Users are unable to log in via SSO and receive one of the errors below: 'Your request could not be processed' or 'Invalid user name or password, please try again'.
This issue occurs in two cases:
- The account does not exist in the application, or the user supplied wrong credentials at sign-in.
- The AD FS SSO server and the application hold different token certificates (typically because AD FS has automatically rolled over its Token-Signing and Token-Decrypting certificates and the application still trusts only the old ones).
To narrow it down:
- Check that the user has an account to sign in to SSO and that the correct account details were used.
- Check whether the Token-Decrypting and Token-Signing certificates have been rolled over automatically.
To check the status of the AD FS token certificates, go to:
Server Manager -> Tools -> AD FS Management -> Service -> Certificates
If Token-Decrypting and Token-Signing each show a new certificate, and the new certificates are marked as primary, AD FS is now signing tokens with a certificate the application does not trust. Use the following steps:
Work Around – Set the old Token Certificate As Primary:
To verify whether certificate rollover is automatic, use the PowerShell command below:
Get-ADFSProperties | select AutoCertificateRollover
If AutoCertificateRollover is True, AD FS generates new token certificates before the current ones expire and promotes them to primary on its own; CertificateDuration sets the lifetime of the certificates it generates. While rollover is on, the "Set as Primary" option in the console is greyed out and you cannot roll back to the old certificates. Disable AutoCertificateRollover with Set-ADFSProperties first, then set the old token certificates as primary in the AD FS Management console.
This workaround only buys time: the old certificates still expire on their original date, and disabling rollover makes you responsible for renewing them. The permanent fix is to give the application the newly rolled-over token certificates from the AD FS SSO server so that it accepts sign-in with them; an application that reads the AD FS federation metadata picks the new certificates up without manual action.
New self-signed token certificates can also be generated immediately from PowerShell instead of waiting for the scheduled rollover.
By default CertificateDuration is 365 days, the lifetime of each automatically generated token certificate. The PowerShell command below changes it:
Set-ADFSProperties -CertificateDuration <number of days>
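The checks and the workaround above, carried through end to end as an added PowerShell example (this is not code from the original article). It assumes an elevated session on the primary AD FS server; the two thumbprints are placeholders to be replaced with the values listed in step 2, and the 730-day duration is just an illustrative value.

```powershell
# Added example, not code from the original article. Run in an elevated
# PowerShell session on the primary AD FS server.
Import-Module ADFS

# 1. Is automatic rollover on, and how long do generated certificates live?
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateDuration

# 2. List the token certificates. IsPrimary shows which one AD FS uses now;
#    the thumbprint of the OLD (non-primary) one is what the workaround needs.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -like 'Token-*' } |
    Select-Object CertificateType, IsPrimary, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } } |
    Format-Table -AutoSize

# 3. Workaround: rollover must be off before a certificate can be promoted by
#    hand (Set-AdfsCertificate refuses while AutoCertificateRollover is $true).
Set-AdfsProperties -AutoCertificateRollover $false

# Placeholder thumbprints (assumption): copy the real ones from step 2.
$oldSigning    = '0000000000000000000000000000000000000001'
$oldDecrypting = '0000000000000000000000000000000000000002'
Set-AdfsCertificate -CertificateType Token-Signing    -Thumbprint $oldSigning
Set-AdfsCertificate -CertificateType Token-Decrypting -Thumbprint $oldDecrypting

# 4. Confirm the old certificates are primary again and note when they expire:
#    the application must trust the new certificates before that date.
Get-AdfsCertificate |
    Where-Object { $_.CertificateType -like 'Token-*' -and $_.IsPrimary } |
    Select-Object CertificateType, Thumbprint,
        @{ Name = 'NotAfter'; Expression = { $_.Certificate.NotAfter } }

# 5. Once the application trusts the new certificates, turn rollover back on
#    and optionally change the lifetime of generated certificates (default 365).
Set-AdfsProperties -AutoCertificateRollover $true -CertificateDuration 730

# 6. Generate a fresh pair right away instead of waiting for the schedule.
#    Update-AdfsCertificate only works while AutoCertificateRollover is $true.
#    Without -Urgent the new certificate is added as secondary and promoted
#    later, which gives the application time to pick it up first.
Update-AdfsCertificate -CertificateType Token-Signing
Update-AdfsCertificate -CertificateType Token-Decrypting
```

Leave AutoCertificateRollover at False only for as long as it takes to update the application; with it off, nobody renews the token certificates and sign-in will fail outright when they expire.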
To be alerted when an automatically renewed certificate is added or marked as primary, create a Task Scheduler task that sends you an e-mail when the following events appear in the AD FS event log (the thumbprint in each message identifies the certificate concerned):
|Certificate|Event message|
|---|---|
|Token-signing|MSIS10004: Certificate rollover service has added certificate with thumbprint '**********************' to 'Signing' certificate collection.|
|Token-decrypting|MSIS10004: Certificate rollover service has added certificate with thumbprint '**********************' to 'Decrypting' certificate collection.|
|Token-signing|MSIS10005: Certificate rollover service has set certificate with thumbprint '**********************' as primary 'Signing' certificate.|
|Token-decrypting|MSIS10005: Certificate rollover service has set certificate with thumbprint '**********************' as primary 'Decrypting' certificate.|
|Any certificate|Restarting Issuance ServiceHost. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.|
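One way to build that alert, as an added PowerShell example (not code from the original article): a script that reads the AD FS admin log for the rollover messages above, extracts the thumbprints, appends the current primary/secondary state of the token certificates, and mails the result; run once with -Register it schedules itself hourly. It assumes the log is named 'AD FS/Admin' (AD FS on Windows Server 2012 R2 and later), that the script is saved as C:\Scripts\Check-AdfsCertRollover.ps1, and placeholder SMTP settings.

```powershell
param([switch]$Register)

# Added example, not code from the original article. Assumptions: log name
# 'AD FS/Admin', script path below, and placeholder SMTP server/addresses.
$ScriptPath = 'C:\Scripts\Check-AdfsCertRollover.ps1'
$Smtp = @{ SmtpServer = 'smtp.example.com'; From = 'adfs@example.com'; To = 'idm-team@example.com' }

if ($Register) {
    # One-off: run this check every hour as SYSTEM, starting now.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
    Register-ScheduledTask -TaskName 'AD FS token certificate rollover alert' `
        -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest
    return
}

Import-Module ADFS

# Rollover-related events from the last two hours (wider than the run interval
# so a missed run does not lose an event).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = (Get-Date).AddHours(-2) } `
              -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'MSIS1000[45]|Restarting Issuance ServiceHost' }

if (-not $events) { return }

$lines = foreach ($e in $events) {
    # Pull the thumbprint out of the message so the alert names the certificate.
    $thumb = if ($e.Message -match "thumbprint '([0-9A-Fa-f]{40})'") { $Matches[1] } else { 'n/a' }
    '{0:s}  {1}  thumbprint={2}' -f $e.TimeCreated, ($e.Message -split "`n")[0], $thumb
}

# Current state: is the new certificate already primary, and when does the old one expire?
$state = Get-AdfsCertificate |
         Where-Object { $_.CertificateType -like 'Token-*' } |
         ForEach-Object {
             '{0}: {1} primary={2} expires={3:yyyy-MM-dd}' -f `
                 $_.CertificateType, $_.Thumbprint, $_.IsPrimary, $_.Certificate.NotAfter
         }

Send-MailMessage @Smtp -Subject "AD FS token certificate change on $env:COMPUTERNAME" `
    -Body ((@($lines) + @('') + @($state)) -join "`n")
```

The MSIS10004 line (certificate added) is the early warning: from that point until the MSIS10005 line (set as primary) the new certificate is secondary, which is the window in which to update the application before sign-in breaks.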