ADFS 4 on WAP: Event ID 364: MSIS3111: Non domain user is not supported by AD FS

  • Question

  • I just built two new WAP servers.  One worked fine to access metadata at https://sts.domain.com/federationmetadata/2007-06/federationmetadata.xml and was also able to authenticate through https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx.  But the other WAP was only able to access the metadata.  When it tried to authenticate at https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx, it errored out with an Event 364 and MSIS3111.  Can anyone help?  Thanks!

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          10/27/2017 9:32:26 AM
    Event ID:      364
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          ADFS Service Account
    Computer:      COMPUTER.DOMAIN.COM
    Description:
    Encountered error during federation passive request. 

    Additional Data 

    Protocol Name: 
    Saml 

    Relying Party: 
    http://sts.houstonisd.org/adfs/services/trust 

    Exception details: 
    Microsoft.IdentityServer.AuthenticationFailedException: MSIS3111: Non domain user is not supported by AD FS. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111: Non domain user is not supported by AD FS.
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal incomingPrincipal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111: Non domain user is not supported by AD FS.
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal incomingPrincipal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)


    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>364</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2017-10-27T14:32:26.134507200Z" />
        <EventRecordID>204670</EventRecordID>
        <Correlation ActivityID="{EC735D78-22DA-4DFB-C201-0080000000D8}" />
        <Execution ProcessID="2920" ThreadID="2456" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFSAWSPROD01.AD.HISD.ORG</Computer>
        <Security UserID="S-1-5-21-96542473-2255485000-3093417802-697110" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Saml</Data>
            <Data>http://sts.houstonisd.org/adfs/services/trust</Data>
            <Data>Microsoft.IdentityServer.AuthenticationFailedException: MSIS3111: Non domain user is not supported by AD FS. ---&gt; System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111: Non domain user is not supported by AD FS.
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal incomingPrincipal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri&amp; replyTo, IList`1&amp; identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken&amp; ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111: Non domain user is not supported by AD FS.
       at Microsoft.IdentityServer.Service.LocalAccountStores.ActiveDirectory.ActiveDirectoryCpTrustStore.ProcessPrincipal(IClaimsPrincipal incomingPrincipal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1&amp; identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1&amp; identityClaimCollection)

    </Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Friday, October 27, 2017 2:46 PM

All replies

  • Are you using an alternate ID?


    Friday, October 27, 2017 3:29 PM
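The following PowerShell is an added example for this thread, not code posted by either participant. It does two things a practitioner would want when the two WAP servers behave differently: it summarises recent Event 364 entries from the AD FS/Admin log by MSIS code, protocol and relying party (so the failing WAP's requests can be told apart from the working one's), and it prints the Alternate Login ID settings the reply asks about. It assumes it is run on an AD FS server with the ADFS PowerShell module; the parser is based on the event text layout shown in the question, and the sample message embedded below is constructed with a placeholder relying-party name (sts.example.com) so the parser can be tried offline.

```powershell
# Added example (not from the thread). Assumes: run on an AD FS server; the ADFS
# module is present for the last step; event layout matches the Description text
# shown in the question (Protocol Name / Relying Party / Exception details).

function ConvertFrom-AdfsEvent364 {
    # Parse the Description text of one Event 364 into a summary object.
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated,
        [string]$Computer
    )
    $code     = if ($Message -match 'MSIS\d{4}')                 { $Matches[0] } else { 'n/a' }
    $protocol = if ($Message -match 'Protocol Name:\s+(\S+)')    { $Matches[1] } else { 'n/a' }
    $rp       = if ($Message -match 'Relying Party:\s+(\S+)')    { $Matches[1] } else { 'n/a' }
    $exType   = if ($Message -match '([\w.]+Exception):\s*MSIS') { $Matches[1] } else { 'n/a' }
    [pscustomobject]@{
        TimeCreated  = $TimeCreated
        Computer     = $Computer
        Code         = $code
        Protocol     = $protocol
        RelyingParty = $rp
        Exception    = $exType
    }
}

function Get-AdfsEvent364Summary {
    # Pull Event 364 entries from the local AD FS/Admin log for the last N hours
    # and group them by error code, protocol and relying party.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-AdfsEvent364 -Message $_.Message -TimeCreated $_.TimeCreated -Computer $_.MachineName
        } |
        Group-Object Code, Protocol, RelyingParty |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample message (placeholder relying party) mirroring the event text
# in the question, so the parser can be exercised without a live AD FS server.
$sample = @"
Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
http://sts.example.com/adfs/services/trust

Exception details:
Microsoft.IdentityServer.AuthenticationFailedException: MSIS3111: Non domain user is not supported by AD FS. ---> System.IdentityModel.Tokens.SecurityTokenValidationException: MSIS3111: Non domain user is not supported by AD FS.
"@
ConvertFrom-AdfsEvent364 -Message $sample -TimeCreated (Get-Date) -Computer 'ADFS01' | Format-List

# Live summary (only meaningful on an AD FS server with events in the log).
Get-AdfsEvent364Summary -Hours 24 | Format-Table -AutoSize

# The reply asks whether an alternate ID is in use: show the AlternateLoginID and
# LookupForests values on the Active Directory claims provider trust.
if (Get-Command Get-AdfsClaimsProviderTrust -ErrorAction SilentlyContinue) {
    Get-AdfsClaimsProviderTrust -Name 'Active Directory' |
        Select-Object Name, AlternateLoginID, LookupForests
}
```

Grouping by the parsed fields makes it easy to see whether the MSIS3111 entries cluster on one relying party and whether they only appear for requests arriving through the misbehaving WAP (compare the event Computer and Correlation ActivityID with the WAP's own logs); an AlternateLoginID value with an empty or wrong LookupForests list is the configuration the reply is hinting at.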