O365 WS-Fed authentication fails with RSA SecurID Access

4 years ago

Originally Published: 2020-02-05

Article Number

000043753

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud

Issue

When trying to authenticate on O365, it works for some users and fails for others intermittently. The error that is shown below displays after an authentication on O365:

Sorry but we're having trouble signing you in.
ADSTS20012: An error occurred when we tried to process a WS-Federation message. The message was invalid.

The authentication on the activity monitor shows that the user was successfully authenticated. Following the successful authentication, there is an entry for the user logout. There is then another authentication request sent, which receives a response that the user is already authenticated.

Cause

This error message is the result of a loss of session persistence to the IDR when a load balancer is configured and multiple IDRs behind it without having the option of session persistence configured on the load balancer.

This error message also appears if you have configured multiple IDRs with the same portal hostname. This causes the load balancer to open a session with the wrong IDR during the authentication process.

Resolution

To resolve this issue:

Create static DNS entries to map the load balancer hostname to each IDR's proxy IP address. For more information, see 000037406 - RSA SecurID Access O365 WS-Fed Authentication Fails Intermittently.
Ensure that each IDR has its unique portal hostname and correct DNS entries mapping to the proxy interface.
Confirm that the load balancer hostname is different from the IDR hostname.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles