Active Directory Login Issues

This document provides you resolutions or workarounds for common error messages and issues you might encounter when configuring Active Directory (AD) authentication.

Signature Validation Failed

If you are using AD FS 2.0 as your identity provider, a new certificate may have been auto-generated. To resolve this, export that certificate and then import it into ServiceDesk Plus MSP Cloud.
The self-signed certificates generated by AD FS are valid for only one year, so this issue may recur annually, requiring you to export and reconfigure the new certificate in ServiceDesk Plus MSP Cloud each time.
To avoid this, you can extend the certificate's validity up to 100 years as follows:
  1. Go to the AD FS system.
  2. Open a command prompt in Admin mode.
  3. Run the following commands:
    1. powershell
    2. Add-PSSnapIn microsoft.adfs.powershell
    3. Set-ADFSProperties -CertificateDuration 36500
    4. Set-ADFSProperties -AutoCertificateRollover $true
    5. Update-ADFSCertificate -Urgent
    6. Set-ADFSProperties -AutoCertificateRollover $false
    7. Wait for the above command to complete and then run exit.
After you extend the validity, export the new certificate:
  1. Go to AD FS 2.0 Management from Administrative Tools.
  2. Click Certificates on the left accordion.
  3. Under Token Signing Certificate, select the Primary certificate.
  4. Right-click and select View Certificate.
  5. Go to the Details tab.
  6. Click Copy to File.
  7. Select Base 64 Encoded X.509.
  8. Click Next.
  9. Enter a file name. (e.g., C:\newCertificate.cer)
  10. Click Finish.
The new certificate is now saved as C:\newCertificate.cer.
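The two procedures above (extend the certificate lifetime, then export the primary token-signing certificate as Base-64 X.509) done from one elevated PowerShell session on the AD FS server. This is an added example, not the article's or ManageEngine's own script; the output path is an assumption you can change, and the final object shows the thumbprint and validity dates to compare with what ServiceDesk Plus MSP Cloud currently holds.

```powershell
# Added example (not from the original article). Run elevated on the AD FS server.
# Assumption: where to write the exported certificate.
$OutFile = 'C:\newCertificate.cer'

# AD FS 2.0 exposes its cmdlets through a snap-in; on AD FS 2012 R2 and later the
# ADFS module loads automatically, so a failure to add the snap-in is harmless.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Extend the self-signed certificate lifetime to 36500 days (about 100 years) and
# force an urgent rollover so a new certificate is generated with that lifetime.
Set-AdfsProperties -CertificateDuration 36500
Set-AdfsProperties -AutoCertificateRollover $true
Update-AdfsCertificate -Urgent
Set-AdfsProperties -AutoCertificateRollover $false

# Select the primary token-signing certificate (the one the service provider
# must trust to validate assertion signatures).
$primary = Get-AdfsCertificate -CertificateType Token-Signing |
    Where-Object { $_.IsPrimary }
$cert = $primary.Certificate   # X509Certificate2

# Write it in PEM form, which is what the "Base 64 Encoded X.509" wizard option
# produces: DER bytes, Base-64 encoded with line breaks, inside BEGIN/END markers.
$body = [Convert]::ToBase64String($cert.RawData,
    [System.Base64FormattingOptions]::InsertLineBreaks)
$pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii

# Details to compare against the certificate currently uploaded in ServiceDesk Plus.
[pscustomobject]@{
    Thumbprint = $cert.Thumbprint
    Subject    = $cert.Subject
    NotBefore  = $cert.NotBefore
    NotAfter   = $cert.NotAfter
    File       = $OutFile
}
```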
If you are using any other identity provider, download the new certificate in the Base-64 Encoded X509 format with .cer extension from your identity provider.
Now, log in to sdpondemand.manageengine.com using Organization Admin credentials.
To upload the new certificate for the default customer:
  1. Go to ESM Directory > SAML Authentication.
  2. Click Edit.
  3. Browse and upload the new certificate.
To upload it for other MSP customers:
  1. Go to Customers.
  2. Click the required customer in the list.
  3. Go to the Directory tab on the details page.
  4. Click Configure next to SAML Authentication.
  5. Upload the new certificate and save the form.
 
You should now be able to log in to our service.

Conditions Validation Failed

To address this issue, administrators can configure AD FS to tolerate the time skew between AD and ServiceDesk Plus MSP Cloud during authentication. To configure:
  1. Go to the AD FS installation system.
  2. Open a command prompt in Administrator mode.
  3. Type the following commands in the prompt:
    1. powershell
    2. Add-PSSnapin microsoft.adfs.powershell
    3. Set-ADFSRelyingPartyTrust -TargetName <target> -NotBeforeSkew 2, where <target> is replaced with the identifier configured for SAML Authentication.
    4. exit
Now try the AD authentication, and you should be able to log in to our service.
If the issue persists even after adjusting the time skew, check whether the system time on the AD FS server is aligned with your local time zone. Even a few minutes' difference between the system time and the actual time in that zone can cause this issue.
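The skew adjustment and the clock check above, as an added PowerShell example that is not part of the original article. It looks the trust up by its identifier (so it also works when the trust's display name differs), applies the 2-minute NotBeforeSkew, and then measures the real clock offset of the AD FS server against an NTP server with w32tm; the identifier and time source are assumptions to replace with your own.

```powershell
# Added example (not from the original article). Run elevated on the AD FS server.
# Assumptions: the SAML identifier configured in ServiceDesk Plus, and an NTP server.
$Identifier = 'REPLACE-WITH-SAML-IDENTIFIER'
$TimeSource = 'time.windows.com'

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Locate the relying party trust by identifier rather than by display name.
$rp = Get-AdfsRelyingPartyTrust -Identifier $Identifier
if (-not $rp) { throw "No relying party trust has the identifier '$Identifier'" }

# Let an assertion's NotBefore lie up to 2 minutes in the future (the article's value).
Set-AdfsRelyingPartyTrust -TargetRelyingPartyTrust $rp -NotBeforeSkew 2
"NotBeforeSkew is now $((Get-AdfsRelyingPartyTrust -Identifier $Identifier).NotBeforeSkew) minute(s)"

# Skew only hides small drift: measure the actual offset. With /dataonly w32tm prints
# lines like "12:03:35, +00.0181445s"; the signed seconds value is the offset.
$samples = w32tm /stripchart /computer:$TimeSource /samples:3 /dataonly
$offsets = $samples | ForEach-Object {
    if ($_ -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
}
$maxOffset = ($offsets | Measure-Object -Maximum).Maximum

if ($null -eq $maxOffset) {
    Write-Warning "Could not sample $TimeSource; check time sync with 'w32tm /query /status'"
} elseif ($maxOffset -gt 60) {
    Write-Warning ("Clock is off by {0:N1} s; fix time synchronisation, skew alone will not help" -f $maxOffset)
} else {
    "OK: maximum clock offset against $TimeSource is {0:N3} s" -f $maxOffset
}
```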

Authentication Failed

Please check the following cases:
 
Case 1: The federation service name in the AD FS system must match the hostname in the login URL.
For example, if the login URL configured in ServiceDesk Plus MSP Cloud is https://abc.test.com/adfs/ls, then the federation service name in AD FS must be "abc.test.com".
To change the federation service name:
  1. Go to the AD FS 2.0 Management console.
  2. Right-click Service on the left accordion and click Edit Federation Service Properties.
After you update the federation service name, restart AD FS 2.0 Windows Service and try authentication.
If you use an AD FS proxy:
  1. After changing the federation service name, enter the new name in the hosts file on the AD FS proxy system.
  2. In the hosts file, make sure that abc.test.com resolves to the AD FS system's IP address.
  3. Rerun the AD FS proxy configuration wizard and then try the authentication once more.
Case 2: Certificate expiry in AD FS.
Restart the AD FS service from the Windows Services console and check for certificate expiry messages in the event logs. To check, open Event Viewer and go to Applications and Services Logs > AD FS 2.0 > Admin.
If there are error messages related to Service Communication Certificate expiry, follow the instructions in the articles below to change the service communication certificate.
AD FS 3.0: Refer here
Case 3: Valid Email Address
Make sure that Active Directory contains an email address for the user account. Only users with a valid email address are authenticated.
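The three cases above checked from a PowerShell prompt on the AD FS server, as an added example that is not part of the original article: the login URL's host is compared with the federation service name, every AD FS certificate is listed with its days of validity left, and enabled AD users without a mail attribute are reported. The login URL is the article's own example value; the 30-day warning threshold and the presence of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example (not from the original article). Run elevated on the AD FS server.
$LoginUrl = 'https://abc.test.com/adfs/ls'   # the article's example login URL
$WarnDays = 30                                # assumption: warn this many days before expiry

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Case 1: the host part of the login URL must equal the federation service name.
$expectedHost = ([uri]$LoginUrl).Host
$fsName = (Get-AdfsProperties).HostName
if ($fsName -ieq $expectedHost) {
    "OK: federation service name '$fsName' matches the login URL host"
} else {
    Write-Warning "Federation service name is '$fsName' but the login URL expects '$expectedHost'"
}

# Case 2: list every AD FS certificate with its remaining validity. An EXPIRED
# Service-Communications entry is the condition the event log message points at.
Get-AdfsCertificate | ForEach-Object {
    $c = $_.Certificate
    $left = ($c.NotAfter - (Get-Date)).Days
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $c.NotAfter
        DaysLeft   = $left
        Status     = if ($left -lt 0) { 'EXPIRED' } elseif ($left -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
    }
} | Format-Table -AutoSize

# Case 3: enabled accounts with no email address cannot be authenticated.
# Assumption: the ActiveDirectory module (RSAT) is installed on this host.
Import-Module ActiveDirectory
$noMail = Get-ADUser -Filter { Enabled -eq $true } -Properties mail |
    Where-Object { -not $_.mail } |
    Select-Object SamAccountName, DistinguishedName
if ($noMail) {
    Write-Warning "$(@($noMail).Count) enabled user(s) have no mail attribute:"
    $noMail | Format-Table -AutoSize
} else {
    "OK: every enabled user has a mail attribute"
}
```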

New Users Must Register Before Using SAML

Make sure of the following:
  1. The email address of the user must be the same in Active Directory and ServiceDesk Plus MSP Cloud.
  2. The user must be added as a requester or technician in ServiceDesk Plus MSP Cloud and their login must be enabled.
 

AD FS 2.0

Unable to Select SSL Certificate in the AD FS 2.0 Federation Server Configuration Wizard

This may occur when SSL is not enabled in IIS 7.
Refer to the following article on how to generate a self-signed certificate and use it in IIS.
Once the certificate is configured for port 443, exit and rerun the AD FS 2.0 configuration wizard. You should now be able to select the certificate in the configuration wizard.

Integrated/Passthrough Authentication Not Working

Internet Explorer
Try the following:
  1. Add the AD FS login URL to Trusted Sites and try the authentication.
  2. Go to Internet Options > Advanced and check if Integrated Windows Authentication is enabled.
  3. Go to the Security tab in Internet Options.
  4. Check the zone in which the AD FS URL is placed, for example, Intranet or Trusted sites.
  5. Click Custom level and make sure that Automatic logon with current username and password is selected.
 
Firefox / Chrome
You may often see a login credentials pop-up in Firefox or Chrome. Try turning off Extended Protection for Authentication (EPA) in IIS 7.
After you finish the above configuration, try the authentication.

Change AD FS Service Communication Certificate

If you have purchased an SSL certificate from a Certificate Authority, follow the steps in the link below to update the AD FS 2.0 Service Communications certificate.
 

AD FS 3.0

Integrated / Passthrough Authentication Not Working

  1. Go to Active Directory.
  2. Run adsiedit.msc. If the AD objects are not shown, click Action > Connect to to connect to AD.
  3. Locate the account configured as the log-on account for the AD FS service.
  4. Right-click the relevant account and go to Properties.
  5. In the Attributes list, make sure that servicePrincipalName is set to http/<ADFS_Service_Name>, where <ADFS_Service_Name> is replaced with your federation service name.
  6. Restart the AD FS service and then try the authentication.
 
Internet Explorer
Try the following:
  1. Add the AD FS login URL to Trusted Sites and try the authentication.
  2. Go to Internet Options > Advanced and check if Integrated Windows Authentication is enabled.
  3. Go to the Security tab in Internet Options.
  4. Check the zone in which the AD FS URL is placed, for example, Intranet or Trusted sites.
  5. Click Custom level and make sure that Automatic logon with current username and password is selected.
 
Firefox / Chrome / Edge
You may often see a login credentials pop-up in Firefox, Chrome, or Edge. The following articles suggest steps to overcome this.
After you configure the details, try the authentication.

HTTP 400 Bad Request Error

  1. Go to Active Directory.
  2. Run adsiedit.msc. If the AD objects are not shown, click Action > Connect to to connect to AD.
  3. Locate the account configured as the log-on account in AD FS.
  4. Right-click the relevant account and go to Properties.
  5. In the Attributes list, make sure that servicePrincipalName is set to http/<ADFS_Service_Name>, where <ADFS_Service_Name> is replaced with your federation service name.
  6. Restart the AD FS service and then try authentication.
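The SPN check that both the Integrated/Passthrough procedure and the HTTP 400 procedure above rely on, done from PowerShell instead of adsiedit.msc. This is an added example, not the article's or ManageEngine's own script; it assumes the ActiveDirectory (RSAT) module is available, that the AD FS service runs as a DOMAIN\account log-on (not a UPN), and that the session can read the service account. It also reports the same SPN registered on any other object, since a duplicate SPN breaks Kerberos just as a missing one does.

```powershell
# Added example (not from the original article). Run elevated on the AD FS server.
# Assumption: ActiveDirectory (RSAT) module present; service log-on is DOMAIN\account.
Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# The SPN must carry the federation service name, exactly as AD FS reports it.
$fsName = (Get-AdfsProperties).HostName
$expectedSpn = "http/$fsName"

# The AD FS service account is the log-on account of the adfssrv Windows service.
$logon = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName   # DOMAIN\svc_adfs
$sam = ($logon -split '\\')[-1]                   # keeps a trailing '$' for a gMSA

# Get-ADObject covers both user accounts and group managed service accounts.
$account = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" -Properties servicePrincipalName
if (-not $account) { throw "Service log-on account '$logon' was not found in AD" }

$spns = @($account.servicePrincipalName)
if ($spns -contains $expectedSpn) {               # -contains is case-insensitive
    "OK: $expectedSpn is registered on $logon"
} else {
    Write-Warning "$expectedSpn is missing on $logon. Registered SPNs: $($spns -join ', ')"
    # To add it (needs rights on the account): setspn -S $expectedSpn $sam
}

# A duplicate registration elsewhere also causes Kerberos failures.
$dupes = Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)" |
    Where-Object { $_.DistinguishedName -ne $account.DistinguishedName }
if ($dupes) {
    Write-Warning "$expectedSpn is also registered on: $($dupes.DistinguishedName -join '; ')"
}
```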
 

Change Service Communication Certificate

Try the following steps:
  1. Import the new certificate, including its private key, into the Computer account certificate store on the AD FS server.
  2. Run MMC and add the Certificates snap-in.
  3. Locate the new certificate, right-click it, and go to All Tasks > Manage Private Keys.
  4. Add the account configured as the log-on account for AD FS.
  5. Go to the AD FS management console and add the new certificate as the Service Communications Certificate.
  6. Open a PowerShell prompt and run Set-AdfsSslCertificate -Thumbprint <the-thumbprint-of-your-certificate>.
  7. Restart AD FS and then try the authentication.
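Steps 5 to 7 above done from PowerShell, with checks on the certificate before it is bound. This is an added example, not the article's or ManageEngine's own script; it assumes steps 1 to 4 (import with private key, grant the service account access to the key) are already done, and the thumbprint is a placeholder you replace with your own.

```powershell
# Added example (not from the original article). Run elevated on the AD FS 3.0 server.
# Assumption: the thumbprint of the already imported certificate (placeholder below).
$Thumbprint = 'REPLACE-WITH-CERT-THUMBPRINT'
$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # drop spaces pasted from certmgr

# Sanity checks before touching AD FS: the cert must exist in the machine store,
# carry a private key (step 1) and still be valid.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# Step 5: make it the Service Communications certificate (same as the console action).
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint

# Step 6: rebind the HTTP.sys SSL endpoint (port 443) to the same certificate.
Set-AdfsSslCertificate -Thumbprint $Thumbprint

# Step 7: restart, then confirm both places now report the new thumbprint.
Restart-Service adfssrv
Get-AdfsCertificate -CertificateType Service-Communications |
    Select-Object CertificateType, IsPrimary, Thumbprint
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash
```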
 

User Name Change in Active Directory

Even if you change the user name in AD, AD FS may continue using the old user details.
Try disabling the local cache in AD FS, restart the AD FS service, and then try the authentication.
More details on disabling the cache are available here: https://support.microsoft.com/en-us/kb/946358
