Directory Programming .NET

got this error recently:

The ADFS Web Agent for Windows NT token-based applications encountered a serious error. The cookies that were presented by the client could not be validated.

This condition occurs when a client presents valid cookies that are not valid. If the client is known to be a valid user, this error might be caused by a transient issue. For instance, trust properties (for example, certificates) may have changed recently or revocation status may not be available from the certification authority.

 

not sure what to do with it.  any ideas what it mean?

I've never seen this one.  Jim?  :)

I'm still trying to wrap my head around the concept of valid cookies being invalid :)

That is a fairly generic error message.

Do you get this error every time for all users?  If so, I would guess a PKI problem somewhere.  Is the diagnostic tool passing all tests?

If it is only for a specific user, then I would examine the user properties and compare working/not working.  Maybe it is missing a UPN or some other identity claim?

If this doesn't get it, I would like to see the debug logs from the FS-R and the WS

tried to run the diag tool and get this error:

---------------------------
Error
---------------------------
Unable to create a report for role WebAgentToken: The ADFS Diagnostics Tool did not create a log file
---------------------------
OK  
---------------------------

I'll make sure everything is good with the ADFS web agent

I ran this in a fresh .out file, does it need to have the FS-A or R first?  Ran it on the FS first but still get the error.

the client sees a 403 if I hadn't said that already

this happens for all users so I will look into PKI, although, not sure where to look, it is configured like my other EXCH box is

I'll try to get past the error in the diag tool first.

After rebooting the boxes involved it seemed to work.

What prompted me to reboot was that some of the servers over the time I was out of the office seemed to have gone down.  So after making sure all the servers were back up and in order things started working again.

Just this weekend we had a power outage and the servers were displaying the same behavior.  Clients got 403 messages and the event viewers were saying something to the effect of "valid cookies aren't valid" so I rebooted all servers to make sure things came up in the correct order.  Still didn't work except that the OWA service took a long time to start up, once it was started, the user no longer received a 403 error after they logged in.

Thanks for the help Jim.  I'm not 100% sure this was the cause, but so far as my experiences have been both issues were the same, with same solution.

General reboot order:

1. DCs
2. ADFS servers (FS then FSP)
3. Apps

---------------------------
Error
---------------------------
Unable to create a report for role WebAgentToken: The ADFS Diagnostics Tool did not create a log file
---------------------------
OK  
---------------------------

this error however is still unresolved, not sure why I can't run the diag tool on my OWA server

I had this same problem once. I think I solved this by restarting the ADFS Web Agent Authentication Service.

Also check that the server where the Web agent is running can connect to the FS on port 443.

A long shot and probably not related but worth mentioning anyway.
Check the security permissions on the MachineKeys folder of the FS servers (All Users Profile\Application Data\Microsoft\Crypto\RSA). The user that runs the ADFSAppPool applicationpool must have read permission on the token signing certificate. During one installation this wasn't the case and giving read permissions to the Network Service account on the token signing certificate solved it.