000030067 - AD FS 1.0 Agent: After a failed authentication attempt, the user is not prompted to try to authenticate again

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030067
Applies To:
RSA Product Set: RSA AD FS Agent
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 1.0
Platform: Windows 2008 R2
 
Issue
A SAML 2 based application uses the RSA AD FS agent "Auth Adaptor" to authenticate tokens to SecurID.
Authentications work properly unless the authentication fails on the first attempt.
After a failed attempt, the user should be prompted to try again, but is not prompted.
With the same setup, the RSA test IdP URL / test application works fine:
https://adfs.fqdn.here.com/adfs/ls/idpinitiatedsignon.htm
So the problem is specific to the calling application.

 
Cause
This is the end of the SecurIDAuthProvider(Microsoft Identity Server ServiceHost).log
showing the intentional auth failure:
.
.
 
2015-04-15 14:35:51.122 1820.31 [V] [AuthSession.Close] Return
2015-04-15 14:35:51.122 1820.31 [V] [AuthSession.Dispose] Return
2015-04-15 14:35:51.122 1820.31 [V] [AuthContext.Dispose] Return
2015-04-15 14:35:51.123 1820.31 [V] [NonStickyAuthSessionAdapter.SaveAndReleaseAuthContext] Return
2015-04-15 14:35:51.123 1820.31 [V] [AuthSessionAdapter.TryEndAuthentication] Return
2015-04-15 14:35:51.123 1820.31 [E] [SecurIDAuthAdapter.TryEndAuthentication] ExternalAuthenticationException occurred: ActivityId = 00000000-0000-0000-5c00-0080000000e2, ContextID = 15d190ea-b21b-4d46-81af-2b9a695d57bd
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Authentication failed.
   at RSA.Authentication.FederationServices.AuthSessionAdapter.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, Claim[]& outgoingClaims)
   at RSA.Authentication.FederationServices.SecurIDAuthAdapter.TryEndAuthentication(IAuthenticationContext context, IProofData proofData, HttpListenerRequest request, Claim[]& outgoingClaims)
2015-04-15 14:35:51.123 1820.31 [V] [SecurIDAuthAdapter.TryEndAuthentication] Return
 
***********************
 
The log ends on the line above. The trace below shows what SHOULD happen when AD FS calls back on the RSA adapter through the GetError API.
Note that in this log, the RSA auth adapter is configured for NON-STICKY sessions.
That is, in "<PROGRAMFILES>\RSA\RSA Authentication Agent\AD FS AdapterSecurID\AuthProviderConfig.xml": <AreAuthSessionsSticky>false</AreAuthSessionsSticky>
However, the call sequence is the same for a STICKY session configuration, except that the [NonStickyAuthSessionAdapter.*] traces come from [StickyAuthSessionAdapter.*] instead.
 
***********************************************
 
2015-04-15 14:35:51.124 1820.31 [V] [SecurIDAuthAdapter.OnError] Enter
2015-04-15 14:35:51.124 1820.31 [I] [SecurIDAuthAdapter.OnError] Initial state: ActivityId = 00000000-0000-0000-5c00-0080000000e2, ContextID = 15d190ea-b21b-4d46-81af-2b9a695d57bd
2015-04-15 14:35:51.125 1820.31 [V] [AuthSessionAdapter.OnError] Enter
2015-04-15 14:35:51.125 1820.31 [V] [NonStickyAuthSessionAdapter.GetAuthContext] Enter
2015-04-15 14:35:51.125 1820.31 [V] [AuthSession..ctor] Enter
2015-04-15 14:35:51.125 1820.31 [V] [AuthSession.Open] Enter
2015-04-15 14:35:51.126 1820.31 [V] [AuthAPIServiceChannel..ctor] Enter
2015-04-15 14:35:51.126 1820.31 [V] [AuthAPIServiceChannel..ctor] Return
2015-04-15 14:35:51.126 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Enter
2015-04-15 14:35:51.126 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Enter
2015-04-15 14:35:51.132 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Return
2015-04-15 14:35:51.132 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Return
2015-04-15 14:35:51.132 1820.31 [I] [AuthSession.Open] SD_InitEx returned 0
2015-04-15 14:35:51.132 1820.31 [V] [AuthAPIServiceChannel.Dispose] Enter
2015-04-15 14:35:51.133 1820.31 [V] [AuthAPIServiceChannel.Dispose] Return
2015-04-15 14:35:51.133 1820.31 [V] [AuthSession.Open] Return
2015-04-15 14:35:51.133 1820.31 [V] [AuthSession..ctor] Return
2015-04-15 14:35:51.133 1820.31 [V] [AuthContext..ctor] Enter
2015-04-15 14:35:51.134 1820.31 [V] [AuthContext..ctor] Return
2015-04-15 14:35:51.134 1820.31 [V] [NonStickyAuthSessionAdapter.GetAuthContext] Return
2015-04-15 14:35:51.134 1820.31 [I] [AuthSessionAdapter.OnError] Initial state: ActivityId = 00000000-0000-0000-5c00-0080000000e2, ContextId = 15d190ea-b21b-4d46-81af-2b9a695d57bd, authState = NotAuthenticated
2015-04-15 14:35:51.134 1820.31 [V] [SecurIDAuthAdapterPresentation..ctor] Enter
2015-04-15 14:35:51.134 1820.31 [V] [SecurIDAuthAdapterPresentation..ctor] Return
2015-04-15 14:35:51.135 1820.31 [V] [NonStickyAuthSessionAdapter.SaveAndReleaseAuthContext] Enter
2015-04-15 14:35:51.135 1820.31 [V] [AuthContext.Dispose] Enter
2015-04-15 14:35:51.135 1820.31 [V] [AuthSession.Dispose] Enter
2015-04-15 14:35:51.135 1820.31 [V] [AuthSession.Close] Enter
2015-04-15 14:35:51.136 1820.31 [V] [AuthAPIServiceChannel..ctor] Enter
2015-04-15 14:35:51.136 1820.31 [V] [AuthAPIServiceChannel..ctor] Return
2015-04-15 14:35:51.136 1820.31 [V] [AuthAPIServiceChannel.SD_Close] Enter
2015-04-15 14:35:51.138 1820.31 [V] [AuthAPIServiceChannel.SD_Close] Return
2015-04-15 14:35:51.139 1820.31 [I] [AuthSession.Close] SD_Close returned 0
2015-04-15 14:35:51.139 1820.31 [V] [AuthAPIServiceChannel.Dispose] Enter
2015-04-15 14:35:51.139 1820.31 [V] [AuthAPIServiceChannel.Dispose] Return
2015-04-15 14:35:51.139 1820.31 [V] [AuthSession.Close] Return
2015-04-15 14:35:51.140 1820.31 [V] [AuthSession.Dispose] Return
2015-04-15 14:35:51.140 1820.31 [V] [AuthContext.Dispose] Return
2015-04-15 14:35:51.140 1820.31 [V] [NonStickyAuthSessionAdapter.SaveAndReleaseAuthContext] Return
2015-04-15 14:35:51.140 1820.31 [V] [AuthSessionAdapter.OnError] Return
2015-04-15 14:35:51.141 1820.31 [V] [SecurIDAuthAdapter.OnError] Return
2015-04-15 14:35:51.141 1820.31 [V] [SecurIDAuthAdapterMetadata..ctor] Enter
2015-04-15 14:35:51.141 1820.31 [V] [SecurIDAuthAdapterMetadata.InitializeFriendlyNamesAndDescriptions] Enter
2015-04-15 14:35:51.141 1820.31 [V] [SecurIDAuthAdapterMetadata.InitializeFriendlyNamesAndDescriptions] Return
2015-04-15 14:35:51.142 1820.31 [V] [SecurIDAuthAdapterMetadata..ctor] Return
2015-04-15 14:35:51.147 1820.31 [V] [SecurIDAuthAdapterPresentation.GetFormHtml] Enter
2015-04-15 14:35:51.147 1820.31 [V] [FormManager.GetFormHtml] Enter
2015-04-15 14:35:51.147 1820.31 [V] [FormManager.GetPasscodePageHtml] Enter
2015-04-15 14:35:51.148 1820.31 [V] [FormManager.SetCommonLabels] Enter
2015-04-15 14:35:51.148 1820.31 [V] [FormManager.SetCommonLabels] Return
2015-04-15 14:35:51.148 1820.31 [V] [FormManager.GetPasscodePageHtml] Return
2015-04-15 14:35:51.149 1820.31 [V] [FormManager.GetFormHtml] Return
2015-04-15 14:35:51.149 1820.31 [V] [SecurIDAuthAdapterPresentation.GetFormHtml] Return
2015-04-15 14:35:51.149 1820.31 [V] [SecurIDAuthAdapterPresentation.GetPageTitle] Enter
2015-04-15 14:35:51.149 1820.31 [V] [SecurIDAuthAdapterPresentation.GetPageTitle] Return
2015-04-15 14:36:13.714 1820.31 [V] [SecurIDAuthAdapterMetadata..ctor] Enter
2015-04-15 14:36:13.715 1820.31 [V] [SecurIDAuthAdapterMetadata.InitializeFriendlyNamesAndDescriptions] Enter
2015-04-15 14:36:13.715 1820.31 [V] [SecurIDAuthAdapterMetadata.InitializeFriendlyNamesAndDescriptions] Return
2015-04-15 14:36:13.715 1820.31 [V] [SecurIDAuthAdapterMetadata..ctor] Return
2015-04-15 14:36:13.721 1820.31 [V] [SecurIDAuthAdapter.TryEndAuthentication] Enter
2015-04-15 14:36:13.721 1820.31 [I] [SecurIDAuthAdapter.TryEndAuthentication] Initial state: ActivityId = 00000000-0000-0000-5c00-0080000000e2, ContextID = 15d190ea-b21b-4d46-81af-2b9a695d57bd
2015-04-15 14:36:13.721 1820.31 [V] [AuthSessionAdapter.TryEndAuthentication] Enter
2015-04-15 14:36:13.721 1820.31 [V] [NonStickyAuthSessionAdapter.GetAuthContext] Enter
2015-04-15 14:36:13.721 1820.31 [V] [AuthSession..ctor] Enter
2015-04-15 14:36:13.722 1820.31 [V] [AuthSession.Open] Enter
2015-04-15 14:36:13.722 1820.31 [V] [AuthAPIServiceChannel..ctor] Enter
2015-04-15 14:36:13.722 1820.31 [V] [AuthAPIServiceChannel..ctor] Return
2015-04-15 14:36:13.722 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Enter
2015-04-15 14:36:13.723 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Enter
2015-04-15 14:36:13.730 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Return
2015-04-15 14:36:13.730 1820.31 [V] [AuthAPIServiceChannel.SD_InitEx] Return
2015-04-15 14:36:13.730 1820.31 [I] [AuthSession.Open] SD_InitEx returned 0
2015-04-15 14:36:13.731 1820.31 [V] [AuthAPIServiceChannel.Dispose] Enter
2015-04-15 14:36:13.731 1820.31 [V] [AuthAPIServiceChannel.Dispose] Return
2015-04-15 14:36:13.731 1820.31 [V] [AuthSession.Open] Return
2015-04-15 14:36:13.731 1820.31 [V] [AuthSession..ctor] Return
2015-04-15 14:36:13.732 1820.31 [V] [AuthContext..ctor] Enter
2015-04-15 14:36:13.732 1820.31 [V] [AuthContext..ctor] Return
2015-04-15 14:36:13.732 1820.31 [V] [NonStickyAuthSessionAdapter.GetAuthContext] Return
2015-04-15 14:36:13.732 1820.31 [I] [AuthSessionAdapter.TryEndAuthentication] Initial state: ActivityId = 00000000-0000-0000-5c00-0080000000e2, ContextID = 15d190ea-b21b-4d46-81af-2b9a695d57bd, AuthState = NotAuthenticated
2015-04-15 14:36:13.733 1820.31 [V] [AuthSessionAdapter.PerformAuthentication] Enter
2015-04-15 14:36:13.733 1820.31 [V] [AuthSessionAdapter.SubmitPasscode] Enter
2015-04-15 14:36:13.733 1820.31 [V] [ProofData..ctor] Enter
2015-04-15 14:36:13.733 1820.31 [V] [ProofData..ctor] Return
2015-04-15 14:36:13.733 1820.31 [V] [ProofData.GetPasscode] Enter
2015-04-15 14:36:13.734 1820.31 [V] [ProofData.GetPasscode] Return
2015-04-15 14:36:13.734 1820.31 [V] [AuthSession.SubmitPasscode] Enter
2015-04-15 14:36:13.734 1820.31 [V] [AuthAPIServiceChannel..ctor] Enter
2015-04-15 14:36:13.734 1820.31 [V] [AuthAPIServiceChannel..ctor] Return
2015-04-15 14:36:13.735 1820.31 [V] [AuthAPIServiceChannel.SD_Lock] Enter
2015-04-15 14:36:13.738 1820.31 [V] [AuthAPIServiceChannel.SD_Lock] Return
2015-04-15 14:36:13.738 1820.31 [I] [AuthSession.SubmitPasscode] SD_Lock returned 0
2015-04-15 14:36:13.739 1820.31 [V] [AuthAPIServiceChannel.SD_Check] Enter
2015-04-15 14:36:15.746 1820.31 [V] [AuthAPIServiceChannel.SD_Check] Return
2015-04-15 14:36:15.746 1820.31 [I] [AuthSession.SubmitPasscode] SD_Check returned 0
2015-04-15 14:36:15.747 1820.31 [I] [AuthSession.SubmitPasscode] New AuthState = Authenticated
2015-04-15 14:36:15.747 1820.31 [V] [AuthAPIServiceChannel.Dispose] Enter
2015-04-15 14:36:15.748 1820.31 [V] [AuthAPIServiceChannel.Dispose] Return
2015-04-15 14:36:15.748 1820.31 [V] [AuthSession.SubmitPasscode] Return
2015-04-15 14:36:15.748 1820.31 [I] [AuthSessionAdapter.SubmitPasscode] New AuthState = Authenticated
2015-04-15 14:36:15.749 1820.31 [V] [AuthSessionAdapter.SubmitPasscode] Return
2015-04-15 14:36:15.749 1820.31 [V] [AuthSessionAdapter.PerformAuthentication] Return
2015-04-15 14:36:15.749 1820.31 [V] [NonStickyAuthSessionAdapter.SaveAndReleaseAuthContext] Enter
2015-04-15 14:36:15.749 1820.31 [V] [AuthContext.Dispose] Enter
2015-04-15 14:36:15.749 1820.31 [V] [AuthSession.Dispose] Enter
2015-04-15 14:36:15.750 1820.31 [V] [AuthSession.Close] Enter
2015-04-15 14:36:15.750 1820.31 [V] [AuthAPIServiceChannel..ctor] Enter
2015-04-15 14:36:15.750 1820.31 [V] [AuthAPIServiceChannel..ctor] Return
2015-04-15 14:36:15.750 1820.31 [V] [AuthAPIServiceChannel.SD_Close] Enter
2015-04-15 14:36:15.753 1820.31 [V] [AuthAPIServiceChannel.SD_Close] Return
2015-04-15 14:36:15.753 1820.31 [I] [AuthSession.Close] SD_Close returned 0
2015-04-15 14:36:15.754 1820.31 [V] [AuthAPIServiceChannel.Dispose] Enter
2015-04-15 14:36:15.754 1820.31 [V] [AuthAPIServiceChannel.Dispose] Return
2015-04-15 14:36:15.754 1820.31 [V] [AuthSession.Close] Return
2015-04-15 14:36:15.755 1820.31 [V] [AuthSession.Dispose] Return
2015-04-15 14:36:15.755 1820.31 [V] [AuthContext.Dispose] Return
2015-04-15 14:36:15.755 1820.31 [V] [NonStickyAuthSessionAdapter.SaveAndReleaseAuthContext] Return
2015-04-15 14:36:15.755 1820.31 [V] [AuthSessionAdapter.TryEndAuthentication] Return
2015-04-15 14:36:15.755 1820.31 [I] [SecurIDAuthAdapter.TryEndAuthentication] Authentication succeeded.
2015-04-15 14:36:15.756 1820.31 [V] [SecurIDAuthAdapter.TryEndAuthentication] Return
 
 
Resolution
The calling application is misconfigured and is not calling back the RSA auth adaptor.
The investigation may need to involve Microsoft Support.
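
To confirm this condition in a larger log, the check below pairs each failed `SecurIDAuthAdapter.TryEndAuthentication` with a later `SecurIDAuthAdapter.OnError` entry for the same ContextID and reports the failures that never got the callback. It is an added example, not RSA's code; the function name and the sample log lines (including their IDs) are constructed for illustration, and the line layout is assumed to match the excerpts above.

```python
import re

# Line layout as seen in the excerpts: timestamp, pid.thread, [level], [Class.Method], message.
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) (\d+\.\d+) \[(\w)\] \[([^\]]+)\] (.*)$"
)
CONTEXT = re.compile(r"ContextI[Dd] = ([0-9a-fA-F-]{36})")

def find_missing_callbacks(log_text):
    """Return [(timestamp, context_id)] for failed attempts with no OnError call after them."""
    pending = {}  # context_id -> timestamp of a failure still waiting for OnError
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation lines and blanks
        ts, _thread, level, source, msg = m.groups()
        ctx = CONTEXT.search(msg)
        if ctx is None:
            continue  # Enter/Return traces carry no ContextID
        if (source == "SecurIDAuthAdapter.TryEndAuthentication" and level == "E"
                and "ExternalAuthenticationException" in msg):
            pending[ctx.group(1)] = ts
        elif source == "SecurIDAuthAdapter.OnError":
            pending.pop(ctx.group(1), None)  # AD FS called back; the retry form follows
    return [(ts, cid) for cid, ts in pending.items()]

# Constructed sample (not from a real system): context aaaa... gets the OnError
# callback, context bbbb... fails and the trace stops, as in the Cause section.
SAMPLE = """\
2015-04-15 14:35:51.123 1820.31 [E] [SecurIDAuthAdapter.TryEndAuthentication] ExternalAuthenticationException occurred: ActivityId = 00000000-0000-0000-0000-000000000001, ContextID = aaaaaaaa-0000-0000-0000-000000000001
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Authentication failed.
2015-04-15 14:35:51.123 1820.31 [V] [SecurIDAuthAdapter.TryEndAuthentication] Return
2015-04-15 14:35:51.124 1820.31 [V] [SecurIDAuthAdapter.OnError] Enter
2015-04-15 14:35:51.124 1820.31 [I] [SecurIDAuthAdapter.OnError] Initial state: ActivityId = 00000000-0000-0000-0000-000000000001, ContextID = aaaaaaaa-0000-0000-0000-000000000001
2015-04-15 14:40:02.500 1820.44 [E] [SecurIDAuthAdapter.TryEndAuthentication] ExternalAuthenticationException occurred: ActivityId = 00000000-0000-0000-0000-000000000002, ContextID = bbbbbbbb-0000-0000-0000-000000000002
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: Authentication failed.
2015-04-15 14:40:02.500 1820.44 [V] [SecurIDAuthAdapter.TryEndAuthentication] Return
"""

if __name__ == "__main__":
    for ts, cid in find_missing_callbacks(SAMPLE):
        print(f"{ts} ContextID {cid}: failed attempt with no OnError callback")
```

A ContextID reported here matches the symptom in this article; comparing the same user flow through the test IdP URL should show the OnError entry present.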

 
