Tag: Office 365

RSA SecurID Access SAML Configuration for Microsoft Office 365 issue – “AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys”

There recently have been couple cases when the customers who has configured the Azure AD federation with RSA SecureID by following these instructions https://community.rsa.com/docs/DOC-1019 were randomly experiencing the error during users sign in: “AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys”.

aadsts50008

The issue temporary goes away when the domain is converted to managed and back to federated.
Looking at the mentioned RSA instructions, noticed that the RSA recommends to set up Issuer Entity ID for the SAML response as “urn:uri:o365”.
Since multiple customers most likely are selecting the same Issuer ID (most likely by copying the example), the confusion takes place on Azure AD side what tenant the SAML response is intended to and the token signing certificate validation fails.
The recommended fix is to change the Issued Entity ID on RSA and AAD side to “urn:uri:your_domain” (ex: urn:uri:contoso) to make it unique.

Advertisements

ADFS – MSIS7012 and MSIS8006 errors

Issue symptom

Some of the federated users are not able to sign in Office 365 portal. In ADFS Admin logs see EventID 111 and 364 with following error message:

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. —> Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity ‘XXX’ returned empty attribute values.

There might be two possible root causes of the issue (those I know about so far 😊 ).

1.      On premises Active Directory User object or OU the user object is located at has ACL preventing ADFS service account reading the User objects attributes (most likely the List Object permissions are missing).

2.      There is an issue with Domain Controllers replication.

For the first one, understand the scope of the effected users, try moving user object to not effected OU and see if the sign in is successful. Compare OU ACLs for working and not working OUs and add missing permissions.

For the second one, start with this article – How To Diagnose Active Directory Replication Failures- https://support.microsoft.com/en-us/help/2498185/how-to-diagnose-active-directory-replication-failures