Common AD FS problems for ProvisioningSystem after installation

Checklist

  • Verify that the '.../adfs/services/trust/13/windowsmixed' endpoint is enabled in AD FS.
  • Check that 'AudienceUri' in ProcessSystem.Web, 'Relying party identifiers' in AD FS and 'ProvisioningServiceRealm' in the ProvisioningSystem service are identical. They need to be an exact match.
  • Check that the account executing the provisioning jobs is the same as the one specified under the onPremises tab in AdminWeb.

If the SPN is not correctly configured

Message: Inventory thread experienced an error. Waiting before retrying.
Exception details: System.ServiceModel.Security.SecurityNegotiationException:
Secure channel cannot be opened because security negotiation with the remote
endpoint has failed. This may be due to absent or incorrectly specified
EndpointIdentity in the EndpointAddress used to create the channel. Please
verify the EndpointIdentity specified or implied by the EndpointAddress
correctly identifies the remote endpoint.  ---> System.ServiceModel.FaultException:
The request for security token has invalid or malformed elements.
   at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
   at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)

If the hostname for the ADFS website specified in Provisioning ADFSServer doesn't match the name on the certificate

Source: ProvisioningSystem
Message: Inventory thread experienced an error. Waiting before retrying.
Exception details: System.ServiceModel.Security.SecurityNegotiationException:
Could not establish trust relationship for the SSL/TLS secure channel with
authority 'auth42.dev.zipper.se'. ---> System.Net.WebException: The underlying
connection was closed: Could not establish trust relationship for the SSL/TLS
secure channel. ---> System.Security.Authentication.AuthenticationException: The
remote certificate is invalid according to the validation procedure.
   at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
   at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
.
.
.
Category: Provisioning
Priority: -1
EventId: 0
Severity: Error
Title:
Machine: LOCALHOST
Application Domain: Zipper.ZervicePoint.ProvisioningSystem.Service.exe
Process Id: 4304
Process Name: C:\Program Files\Zipper\ZervicePoint\ProvisioningSystem\Zipper.ZervicePoint.ProvisioningSystem.Service.exe
Win32 Thread Id: 2084
Thread Name:
Extended Properties:

If the ADFS server doesn't respond

Source: ProvisioningSystem
Message: Error getting token from adfs using enpoint https://{0}/adfs/services/trust/13/windowsmixed
and request for url https://zervicepoint.dev.local:9900/ProcessSystem/ProvisioningService.svc

If the wrong identity is specified in the worker authentication tab under edit store in AdminWeb

Source: ProvisioningSystem
Message: Could not report provider inventory status:
System.ServiceModel.Security.MessageSecurityException: An unsecured
or incorrectly secured fault was received from the other party. See
the inner FaultException for the fault code and detail. --->
System.ServiceModel.FaultException: An error occurred when verifying security for the message.

Source: Process System Web
Message: Account not authorized for provisioning: System.Security.Claims.ClaimsIdentity

If the audience uri is incorrect in web.config for ProcessSystem.Web

Don't forget to check trailing slashes!!!

Compare the relying party identifier URL(s) configured in AD FS with the AudienceUri value(s) in web.config for ProcessSystem.Web; the strings must match character for character, including any trailing slash.
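The comparison the checklist and this section call for, as an added PowerShell example that is not part of the original page or the product: it reads the relying party identifiers from AD FS and the audienceUris entries from web.config, then reports any value that is not an exact, ordinal match and flags the trailing-slash case. The trust name, the web.config path and the ProvisioningServiceRealm value are assumed parameters supplied by the caller, and the script assumes it runs on the AD FS server where the ADFS PowerShell module is available.

```powershell
# Added example (not from the original page or the product). Compares the three
# values the checklist says must be identical: AD FS relying party identifiers,
# the audienceUris in ProcessSystem.Web's web.config, and ProvisioningServiceRealm.
# Assumptions: runs on the AD FS server (ADFS module present); the trust name,
# web.config path and realm value are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $RelyingPartyName,          # display name of the trust in AD FS
    [Parameter(Mandatory)] [string] $WebConfigPath,             # path to ProcessSystem.Web\web.config
    [Parameter(Mandatory)] [string] $ProvisioningServiceRealm   # value configured for the ProvisioningSystem service
)

# 1. Relying party identifiers in AD FS (a trust may carry more than one).
$rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
if (-not $rp) { throw "No relying party trust named '$RelyingPartyName'" }
$rpIds = @($rp.Identifier)

# 2. Audience URIs from web.config. The XPath is schema-agnostic so it finds the
#    element under both <microsoft.identityModel> (WIF 3.5) and
#    <system.identityModel> (WIF 4.5).
[xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
$audiences = @($cfg.SelectNodes('//audienceUris/add/@value') | ForEach-Object { $_.Value })
if ($audiences.Count -eq 0) { throw "No <audienceUris> entries found in $WebConfigPath" }

# 3. Ordinal, case-sensitive comparison: 'https://host/app' and 'https://host/app/'
#    are different values as far as token validation is concerned.
function Test-ExactMatch([string]$Label, [string]$Value, [string[]]$Candidates) {
    $hit = $Candidates | Where-Object { [string]::Equals($_, $Value, [StringComparison]::Ordinal) }
    if ($hit) {
        "OK   $Label '$Value' matches a relying party identifier"
    } else {
        "FAIL $Label '$Value' has no exact match. Identifiers in AD FS:"
        $Candidates | ForEach-Object { "       '$_'" }
        # Point at the most common cause from the checklist: slash or case only.
        $near = $Candidates | Where-Object { $_.TrimEnd('/') -ieq $Value.TrimEnd('/') }
        if ($near) { "       (differs only by trailing slash or letter case from '$near')" }
    }
}

foreach ($a in $audiences) { Test-ExactMatch 'AudienceUri' $a $rpIds }
Test-ExactMatch 'ProvisioningServiceRealm' $ProvisioningServiceRealm $rpIds
```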

Source: ProvisioningSystem
Message: Could not report provider inventory status:
System.ServiceModel.Security.MessageSecurityException: An unsecured or
incorrectly secured fault was received from the other party. See the
inner FaultException for the fault code and detail. --->
System.ServiceModel.FaultException: At least one security token in the message could not be validated.