000038440 - O365 WS-Fed authentication fails with RSA SecurID Access

Document created by RSA Customer Support Employee on Feb 21, 2020

Article Number: 000038440
Applies To: RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud
Issue: When trying to authenticate on O365, authentication works for some users and fails intermittently for others. The following error is displayed after authenticating on O365:
Sorry but we're having trouble signing you in.
ADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

The authentication on the activity monitor shows that the user was successfully authenticated. Following the successful authentication, there is an entry for the user logout. There is then another authentication request sent, which receives a response that the user is already authenticated.
Cause: This error message is the result of a loss of session persistence to the IDR. It occurs when a load balancer is configured with multiple IDRs behind it and session persistence has not been enabled on the load balancer.

This error message also appears if you have configured multiple IDRs with the same portal hostname. This causes the load balancer to open a session with the wrong IDR during the authentication process.
Resolution: To resolve this issue:
  1. Create static DNS entries to map the load balancer hostname to each IDR's proxy IP address. For more information, see 000037406 - RSA SecurID Access O365 WS-Fed Authentication Fails Intermittently.
  2. Ensure that each IDR has its unique portal hostname and correct DNS entries mapping to the proxy interface.
  3. Confirm that the load balancer hostname is different from the IDR hostname.
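The three conditions above can be checked against an inventory before changing the load balancer. The following is an added example (not RSA's code) that validates a constructed inventory: the IDR names, portal hostnames, IP addresses and DNS entries are placeholders, and the assumption that each portal hostname should resolve only to its own IDR's proxy IP is the author's reading of step 2.

```python
"""Added example: check an IDR / load-balancer inventory against the three
resolution steps. All names, hostnames and IPs below are constructed."""
from collections import Counter

# Constructed inventory (placeholders, not real values). This deliberately
# repeats the misconfiguration described in the Cause section: two IDRs
# share one portal hostname.
LB_HOSTNAME = "idr.example.com"
IDRS = [
    {"name": "idr-1", "portal_hostname": "idr1.example.com", "proxy_ip": "203.0.113.11"},
    {"name": "idr-2", "portal_hostname": "idr1.example.com", "proxy_ip": "203.0.113.12"},
]
# Static DNS entries as hostname -> set of IPs it resolves to (constructed).
DNS = {
    "idr.example.com": {"203.0.113.11"},
    "idr1.example.com": {"203.0.113.11", "203.0.113.12"},
}


def check_inventory(lb_hostname, idrs, dns):
    """Return a list of findings; an empty list means all three steps are satisfied."""
    findings = []
    lb = lb_hostname.lower()
    # Step 1: the load-balancer hostname needs a static entry for every IDR proxy IP.
    lb_ips = dns.get(lb, set())
    for idr in idrs:
        if idr["proxy_ip"] not in lb_ips:
            findings.append(f"{idr['name']}: no static DNS entry maps {lb} to proxy IP {idr['proxy_ip']}")
    # Step 2: each IDR has a unique portal hostname that maps to its own proxy interface
    # (assumption: the portal hostname should resolve only to that IDR's proxy IP).
    counts = Counter(i["portal_hostname"].lower() for i in idrs)
    for idr in idrs:
        host = idr["portal_hostname"].lower()
        if counts[host] > 1:
            findings.append(f"{idr['name']}: portal hostname {host} is shared with another IDR")
        if dns.get(host) != {idr["proxy_ip"]}:
            findings.append(f"{idr['name']}: portal hostname {host} must resolve only to {idr['proxy_ip']}")
        # Step 3: the load-balancer hostname must differ from every IDR hostname.
        if host == lb:
            findings.append(f"{idr['name']}: portal hostname is the same as the load-balancer hostname {lb}")
    return findings


if __name__ == "__main__":
    for finding in check_inventory(LB_HOSTNAME, IDRS, DNS):
        print(finding)
```

Running it on the constructed inventory reports the missing static entry for idr-2 and the shared, ambiguous portal hostname on both IDRs; a corrected inventory produces no findings.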