ADFS logons fail with "An error occurred" on the client

Issue

When logging on to an application through ADFS, either from a Modern Authentication client or from a web browser, the user may be presented with a generic "An error occurred" message, while the same logon from other browsers or clients succeeds.

This may occur on ADFS servers that are not using a US system locale, where the locale applied to the sign-in page is taken from the server rather than from the client. If the client supplies a US locale itself, the error does not occur.

Sample client side error:

[Screenshot: ADFS_Client_Error.png, the generic "An error occurred" page shown to the client]


Technical detail

In this case the ADFS service is attempting to use the EN-GB system locale, but the ADFS MFA form (the active web theme) only has a style sheet configured for the EN-US locale.

In Windows Event Viewer, under "AD FS, Admin", an Error with Event ID 364 shows the problem in more detail:

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.Web.WebConfigurationException: No style sheet is configured in the active theme for default locale [en-GB/2057].
at Microsoft.IdentityServer.Web.UI.ThemeAuthoringEngine.PrepareTheme()
at Microsoft.IdentityServer.Web.UI.PageBase.get_ThemeAuthoringEngine()
at Microsoft.IdentityServer.Web.Authentication.External.AdapterPresentationManager.get_ResponseCulture()
at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Resolution

To resolve the problem, configure the ADFS service account to use the EN-US system locale as follows (repeat on every ADFS server in the farm):

  1. Find the service account that is used by the "Active Directory Federation Services" Windows Service (service name adfssrv).
  2. Locate the SID of that account, e.g. use AD Users and Computers or ADSI Edit and read the objectSid property value.
  3. Run regedit.exe and open the "HKEY_USERS\{Service Account SID}" key; the hive is only present here while the account's profile is loaded, i.e. while the ADFS service is running under it. Copy the SID path to the clipboard.
  4. Download the international.reg.txt file from this KB (link at the bottom of the page), edit it in Notepad and replace the placeholder SID (S-1-5-21-XXXXXXx-XXXXXXX-XXXXXXX) with the actual SID from the clipboard.
  5. Save the file and rename it to remove the .txt extension.
  6. Run the international.reg file to import it into the registry (back up the existing "HKEY_USERS\{Service Account SID}\Control Panel\International" key first so the change can be reverted).
  7. Restart the "Active Directory Federation Services" Windows Service.
  8. Test the client connection again and confirm that no new Event ID 364 is logged under "AD FS, Admin".
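The same procedure scripted in PowerShell, as an added example that is not part of this KB and does not use the KB's international.reg file. It assumes it is run in an elevated session on the ADFS server, that the service name is adfssrv, and that the values a US-locale .reg file writes under the account's "Control Panel\International" key are LocaleName=en-US and Locale=00000409 (the actual contents of international.reg are not shown on this page).

```powershell
# Added example: set the AD FS service account's user locale to en-US and
# verify that Event ID 364 stops appearing. Run elevated on the AD FS server.

# Steps 1-2: resolve the service account and its SID. Works for a domain user
# (CONTOSO\svc_adfs) or a gMSA (CONTOSO\gmsa_adfs$).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'"
if (-not $svc) { throw "AD FS service (adfssrv) not found on this host." }
$account = $svc.StartName
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
"Service account: $account  SID: $sid"

# Step 3: the hive is only mounted under HKEY_USERS while the account's profile
# is loaded, which for a service means while adfssrv is running under it.
$key = "Registry::HKEY_USERS\$sid\Control Panel\International"
if (-not (Test-Path -LiteralPath $key)) {
    throw "Hive for $sid is not loaded under HKEY_USERS. Is adfssrv running as $account?"
}

# Record the current values so the change can be reverted.
$before = Get-ItemProperty -LiteralPath $key
"Before: LocaleName=$($before.LocaleName)  Locale=$($before.Locale)"

# Steps 4-6: equivalent of importing international.reg with the SID filled in.
# ASSUMPTION: these two values are what the KB's .reg file sets.
Set-ItemProperty -LiteralPath $key -Name 'LocaleName' -Value 'en-US'
Set-ItemProperty -LiteralPath $key -Name 'Locale'     -Value '00000409'

# Step 7: restart AD FS so the new default locale is picked up.
$since = Get-Date
Restart-Service -Name adfssrv
Get-Service -Name adfssrv | Select-Object Name, Status

# Step 8: re-test from the client, then check that no new 364 was logged.
Read-Host "Re-test the client logon now, then press Enter to check the AD FS Admin log"
$events = Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 364; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if ($events) {
    "Still seeing Event ID 364 ($($events.Count) since $since):"
    $events | Select-Object TimeCreated, Message | Format-List
} else {
    "No Event ID 364 logged since $since"
}
```

The change lives in the service account's own hive, so it has to be applied on each ADFS server in the farm and will not affect other accounts on the box. It resolves the symptom by making the server default locale match the one locale the active theme has a style sheet for; if the theme is later given an en-GB style sheet the registry change is no longer needed.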

