09-08-2020 05:43 AM
Hi Community,
I am trying to establish an SSO configuration with ADFS on Microsoft Server 2019.
I used this Documentation:
When I click the "Test SSO Connection" button, I am redirected to our ADFS site as expected. But when I enter my credentials, I get an error "Invalid Status code in Response".
In the Event Log on the ADFS server I do not get any errors or warnings.
In the Claim Issuance Policy of the Relying Party Trust I have two rules, as described in the Documentation:
1. The Attributes Rule: LDAP Attribute --> uid
2. The custom rule:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://myfqdn/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://idbroker-.....");
Does anyone know what to do for troubleshooting?
If you need more information, please let me know.
Thank you and kind regards,
BS
09-08-2020 05:55 AM
The certificate revocation list is provided by the IdP. Since you are using SSO with ADFS, this is something that needs to be checked by your ADFS team. If it is enabled, you will need to turn it off using the following command:
09-08-2020 07:10 AM
Hello & thanks for your response,
Which command did you mean?
Is it necessary to set the SigningCertificateRevocationCheck and EncryptionCertificateRevocationCheck of the Relying Party Trust to None?
02-01-2023 08:37 PM
Hello @IT-Sauer,
Did you get it fixed? From the description, this seems to be an issue with the relying party trust's encryption certificate being invalid and having been revoked. You should see the attempt in the Event Viewer log on your ADFS server.
Something similar to "An error occurred during an attempt to build the certificate chain...". Run the following PowerShell commands to disable the Relying Party certificate CRL check:
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -EncryptionCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -SigningCertificateRevocationCheck None
Just change the TargetName and use your own Relying Party Trust name.
Please rate if it's “Helpful”.
If this answered your question please click “Accept as Solution”.
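Before switching the revocation checks to None, it helps to see which check is actually failing and why. The following PowerShell is an added diagnostic, not code from the thread or from Cisco: it reads the trust's current revocation settings and rebuilds the chain of its encryption and signing certificates with online CRL/OCSP lookups, the way ADFS does for a CheckChain setting. It assumes the ADFS module is available on the ADFS server and uses "Cisco WebEx" as a placeholder trust name.

```powershell
# Added diagnostic for the CRL question above (not from the thread or Cisco).
# Assumes the ADFS PowerShell module; replace the placeholder trust name.
Import-Module ADFS

$trustName = "Cisco WebEx"   # placeholder: use your own Relying Party Trust name
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rp) { throw "Relying party trust '$trustName' not found" }

# Current revocation settings for the two certificate roles on the trust
Write-Host "EncryptionCertificateRevocationCheck : $($rp.EncryptionCertificateRevocationCheck)"
Write-Host "SigningCertificateRevocationCheck    : $($rp.SigningCertificateRevocationCheck)"

function Test-RpCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Label
    )
    # Build the chain with online revocation lookups, root excluded, which is
    # what a CheckChainExcludeRoot style verification on the trust has to succeed at
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $ok = $chain.Build($Cert)
    Write-Host "$Label : $($Cert.Subject) (expires $($Cert.NotAfter))"
    if ($ok) {
        Write-Host "  chain OK"
    } else {
        # Each status entry says whether the failure is a revoked cert, an
        # unreachable CRL (RevocationStatusUnknown/OfflineRevocation),
        # an untrusted root, or an expired certificate
        foreach ($s in $chain.ChainStatus) {
            Write-Host "  $($s.Status): $($s.StatusInformation.Trim())"
        }
    }
    return $ok
}

$results = @()
if ($rp.EncryptionCertificate) {
    $results += Test-RpCertificateChain -Cert $rp.EncryptionCertificate -Label "Encryption cert"
}
foreach ($c in $rp.RequestSigningCertificate) {
    $results += Test-RpCertificateChain -Cert $c -Label "Signing cert"
}
if ($results -contains $false) { Write-Host "At least one chain failed; see statuses above" }
```

If the only statuses reported are RevocationStatusUnknown or OfflineRevocation, the ADFS server cannot reach the CRL distribution point of the Webex certificate, and restoring that reachability keeps the check in place; a Revoked or NotTimeValid status means the certificate itself needs to be replaced rather than the check relaxed.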