[Solved] ADFS 3.0 > Unable to logon > “AADSTS50008: SAML token is invalid”

This week I had a problem with an ADFS server.

No user was able to log on. Users who were already connected were able to continue working, but no new connections were allowed.

In this post I explain which steps I took to locate the problem.

 

Step 1:

First, I tried testing the ADFS connection:

https://FQDN.domain.nl/adfs/ls/IdpInitiatedSignon.aspx

Logon and logoff are successful.

 

ADFS-Token-1

Logging in to Office 365 still doesn’t work.

 

ADFS-Token-2

The correct error is:

“AADSTS50008: SAML token is invalid”

 

Step 2:

Second, I restarted the ADFS services on the ADFS server.

Users were still unable to log on.

 

Step 3:

Third, I tried to update the federated domain through Azure PowerShell:

Users were still unable to log on.

 

Step 4:

Finally, I found the problem:

(see the screen at the bottom)

 

Most of the time this is a time sync issue.

When you receive this error, wait a little while and press F5 to refresh the site.

If the page is then shown with no error, you know for sure this is a time sync error.

 

Start PowerShell or DOS as an administrator:

Change the time sync servers on the domain controller.

 

Resync the server with the new settings.

 

Check the status.

 

When the Source is pointing to the VM, you need to change the VM settings.

 

ADFS-Token-3

In Hyper-V (or VMware), deselect the time sync for the domain controller.

 

Check the synchronization again.

 

The time sync now is:

This is the correct server.

 

Use Resync to sync the time with the pool.ntp.org servers.

(Sometimes the servers sync automatically, so the resync states there is no need to resync.)

You're now able to log in to ADFS.
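
An added example, not the author's original commands: the same sequence (check the source, point the domain controller at pool.ntp.org, resync, check the status) using the built-in w32tm tool. The 60-second warning threshold and the `<DC-VM-NAME>` placeholder are assumptions made for illustration.

```powershell
# Run in an elevated PowerShell session on the domain controller.
$peers = 'pool.ntp.org'      # NTP source named in the post
$maxOffsetSeconds = 60       # assumed warning threshold, for illustration only

function Get-NtpOffsetSeconds([string]$Server) {
    # "w32tm /stripchart /dataonly" prints lines such as "12:00:01, +00.0123456s"
    $lines = w32tm /stripchart "/computer:$Server" /samples:3 /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No NTP samples received from $Server" }
    ($offsets | Measure-Object -Average).Average
}

# 1. Where does this machine get its time from right now?
$source = (w32tm /query /source | Out-String).Trim()
Write-Host "Current time source: $source"
if ($source -match 'VM IC Time Synchronization Provider') {
    # The Hyper-V integration service is supplying the time. On the Hyper-V host:
    #   Disable-VMIntegrationService -VMName '<DC-VM-NAME>' -Name 'Time Synchronization'
    Write-Warning 'Time comes from the hypervisor; deselect time sync for this VM first.'
}

# 2. Measure the clock offset against the pool before changing anything.
$before = Get-NtpOffsetSeconds $peers
Write-Host ("Offset before: {0:N3} s" -f $before)
if ([math]::Abs($before) -gt $maxOffsetSeconds) {
    Write-Warning 'Clock offset is large enough to explain rejected SAML tokens.'
}

# 3. Change the time sync servers and apply the new settings.
w32tm /config "/manualpeerlist:$peers" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time

# 4. Resync with the new settings.
w32tm /resync /rediscover

# 5. Check the status: the source should now be the NTP pool, not the VM.
w32tm /query /status
w32tm /query /source
Write-Host ("Offset after: {0:N3} s" -f (Get-NtpOffsetSeconds $peers))
```

If step 5 still reports the VM provider as the source, the hypervisor setting has not been changed yet and the `w32tm /config` settings are being overridden.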

 

Special thanks to Eric Snijders for support!

 

ADFS-Token-4

 
