update password endpoint works only sometimes

  • Question

  • Sometimes, when a user's password has expired and they try to log in using our ADFS page, they are successfully redirected to the updatepassword page and can change their password, but sometimes they are not, and simply get a message saying 'Your password has expired. Type your updated password and try again.'

    For simplicity, there is only one ADFS 2012r2 server in the mix, with no proxy.

    While enabling trace logs, whenever someone fails to be redirected, I see an event ID 171: 'Password Update Page is not enabled, so falling back to forms page'

    But it is enabled.

    get-adfsendpoint
    
    ClientCredentialType : Anonymous
    Enabled              : True
    FullUrl              : https://adfs.server.com/adfs/portal/updatepassword/
    Proxy                : True
    Protocol             : HTTP
    SecurityMode         : Transport
    AddressPath          : /adfs/portal/updatepassword/
    Version              : default

    I rebooted, restarted services, etc. after setting this to make sure it took, and sometimes it works! But sometimes it just refuses to redirect.

    Failing log flow:

    Event ID 52

    ServiceHostManager.LogFailedAuthenticationInfo: Token of type 'http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName' validation failed with following exception details: System.IdentityModel.Tokens.SecurityTokenValidationException: domain.com\testnc11 ---> System.ComponentModel.Win32Exception: The user's password must be changed before signing in --- End of inner exception stack trace --- at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token) at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

    MSIS3144: MSISWindowsUserNameSecurityTokenHandler.ValidateToken: Incoming security token failed validation.
    domain.com\testnc11-The user's password must be changed before signing in

    Event ID 69 EXIT: PassiveProtocolHandler.RequestSingleSingOnToken

    Event ID 79

    EXIT: WSFederationProtocolHandler.BuildSignInResponse

    Event ID 996 Exception: MSIS7012: An error occurred while processing the request. Contact your administrator for details. StackTrace: at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.Process(ProtocolContext context) at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler) at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context) Exception: MSIS3125: The password for domain.com\testnc11 has expired. StackTrace: at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token) at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection) at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection) at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSingOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponseCoreWithSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken) at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSignInResponse(WSFederationSignInContext federationPassiveContext, SecurityToken securityToken, SecurityToken deviceSecurityToken)
     
    Event ID 171
    
    Password Update Page is not enabled, so falling back to forms page

    When I open a browser and try, and it successfully redirects me to the updatepassword page, it works for all my test users as long as I don't log in, then log out, or close the browser.

    If I close the browser session, then it's up in the air as to whether the same usernames will succeed to redirect me to the updatepassword page, or not.

    It is not tied to the requestID of the browser session, as I can have it generate a new session by refreshing the page, get a new request id, and still have it re-direct me properly.

    I'm really scratching my head on this one!

    Any help would be appreciated : )

    Thursday, January 17, 2019 4:20 PM

Answers

  • "there is only one ADFS 2012r2 server in the mix, with no proxy."

    The feature is not intended to be used internally. Since users connected internally have to log in to their domain-joined machine, if the password has to be changed, it will be asked at the Windows level while opening the session. The feature is meant for users connected externally (through WAP) to make sure they are not stuck if their password has to be changed and they do not have access to a device with a line of sight of a domain controller.

    That said, non-domain-joined assets connected internally might use them, but then they have to do so with a browser for which the user-agent string is NOT in the list of supported UAC for Windows Authentication. Else, when users try to auth against a RP and get redirected to ADFS, they will not be redirected to the password update page, but instead will be authenticated right away with the failure you mentioned.

    Now, if the user is going to the page directly (not being redirected during a logon attempt), the page will work.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, January 22, 2019 1:45 PM
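As an added example (not from the thread, and not the answerer's code), a PowerShell check run on the AD FS server that ties the two pieces of the answer together: it confirms the updatepassword endpoint state and reports whether a given browser's User-Agent is in the farm's Windows Authentication list, which is what decides whether an expired-password logon gets the forms page (and the redirect) or goes straight to WIA and fails with MSIS3125. It assumes AD FS treats each WIASupportedUserAgents entry as a substring match against the incoming User-Agent; the sample UA string is constructed.

```powershell
# Added example: explain why a browser takes the WIA path instead of the
# forms page on this AD FS 2012 R2 server. Run elevated on the AD FS server.
# Assumption: AD FS matches WIASupportedUserAgents entries as substrings of
# the request's User-Agent header; confirm against your own trace logs.
Import-Module ADFS

function Test-AdfsWiaUserAgent {
    param(
        [Parameter(Mandatory)][string]$UserAgent
    )

    # 1. State of the endpoint the question is about.
    $endpoint = Get-AdfsEndpoint -AddressPath '/adfs/portal/updatepassword/'
    Write-Output ("updatepassword endpoint: Enabled={0} Proxy={1}" -f `
        $endpoint.Enabled, $endpoint.Proxy)

    # 2. User-Agents for which AD FS attempts Windows Integrated Authentication.
    $wiaAgents = (Get-AdfsProperties).WIASupportedUserAgents

    # 3. Entries that match the supplied User-Agent (case-insensitive substring).
    $hits = @($wiaAgents | Where-Object {
        $UserAgent.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
    })

    if ($hits.Count -gt 0) {
        Write-Output "WIA will be attempted for this User-Agent; matching entries:"
        $hits | ForEach-Object { Write-Output "  $_" }
        Write-Output "An expired-password logon from this browser fails (MSIS3125) instead of redirecting."
    } else {
        Write-Output "No WIA match: this User-Agent gets the forms page, so the expired-password redirect applies."
    }
    return ($hits.Count -gt 0)
}

# Constructed sample: an IE11-style UA that is typically in the default WIA list.
$sampleUa = 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko'
Test-AdfsWiaUserAgent -UserAgent $sampleUa
```

Run it with the exact User-Agent of the browser that failed to redirect (visible in the HTTP request the AD FS trace logs record) to see which list entry is sending it down the WIA path.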

All replies

  • Have you looked at DEBUG logging to see if that gives you any additional info?

    Cheers,

    Jorge de Almeida Pinto

    Principal Consultant | MVP Directory Services | IAM Technologies


    DISCLAIMER: This post is provided "AS IS" with no warranties of any kind, either expressed or implied, and confers no rights! Always evaluate/test yourself before using/implementing this!

    Thursday, January 17, 2019 10:26 PM