sachindre abayaweera

Reputation: 29

Message: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied

There are two Web servers, one SQL server and four ADFS servers in our environment.

SQL Server time: 5.50:48 AM
Two web servers time: 5.50:47 AM
One ADFS server time: 5.50:47 AM
Other three ADFS servers time: 5.50:46 AM

Please find below two errors from the error log:

Error1:

2015-02-16 00:21:02,781 [62] ERROR Default [(null)] - An application error has occurred for the path, '/'
2015-02-16 00:21:02,797 [62] ERROR xxxx.Portal.Data.ErrorReporting.ErrorReporter [(null)] - 
Email Address: No Email Address
Application Name: 'myApplication'
Machine Name: 'WebServer2'
Web request details:
UserAgent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_1_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12B466 Safari/600.1.4
UserIdentifierCookieValue: [email protected]
Referrer: https://sts.company.com/adfs/ls/?wa=wsignin1.0&wtrealm=https://xxxx.com/&wctx=rm=0&id=passive&ru=%252f&wct=2015-02-15T15:13:25Z
ApplicationPath: http://xxxx:8443/
Cookies: 
__utma: 244632730.1211980567.1420546841.1423835767.1423940503.28
__utmc: 244632730
__utmv: 244632730.|1=userIdentifier=68EV%2F7agw0ewsPGC4eC5e9o4JGfDVxCQNrb4BPZrQ4pdB%2BC1OabuUdvr8aJhI9yV=1^2=culture=en=1^3=platform=mobile=1
__utmz: 244632730.1423940503.28.13.utmcsr=xxxx.com|utmccn=(referral)|utmcmd=referral|utmcct=/login.jspa
_ga: GA1.2.1211980567.1420546841
s_fid: 3FB00DAEBC126B0D-0A2E60498B449CE3


Error Message:
=================
Exception Level 1
=================
Message: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '2/15/2015 4:13:27 PM'
Current time: '2/16/2015 12:21:02 AM'
Data: System.Collections.ListDictionaryInternal
InnerException: 
TargetSite: 

    System.Collections.ObjectModel.ReadOnlyCollection`1[System.Security.Claims.ClaimsIdentity] ValidateToken(System.IdentityModel.Tokens.SecurityToken)
    StackTrace:    at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token)
       at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
       at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

HelpLink: 
Source: System.IdentityModel
HResult: -2146233087

Error 2:

2015-02-16 18:49:33,958 [71] ERROR Default [(null)] - An application error has occurred for the path, '/adfs/ls/'
2015-02-16 19:04:06,837 [54] ERROR Default [(null)] - An application error has occurred for the path, '/robots.txt'
2015-02-16 19:06:35,073 [40] ERROR Default [(null)] - An application error has occurred for the path, '/Microsoft-Server-ActiveSync'
2015-02-16 20:17:08,206 [71] ERROR Default [(null)] - An application error has occurred for the path, '/'
2015-02-16 20:17:08,206 [71] ERROR xxxx.Portal.Data.ErrorReporting.ErrorReporter [(null)] - 
Email Address: No Email Address
Application Name: 'myApplication'
Machine Name: 'LO3WPMCLDWEB-4'
Web request details:
UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36
UserIdentifierCookieValue: [email protected]
Referrer: https://xxxx.com/
ApplicationPath: http://xxxx.com:8443/
Cookies: 
s_lv: 1392756755323
_ga: GA1.2.1507533975.1386273074
culture: fr
isSecurityQuestionsOrMobileRegCompleted: false
__utmt: 1
__utma: 244632730.1507533975.1386273074.1424095469.1424095486.535
__utmb: 244632730.13.9.1424117305533
__utmc: 244632730
__utmz: 244632730.1420813097.491.138.utmcsr=sts.xxxx.com|utmccn=(referral)|utmcmd=referral|utmcct=/adfs/ls/
__utmv: 244632730.|1=userIdentifier=7VQPgIcPH0ILdF%2BhUhB5udT08W6f2eDNGFq4Bs986NbeMnlT1RNBTduLchAQo9evy7TMuNHcJN6k60H7wAVzyRcuBj4wIipxzNlfeV1qBlk=1^2=culture=fr=1^3=platform=premium=1


Error Message:
=================
Exception Level 1
=================
Message: ID4223: The SamlSecurityToken is rejected because the SamlAssertion.NotOnOrAfter condition is not satisfied.
NotOnOrAfter: '2/16/2015 3:04:41 PM'
Current time: '2/16/2015 8:17:08 PM'
Data: System.Collections.ListDictionaryInternal
InnerException: 
TargetSite: 

    System.Collections.ObjectModel.ReadOnlyCollection`1[System.Security.Claims.ClaimsIdentity] ValidateToken(System.IdentityModel.Tokens.SecurityToken)
    StackTrace:    at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token)
       at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)
       at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
       at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
       at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

HelpLink: 
Source: System.IdentityModel
HResult: -2146233087

Do the above errors occur because the ADFS and Web server times are not synced correctly? (http://www.sharepointpals.com/post/ID4223-The-SamlSecurityToken-is-rejected-because-the-SamlAssertionNotOnOrAfter-Condition-is-not-satisfied-SharePoint-2013-with-ADFS)

Or do I need to delete the session token cookie if a sign-in error occurs? (How to avoid 'SamlAssertion.NotOnOrAfter condition is not satisfied' errors)

Please provide steps for how to recreate the 'NotOnOrAfter' error.

Upvotes: 0

Views: 4440

Answers (1)

Hans Z.

Reputation: 53888

The SAML token itself apparently was issued some time ago and has exceeded its lifetime now. So either the time on the server that issued the SAML token is off, or you are using a previously obtained SAML assertion that is no longer valid and should get a new one first.

Upvotes: 1
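To tell the two explanations in this answer apart, compare how far past NotOnOrAfter the validation happened with the clock differences that could plausibly exist. The following Python is an added example, not part of the question or answer: it parses the NotOnOrAfter and Current time values exactly as quoted in the two ID4223 messages, computes the overrun in seconds, and decides whether a clock-skew tolerance could account for it. The five-minute skew tolerance is an assumption (the documented default of WIF's MaxClockSkew); the two-second figure is the largest gap between the server clocks listed in the question.

```python
from datetime import datetime, timedelta

# Assumed skew tolerance: the default MaxClockSkew of WIF's token handlers (5 minutes).
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Largest clock difference between the servers listed in the question (5.50:46 vs 5.50:48).
OBSERVED_SERVER_SKEW = timedelta(seconds=2)

# (NotOnOrAfter, Current time) pairs copied from the two ID4223 messages in the question.
ID4223_SAMPLES = [
    ("2/15/2015 4:13:27 PM", "2/16/2015 12:21:02 AM"),
    ("2/16/2015 3:04:41 PM", "2/16/2015 8:17:08 PM"),
]


def parse_wif_time(text):
    """Parse the 'M/d/yyyy h:mm:ss tt' format that the ID4223 message uses."""
    return datetime.strptime(text, "%m/%d/%Y %I:%M:%S %p")


def expiry_overrun(not_on_or_after, current_time):
    """Seconds by which validation time passed NotOnOrAfter (negative while still valid)."""
    delta = parse_wif_time(current_time) - parse_wif_time(not_on_or_after)
    return int(delta.total_seconds())


def classify(not_on_or_after, current_time, skew=MAX_CLOCK_SKEW):
    """Decide which of the answer's two explanations fits the quoted timestamps.

    'valid'            - NotOnOrAfter not yet reached (the handler would accept it)
    'skew-explainable' - overrun small enough that an issuer/relying-party clock
                          offset within the tolerance could account for it
    'stale-token'      - overrun far beyond any skew: an old assertion was re-presented
    """
    overrun = expiry_overrun(not_on_or_after, current_time)
    if overrun < 0:
        return "valid"
    if timedelta(seconds=overrun) <= skew:
        return "skew-explainable"
    return "stale-token"


def summarize(samples=ID4223_SAMPLES):
    """Return (not_on_or_after, current_time, overrun_seconds, verdict) per sample."""
    return [(n, c, expiry_overrun(n, c), classify(n, c)) for n, c in samples]


if __name__ == "__main__":
    for n, c, overrun, verdict in summarize():
        hours = overrun / 3600
        print(f"NotOnOrAfter {n} vs current {c}: expired {hours:.2f} h earlier -> {verdict}")
        print(f"  (observed server skew: {OBSERVED_SERVER_SKEW.total_seconds():.0f} s)")
```

Both quoted failures come out as stale-token (about 8.1 and 5.2 hours past expiry), so a two-second clock difference between the ADFS and web servers cannot explain them; a token obtained hours earlier was presented again.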
