ADFS 3.0 Event ID 342 error every 30 seconds (The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.)

Question
-
Has anyone else seen the ADFS 3.0 Event ID 342 with the "ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied" message? I get this error every 30 seconds on my ADFS 3.0 Windows 2012 R2 server. Disabling the relying party trusts one at a time didn't help, and I have also done a resync of time. Any other suggestions? Thanks
Source: AD FS
Date: 1/21/2016 11:11:47 AM
Event ID: 342
Task Category: None
Level: Error
Keywords: AD FS
Description:
Token validation failed.
Additional Data
Token Type:
urn:oasis:names:tc:SAML:1.0:assertion
%Error message:
ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '11/23/2015 1:51:51 AM'
Current time: '1/21/2016 4:11:47 PM'
Exception details:
Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '11/23/2015 1:51:51 AM'
Current time: '1/21/2016 4:11:47 PM'
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.BaseSaml11TokenHandler.ValidateToken(SecurityToken token)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>342</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2016-01-21T16:11:47.124510300Z" />
<EventRecordID>219937</EventRecordID>
<Correlation />
<Execution ProcessID="70964" ThreadID="72428" />
<Channel>AD FS/Admin</Channel>
<Security UserID="S-1-5-21-645823678-4208181581-3313131649-4120" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>urn:oasis:names:tc:SAML:1.0:assertion</Data>
<Data>ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '11/23/2015 1:51:51 AM'
Current time: '1/21/2016 4:11:47 PM'</Data>
<Data>Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '11/23/2015 1:51:51 AM'
Current time: '1/21/2016 4:11:47 PM'
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateConditions(SamlConditions conditions, Boolean enforceAudienceRestriction)
at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.BaseSaml11TokenHandler.ValidateToken(SecurityToken token)</Data>
</EventData>
</Event>
</UserData>
</Event>
- Edited by Pierre Audonnet [MSFT]Microsoft employee Tuesday, March 20, 2018 7:42 PM Making title specific
Thursday, January 21, 2016 6:32 PM
Answers
-
That's a big time differential between NotOnOrAfter and Current time.
NotOnOrAfter: '11/23/2015 1:51:51 AM'
Current time: '1/21/2016 4:11:47 PM'
How are you doing your timesync? With all RPs disabled do you get the same event?
Do you have any monitoring software running that checks your AD FS availability, or a bit of test code running... something that might inject a stale token?
http://blog.auth360.net
- Edited by Mylo Thursday, January 21, 2016 9:30 PM
- Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Tuesday, March 20, 2018 7:41 PM
- Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Tuesday, March 20, 2018 7:41 PM
Thursday, January 21, 2016 9:01 PM
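The two failure modes in this thread (the stale SAML 1.1 assertion that comes back every 30 seconds, and the UserName-token password failures in the later post that go together with account lockouts) can be triaged straight from the Event Xml. This is an added example, not code from the thread or from Microsoft: it parses records with the same nesting as the Event Xml quoted above (constructed samples), measures how far past NotOnOrAfter each rejected assertion is, and flags the same NotOnOrAfter value recurring, which is what one cached token being replayed looks like, as opposed to clock skew; make_event, classify and summarize are this example's own names.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

WIN = "{http://schemas.microsoft.com/win/2004/08/events/event}"
ADFS = "{http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events}"
SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
USERNAME = "http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName"
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # how AD FS prints the timestamps in the ID4223 text

def make_event(token_type, message):
    # Constructed sample record with the same nesting as the Event Xml quoted above.
    return (f'<Event xmlns="{WIN[1:-1]}"><System><EventID>342</EventID></System>'
            f'<UserData><Event xmlns="{ADFS[1:-1]}"><EventData><Data>{token_type}</Data>'
            f'<Data>{message}</Data></EventData></Event></UserData></Event>')

def classify(xml_text):
    """Tell an expired SAML 1.1 assertion (ID4223) from a failed UserName logon."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{WIN}System/{WIN}EventID") != "342":
        return {"kind": "other"}
    token_type, msg = [d.text or "" for d in root.iter(f"{ADFS}Data")][:2]
    if token_type == SAML11 and "ID4223" in msg:
        stamps = dict(re.findall(r"(NotOnOrAfter|Current time): '([^']+)'", msg))
        not_after, now = (datetime.strptime(stamps[k], TIME_FMT) for k in ("NotOnOrAfter", "Current time"))
        return {"kind": "expired_saml_assertion", "not_on_or_after": not_after, "expired_for": now - not_after}
    if token_type == USERNAME and "user name or password is incorrect" in msg:
        account = re.split(r"-The user name or password", msg, maxsplit=1)[0]
        return {"kind": "bad_credentials", "account": account}  # repeated hits drive lockouts
    return {"kind": "other", "token_type": token_type}

def summarize(xml_records):
    """Count kinds; one NotOnOrAfter recurring = a cached token being replayed, not clock skew."""
    kinds, replayed, accounts = Counter(), Counter(), Counter()
    for r in map(classify, xml_records):
        kinds[r["kind"]] += 1
        if r["kind"] == "expired_saml_assertion":
            replayed[r["not_on_or_after"].isoformat()] += 1
        elif r["kind"] == "bad_credentials":
            accounts[r["account"]] += 1
    return {"kinds": dict(kinds), "failing_accounts": dict(accounts),
            "replayed_assertions": {k: n for k, n in replayed.items() if n > 1}}

# Constructed sample: the thread's ID4223 text three times (one stale token replayed) plus one bad password.
ID4223_MSG = ("ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter "
              "condition is not satisfied.\nNotOnOrAfter: '11/23/2015 1:51:51 AM'\nCurrent time: '1/21/2016 4:11:47 PM'")
SAMPLE = [make_event(SAML11, ID4223_MSG)] * 3 + [
    make_event(USERNAME, r"domain.local\user-The user name or password is incorrect")]
```

On a live server the same functions can be fed the Event Xml of each 342 record exported from the AD FS/Admin channel; a single NotOnOrAfter value repeating on a fixed cadence points at whichever client is resubmitting that token.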
All replies
-
I see the error even with all the RPs disabled. The only additional information I have is that we migrated from ADFS 2.0 to ADFS 3.0 using the Microsoft migration documentation and the export-federationconfiguration.ps1 and import-federationconfiguration.ps1 scripts provided in the 2012 R2 image. Thanks
Tuesday, February 2, 2016 9:02 PM -
Hi Devang,
Was there any resolution? I am facing the same issue.
Regards
-Bugs!
- Edited by Bugs! Thursday, May 5, 2016 11:24 AM
Thursday, May 5, 2016 11:24 AM -
Hi,
Please, can anyone help us? Same thing for me: every second I get this error 342, and some users see their accounts locked.
Log Name: AD FS/Admin
Source: AD FS
Date: 5/20/2016 3:31:21 PM
Event ID: 342
Task Category: None
Level: Error
Keywords: AD FS
User: domain\adfsservice
Computer: adfs.domain.local
Description:
Token validation failed.
Additional Data
Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName
%Error message:
domain.local\user-The user name or password is incorrect
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: domain.local\user ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>342</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2016-05-20T13:31:21.956168100Z" />
<EventRecordID>3443034</EventRecordID>
<Correlation />
<Execution ProcessID="3780" ThreadID="5132" />
<Channel>AD FS/Admin</Channel>
<Computer>adfs.domain.local</Computer>
<Security UserID="S-1-5-21-3378194897-855616612-2746067953-14321" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName</Data>
<Data>domain.local\user-The user name or password is incorrect</Data>
<Data>System.IdentityModel.Tokens.SecurityTokenValidationException: domain.local\user ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
--- End of inner exception stack trace ---
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)</Data>
</EventData>
</Event>
</UserData>
</Event>
- Edited by Jean_Olivier_H Friday, May 20, 2016 2:02 PM
Friday, May 20, 2016 2:02 PM -
Any solution to this? Same issue...
Tuesday, March 20, 2018 1:58 AM
-
I have the same issue as well.
Tuesday, March 20, 2018 6:39 PM
-
What issue? The time issue? Or the lockdown issue?
Please create a new post with your own logs. Thanks!
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
Tuesday, March 20, 2018 7:42 PM