I have a Spring SAML Project that has been under development for about a month. I've integrated with ADFS and everything has been working well. I'm getting an intermittent error that is becoming problematic because I have to wait for it to seemingly decide to start working again. It is now showing the error more often than it works. I see this error after performing a login with any number of test AD accounts.
Error ID 111 in the event log
The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue
Additional Data
Exception details:
System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Parameter name: fileTime
at System.DateTime.FromFileTimeUtc(Int64 fileTime)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetPasswordExpiryDetails(SafeLsaReturnBufferHandle profileHandle, DateTime& nextPasswordChange, DateTime& lastPasswordChange)....
Error 364 in the ADFS Event Log
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://localhost:8443/elsso/saml/metadata/alias/serviceprovider
Exception details:
System.ArgumentOutOfRangeException: Not a valid Win32 FileTime.
Parameter name: fileTime
at System.DateTime.FromFileTimeUtc(Int64 fileTime)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetPasswordExpiryDetails(SafeLsaReturnBufferHandle profileHandle, DateTime& nextPasswordChange, DateTime& lastPasswordChange)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)....
The configuration of the Service Provider, AD, ADFS, the Certificates, and the SAML assertions are correct. At least they work 90% of the time when I'm not getting this error.
What I've Tried while it's failing that has not helped
- Restarting the ADFS Service and Virtual Server
- Syncing the proxy server times (not sure what this means exactly; I found an MS doc that suggested it for error types 111 and 364). In PowerShell: w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update
- The two StackOverflow articles related to this have shown an error in the assertion metadata, and that SHA-256 is not supported. I've verified my metadata and am using SHA-1.
- I can't find any articles directly related to this issue on any Microsoft support site, however, I'm new to dealing with this sort of issue and may just not know where to look.
As of right now, it's working for a few minutes every few hours then failing the rest of the time.
I'm truly stumped and any suggestions for ways to troubleshoot this will be greatly appreciated.
UPDATE: I am not able to log in to ADFS natively, which further indicates to me that it's not an issue with the service provider, but with ADFS/AD itself.
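The stack trace above fails inside System.DateTime.FromFileTimeUtc, which only accepts a Win32 FILETIME (100-nanosecond intervals since 1601-01-01 UTC) that is non-negative and no later than DateTime.MaxValue. The following added example, which is not part of the original question or of ADFS, reimplements that range check in Python so that a sample password-expiry value can be classified as valid or as one that would produce "Not a valid Win32 FileTime". The sample values (a 2019 timestamp, Int64.MaxValue, which Active Directory uses as a "never" sentinel in attributes such as accountExpires, and -1, which is what an all-ones unsigned FILETIME becomes when read as a signed Int64) are constructed for illustration; the post itself does not say which value ADFS was handed.

```python
from datetime import datetime, timedelta, timezone

# A Win32 FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# .NET's DateTime.FromFileTimeUtc accepts values up to the FILETIME that maps
# to DateTime.MaxValue (9999-12-31 23:59:59.9999999 UTC). Compute that bound
# from whole seconds plus the 9,999,999 ticks of the final sub-second.
_DOTNET_MAX_WHOLE_SECONDS = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
_delta = _DOTNET_MAX_WHOLE_SECONDS - FILETIME_EPOCH
MAX_VALID_FILETIME = (_delta.days * 86400 + _delta.seconds) * TICKS_PER_SECOND + 9_999_999

# Int64.MaxValue: Active Directory stores this in accountExpires to mean "never".
# Any value this large is outside the range FromFileTimeUtc will convert.
NEVER_EXPIRES_SENTINEL = 0x7FFF_FFFF_FFFF_FFFF


def from_filetime_utc(filetime: int) -> datetime:
    """Mirror the .NET check: negative or too-large values are rejected."""
    if filetime < 0 or filetime > MAX_VALID_FILETIME:
        raise ValueError(f"Not a valid Win32 FileTime: {filetime}")
    # Python datetimes resolve to microseconds, so drop the last decimal digit.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def check_filetime(filetime: int) -> tuple[str, object]:
    """Classify a FILETIME the way the ADFS code path would experience it."""
    try:
        return ("ok", from_filetime_utc(filetime))
    except ValueError as exc:
        return ("invalid", str(exc))


if __name__ == "__main__":
    # Constructed sample values (not taken from the ADFS logs above).
    samples = {
        "epoch": 0,
        "around April 2019": 132_000_000_000_000_000,
        "DateTime.MaxValue": MAX_VALID_FILETIME,
        "one tick past MaxValue": MAX_VALID_FILETIME + 1,
        "AD 'never' sentinel (Int64.MaxValue)": NEVER_EXPIRES_SENTINEL,
        "all-ones read as signed Int64": -1,
    }
    for label, value in samples.items():
        status, detail = check_filetime(value)
        print(f"{label:40s} {value:>22d}  {status:7s} {detail}")
```

Running the script prints a table of which sample values convert cleanly and which trip the same exception text seen in events 111 and 364; a practitioner who can read the next/last password-change FILETIMEs for an affected account can paste them into `check_filetime` to see which side of the bound they fall on.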