ADFS 3.0 and workplace join issue

  • Question

  • Hi,

    I've got a working ADFS 3.0 server which I already configured to support O365 and a CRM 2013 server. All is working fine and without any problems. We recently decided to add the workplace join feature to our domain. After configuring the ADFS server and WAP I can join the workplace, all certificates are issued (I can see a certificate issued by MS-Organization-Access in my personal store) and a new device is visible in Active Directory. The device registration log on the ADFS server confirms successful enrollment:

    Successfully enrolled device for user marcin@contoso.com.

    As soon as I'm trying to open CRM or login to O365 I'm receiving an error on ADFS login page:

    An error occurred
    The device authentication failed.
    Error details
    • Activity ID: 00000000-0000-0000-ae01-0080000000c9
    • Relying party: Microsoft Office 365 Identity Platform
    • Error time: Tue, 24 Jun 2014 16:04:45 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C; .NET CLR 3.5.30729; .NET CLR 2.0.50727; .NET CLR 3.0.30729)

    Admin log on ADFS server is registering error 364:

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    Microsoft.IdentityServer.AuthenticationFailedException: MSIS5000: Authentication of the device certificate failed. ---> Microsoft.IdentityServer.Service.SecurityTokenService.DeviceAuthenticationException: MSIS5000: Authentication of the device certificate failed.
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.AuthenticateDevice(RequestSecurityToken request, IClaimsPrincipal principal, Boolean isSSORequest)
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)

    Can somebody help me resolve this problem?

    Regards,

    Marcin

    Tuesday, June 24, 2014 5:30 PM

All replies

  • Hi Marcin,

    I get exactly the same problem between a federation between Azure and Office 365.

    The time on the line "Error time: .... GMT" is exactly 2 hours less than the real time of my Windows Azure servers.

    Did you find the reason?

    Regards,

    Jerome

    Friday, August 1, 2014 3:21 PM
  • I got the same issue today. Is there any resolution for this?
    Tuesday, August 5, 2014 6:33 AM
  • Is there someone who has found a solution for this issue? We have the same problem. Joining the device to the workplace works perfectly, but when trying to login into Office365 we get the same error using Internet Explorer. Using Firefox, we can login into Office365 without problems.
    Friday, August 8, 2014 8:19 AM
  • Hi,

    Please check the following in your AD FS Manager:

    If this Setting is not present, use the following cmdlet in the Microsoft Azure PowerShell Module:

    Update-MsolFederatedDomain -DomainName domain.com

    And try again.

    Dominik

    Saturday, August 16, 2014 11:13 PM
  • We are experiencing the same issue.

    Also, login using Firefox works fine, just as it does for Nikita.

    Dominik's suggestion did not do the trick.

    Oddly enough, this thread on the issue is just about all I can find... So, for the time being I have deactivated Device Authentication.


    Dani

    Monday, September 1, 2014 11:27 AM
  • @Marcin and others

    Did you by any chance have the Web Application Proxy or Proxies join the on-prem Active Directory Domain for the purpose of allowing integrated authentication?


    Dani

    Monday, September 1, 2014 12:08 PM
  • Hello Dani,

    In ADFS 3.0 you do not need to have a proxy anymore like IIS. So we do not have any web application proxy.

    Friday, October 10, 2014 12:48 PM
  • Exactly the same problem for me.

    I have 2 ADFS servers in the farm, primary on site and secondary offsite, DNS running load balancing between the two for high availability.

    Curiously, when I shut down the primary and it fails over to the secondary, it's absolutely fine.

    No proxies, no weird config. I even removed the Device Registration service to see if that made a difference (no change).

    No Microsoft help on this??

    Thanks

    Mike

    Friday, October 10, 2014 3:57 PM
  • Hi Nikita,

    I'm not sure where you got that information from concerning the need not to have a proxy. Just because AD FS has moved to kernel-mode from IIS, doesn't mean that it shouldn't be protected by a component such as the WAP.


    http://blog.auth360.net

    Friday, October 10, 2014 6:11 PM
  • Hmm... IE doesn't work but Firefox does... Have you tried turning off extended protection checking (restart services)? Maybe that's not supported on the O365 side with IE?

    Set-ADFSProperties -ExtendedProtectionTokenCheck None


    http://blog.auth360.net

    Friday, October 10, 2014 6:18 PM
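    The following PowerShell script is an added example, written for this thread and not posted by anyone in it. It records the two settings the thread discusses (ExtendedProtectionTokenCheck and global device authentication), pulls the event 364 entries that carry the MSIS5000 device-certificate failure from the AD FS Admin log, and only then applies Mylo's change, keeping the previous value so it can be restored. It assumes an elevated session on the primary AD FS 3.0 (Windows Server 2012 R2) server with the ADFS module installed, and that the failures are logged as in Marcin's post ("Protocol Name:" / "Relying Party:" lines in the message body).

```powershell
# Added example, not from the thread. Run elevated on the primary AD FS 3.0 server.
Import-Module ADFS

# --- 1. Record the current state before touching anything ------------------
$props  = Get-AdfsProperties
$policy = Get-AdfsGlobalAuthenticationPolicy
$before = [pscustomobject]@{
    ExtendedProtectionTokenCheck = $props.ExtendedProtectionTokenCheck   # None | Allow | Require
    DeviceAuthenticationEnabled  = $policy.DeviceAuthenticationEnabled   # the switch Dani turned off
}
$before | Format-List

# --- 2. Collect the event 364 / MSIS5000 failures from the last 24 hours ----
# The message body contains "Protocol Name:" and "Relying Party:" lines (see the
# original post), so a short regex recovers which RP and protocol each failure hit.
$filter   = @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = (Get-Date).AddDays(-1) }
$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS5000' } |
    ForEach-Object {
        $rp = if ($_.Message -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { '?' }
        $pr = if ($_.Message -match 'Protocol Name:\s*(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Protocol = $pr; RelyingParty = $rp }
    }
$failures | Format-Table -AutoSize

# --- 3. Apply the workaround from the thread only if it is actually in force -
if ($failures -and $before.ExtendedProtectionTokenCheck -ne 'None') {
    Write-Host "Relaxing ExtendedProtectionTokenCheck from $($before.ExtendedProtectionTokenCheck) to None"
    Set-AdfsProperties -ExtendedProtectionTokenCheck None
    Restart-Service adfssrv          # the new value is picked up at service start
    Get-AdfsProperties | Select-Object ExtendedProtectionTokenCheck
}

# Roll back to the recorded value once the root cause is fixed:
#   Set-AdfsProperties -ExtendedProtectionTokenCheck $before.ExtendedProtectionTokenCheck
#   Restart-Service adfssrv
```

    Step 3 changes a farm-wide setting: ExtendedProtectionTokenCheck is the channel-binding check that ties the Windows authentication handshake to the TLS session, so setting it to None removes that protection for every relying party, not just Office 365. Recording the previous value first makes the change reversible, and the event table from step 2 shows whether the MSIS5000 failures actually stop after the restart.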
  • Set-ADFSProperties -ExtendedProtectionTokenCheck None

    This cmdlet did the trick for me! Thanks Mylo!!!


    WORK

    Thursday, May 21, 2015 7:21 AM