Active Directory Login Issues

Following are few error messages / issues that you might face when trying to configure Active Directory authentication. Click on the link and see the steps needed to resolve the problem :

1. Signature Validation Failed
2. Conditions Validation Failed
3. Authentication Failed
4. New Users must register before using SAML
5. AD FS 2.0
   1. Not able to select SSL certificate in the AD FS 2.0 federation server configuration wizard
   2. Integrated / Passthrough Authentication not working
   3. Change AD FS service communications certificate
6. AD FS 3.0
   1. Integrated / Passthrough Authentication not working
   2. HTTP 400 Bad Request Error when the browser tries to go to AD FS Login page
   3. Change AD FS certificate
7. User name change in Active Directory : AD FS still uses old user details

Signature Validation failed

If you are using AD FS 2.0 as your identity provider, there might be a new certificate which would have got auto-generated. You need to export that certificate and then import it into ServiceDesk Plus On-Demand in order to resolve this. Please note that, the self-signed certificate auto-generated by AD FS is valid only for one year. So, every year you might face this problem and need to export the new certificate and configure it in ServiceDesk Plus On-Demand.

To overcome this, you can increase the certificate validity to 100 years so that you don't need to worry about performing this step every year.  The below steps will generate a new token signing certificate that will be valid for 100 years.

Please follow these steps :

1. Go to AD FS system
2. Open a command prompt in Admin mode
3. Run the following commands :
   1. powershell
   2. Add-PSSnapIn microsoft.adfs.powershell
   3. Set-ADFSProperties -CertificateDuration 36500
   4. Set-ADFSProperties -AutoCertificateRollover $true
   5. Update-ADFSCertificate -Urgent
   6. Set-ADFSProperties -AutoCertificateRollover $false
   7. Wait for the above command to complete and then exit

Export the new certificate

• Go to AD FS 2.0 Management from Administrative Tools
• Click Certificates in the Left side tree
• Under Token Signing Certificate select the "Primary" certificate
• Right click and go to View Certificate
• Go to "Details" tab
• Click "Copy to File"
• Select "Base 64 Encoded X.509"
• Go to Next. Give a file name. (e.g., C:newCertificate.cer)
• Finish the wizard. New certificate will now be at C:newCertificate.cer
   

If you are using any other Identity Provider, download the new certificate (in Base-64 Encoded X509 format with .cer extension) from your identity provider.

Now, Log-In to sdpondemand.manageengine.com using Organization Admin credentials

• Go to ESM Directory --> SAML Authentication
• Click Edit
• Browse and give the new Certificate
• Now you should be able to login to our service.

Conditions Validation failed

Please try the following steps:

1. Go to AD FS installation system
2. Open a command prompt in Administrator mode
3. Type the following commands in the prompt :
   1. powershell
   2. Add-PSSnapin microsoft.adfs.powershell
   3. Set-ADFSRelyingPartyTrust -TargetName "zoho.com" -NotBeforeSkew 2
   4. exit

The above commands will configure AD FS to adjust the time stamp it generates during authentication. Now try AD Authentication and you should be able to login to our service.

If you still face the issue even after setting the above Skew, please make sure the System Time in AD FS machine is correct according to your local time zone. Even a few minutes difference in system time when compared to the actual time might cause this.

Authentication Failed

Please check the following cases :

Case 1

The Federation Service Name in AD FS system must match the Hostname in the Login URL.

For, example, if the Login URL you have configured in SDP On-Demand is https://abc.test.com/adfs/ls, then the Federation Service name in AD FS must be "abc.test.com". Make sure the Federation Service name in AD FS matches this. 

To change the Federation Service name,

• Go to AD FS 2.0 Management console.
• Right click on “Service” in the left-side tree and click on “Edit Federation Service Properties”. 

After changing the federation service name, restart AD FS 2.0 Windows Service and try authentication one time.

If you have AD FS Proxy :

After changing Federation Service name, put an entry in "hosts" file in AD FS proxy system. In the hosts file, make sure abc.test.com points to the AD FS system's IP Address. Re-run the AD FS proxy configuration wizard and then try Authentication one time.

Case 2

While configuring the AD FS, you must give the verified Primary domain name that you see in the SDP On-Demand's Admin ---> Organization Details ---> Domain details page.

You can go to the AD FS management console, go to Relying party trusts, right-click on "zoho.com" and go to Properties. In the "End points" tab, please check the URLs and verify that they end with your verified primary domain.

For example, if your verified primary domain is example.com, then the URL must be : https://accounts.zoho.com/samlresponse/example.com

If you still face issues during Login, please go to Event Viewer in AD FS system and see if there are Error events. Please send us those details and we will get back to you as soon as possible.

Case 3

Certificate expiry in AD FS.

Restart the AD FS service from Windows Services console and check for certificate expiry messages in the Event Logs. (In the event logs tree, navigate to Application & Services Log ---> AD FS 2.0 ---> Admin). If there are error messages related to Service communication certificate expiry, follow the instructions present in the below Microsoft articles to change the Service communication certificate.

AD FS 2.0 : https://support.microsoft.com/en-us/kb/2921805

AD FS 3.0 : Refer here

Case 4

Make sure the Active Directory contains the EMail address for the User account. Only if the "mail" attribute has value, the users will be authenticated.

