SessionSecurityToken does not contain a single AnchorID claim error in log

  • Question

  • Hi, I am trying to configure ADFS 4.0 to authenticate against an LDAP server. I successfully added the LDAP local claims provider. However, when testing the authentication from the IdpInitiatedSignOn page using the Microsoft ClaimsXray relying party trust, I got the following error once I logged in (without going to the ClaimsXray response page). Can someone suggest what might be the cause of the issue? Thanks.

    Relying Party:
    urn:microsoft:adfs:claimsxray

    Exception details:
    Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Service.Authentication.SingleSignOnIdentityInvalidException:

    <Data>Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Service.Authentication.SingleSignOnIdentityInvalidException: SessionSecurityToken does not contain a single AnchorID claim.
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.ValidateToken(SessionSecurityToken token, SessionSecurityToken currentToken)
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.AddToken(SessionSecurityToken newToken)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateSingleSignOnTokenInContext(ProtocolContext context, SecurityToken ssoToken)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateSingleSignOnTokenInContext(ProtocolContext context, SecurityToken ssoToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    Microsoft.IdentityServer.Service.Authentication.SingleSignOnIdentityInvalidException: SessionSecurityToken does not contain a single AnchorID claim.
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.ValidateToken(SessionSecurityToken token, SessionSecurityToken currentToken)
       at Microsoft.IdentityServer.Web.SessionTokenManager.SingleSignOnTokenHelper.AddToken(SessionSecurityToken newToken)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.UpdateSingleSignOnTokenInContext(ProtocolContext context, SecurityToken ssoToken)

    Monday, July 8, 2019 8:28 PM

Answers

All replies

  • The message suggests that a token request cannot be processed because the LDAP store did not return any Anchor Attribute. I'd say, look at your LDAP claim provider: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-authenticate-users-stored-in-ldap-directories


    • Marked as answer by hkg04 Friday, July 12, 2019 6:45 PM
    Monday, July 8, 2019 8:59 PM
  • Thanks for the quick response.

    I have another LDAP server which hosts almost the same directory, and I can authenticate using the same anchorID claim (email in our case). I queried both LDAP servers using a Windows LDAP client (the working one and the one with the above error) for the same user ID and the same result was returned, e.g. same attribute names, sn, givenName. So I am not sure what to look at at the moment.


    • Edited by hkg04 Monday, July 8, 2019 9:13 PM
    Monday, July 8, 2019 9:07 PM
  • I noticed that when I ran Get-AdfsLocalClaimsProviderTrust -Name "claims-provider" | select LdapAttributeToClaimMapping, I didn't see any mapping there, even though I did add all the mappings when creating the LDAP local claims provider trust earlier.

    The claim types I used in the LDAP instance are the typical givenName, surname, mail, uid:

    $GivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

    $Surname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

    $NameIdentifier = New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

    $EmailAddress = New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

    • Edited by hkg04 Wednesday, July 10, 2019 9:17 PM
    Wednesday, July 10, 2019 9:13 PM
  • Thanks, I got the problem resolved. The reason was that I always copied and pasted the entire Add-AdfsLocalClaimsProviderTrust cmdlet from Notepad into PowerShell. Even though the cmdlet ran successfully, some of the parameters didn't get added. I manually typed the whole cmdlet and it fixed the problem.

    Thanks again for your help.
    Friday, July 12, 2019 6:45 PM
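The thread ends with the fix (retype the cmdlet) but not with a way to confirm that the trust really carries the anchor mapping before you test sign-in. The script below is an added example written for this page, not code from the thread or from Microsoft's documentation. It creates the LDAP local claims provider trust with the same four mappings the poster listed, passing the parameters by splatting so that a pasted one-liner cannot silently lose arguments at a line break, and then reads the trust back and checks that the anchor attribute/claim pair is present among the mappings. The error in the log says the SSO session token must contain exactly one AnchorID claim; if the anchor claim is never mapped, that claim is never issued, so this check is the one to run before opening IdpInitiatedSignOn again. Host name, port, identifier, user container and the function name Test-AdfsLdapAnchorMapping are assumptions; the property names read back from the trust object (AnchorClaimLdapAttribute, AnchorClaimType, LdapAttributeToClaimMapping, LdapAttribute, ClaimType) are assumed to match the corresponding cmdlet parameter names.

```powershell
# Added example (not from the thread): build an LDAP local claims provider trust
# by splatting, then verify the anchor mapping actually landed on the trust.
# Placeholders (assumptions): ldap.example.test, port 636, urn:example:ldap,
# ou=people,dc=example,dc=test.

$ClaimNs = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Bind account for the directory: prompted, never hard-coded in the script.
$DirectoryCred = Get-Credential -Message "LDAP bind account"

# Assumption: LDAPS on 636. -SslMode Ssl keeps the bind credential and the
# users' passwords off the wire in clear text.
$Ldap = New-AdfsLdapServerConnection -HostName "ldap.example.test" -Port 636 `
    -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

# The four mappings the poster used.
$Mappings = @(
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "$ClaimNs/givenname"),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn        -ClaimType "$ClaimNs/surname"),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute uid       -ClaimType "$ClaimNs/nameidentifier"),
    (New-AdfsLdapAttributeToClaimMapping -LdapAttribute mail      -ClaimType "$ClaimNs/emailaddress")
)

# Splatting: every argument is a hashtable entry, so a line break introduced by
# pasting a long one-liner from Notepad cannot truncate the parameter list.
$Trust = @{
    Name                        = "claims-provider"
    Identifier                  = "urn:example:ldap"                 # assumption
    Type                        = "Ldap"
    LdapServerConnection        = $Ldap
    UserObjectClass             = "inetOrgPerson"
    UserContainer               = "ou=people,dc=example,dc=test"    # assumption
    LdapAuthenticationMethod    = "Basic"
    AnchorClaimLdapAttribute    = "mail"                             # the poster's anchor
    AnchorClaimType             = "$ClaimNs/emailaddress"
    LdapAttributeToClaimMapping = $Mappings
    AcceptanceTransformRules    = "c:[] => issue(claim = c);"       # pass-through; tighten in production
    Enabled                     = $true
}
Add-AdfsLocalClaimsProviderTrust @Trust

# Read the trust back and confirm the anchor attribute/claim pair is among the
# mappings and that every mapping we passed was stored. Hypothetical function name.
function Test-AdfsLdapAnchorMapping {
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$ExpectedMappingCount
    )
    $t = Get-AdfsLocalClaimsProviderTrust -Name $Name
    if (-not $t) { throw "No local claims provider trust named '$Name'" }

    $stored = @($t.LdapAttributeToClaimMapping)
    $anchor = $stored | Where-Object {
        $_.LdapAttribute -eq $t.AnchorClaimLdapAttribute -and
        $_.ClaimType     -eq $t.AnchorClaimType
    }

    $result = [pscustomobject]@{
        Name            = $t.Name
        AnchorAttribute = $t.AnchorClaimLdapAttribute
        AnchorClaimType = $t.AnchorClaimType
        MappingCount    = $stored.Count
        AnchorMapped    = [bool]$anchor
    }
    if (-not $result.AnchorMapped) {
        Write-Warning "Anchor attribute '$($t.AnchorClaimLdapAttribute)' is not mapped to '$($t.AnchorClaimType)'; sign-in will fail with 'does not contain a single AnchorID claim'."
    }
    if ($ExpectedMappingCount -and $stored.Count -ne $ExpectedMappingCount) {
        Write-Warning "Expected $ExpectedMappingCount mappings, found $($stored.Count); re-run Set-AdfsLocalClaimsProviderTrust -TargetName '$Name' -LdapAttributeToClaimMapping with the full list."
    }
    $result
}

Test-AdfsLdapAnchorMapping -Name "claims-provider" -ExpectedMappingCount $Mappings.Count
```

Two practical notes. First, AnchorMapped being false with a non-zero MappingCount means the mappings arrived but the anchor attribute is not one of them, which is a different bug from the one the poster hit (zero mappings), and the fix is to add the anchor mapping rather than retype the whole cmdlet. Second, whatever attribute you choose as the anchor is the value ADFS uses to identify the user across the SSO session, so prefer an attribute the directory guarantees to be unique and that is not routinely reassigned; a mail address that can be recycled to another person is a weaker anchor than an immutable identifier.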