ADFS Event ID 111
Posted by BPuhl on August 6, 2009
Event ID 111 is a useful one to recognize when you’re scrolling through the logs of your ADFS server. It will look something like this:
Log Name: Application
Source: GenevaServer
Date: 8/5/2009 3:27:35 PM
Event ID: 111
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: RED-ADFS-05.redmond.corp.microsoft.com
Description:
The Federation Service encountered a serious error while processing the WS-Trust request.
Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Additional Data
Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the '1234@windows.microsoft.com' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="GenevaServer" />
<EventID Qualifiers="0">111</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2009-08-05T22:27:35.000Z" />
<EventRecordID>601453</EventRecordID>
<Channel>Application</Channel>
<Computer>RED-ADFS-05.redmond.corp.microsoft.com</Computer>
<Security />
</System>
<EventData>
<Data>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</Data>
<Data>System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the '1234@windows.microsoft.com' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)
at Microsoft.IdentityServer.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext serializationContext, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String trustNamespace, AsyncCallback callback, Object state)System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password</Data>
</EventData>
</Event>
What makes it interesting is that this is essentially the server saying, “Oh Snap! Something just happened and I don’t know what that was!”
In this case, you can look at the event data in a little more detail and see pretty clearly what happened. But you do need to check each of these out.
When we first upgraded our production ADFS servers to the Beta 2 release, we found that nearly all of our claims processing rules were sending multiple identity claims to the relying parties. We were throwing Event 111 on nearly every authentication, and had to go in and correct the claims rules for each one to get the errors to go away.
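As an added example (not code from the original post), here is a small Python parser for the Event Xml shown above: it pulls the request type, the ID code (ID4063 here), the account named in the message and the innermost exception out of the second Data element, and groups a batch of Event 111s by root cause so that LogonUser failures can be told apart from other causes such as the claims-rule problems described above. The sample event is constructed from the XML in the post; the field names and the assumption that the first line of the Data text carries the exception chain in the .NET ' ---> ' format are mine.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: the Event Xml from the post above, trimmed to the fields this parser reads.
SAMPLE_EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="GenevaServer" /><EventID Qualifiers="0">111</EventID>
  <TimeCreated SystemTime="2009-08-05T22:27:35.000Z" /><Computer>RED-ADFS-05.redmond.corp.microsoft.com</Computer></System>
 <EventData><Data>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</Data>
  <Data>System.IdentityModel.Tokens.SecurityTokenValidationException: ID4063: LogonUser failed for the '1234@windows.microsoft.com' user. Ensure that the user has a valid Windows account. ---> System.ComponentModel.Win32Exception: Logon failure: unknown user name or bad password
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)</Data>
 </EventData></Event>"""

def exception_chain(detail):
    """Split the first line of the exception text into (type, message) pairs, outermost first."""
    lines = detail.strip().splitlines()
    chain = []
    for part in (lines[0].split(" ---> ") if lines else []):   # .NET joins inner exceptions with ' ---> '
        exc_type, _, message = part.partition(": ")
        chain.append((exc_type.strip(), message.strip()))
    return chain

def parse_event_111(xml_text):
    """Return the useful fields of one GenevaServer Event 111, or None for any other event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    if system.find("e:Provider", NS).get("Name") != "GenevaServer" or system.find("e:EventID", NS).text != "111":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]
    chain = exception_chain(data[1]) if len(data) > 1 else []
    outer_msg = chain[0][1] if chain else ""
    code = re.search(r"\bID\d{4}\b", outer_msg)                  # message code, e.g. ID4063
    user = re.search(r"LogonUser failed for the '([^']*)' user", outer_msg)
    return {
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "request_type": data[0] if data else "",
        "code": code.group(0) if code else None,
        "user": user.group(1) if user else None,           # only set for LogonUser failures
        "root_cause": chain[-1] if chain else ("", ""),    # innermost exception is the real reason
    }

def root_cause_counts(xml_events):
    """Group a batch of Event 111s by (ID code, innermost exception type) to spot the dominant cause."""
    parsed = [parse_event_111(xml_text) for xml_text in xml_events]
    return Counter((p["code"], p["root_cause"][0]) for p in parsed if p)
```

Feed it one <Event> element per string, for example the records exported with wevtutil qe /f:xml or the ToXml() output of the records returned by Get-WinEvent.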