New Users must register before using SAML

Please make sure

a) the EMail address of the user who tries to login is same in Active Directory as well as in SDP On-Demand.
b) the user is present as a Requester or Technician in SDP On-Demand and his Login is enabled

AD FS 2.0 : Not able to select SSL Certificate in the AD FS 2.0 federation server configuration wizard

This can come in case SSL is not enabled in IIS 7.

Please refer the following article on how to generate a self-signed certificate and use it on IIS. Once the certificate is configured for port 443, please exit and re-run the AD FS 2.0 configuration wizard. This time you must be able to select the certificate in the configuration wizard.

https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html

AD FS 2.0 : Integrated / Passthrough Authentication not working

Internet Explorer

Please try the following

1. Add the AD FS Login URL to Trusted Sites (e.g., "https://adfs.example.com" must be in trusted sites list) and try authentication
2. Go to "Internet Options" ---> Advanced tab and see if "Enable Integrated Windows Authentication" is selected
3. Go to "Security" tab in Internet Options. Check the level where AD FS URL is present, e.g., "Intranet" or "Trusted sites". Click on "Custom level" and make sure "Automatic logon with current username and password" is selected.

Firefox / Chrome

You might repeatedly get the Login credentials box in Firefox / Chrome. Please try turning off Extended Protection for Authentication (EPA) in IIS 7.
Please refer the following article for the exact steps : http://social.technet.microsoft.com/wiki/contents/articles/1426.ad-fs-2-0-continuously-prompted-for-credentials-while-using-fiddler-web-debugger.aspx

Try authentication one time after setting this.

AD FS 2.0 : Change AD FS service communication certificate

If you have purchased a SSL certificate from a Certificate Authority, please follow the steps available in the below link to update the AD FS 2.0 Service Communications certificate.

https://support.microsoft.com/en-in/help/2921805/how-to-change-the-ad-fs-2-0-service-communications-certificate-after-i

AD FS 3.0 : Integrated / Passthrough Authentication not working

1. Go to the machine where Active Directory is present
2. Run "adsiedit.msc". (If the AD objects are not shown, click on Action --> Connect and connect to AD)
3. Locate the Account which is configured as "Log on" account for AD FS Service
4. Right click on it and go to Properties
5. In the Attributes list, make sure the "servicePrincipalName" attribute has the value http/ADFS_Service_Name. For example, if your Federation Service name is adfs.example.com, then add the value "http/adfs.example.com" to the "servicePrincipalName" attribute
6. Restart AD FS service and then try authentication

Internet Explorer

Please try the following

1. Add the AD FS Login URL to Trusted Sites (e.g., "https://adfs.example.com" must be in trusted sites list) and try authentication
2. Go to "Internet Options" ---> Advanced tab and see if "Enable Integrated Windows Authentication" is selected
3. Go to "Security" tab in Internet Options. Check the level where AD FS URL is present, e.g., "Intranet" or "Trusted sites". Click on "Custom level" and make sure "Automatic logon with current username and password" is selected.

Firefox / Chrome / Edge

You might repeatedly get the Login credentials box in Firefox / Chrome / Edge. Following articles suggests few steps to overcome this.

• http://jackstromberg.com/2014/03/adfs-v3-on-server-2012-r2-allow-chrome-to-automatically-sign-in-internally/
• https://social.msdn.microsoft.com/Forums/en-US/3834f6b8-7078-4169-81e0-8f4fbdc08490/ad-fs-30-firefox-and-chrome-no-integrated-windows-authentification?forum=Geneva
• http://www.vspbreda.nl/nl/ms-office/office-365/solved-adfs-enable-single-sign-on-sso-for-edge-and-chrome-browser/

Try authentication one time after setting this.

AD FS 3.0 - HTTP 400 Bad Request Error

1. Go to the machine where Active Directory is present
2. Run "adsiedit.msc". (If the AD objects are not shown, click on Action --> Connect and connect to AD)
3. Locate the Account which is configured as "Log on" account for AD FS Service
4. Right click on it and go to Properties
5. In the Attributes list, make sure the "servicePrincipalName" attribute has the value http/ADFS_Service_Name. For example, if your Federation Service name is adfs.example.com, then add the value "http/adfs.example.com" to the "servicePrincipalName" attribute
6. Restart AD FS service and then try authentication

Please refer here for more details : https://samlman.wordpress.com/2015/03/02/400-bad-request-error-with-adfs/ 

Try authentication one time after setting this.

AD FS 3.0 - Change Service communication certificate

1. Import your new certificate (with private key) in the AD FS machine under Computer account
2. Run mmc and add Certificates snap-in
3. Locate the new certificate and go to All Tasks -->"Manage Private keys".  Add the account which is configured as Log on account in AD FS service
4. Go to AD FS management and set the Service Communications Certificate
5. Open a powershell prompt and type : Set-AdfsSslCertificate -Thumbprint the-thumbprint-of-your-certificate
6. Restart AD FS service and then try authentication once

The detailed steps are available here : http://www.blackmanticore.com/332874ac9a2f5e7bc6c05d6aef42fd3f

User name change in Active Directory : AD FS still uses old user details

Try authentication one time after restarting the AD FS service.