Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

Please interpret this log, experiencing errors!

Last post 05-27-2009, 5:29 PM by joe. 1 reply.
  •  05-27-2009, 4:03 PM 6528

    Please interpret this log, experiencing errors!

    What does this mean??

    2009-05-27T20:56:37 [INFO] Requesting token for https://singlesignon.keystoneondemand.com/claimapp/ from FS using inbound token.
    2009-05-27T20:56:37 [VERBOSE] Parse: Token NOT found in cache
    2009-05-27T20:56:37 [VERBOSE] SAML: effectivetime = 05/27/2009 20:33:32
    expirationtime = 05/27/2009 21:33:32
    2009-05-27T20:56:37 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092013
    2009-05-27T20:56:37 [ERROR] KeyInfo processing failed because the trusted certificate does not have a a valid certificate chain. Thumbprint = 6477B2DFFAC8293D848112E6469D98CAFEB5E5BD
    2009-05-27T20:56:37 [WARNING] Failing signature verification because the KeyInfo section failed to produce a key.
    2009-05-27T20:56:37 [WARNING] SAML token signature was not valid: AssertionID = _007ff529-46e3-4f41-84fb-e3ea261a31a9
    2009-05-27T20:56:37 [VERBOSE] Processing FS response: policy version is fd2ef6d9-54a2-4c4a-bdd9-b2918991955d - 317
    2009-05-27T20:56:37 [INFO] Token issuance request to FS failed: ValidationFailure
  •  05-27-2009, 5:29 PM 6531 in reply to 6528

    Re: Please interpret this log, experiencing errors!

    I HIGHLY recommend finding err.exe from microsoft.com and getting it. Putting that error code into it yields the following:

    C:\Users\joseph.e.kaplan>err 0x80092013
    # for hex 0x80092013 / decimal -2146885613 :
      CRYPT_E_REVOCATION_OFFLINE                                    winerror.h
    # The revocation function was unable to check revocation
    # because the revocation server was offline.
    # 1 matches found for "0x80092013"

    Basically, CRL checking did not work on the certificate used to sign the token in question. This is common in cases where the CRL referenced in the certificate (or one of the other certs in the chain) could not be reached from the server doing the verification.

    My experience is that you have to disable revocation checking to make ADFS work reliably because revocation checking itself is hard to make work consistently. The steps to disable differ depending on which version of Windows server you use (it is in the GUI in 2008 but not in 2003 so requires manual trust policy file modification).
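As an added example (not part of the thread and not ADFS or err.exe code), a small Python triage script that parses log lines of the shape shown above, decodes the reported error code as an HRESULT the way err.exe does (hex, signed decimal, facility, code) and collects the WARNING/ERROR cascade that follows it. The KNOWN_HRESULTS table is a constructed subset of winerror.h values, and SAMPLE_LOG is built from the lines posted in the thread.

```python
"""Triage an ADFS token-validation log: extract the Windows error code,
decode it as an HRESULT and collect the cascade of WARNING/ERROR lines."""
import re
# Constructed subset of certificate-chain HRESULTs (values as in winerror.h).
KNOWN_HRESULTS = {
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK: revocation could not be checked",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE: revocation server (CRL/OCSP) unreachable",
    0x800B0109: "CERT_E_UNTRUSTEDROOT: chain ends in an untrusted root",
    0x800B010A: "CERT_E_CHAINING: chain could not be built to a trusted root",
    0x800B010C: "CERT_E_REVOKED: certificate has been revoked",
}
LINE_RE = re.compile(r"^(?P<ts>\S+) \[(?P<level>[A-Z]+)\] (?P<msg>.*)$")
CODE_RE = re.compile(r"error code was (0x[0-9A-Fa-f]{8})")

def decode_hresult(value):
    """Split an HRESULT into the fields err.exe reports, plus a known name."""
    signed = value - (1 << 32) if value & 0x80000000 else value
    return {
        "hex": f"0x{value:08X}",
        "decimal": signed,                   # err.exe prints this signed form
        "failure": bool(value >> 31),        # severity bit set = failure
        "facility": (value >> 16) & 0x7FF,   # 9 = FACILITY_SECURITY (CRYPT_E_*)
        "code": value & 0xFFFF,
        "name": KNOWN_HRESULTS.get(value, "unknown; look it up with err.exe"),
    }

def triage(log_text):
    """Return decoded error codes and every WARNING/ERROR message, in order."""
    findings = {"codes": [], "failures": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # continuation lines such as 'expirationtime = ...'
        if m["level"] in ("WARNING", "ERROR"):
            findings["failures"].append(m["msg"])
        c = CODE_RE.search(m["msg"])
        if c:
            findings["codes"].append(decode_hresult(int(c.group(1), 16)))
    return findings

# Sample log built from the lines posted in the thread.
SAMPLE_LOG = """2009-05-27T20:56:37 [VERBOSE] SAML: effectivetime = 05/27/2009 20:33:32
expirationtime = 05/27/2009 21:33:32
2009-05-27T20:56:37 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092013
2009-05-27T20:56:37 [WARNING] SAML token signature was not valid: AssertionID = _007ff529-46e3-4f41-84fb-e3ea261a31a9
2009-05-27T20:56:37 [INFO] Token issuance request to FS failed: ValidationFailure"""

if __name__ == "__main__":
    for code in triage(SAMPLE_LOG)["codes"]:
        print(code)
```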
