The user name or password is incorrect 


    Exception details: 
    System.IdentityModel.Tokens.SecurityTokenValidationException: domain.local\user ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>342</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-05-20T13:31:21.956168100Z" />
        <EventRecordID>3443034</EventRecordID>
        <Correlation />
        <Execution ProcessID="3780" ThreadID="5132" />
        <Channel>AD FS/Admin</Channel>
        <Computer>adfs.domain.local</Computer>
        <Security UserID="S-1-5-21-3378194897-855616612-2746067953-14321" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
            <Data>domain.local\user-The user name or password is incorrect</Data>
            <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: domain.local\user ---&gt; System.ComponentModel.Win32Exception: The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle&amp; tokenHandle, SafeLsaReturnBufferHandle&amp; profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime&amp; nextPasswordChange, DateTime&amp; lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime&amp; nextPasswordChange, DateTime&amp; lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle&amp; tokenHandle, SafeLsaReturnBufferHandle&amp; profileHandle)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime&amp; nextPasswordChange, DateTime&amp; lastPasswordChange, String authenticationType, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime&amp; nextPasswordChange, DateTime&amp; lastPasswordChange, String issuerName)
       at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)</Data>
          </EventData>
        </Event>
      </UserData>
    </Event>


    Friday, May 20, 2016 2:02 PM
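    The thread mixes two different Event ID 342 failures: the original poster's expired SAML 1.1 assertion (ID4223, NotOnOrAfter two months in the past, repeating every 30 seconds, which is the pattern the answer attributes to a monitor or test script replaying a stale token) and the later reply's UserName token rejected with "The user name or password is incorrect", which is what drives account lockouts. The following script is an added example, not code from the thread or from AD FS. It parses the Event XML structure quoted above, separates the two failure classes, measures how stale an expired assertion is, and reports whether the expired-token events arrive at a fixed cadence. The sample records, the account name `example.local\monitor`, and all function names are constructed for the example; the NotOnOrAfter value is the one from the original post.

```python
"""Triage AD FS Event ID 342 ("Token validation failed") records (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

WIN_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
ADFS_NS = "{http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events}"
ADFS_TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # format of the times embedded in the message text
TIMES_RE = re.compile(r"(NotOnOrAfter|Current time): '([^']+)'")
BAD_CRED_RE = re.compile(r"(.*)-The user name or password is incorrect")


def parse_message_time(text):
    """'1/21/2016 4:11:47 PM' -> aware UTC datetime (in the thread's record this
    value equals the TimeCreated SystemTime, so the message times are UTC)."""
    return datetime.strptime(text, ADFS_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_system_time(text):
    """'2016-01-21T16:11:47.124510300Z' -> aware UTC datetime; the 100 ns fraction is dropped."""
    return datetime.strptime(text[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_event(xml_text):
    """Pull the fields the triage needs out of one AD FS/Admin event record."""
    root = ET.fromstring(xml_text)
    system = root.find(WIN_NS + "System")
    data = [d.text or "" for d in root.iter(ADFS_NS + "Data")]  # [token type, message, exception]
    return {
        "event_id": int(system.find(WIN_NS + "EventID").text),
        "created": parse_system_time(system.find(WIN_NS + "TimeCreated").get("SystemTime")),
        "token_type": data[0] if data else "",
        "message": data[1] if len(data) > 1 else "",
    }


def classify(event):
    """Map one event to a failure class plus the fact a responder wants next to it."""
    msg = event["message"]
    if "ID4223" in msg:
        times = dict(TIMES_RE.findall(msg))
        expiry = parse_message_time(times["NotOnOrAfter"])
        now = parse_message_time(times["Current time"])
        return {"kind": "expired_token", "stale_for": now - expiry}
    match = BAD_CRED_RE.match(msg)
    if match:  # message is '<domain>\<user>-The user name or password is incorrect'
        return {"kind": "bad_credentials", "account": match.group(1)}
    return {"kind": "other"}


def detect_cadence(timestamps, tolerance_s=2.0):
    """Return the repeat interval in seconds when events are evenly spaced, else None."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    return median if all(abs(g - median) <= tolerance_s for g in gaps) else None


def triage(xml_records):
    """Summarise a batch of records: counts per class, worst staleness, cadence, failing accounts."""
    expired_created, stale_days, accounts, counts = [], [], Counter(), Counter()
    for event in (parse_event(r) for r in xml_records):
        if event["event_id"] != 342:
            continue
        verdict = classify(event)
        counts[verdict["kind"]] += 1
        if verdict["kind"] == "expired_token":
            expired_created.append(event["created"])
            stale_days.append(verdict["stale_for"].days)
        elif verdict["kind"] == "bad_credentials":
            accounts[verdict["account"]] += 1
    return {
        "counts": dict(counts),
        "max_stale_days": max(stale_days, default=0),
        "expired_cadence_s": detect_cadence(expired_created),
        "failed_accounts": dict(accounts),
    }


# --- constructed sample records: same envelope as the thread's Event Xml, made-up values ---
EVENT_TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="AD FS" /><EventID>342</EventID>
    <TimeCreated SystemTime="{created}" /><Channel>AD FS/Admin</Channel></System>
  <UserData><Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
    <EventData><Data>{token_type}</Data><Data>{message}</Data></EventData></Event></UserData>
</Event>"""
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
USERNAME = "http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName"
EXPIRED_MSG = ("ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter "
               "condition is not satisfied.\nNotOnOrAfter: '11/23/2015 1:51:51 AM'\nCurrent time: '{now}'")


def make_event(created, token_type, message):
    return EVENT_TEMPLATE.format(created=created, token_type=token_type, message=message)


SAMPLE_RECORDS = [  # three stale-token replays 30 s apart, then one bad-password failure
    make_event("2016-01-21T16:11:47.1245103Z", SAML11, EXPIRED_MSG.format(now="1/21/2016 4:11:47 PM")),
    make_event("2016-01-21T16:12:17.1300000Z", SAML11, EXPIRED_MSG.format(now="1/21/2016 4:12:17 PM")),
    make_event("2016-01-21T16:12:47.1100000Z", SAML11, EXPIRED_MSG.format(now="1/21/2016 4:12:47 PM")),
    make_event("2016-01-21T16:12:50.0000000Z", USERNAME,
               "example.local\\monitor-The user name or password is incorrect"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

    On the constructed sample this reports three expired-token events with a 30-second cadence and a token 59 days past its NotOnOrAfter, plus one account with failed credentials. A fixed cadence on a months-old assertion points at a client replaying a cached token rather than at a clock problem (clock skew produces differences of minutes, not weeks), while the bad-credentials class is the one to correlate with lockouts. To run it against a real server, feed `triage()` the XML strings from the AD FS/Admin log (for example the output of Get-WinEvent's ToXml() on each record).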
  • Any solution to this? same issue...
    Tuesday, March 20, 2018 1:58 AM
  • I have the same issue as well.
    Tuesday, March 20, 2018 6:39 PM
  • What issue? The time issue? Or the lockdown issue?

    Please create a new post with your own logs. Thanks!


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, March 20, 2018 7:42 PM