ADFS – Fixing SAML Service Provider Login Error

Tags: active-directory, adfs, saml, single-sign-on, windows-server-2012-r2

I have a Spring SAML Project that has been under development for about a month. I've integrated with ADFS and everything has been working well. I'm getting an intermittent error that is becoming problematic because I have to wait for it to seemingly decide to start working again. It is now showing the error more often than it works. I see this error after performing a login with any number of test AD accounts.

Error ID 111 in the event log

The Federation Service encountered an error while processing the WS-Trust request. 
Request type: http://schemas.microsoft.com/idfx/requesttype/issue 

Additional Data 
Exception details: 
System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Parameter name: fileTime
   at System.DateTime.FromFileTimeUtc(Int64 fileTime)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetPasswordExpiryDetails(SafeLsaReturnBufferHandle profileHandle, DateTime& nextPasswordChange, DateTime& lastPasswordChange)....

Error 364 in the ADFS Event Log

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
Saml 

Relying Party: 
https://localhost:8443/elsso/saml/metadata/alias/serviceprovider

Exception details: 
System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Parameter name: fileTime
   at System.DateTime.FromFileTimeUtc(Int64 fileTime)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetPasswordExpiryDetails(SafeLsaReturnBufferHandle profileHandle, DateTime& nextPasswordChange, DateTime& lastPasswordChange)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)....

The configuration of the Service Provider, AD, ADFS, the Certificates, and the SAML assertions are correct. At least they work 90% of the time when I'm not getting this error.

What I've Tried while it's failing that has not helped

  1. Restarting the ADFS Service and Virtual Server
  2. Syncing the proxy server times (not sure what this means exactly; found an MS doc that suggested it for error types 111 and 364). In PowerShell:
    w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update
  3. The two StackOverflow articles related to this have shown an error in the assertion metadata, and that SHA-256 is not supported. I've verified my metadata and am using SHA-1.
  4. I can't find any articles directly related to this issue on any Microsoft support site, however, I'm new to dealing with this sort of issue and may just not know where to look.

As of right now, it's working for a few minutes every few hours then failing the rest of the time.

I'm truly stumped and any suggestions for ways to troubleshoot this will be greatly appreciated.

UPDATE: I am not able to log in to ADFS natively, which further indicates to me it's not an issue with the service provider, but with ADFS/AD itself.

Best Answer

Based on suggestions from a Windows Admin, I did the following which resolved the issue.

  1. Ensured W32Time service was using NTP (it wasn't)
  2. Ensure all updates were installed (they were)
  3. Ensure all services were running under a service account, not a domain controller account (they weren't)
  4. After making sure ADFS was running under the service account, recreate the Service Provider

At this point, the error was only occurring for a subset of AD users. On those users, I reset their passwords, which then resolved the issue.

Although I am not entirely sure why this started happening or how these steps fixed it, my theory is that not using one service account to manage all of it led to files being written that couldn't be read in by processes running under a different account.

Hope this helps someone.

Update:

Another possible cause of the error: if you change the UPN in Active Directory to a string containing a space, this error shows up.

2nd Update:

Using an invalid domain can also cause this error.
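A PowerShell check for the conditions the accepted answer and its updates walk through (time source, ADFS service identity, password timestamps that fail the same FromFileTimeUtc call seen in the stack trace, and UPNs containing a space), as an added example that is not part of the original post. It assumes the ADFS service is named adfssrv, the ActiveDirectory module is installed, and that the timestamps ADFS converts correspond to the pwdLastSet and msDS-UserPasswordExpiryTimeComputed attributes.

```powershell
# Added diagnostic; not code from the original question or answer.
# Assumptions: ADFS service name 'adfssrv'; ActiveDirectory module present;
# the values ADFS passes to DateTime.FromFileTimeUtc correspond to the
# pwdLastSet and msDS-UserPasswordExpiryTimeComputed attributes.
Import-Module ActiveDirectory

# 1. Time source (answer step 1: W32Time should be using NTP/NT5DS, not NoSync).
$w32 = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
Write-Host "W32Time Type   : $($w32.Type)  (NTP or NT5DS expected; NoSync is the bad case)"
Write-Host "W32Time source : $(w32tm /query /source)"

# 2. Service identity (answer step 3: ADFS should run under a dedicated service account).
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
Write-Host "adfssrv runs as: $($svc.StartName)  (state: $($svc.State))"

# 3. Accounts whose password timestamps cannot be converted by FromFileTimeUtc,
#    which is exactly the call that throws 'Not a valid Win32 FileTime' in the log.
function Test-FileTimeValue {
    param([Int64]$Value)
    try   { [DateTime]::FromFileTimeUtc($Value) | Out-Null; return $true }
    catch [System.ArgumentOutOfRangeException] { return $false }
}

$props = 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'
$badTimestamps = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    foreach ($p in $props) {
        $v = $_.$p
        # Note: a computed expiry of [Int64]::MaxValue means "password never expires";
        # it is reported here because FromFileTimeUtc rejects it, but it is expected.
        if ($null -ne $v -and -not (Test-FileTimeValue ([Int64]$v))) {
            [pscustomobject]@{ User = $_.SamAccountName; Attribute = $p; Value = $v }
        }
    }
}
Write-Host "`nAccounts with password timestamps outside the valid FileTime range:"
$badTimestamps | Format-Table -AutoSize

# 4. UPNs containing whitespace (the answer's first update names this as a trigger).
Write-Host "Accounts whose UPN contains a space:"
Get-ADUser -Filter * -Properties userPrincipalName |
    Where-Object { $_.userPrincipalName -match '\s' } |
    Select-Object SamAccountName, userPrincipalName | Format-Table -AutoSize
```

Run it on a domain controller or a host with RSAT; accounts listed under step 3 are the ones to review (or reset, as the answer did) before recreating the relying party.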