AD FS 3.0 Event ID 364 while creating MFA (and SSO)


Solution 1

The Microsoft TechNet reference for ADFS 2.0 states the following for Event 364:

This event can be caused by anything that is incorrect in the passive request. It can occur during single sign-on (SSO) or logout for both SAML and WS-Federation scenarios.

https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-fedpassive-request-failures(v=ws.10).

I realize you're using a newer version of ADFS but I couldn't find an updated reference in the 2012 R2 documentation. However, the description isn't all that helpful anyway.

References from some other sources usually point to certificate issues (revocation checking, missing certificate in chain) or a time skew.

http://www.gfi.com/blog/how-to-resolve-adfs-issues-with-event-id-364/

I know you said the certificates were installed correctly but you may want to double check that you can complete the revocation check and the chain validates. The easiest way to do this would be to open the certificate on the server from the Certificates snap-in and make sure there are no errors or warnings on the General and Certification Path tabs.

I've had time skew issues bite me in other authentication scenarios so definitely make sure all of your clocks match up as well.

Another thread I ran into mentioned an issue with SPNs. I know when I set up an ADFS 2012 R2 environment I ran into a problem with the SPN registration because my server's FQDN was the same as my intended Federation Service name (adfs.domain.com) so it was unable to register the SPN for ADFS. I fixed this by changing the hostname to something else and manually registering the SPNs. Unfortunately, I don't remember if this issue caused an event 364 though.

One thing I am curious about that you didn't mention if you had tried is whether or not you tested authentication to ADFS without the MFA extension. The extension name showing up in the exception stack seems to indicate it is part of the issue but that test could help you rule out issues with other aspects of your ADFS deployment.

Finally, if none of the above seems to help I would recheck the extension documentation to make sure that you didn't miss any steps in the setup. Hope that helps!

Solution 2

I faced this issue in Windows Server 2016 and it turned out to be fairly basic in my setup. The issue is that the page was not enabled. When I attempted to sign on, I received the error 364.

The link to the answer for my issue is, https://blogs.technet.microsoft.com/rmilne/2017/06/20/how-to-enable-idpinitiatedsignon-page-in-ad-fs-2016/

Set-AdfsProperties -EnableIdpInitiatedSignonPage $True
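The checks described in Solution 1 and Solution 2 (certificate chain and revocation status, clock skew, the SPN for the Federation Service name, the IdP-initiated sign-on page setting, and matching the Activity ID on the error page to the Event 364 entry) can be run from one script. The PowerShell below is an added example written for this page; it is not code from either answer, from the Codeplex extension or from Microsoft. It assumes it is run elevated on the AD FS server, that `DC01` is a reachable domain controller (an assumed name, change it), and that the Federation Service name is whatever `Get-AdfsProperties` reports. `EnableIdpInitiatedSignonPage` exists only on AD FS 2016 and later (the page is always on in AD FS 3.0), which is why the script tests for the property instead of reading it directly.

```powershell
# Added Event 364 triage script (not from the original answers). Run elevated on the AD FS server.
# Assumed values: DC01 as the domain controller for the clock check; 300 s is the Kerberos
# default skew tolerance and is used here only as a conservative threshold.
param(
    [string]$DomainController = 'DC01',
    [int]$MaxSkewSeconds = 300
)
Import-Module ADFS -ErrorAction Stop

$props  = Get-AdfsProperties
$fsName = $props.HostName
"Federation Service name: $fsName"

# 1. Solution 2: on AD FS 2016+ the IdP-initiated sign-on page is off by default. AD FS 3.0
#    has no such property, so only report it when it exists on this version.
$idpProp = $props.PSObject.Properties['EnableIdpInitiatedSignonPage']
if ($idpProp) {
    "IdpInitiatedSignon page enabled: $($idpProp.Value)"
    if (-not $idpProp.Value) {
        "  -> /adfs/ls/IdpInitiatedSignon.aspx fails with Event 364 until enabled:"
        "     Set-AdfsProperties -EnableIdpInitiatedSignonPage `$true   (enable for testing only)"
    }
}

# 2. Solution 1: build the full chain with online revocation checking for every AD FS certificate
#    (token-signing, token-decrypting, service communications). This is the programmatic form of
#    the Certification Path tab check.
$online = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$entire = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
foreach ($c in Get-AdfsCertificate) {
    $cert  = $c.Certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $online
    $chain.ChainPolicy.RevocationFlag = $entire
    $ok = $chain.Build($cert)
    "{0,-25} {1} {2} expires {3:u}" -f $c.CertificateType, $cert.Thumbprint, $(if ($ok) { 'OK' } else { 'FAIL' }), $cert.NotAfter
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { "    {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
    }
    $chain.Reset()
}

# 3. Solution 1: clock skew against a DC. w32tm prints one "HH:mm:ss, +00.0012345s" line per sample.
$samples = & w32tm /stripchart /computer:$DomainController /samples:3 /dataonly 2>&1
$offsets = $samples | ForEach-Object { if ($_ -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] } }
if ($offsets) {
    $skew = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    "Clock offset vs {0}: {1:N3}s {2}" -f $DomainController, $skew, $(if ($skew -gt $MaxSkewSeconds) { 'TOO LARGE' } else { 'ok' })
} else {
    "w32tm returned no samples:`n$($samples -join "`n")"
}

# 4. Solution 1: the HOST SPN for the Federation Service name must exist exactly once. When the
#    server's own FQDN equals the service name, the computer account already owns host/<fqdn>
#    and the AD FS service account registration collides.
"SPN lookup for host/$fsName :"
& setspn -Q "host/$fsName"

# 5. The Activity ID shown on the error page is the ActivityId of the matching AD FS/Admin event,
#    so the two can be correlated directly instead of by timestamp.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exc = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^Exception details:' }) | Select-Object -First 1
        "{0:u}  activity {1}  {2}" -f $_.TimeCreated, $_.ActivityId, $exc
    }
```

Enabling the IdP-initiated sign-on page exposes a sign-in endpoint that most relying-party flows do not need; Microsoft turned it off by default in AD FS 2016 for that reason, so treat step 1 as a diagnostic toggle and switch it back off once the test is done.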
Author by djl

Updated on September 18, 2022

Comments

  • djl
    djl almost 2 years

    I have a clean installation of AD FS 3.0 installed on Windows Server 2012. I am trying to create MFA on my internal network using this Codeplex.

    AD FS Management > Authentication Policies

    • Multi-factor locations: Intranet
    • Selected Multi factor Authentication Extension (name from codeplex)

    When I go to my adfs site (https://adfs.xx.com/adfs/ls/IdpInitiatedSignon.aspx) and login with valid credentials, I get the following error:

    On site

    • Activity ID: 00000000-0000-0000-3d00-0080000000e9
    • Error time: Mon, 01 Feb 2016 09:04:18 GMT
    • Cookie: enabled
    • User agent string: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36

    On server (Event viewer > Appl. and Serv. Logs > AD FS > Admin)

    Level: Error, Source: AD FS, Event ID: 364, Task Category: None


    Encountered error during federation passive request.

    Additional Data

    Protocol Name: Saml

    Relying Party: http://adfs.xx.com/adfs/services/trust

    Exception details: System.FormatException: Input string was not in a correct format.
       at System.Text.StringBuilder.AppendFormat(IFormatProvider provider, String format, Object[] args)
       at System.String.Format(IFormatProvider provider, String format, Object[] args)
       at Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
       at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

    I have tried to fix the problem by checking the SSL certificates; they are all correctly installed. There are no ping errors. I've also checked the code from the project and there are also no faults to see.

    Does anyone know about this error or give me a push in the right direction? Any help much appreciated!

    [Update 1]

    The log level is level 2; a basic error.

    [Update 2]

    See the Codeplex Issues.

    [Update 3]

    New version available with fixed bugs. The error messages are fixed.

  • learley
    learley over 8 years
    Were you able to test your ADFS configuration without the MFA extension? If not, you may want to run the uninstall steps provided in the documentation (adfsmfa.codeplex.com/documentation) and then attempt to authenticate to the ADFS site. This could at least help us determine if it is an issue specific to the extension or something else in your environment.
  • djl
    djl over 8 years
    Adfs works fine without this extension. I have also installed another extension and that was working fine as 2nd factor.
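The stack trace in the question places the FormatException inside String.Format, called from the extension's own IsAvailableForUser method, and the later comment confirms AD FS works without the extension. The block below is an added example, not code from the question, from AD FS or from the Codeplex provider; it reproduces on .NET Framework (the runtime AD FS 3.0 runs on) the two ways String.Format throws FormatException, so the exact message in Event 364 can be mapped to a cause. The template strings and the UPN are constructed for the demonstration.

```powershell
# Added example: map a String.Format FormatException message back to its cause.
# Not code from the question, AD FS or the Codeplex extension. Sample values are constructed.
function Test-FormatTemplate {
    param([string]$Template, [object[]]$Arguments)
    try {
        [pscustomobject]@{ Template = $Template; Result = [string]::Format($Template, $Arguments); Error = $null }
    } catch {
        # PowerShell wraps the .NET exception in a MethodInvocationException; unwrap to the real one.
        $e = $_.Exception.GetBaseException()
        [pscustomobject]@{ Template = $Template; Result = $null; Error = "$($e.GetType().Name): $($e.Message)" }
    }
}

$upn = 'djl@adfs.xx.com'    # constructed sample value for the identity claim

# A literal brace in the template (a GUID, JSON fragment or activity tag pasted into a message
# template) is the case that produces exactly "Input string was not in a correct format."
Test-FormatTemplate -Template 'MFA check for {0} {activity=3d00}' -Arguments @($upn)

# A placeholder with no matching argument is the other FormatException; its message is different
# ("Index (zero based) must be greater than or equal to zero..."), so it does not match the event.
Test-FormatTemplate -Template 'MFA check for {0} via {1}' -Arguments @($upn)

# Fix: double the literal braces and supply every argument the template references.
Test-FormatTemplate -Template 'MFA check for {0} {{activity=3d00}}' -Arguments @($upn)
```

Because the message in the question is the unbalanced-brace variant, the failing format string is built in the provider's code path, not from anything AD FS hands it; that is consistent with the problem disappearing when the provider shipped a fixed build (Update 3) and with AD FS working when the extension is removed. The same rule applies to PowerShell's own `-f` operator, which is String.Format underneath.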