Symptoms

  • Sign-in fails
  • The following events are logged in the AD FS 2.0/Admin event log:

Event log

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 07/28/2011 05:15:28 PM
Event ID: 364
Level: Error
User: CONTOSO\ADMIN
Computer: adfs.contoso.com
Encountered error during federation passive request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)    --- End of inner exception stack trace ---    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status) System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: 07/28/2011 05:15:28 PM
Event ID: 261
Level: Error  
User: CONTOSO\ADMIN     
Computer: adfs.contoso.com
                        
The request specified an Assertion Consumer Service URL 'some-URL' that is not  configured on the relying party 'URI-for-a-Relying-Party-Trust'.
Assertion Consumer Service URL: some-URL
Relying party: URI-for-a-Relying-Party-Trust
This request failed. 

User Action

Use the AD FS 2.0 Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.

Cause

The Relying Party is sending a SAML 2.0 SAMLRequest containing an AuthnRequest which is specifying a AssertionConsumerService URL value. This AssertionConsumerService URL value does not match the AssertionConsumerService URL value configured on the Relying Party Trust in AD FS 2.0.

From SAML 2.0 Core specification:

AssertionConsumerServiceURL

[Optional]

Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated

with the requester.

[SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another.

This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute.

AssertionConsumerService is an optional attribute of a AuthnRequest, which means that AD FS 2.0 can respond appropriately without it since AD FS 2.0 knows the AssertionConsumerService URL from the RP Trust configuration. When the RP sends this information in the AuthnRequest, the information is redundant, and the included value is still required to match the URL value specified on the RP Trust configuration. The sign-in is failing because the RP is choosing to provide this optional information, and the information does not match the value that AD FS 2.0 holds for that RP.

Resolution

There are two options:

  1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest
  2. Configure the RP to send a AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.