Troubleshoot Microsoft AD FS SSO
Who is this article for?
Incydr, no.
CrashPlan for Enterprise, yes.
Code42 for Enterprise, no.
CrashPlan for Small Business, no.
This article applies to on-premises authority servers.
Overview
This article explains how to set up Microsoft Active Directory Federation Services Single Sign-On (Microsoft AD FS SSO) to use the proper authentication method with Code42. Follow this article if SSO authentication for the Code42 app works externally but not internally, or if you see one of the following errors:
- In Code42 logs: "SsoAuth:: Invalid assertion received from IdP, user could not be authenticated."
- In the AD FS event viewer: "MSIS7102: Requested Authentication Method is not supported on the STS"
Affects
Code42 environments that use Microsoft AD FS SSO.
Diagnosing
Step 1: Elevate Code42 logging level
- Sign in to the Code42 console.
- Double-click the Code42 logo in the upper-right corner.
The command-line interface appears.
- Enter the following command to increase the logging level:
log com.code42.ssoauth.saml trace
Step 2: Search the logs for the error
Code42 logs
- View your Code42 environment's log:
- To view the logs in the console: Go to Settings > Logs.
- To view the log file:
- Select the com_backup42_app.log folder.
- Search for the following message:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"/> The status code of the Response was not Success: "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"
The StatusCode shows status:NoAuthnContext instead of status:Success, which means AD FS is providing an incorrect global authentication policy.
AD FS logs
To verify the error on AD FS:
- Navigate to your AD FS event viewer.
- Search for the following log:
MSIS7102: Requested Authentication Method is not supported on the STS
If you see the above error, continue to the recommended solution to configure AD FS to use the proper authentication method with Code42.
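The two log checks above can be scripted. The following is an added example, not Code42 or Microsoft code: it scans text exported from the Code42 log and from the AD FS event viewer and reports whether both sides show the mismatch described here. The function name `triage`, the verdict strings, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

SAML_STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
# Matches StatusCode elements as a bare fragment or nested inside a full Response.
STATUS_RE = re.compile(
    r'<(?:\w+:)?StatusCode\s+Value="' + re.escape(SAML_STATUS) + r'(\w+)"')
MSIS_RE = re.compile(r"\b(MSIS\d{4})\b")
# SAML 2.0 top-level codes; any other value is a nested, more specific code.
TOP_LEVEL = {"Success", "Requester", "Responder", "VersionMismatch"}

# Constructed sample input (not real log output).
CODE42_SAMPLE = [
    '<samlp:Status><samlp:StatusCode Value="' + SAML_STATUS + 'Responder">'
    '<samlp:StatusCode Value="' + SAML_STATUS + 'NoAuthnContext"/>'
    '</samlp:StatusCode></samlp:Status>',
    "SsoAuth:: Invalid assertion received from IdP, user could not be authenticated.",
]
ADFS_SAMPLE = ["MSIS7102: Requested Authentication Method is not supported on the STS"]


def triage(code42_lines, adfs_lines):
    """Count SAML status codes and AD FS MSIS codes, then name the likely cause."""
    statuses, msis = Counter(), Counter()
    for line in code42_lines:
        statuses.update(STATUS_RE.findall(line))
    for line in adfs_lines:
        msis.update(MSIS_RE.findall(line))
    if "NoAuthnContext" in statuses and "MSIS7102" in msis:
        verdict = "authn-method-mismatch"    # both sides agree: use the recommended solution
    elif "NoAuthnContext" in statuses:
        verdict = "check-adfs-event-viewer"  # Code42 side only: confirm MSIS7102 on AD FS
    elif set(statuses) - {"Success"}:
        verdict = "other-saml-failure"       # a different failure than this article covers
    else:
        verdict = "no-error-found"
    specific = sorted(s for s in statuses if s not in TOP_LEVEL)
    return {"verdict": verdict, "specific": specific,
            "saml_status": dict(statuses), "msis": dict(msis)}


if __name__ == "__main__":
    print(triage(CODE42_SAMPLE, ADFS_SAMPLE))
```
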
Recommended solution
The recommended solution is to edit the Authentication Policies in AD FS:
- Navigate to Authentication Policies.
- Under Primary Authentication, click Edit next to Global Settings.
- Under Intranet, enable both Forms Authentication and Windows Authentication.
External resources
- Microsoft: Configure Authentication Policies