ADFS error duing SAML Service Provider Login

active-directory adfs windows-server-2012-r2 single-sign-on saml

Based on suggestions from a Windows Admin, I did the following which resolved the issue.

  1. Ensured W32Time service was using NTP (it wasn't)
  2. Ensure all updates were installed (they were)
  3. Ensure all services were running under a service account, not an domain controller account (they weren't)
  4. After making sure ADFS was running under the service account, recreate the Service Provider

At this point, the error was only occurring for a subset of AD users. On those users, I reset their passwords, which then resolved the issue.

Although I am not entirely sure why this started happening or how these steps fixed it, my theory is that not using one service account to manage all of it led to files being written that couldn't be read in by processes running under a different account.

Hope this helps someone.

Update:

Another possible cause of the error is if you change the UPN in Active Directory to a string containing a space, this error shows up.

2nd Update:

Using a invalid domain can also cause this error.

Related

Is there such a thing as a countable set with an uncountable subset?
How to find the nearest multiple of 16 to my given number n
In high school statistics, why does it seem like equations come out of the sky
Prove that $\int_{0}^{\infty}{1\over x^4+x^2+1}dx=\int_{0}^{\infty}{1\over x^8+x^4+1}dx$
What is an intuition behind total differential in two variables function?
Integral of a function's derivative does not equal the original function?
How to prove that the product of eight consecutive numbers can't be a number raised to exponent 4?
Is the axiom of choice necessary here?
A goat is tied to the corner of a shed
Can the fundamental group detect all ways to not have a section?
Why can't Cantor sets cover $\mathbb{ R}$?
Is every positive nonprime number at equal distance between two prime numbers?