AD FS 3.0 Event ID 364 while creating MFA (and SSO)

adfs, single-sign-on, windows-server-2012-r2

I have a clean installation of AD FS 3.0 installed on Windows Server 2012. I am trying to create MFA on my internal network using this Codeplex project.

AD FS Management > Authentication Policies

  • Multi-factor locations: Intranet
  • Selected Multi factor Authentication Extension (name from codeplex)

When I go to my adfs site (https://adfs.xx.com/adfs/ls/IdpInitiatedSignon.aspx) and login with valid credentials, I get the following error:

On site

  • Activity ID: 00000000-0000-0000-3d00-0080000000e9
  • Error time: Mon, 01 Feb 2016 09:04:18 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36

On server (Event viewer > Appl. and Serv. Logs > AD FS > Admin)

Level: Error, Source: AD FS, Event ID: 364, Task Category: None


Encountered error during federation passive request.

Additional Data

Protocol Name: Saml

Relying Party: http://adfs.xx.com/adfs/services/trust

Exception details: System.FormatException: Input string was not in a correct format.
   at System.Text.StringBuilder.AppendFormat(IFormatProvider provider, String format, Object[] args)
   at System.String.Format(IFormatProvider provider, String format, Object[] args)
   at Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

I have tried to fix the problem by checking the SSL certificates; they are all correctly installed. There are no ping errors. I've also checked the code from the project, and there are no faults to see.

Does anyone know about this error, or can give me a push in the right direction? Any help much appreciated!

[Update 1]

The log level is level 2; a basic error.

[Update 2]

See the Codeplex Issues.

[Update 3]

New version available with fixed bugs. The error messages are fixed.

Best Answer

The Microsoft TechNet reference for ADFS 2.0 states the following for Event 364:

This event can be caused by anything that is incorrect in the passive request. It can occur during single sign-on (SSO) or logout for both SAML and WS-Federation scenarios.

https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures(v=ws.10).

I realize you're using a newer version of ADFS but I couldn't find an updated reference in the 2012 R2 documentation. However, the description isn't all that helpful anyway.

References from some other sources usually point to certificate issues (revocation checking, missing certificate in chain) or a time skew.

http://www.gfi.com/blog/how-to-resolve-adfs-issues-with-event-id-364/

I know you said the certificates were installed correctly, but you may want to double check that you can complete the revocation check and the chain validates. The easiest way to do this would be to open the certificate on the server from the Certificates snap-in and make sure there are no errors or warnings on the General and Certification Path tabs.

I've had time skew issues bite me in other authentication scenarios so definitely make sure all of your clocks match up as well.

Another thread I ran into mentioned an issue with SPNs. I know when I set up an ADFS 2012 R2 environment I ran into a problem with the SPN registration because my server's FQDN was the same as my intended Federation Service name (adfs.domain.com), so it was unable to register the SPN for ADFS. I fixed this by changing the hostname to something else and manually registering the SPNs. Unfortunately, I don't remember if this issue caused an event 364 though.

One thing I am curious about that you didn't mention if you had tried is whether or not you tested authentication to ADFS without the MFA extension. The extension name showing up in the exception stack seems to indicate it is part of the issue but that test could help you rule out issues with other aspects of your ADFS deployment.

Finally, if none of the above seems to help I would recheck the extension documentation to make sure that you didn't miss any steps in the setup. Hope that helps!
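The checks the answer lists (recent Event 364 entries with the innermost stack frame, certificate chain and online revocation for the AD FS certificates, clock skew against a domain controller, the HOST/ SPN and the hostname clash, and a sign-on test with the MFA extension taken out of the global policy) can be run in one pass from PowerShell on the AD FS server. The script below is an added example; it is not from the question, the answer, or the MFA extension project. It assumes an elevated PowerShell on the AD FS 3.0 server with the ADFS module available, a domain controller reachable over WMI (defaulting to the logon server), and that -DisableExtension is only used during a test window, because it strips every additional authentication provider from the global policy until you restore it with the command it prints.

```powershell
<#
  Added diagnostic script for the checks suggested above (not part of the original
  post or of the MFA extension project). Run in an elevated PowerShell on the
  AD FS 3.0 / Windows Server 2012 R2 server. -DisableExtension removes all additional
  authentication providers from the global policy; restore them afterwards.
#>
param(
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\+', ''),  # assumption: logon DC is reachable over WMI
    [int]$MaxSkewSeconds = 300,                                           # Kerberos default tolerance
    [switch]$DisableExtension
)

Import-Module ADFS -ErrorAction Stop
$fsName = (Get-AdfsProperties).HostName    # Federation Service name, e.g. adfs.xx.com

# 1. Most recent Event 364 entries: show the innermost stack frame of each so the
#    component that threw (here the extension's IsAvailableForUser) stands out.
Write-Host "== Recent Event 364 entries (AD FS/Admin) =="
$filter = @{ LogName = 'AD FS/Admin'; Id = 364 }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)) {
    $frame = $e.Message -split "`r?`n" | Where-Object { $_ -match '^\s*at\s' } | Select-Object -First 1
    "{0:yyyy-MM-dd HH:mm:ss}  {1}" -f $e.TimeCreated, ($frame -replace '^\s+', '')
}

# 2. Chain build with online revocation checking for every AD FS certificate.
#    AD FS-generated Token-Signing/Token-Decrypting certificates are self-signed, so
#    UntrustedRoot is expected for them; any other status, and any revocation failure
#    on the Service-Communications certificate, needs attention.
Write-Host "== Certificate chain / revocation =="
foreach ($c in Get-AdfsCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $built  = $chain.Build($c.Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    "{0,-22} {1}  expires {2:yyyy-MM-dd}  chain ok: {3}  {4}" -f `
        $c.CertificateType, $c.Certificate.Thumbprint, $c.Certificate.NotAfter, $built, $status
}

# 3. Clock skew against the domain controller (WMI LocalDateTime converted to DateTime).
if ($DomainController) {
    Write-Host "== Time skew vs $DomainController =="
    $os     = Get-WmiObject Win32_OperatingSystem -ComputerName $DomainController
    $dcTime = $os.ConvertToDateTime($os.LocalDateTime)
    $skew   = [math]::Abs(((Get-Date) - $dcTime).TotalSeconds)
    "skew: {0:N1}s ({1})" -f $skew, $(if ($skew -gt $MaxSkewSeconds) { 'TOO LARGE' } else { 'ok' })
}

# 4. HOST/ SPN for the Federation Service name, and the hostname clash described in
#    the answer (server FQDN equal to the Federation Service name).
Write-Host "== SPN / hostname =="
$spnOut = (setspn -Q "HOST/$fsName" 2>&1) -join "`n"
"HOST/$fsName registered: " + ($spnOut -match 'Existing SPN found')
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($serverFqdn -ieq $fsName) {
    Write-Warning "Server FQDN ($serverFqdn) equals the Federation Service name; the machine account already holds HOST/$fsName, so it cannot also be registered for the AD FS service account."
}

# 5. Isolate the MFA extension: list the additional providers and, on request, drop
#    them from the global policy so sign-on can be retried without the extension.
Write-Host "== Additional authentication providers =="
$providers = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
"enabled: " + $(if ($providers) { $providers -join ', ' } else { '(none)' })
if ($DisableExtension -and $providers) {
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @()
    Write-Host "Providers removed. Retry /adfs/ls/IdpInitiatedSignon.aspx, then restore with:"
    Write-Host ("  Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider @('{0}')" -f ($providers -join "','"))
}
```

Run it once without -DisableExtension to collect the findings, then with -DisableExtension and retry the IdpInitiatedSignon page: if sign-on succeeds with the providers removed and fails again once they are restored, the extension is the component to look at, which matches the stack trace in the question, where the FormatException is thrown inside the extension's IsAvailableForUser before AD FS's own handler gets control.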
