Symptoms
Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 07/28/2011 05:15:28 PM Event ID: 364 Level: Error User: CONTOSO\ADMIN Computer: adfs.contoso.com
Encountered error during federation passive request. Additional Data Exception details: Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason. at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status) at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status) --- End of inner exception stack trace --- at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status) System.ServiceModel.FaultException: The creator of this fault did not specify a Reason. at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest) at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status) at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status) Log Name: AD FS 2.0/Admin Source: AD FS 2.0 Date: 07/28/2011 05:15:28 PM Event ID: 261 Level: Error User: CONTOSO\ADMIN Computer: adfs.contoso.com The request specified an Assertion Consumer Service URL 'some-URL' that is not configured on the relying party 'URI-for-a-Relying-Party-Trust'. Assertion Consumer Service URL: some-URL Relying party: URI-for-a-Relying-Party-Trust This request failed. User Action Use the AD FS 2.0 Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party. Cause The Relying Party is sending a SAML 2.0 SAMLRequest containing an AuthnRequest which is specifying a AssertionConsumerService URL value. This AssertionConsumerService URL value does not match the AssertionConsumerService URL value configured on the Relying Party Trust in AD FS 2.0. From SAML 2.0 Core specification: AssertionConsumerServiceURL [Optional] Specifies by value the location to which the <Response> message MUST be returned to the requester. The responder MUST ensure by some means that the value specified is in fact associated with the requester. [SAMLMeta] provides one possible mechanism; signing the enclosing <AuthnRequest> message is another. This attribute is mutually exclusive with the AssertionConsumerServiceIndex attribute and is typically accompanied by the ProtocolBinding attribute. AssertionConsumerService is an optional attribute of a AuthnRequest, which means that AD FS 2.0 can respond appropriately without it since AD FS 2.0 knows the AssertionConsumerService URL from the RP Trust configuration. When the RP sends this information in the AuthnRequest, the information is redundant, and the inlcuded value is still required to match the URL value specified on the RP Trust configuration. The sign-in is failing because the RP is choosing to provide this optional information, and the information does not match the value that AD FS 2.0 holds for that RP. Resolution There are two options: 1. Configure the RP so that AssertionConsumerService is not specified in the AuthnRequest 2. Configure the RP to send a AssertionConsumerService value in the AuthnRequest which matches the AssertionConsumerService value on the Endpoints tab of the RP Trust in AD FS 2.0.