Cannot log in to SharePoint site with ADFS authentication - Error: Specified argument was out of the range of valid values.

I came across a scenario where ADFS login was failing for a SharePoint 2013 site, for one of my premier customers.

Here are the details of the issue and its resolution:


Symptom

You have ADFS 3.0 integrated as the trusted identity provider for a SharePoint Server 2013 site running on Windows Server 2012 R2.
When you browse to https://SharePointSiteURL and sign in with ADFS credentials, the page returns an error and you cannot log in to the site.

Resultant URL:
https://SharePointSiteURL/_trust/default.aspx

Error on Page:

Server Error in '/' Application.

Specified argument was out of the range of valid values.
Parameter name: validFrom
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: validFrom

Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:
[ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: validFrom]
Microsoft.IdentityModel.Tokens.SessionSecurityToken..ctor(IClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key) +994
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo) +463
Microsoft.IdentityModel.Web.SessionAuthenticationModule.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, DateTime validFrom, DateTime validTo, Boolean isPersistent) +171
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +768
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +522
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +204
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +176
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +169

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34009

Cause

Time mismatch between the SharePoint and ADFS servers. In our case the SharePoint servers were 1 hour ahead of the ADFS servers. After SharePoint validates the SAML token from ADFS it builds its own session security token: validFrom is the SharePoint server's current time and validTo is derived from the expiry of the SAML token ADFS issued. With SharePoint's clock an hour ahead, validTo fell before validFrom, and the SessionSecurityToken constructor rejected the window, which is why the stack trace names the validFrom parameter.

Resolution

We checked multiple settings on the SharePoint and ADFS servers and eventually found that the time mismatch between the SharePoint and ADFS servers was the problem.

From ULS logs:
----------------------------------------------------------------------------------------------------------------
w3wp.exe (UI1PAFE901X:0x357C)        0x1AA4        SharePoint Foundation        Claims Authentication        adlld        VerboseEx        SPAudienceValidator: Audience validation succeeded. AudienceUri: 'urn:produs-ibm-bhi-ecom:all_endpoints'.        8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C)        0x1AA4        SharePoint Foundation        Claims Authentication        af3yt        VerboseEx        SPSaml11SecurityTokenHandler: Audience validation succeeded for request 'https://SharePointSiteURL/_trust/default.aspx'.        8344289d-ceaf-40ff-79fe-c144124f1ecd

w3wp.exe (UI1PAFE901X:0x357C)        0x1AA4        SharePoint Foundation        Topology        aik7s        Verbose        The certificate with thumbprint 'F7F8F9438C53350802A0282C37E03E1BB97434D4' could not be validated against the machine store.  The certificate will be validated against the SharePoint trusted root authority list.        8344289d-ceaf-40ff-79fe-c144124f1ecd

w3wp.exe (UI1PAFE901X:0x357C)        0x1AA4        SharePoint Foundation        General        8nca        Medium        Application error when access /_trust/default.aspx, Error=Specified argument was out of the range of valid values.  Parameter name: validFrom   at Microsoft.IdentityModel.Tokens.SessionSecurityToken..ctor(IClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key)     at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo)     at Microsoft.IdentityModel.Web.SessionAuthenticationModule.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, DateTime validFrom, DateTime validTo, Boolean isPersistent)     at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)     at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)     at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)     at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()     at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)        8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C)        0x1AA4        SharePoint Foundation        Monitoring        b4ly        Medium        Leaving Monitored Scope (Request (POST:https://SharePointSiteURL/_trust/default.aspx)). Execution Time=11.5031379686524        8344289d-ceaf-40ff-79fe-c144124f1ecd
----------------------------------------------------------------------------------------------------------------

· Upon checking further, we found that:
On the ADFS server the time was 2:16 am.
On the SharePoint server the time was 3:16 am.

Clearly there was a time synchronization issue: the SharePoint server was 1 hour ahead of the ADFS server.

· We changed the server time on the ADFS server to match the SharePoint server.
· We were then able to log in to the site successfully.

Two things worth checking before hand-setting a clock: compare the servers' UTC time, not just the displayed local time, because SAML and WIF token timestamps are compared in UTC, and an offset of exactly one hour usually points at a time zone or daylight-saving setting rather than drift. The durable fix is to have both servers synchronize against the same authoritative source (normally the domain hierarchy via the Windows Time service) so the skew cannot come back.
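The following PowerShell script is an added example and not part of the original post or of any Microsoft tooling. It performs the check that would have surfaced the problem above: it reads the UTC clock, time zone and Windows Time source from the SharePoint server it runs on and from the ADFS server, reports the skew, and then compares the ADFS token lifetime with SharePoint's LogonTokenCacheExpirationWindow, since the session-token window that failed is derived from those two values. The host name adfs01.contoso.local and the relying party name "SharePoint" are placeholders, and it assumes PowerShell remoting to the ADFS server and the SharePoint snap-in on the local host.

```powershell
<#
 Added example (not from the original post). Measures UTC clock skew between
 this SharePoint server and the ADFS server, shows each host's time source, and
 checks the token-lifetime settings the WIF session token window depends on.
 Placeholders: adfs01.contoso.local, relying party name "SharePoint".
#>
param(
    [string]$AdfsServer       = 'adfs01.contoso.local',   # placeholder host name
    [string]$RelyingPartyName = 'SharePoint',             # placeholder RP trust name
    [int]$MaxSkewSeconds      = 300                       # WIF default clock-skew tolerance
)

function Get-HostClock {
    param([string]$ComputerName)
    # Capture the clock as UTC ticks so the comparison survives remoting
    # serialization and is independent of each host's time zone setting.
    $probe = {
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            UtcTicks = [DateTime]::UtcNow.Ticks
            UtcText  = [DateTime]::UtcNow.ToString('u')
            LocalNow = [DateTime]::Now.ToString('T')
            Zone     = [System.TimeZoneInfo]::Local.Id
            Source   = (& w32tm /query /source 2>&1 | Out-String).Trim()
        }
    }
    if ($ComputerName -ieq $env:COMPUTERNAME) { & $probe }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
}

$sp   = Get-HostClock -ComputerName $env:COMPUTERNAME
$ad   = Get-HostClock -ComputerName $AdfsServer
$skew = [TimeSpan]::FromTicks($sp.UtcTicks - $ad.UtcTicks)   # positive = SharePoint ahead

foreach ($h in @($sp, $ad)) {
    '{0,-20} UTC {1}  local {2}  zone {3}  time source {4}' -f $h.Host, $h.UtcText, $h.LocalNow, $h.Zone, $h.Source
}
'UTC skew (SharePoint minus ADFS): {0}' -f $skew

if ([math]::Abs($skew.TotalSeconds) -gt $MaxSkewSeconds) {
    Write-Warning ('Clock skew of {0:N0}s exceeds {1}s; federated sign-in will fail.' -f $skew.TotalSeconds, $MaxSkewSeconds)
    Write-Warning 'On the drifted host, resync against the domain hierarchy instead of setting the clock by hand:'
    Write-Warning '  w32tm /config /syncfromflags:domhier /update ; w32tm /resync /rediscover'
}

# Second check: SharePoint's session token runs from "now" until the SAML
# token's expiry minus LogonTokenCacheExpirationWindow, so the ADFS token
# lifetime must exceed that window plus any skew or validTo precedes validFrom.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$window = (Get-SPSecurityTokenServiceConfig).LogonTokenCacheExpirationWindow   # default 00:10:00

$lifetimeMin = Invoke-Command -ComputerName $AdfsServer -ArgumentList $RelyingPartyName -ScriptBlock {
    param($rp)
    (Get-AdfsRelyingPartyTrust -Name $rp).TokenLifetime   # minutes; 0 means the ADFS default of 60
}
if ($lifetimeMin -eq 0) { $lifetimeMin = 60 }

$usable = [TimeSpan]::FromMinutes($lifetimeMin) - $window - $skew.Duration()
'ADFS token lifetime {0} min, SharePoint cache window {1}, usable session window after skew {2}' -f $lifetimeMin, $window, $usable
if ($usable -le [TimeSpan]::Zero) {
    Write-Warning 'validTo would precede validFrom: fix the clocks, then keep TokenLifetime comfortably above LogonTokenCacheExpirationWindow.'
}
```

Run it from a SharePoint web front end as an account that can remote to the ADFS server. With the numbers from this case (SharePoint at 3:16, ADFS at 2:16, a 60-minute ADFS token and the default 10-minute cache window) the usable window comes out negative, which is exactly the condition that produced the "validFrom" exception.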