This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

RSA SecurID Access O365 WS-Fed Authentication Fails Intermittently

Article Number

000037406

Applies To

RSA Product Set:  SecurID Access
RSA Product/Service: Cloud Authentication Service

Issue

When trying to access Office 365 seeing error:

Sorry but we're having trouble signing you in.
 
AADSTS20012: An error occurred when we tried to process a WS-Federation message.  The message was invalid.

 

Cause

When multiple Identity Routers (IDRs) are configured behind a load balancer, internal IDR traffic can get sent to the load balancer and then on to a different IDR. 

This loss of session persistence can cause authentication failure.

Workaround

Create static DNS entries to map the load balancer hostname to each IDR's proxy IP address:
  1. In the Cloud Admin Console go to Platform > Identity Routers.
  2. For each IDR:
    1. Edit and go to the Settings tab
    2. Create a static DNS entry specifying the IDR's proxy interface IP address and the load balancer's DNS hostname.  Reference Step 13 of Add an Identity Router Using the Cloud Administration Console.
  3. Publish the changes.

Notes

The load balancer DNS hostname should be defined in the Platform > Clusters > Edit > Load Balancer DNS Name field.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 05:25 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.