Secondary Server Fails to pass authentication

  • General discussion

  • We have two ADFS servers in our environment. The primary works for all trust authentications for all of our trusts.

    The secondary server, on the other hand, works for all of our trusts except for one. It appears this occurred after the internal cert performed its auto-renewal.

    Logs show all the syncs are working properly; as far as I can tell, all the certs that exist on the primary server also exist on the secondary server.

    Any ideas on how I can figure out why this one particular trust fails on the secondary server?

    Tuesday, December 20, 2016 10:12 PM

All replies

  • Hiya,

    Maybe that particular trust is using an encryption certificate which is only located on the primary server currently?

    Wednesday, December 21, 2016 12:25 PM
  • Have you checked that trust's configuration? Maybe it is using a certificate which is unknown to the secondary.

    Wednesday, December 21, 2016 12:32 PM
  • Hi Doug,

    Another possibility is that it is the client that is failing against the second server.

    Do you have a fallback certificate configured, and was it updated when you last changed the Service Communication certificate?

    Are your servers in a farm, and is the farm synchronizing?

    Is the same service account used to run the ADFS service on both servers?

    Good Luck!

    Shane

    Wednesday, December 21, 2016 2:45 PM
  • As far as I can tell all the ADFS certs that exist on the primary are on the secondary.

    And when I say it doesn't work: instead of authenticating and moving forward to the ADP site after authentication, users are presented with a page asking them to select which trust they want to authenticate to. During testing, if I select any of the trusts from the drop-down it will authenticate and pass on, except for ADP. It straight up fails.

    Wednesday, December 21, 2016 7:21 PM
  • https://<adfs server not working>/adfs/ls/idpinitiatedsignon.aspx

    Does that page work on both servers?

    Can you authenticate from any of the relying parties on both servers?

    Thursday, December 22, 2016 10:19 AM
  • Yes, the page works on both servers. And I'm able to sign in to all trusts on both servers except for the ADP trust.

    Tuesday, January 3, 2017 4:12 PM
  • Hi,

    If you open Event Viewer and go down to the ADFS Administrative log, which error are you getting on the server that fails, when you try to log in?

    Kind Regards

    Wednesday, January 4, 2017 10:42 AM
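The checks the replies above ask for (farm sync state, which certificates each node holds with a private key, the certificates attached to the one failing trust, and the latest errors in the AD FS Admin log) can be gathered in one pass per node. This is an added example, not from any poster; run it in an elevated PowerShell on each farm node and diff the output, and `$TrustName` is a placeholder for the failing trust's display name.

```powershell
# Added example: per-node ADFS certificate and trust inventory (assumes Windows Server 2012 R2+ ADFS module).
param([string]$TrustName = "<failing trust display name>")   # placeholder, not from the thread

Import-Module ADFS

# 1. Farm role and last sync result as seen from this node
Get-AdfsSyncProperties |
    Select-Object Role, PrimaryComputerName, LastSyncStatus, LastSyncFromPrimaryComputerName

# 2. Certificates the farm is configured to use, and whether this node's local
#    machine store holds each one with a usable private key. Service Communications
#    must be present locally on every node; auto-rollover token-signing/decrypting
#    certificates live in the configuration database, so no local copy is expected.
$localStore = Get-ChildItem Cert:\LocalMachine\My
Get-AdfsCertificate | ForEach-Object {
    $local = $localStore | Where-Object Thumbprint -eq $_.Thumbprint
    [pscustomobject]@{
        CertificateType = $_.CertificateType
        IsPrimary       = $_.IsPrimary
        Thumbprint      = $_.Thumbprint
        NotAfter        = $_.Certificate.NotAfter
        InLocalStore    = [bool]$local
        HasPrivateKey   = if ($local) { $local.HasPrivateKey } else { $false }
    }
} | Format-Table -AutoSize

# 3. Certificates bound to the failing relying party trust: the partner's encryption
#    certificate (used when EncryptClaims is on) and any request-signing certificates.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
[pscustomobject]@{
    Name                  = $rp.Name
    EncryptClaims         = $rp.EncryptClaims
    EncryptionCertThumb   = if ($rp.EncryptionCertificate) { $rp.EncryptionCertificate.Thumbprint } else { '<none>' }
    EncryptionCertExpires = if ($rp.EncryptionCertificate) { $rp.EncryptionCertificate.NotAfter } else { '<none>' }
    RequestSigningCerts   = ($rp.RequestSigningCertificate | ForEach-Object Thumbprint) -join ','
} | Format-List

# 4. Most recent errors from the AD FS Admin log on this node
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 50 |
    Where-Object LevelDisplayName -eq 'Error' |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

A trust whose encryption certificate thumbprint, expiry, or EncryptClaims value differs between the two nodes, or a Service Communications certificate reported without a private key on the secondary, is the mismatch the replies are describing.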