Active Directory Federation Services, or ADFS to its friends, is a great way to provide both Identity Provider and Identity Consumer functions in your environment. With it, companies can provide single sign-on capabilities to their users and their customers using claims-based access control to implement federated identity. It is based on the emerging, industry-supported Web Services Architecture, which is defined in WS-* specifications.
One common error that comes up when using ADFS is logged by Windows as an Event ID 364-Encounterd error during federation passive request. There are three common causes for this particular error. If you encounter this error, see if one of these solutions fixes things for you.
Time skew
Cause
ADFS proxies are typically not domain-joined, are located in the DMZ, and are frequently deployed as virtual machines. All of that means that the ADFS proxies may have unreliable or drifting clocks and since they cannot synchronize to a domain controller, their clocks will fall out of sync with the ADFS servers, resulting in failed authentication and Event ID 364.
Symptoms
ADFS proxies system time is more than five minutes off from domain time. Authentication requests through the ADFS proxies fail, with Event ID 364 logged. Authentication requests through the ADFS servers succeed.
Resolution
Configure the ADFS proxies to use a reliable time source. One way is to sync them with pool.ntp.org, if they are able to get out to the Internet using SNTP. Open an administrative cmd prompt and run this command.
w32tm /config /manualpeerlist:pool.ntp.org /syncfromflags:manual /update
If you have an internal time source such as a router or domain controller that the ADFS proxies can access, you should use that instead.
If your ADFS proxies are virtual machines, they will sync their “hardware clock” from the VM host. Make sure it is synching to a reliable time source too.
Certificate Revocation Check Failing
Cause
ADFS proxies need to validate the SSL certificate installed on the ADFS servers that is being used to secure the connection between them.
Symptoms
If an ADFS proxy cannot validate the certificate when it attempts to establish an HTTPS session with the ADFS server, authentication requests will fail and the ADFS proxy will log an Event 364. Authentication requests to the ADFS servers will succeed.
Resolution
Ensure that the ADFS proxies have proper DNS resolution and access to the Internet either directly, or through web proxies, so that they can query CRL and/or OCSP endpoints for public Certificate Authorities. Web proxies do not require authentication.
Certificate Chain Fails
Cause
ADFS proxies need to validate the SSL certificate installed on the ADFS servers that are being used to secure the connection between them. They must trust the complete chain up to the root. If an ADFS proxy has not been fully patched, it may not have the complete list of trusted third party CAs installed in its certificate store.
Symptoms
If an ADFS proxy does not trust the certificate when it attempts to establish an HTTPS session with the ADFS server, authentication requests will fail and the ADFS proxy will log an Event 364. Authentication requests to the ADFS Servers will succeed.
Resolution
Ensure that the ADFS proxies trust the certificate chain up to the root. The certificate, any intermediate issuing certificate authorities, and the root certificate authority must be trusted by the application pool service account.
That accounts for the most common causes and resolutions for ADFS Event ID 364. If you have encountered this error and found another cause, please leave a comment below and let us know what you found to be cause and resolution.