ADFS 4.0, federation problem with Edge and IE 11

    Question

  • Hi, I'm building an ADFS 4.0 solution based on Windows Server 2016, and have problem with IE/ Edge.

    The solution has one ADFS (resource ADFS) with one Relying Party Trust (web site). This ADFS has a Web Application Proxy (WAP). I also have one Tenant domain (Tenant ADFS) that is federated with the resource ADFS.

    The Tenant ADFS is added as a Trusted Claims Provider on the resource ADFS, and the resource ADFS is added as a Relying Party Trust on the Tenant ADFS.

    If I use Chrome IE on a Windows Server 2012 R2, I can logon to the Web site with accounts in both domains.

    If I use IE from a Windows Server 2016 or Windows 10, the logon fails when I use an account from the Tenant Domain. The same problem is also on Edge.

    I have enabled the test logon page (IdpInitiatedSignon.aspx) on the resource ADFS, and I have the same issue there.

    This IE version works: IE11 version 11.0.9600.18500 - Update Versions: 11.0.36 (KB3104002) 2013

    This IE version fails: 11.321.14393.0 - Update Versions: 11.0.36 (KB3191492) 2015

    This is the error text on the browser: Authentication attempt failed. Select a different sign in option or close the web browser and sign in again. Contact your administrator for more information

    On the resource ADFS this is logged in Eventlog:

    First an information with Event ID 441:

    A token with a bad token binding key was found.

    Then a warning with event ID 1000:

    An error occurred during processing of a token request.

    The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

    Additional Data
    Caller: TENANT\myrap
    OnBehalfOf user:
    ActAs user:
    Target Relying Party: https://web1.test.local/PassiveRedirectBasedClaimsAwareWebApp/

    Then an error with event ID 364:

    Encountered error during federation passive request.

    Additional Data
    Protocol Name: wsfed
    Relying Party:

    Exception details: Microsoft.IdentityServer.AuthenticationFailedException: MSIS5015: Authentication of the presented token failed. Token Binding claim in token must match the binding provided by the channel. ---> Microsoft.IdentityServer.Service.SecurityTokenService.TokenBindingVerificationException: MSIS5015: Authentication of the presented token failed. Token Binding claim in token must match the binding provided by the channel.
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.ValidateTokenBinding(IClaimsPrincipal principal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.RequestBearerToken(MSISSignInRequestMessage signInRequest, SecurityTokenElement onBehalfOf, SecurityToken primaryAuthToken, SecurityToken deviceSecurityToken, String desiredTokenType, WrappedHttpListenerContext httpContext, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, MSISSession& session)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSerializedToken(MSISSignInRequestMessage wsFederationPassiveRequest, WrappedHttpListenerContext context, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.SendSignInResponseForSecurityToken(GenericProtocolRequest originalRequest, SecurityTokenElement requestedTokenElement, ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
    Microsoft.IdentityServer.Service.SecurityTokenService.TokenBindingVerificationException: MSIS5015: Authentication of the presented token failed. Token Binding claim in token must match the binding provided by the channel.
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.ValidateTokenBinding(IClaimsPrincipal principal)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

    Hope someone can help me with this issue.

    /Per

    
    Monday, November 21, 2016 8:28 AM

Answers

  • Hi,

    An update on this issue:

    Setting the "IgnoreTokenBinding" to "True" on the Resource ADFS solved my problem.

    Set-ADFSProperties -IgnoreTokenBinding $True

    If this is a good solution, I don't know, but I will use this solution for now.

    /Per

    • Marked as answer by Per Kristian Friday, December 16, 2016 11:34 AM
    Friday, December 16, 2016 11:33 AM
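The following PowerShell is an added example, not Per's own script or anything from the thread. It shows how a defender would confirm the symptom before applying the workaround above: it counts the three AD FS Admin events quoted in the question (441, 1000, 364) over a chosen window, reports the current token-binding setting, and only changes it when -Apply is passed. It assumes it runs on the AD FS server with the AD FS PowerShell module loaded, and that the object returned by Get-AdfsProperties exposes an IgnoreTokenBinding property mirroring the Set-AdfsProperties switch (an assumption; if the property name differs on your build, inspect `Get-AdfsProperties | Get-Member`).

```powershell
# Added example (not from the original thread). Assumptions: run as an
# administrator on the AD FS server; the AD FS module is available;
# Get-AdfsProperties exposes IgnoreTokenBinding (assumed to mirror the switch).
param(
    [int]$Hours = 24,     # how far back to look in the AD FS Admin log
    [switch]$Apply        # change the property only when explicitly asked
)

# The three event IDs quoted in the question, in the order they appear.
$eventIds = 441, 1000, 364
$since    = (Get-Date).AddHours(-$Hours)

# 1. Collect token-binding related events from the AD FS Admin log.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = $eventIds
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No events 441/1000/364 in 'AD FS/Admin' since $since."
} else {
    Write-Host "Event counts since ${since}:"
    $events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
        '{0,6}  x{1}' -f $_.Name, $_.Count
    }

    # Print a one-line summary of the most recent MSIS5015 failures so the
    # affected relying party and time can be correlated with user reports.
    $events |
        Where-Object { $_.Message -match 'MSIS5015' } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 5 TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# 2. Report the current setting before touching anything.
$current = (Get-AdfsProperties).IgnoreTokenBinding
Write-Host "Current IgnoreTokenBinding = $current"

# 3. Apply the workaround from the answer only on request, and echo the
#    command that reverts it so the change is easy to undo later.
if ($Apply) {
    Set-AdfsProperties -IgnoreTokenBinding $true
    Write-Host "IgnoreTokenBinding is now $((Get-AdfsProperties).IgnoreTokenBinding)"
    Write-Host 'Revert with:  Set-AdfsProperties -IgnoreTokenBinding $false'
} else {
    Write-Host 'Dry run. To apply the workaround:  Set-AdfsProperties -IgnoreTokenBinding $true'
}
```

Run it without switches first (`.\Check-AdfsTokenBinding.ps1 -Hours 48`, any file name will do) to see whether the 441/364 pattern is actually what is failing for your users; then rerun with -Apply if you decide to take the workaround. Keep in mind what the MSIS5015 text in the event says: AD FS is refusing a token whose token-binding claim does not match the TLS channel it arrived on. Setting IgnoreTokenBinding disables that check for every client, so the 441 events will stop but so will the protection; record the change and revisit it once the browser side is fixed.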

All replies

  • Thank you, this saved my day !

    - Tim

    Wednesday, May 31, 2017 11:19 AM