Cannot log in to SharePoint site with ADFS auth - Error: Specified argument was out of the range of valid values.
I came across a scenario where ADFS site login was failing for a SharePoint 2013 site, for one of my premier customers.
Here are the details of the issue and its resolution:
Symptom
You have ADFS 3.0 integrated with SharePoint Server 2013 running on Windows Server 2012 R2.
When you browse to the site https://SharePointSiteURL and provide ADFS credentials, an error message is shown and you cannot log in to the site.
Resultant URL:
https://SharePointSiteURL/_trust/default.aspx
Error on Page:
Server Error in '/' Application.
Specified argument was out of the range of valid values.
Parameter name: validFrom
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: validFrom
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[ArgumentOutOfRangeException: Specified argument was out of the range of valid values.
Parameter name: validFrom]
Microsoft.IdentityModel.Tokens.SessionSecurityToken..ctor(IClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key) +994
Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo) +463
Microsoft.IdentityModel.Web.SessionAuthenticationModule.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, DateTime validFrom, DateTime validTo, Boolean isPersistent) +171
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) +768
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +522
Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +204
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +176
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +169
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.34009
Cause
Time mismatch between the SharePoint and ADFS servers. In our case, the SharePoint servers were 1 hour ahead of the ADFS servers.
Resolution
We checked multiple settings on the SharePoint and ADFS servers and eventually found that the time mismatch between the SharePoint and ADFS servers was the problem.
From ULS logs:
----------------------------------------------------------------------------------------------------------------
w3wp.exe (UI1PAFE901X:0x357C) 0x1AA4 SharePoint Foundation Claims Authentication adlld VerboseEx SPAudienceValidator: Audience validation succeeded. AudienceUri: 'urn:produs-ibm-bhi-ecom:all_endpoints'. 8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C) 0x1AA4 SharePoint Foundation Claims Authentication af3yt VerboseEx SPSaml11SecurityTokenHandler: Audience validation succeeded for request 'https://SharePointSiteURL/_trust/default.aspx'. 8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C) 0x1AA4 SharePoint Foundation Topology aik7s Verbose The certificate with thumbprint 'F7F8F9438C53350802A0282C37E03E1BB97434D4' could not be validated against the machine store. The certificate will be validated against the SharePoint trusted root authority list. 8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C) 0x1AA4 SharePoint Foundation General 8nca Medium Application error when access /_trust/default.aspx, Error=Specified argument was out of the range of valid values. Parameter name: validFrom at Microsoft.IdentityModel.Tokens.SessionSecurityToken..ctor(IClaimsPrincipal claimsPrincipal, UniqueId contextId, String context, String endpointId, Nullable`1 validFrom, Nullable`1 validTo, SymmetricSecurityKey key) at Microsoft.IdentityModel.Tokens.SessionSecurityTokenHandler.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, String endpointId, DateTime validFrom, DateTime validTo) at Microsoft.IdentityModel.Web.SessionAuthenticationModule.CreateSessionSecurityToken(IClaimsPrincipal principal, String context, DateTime validFrom, DateTime validTo, Boolean isPersistent) at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request) at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 8344289d-ceaf-40ff-79fe-c144124f1ecd
w3wp.exe (UI1PAFE901X:0x357C) 0x1AA4 SharePoint Foundation Monitoring b4ly Medium Leaving Monitored Scope (Request (POST:https://SharePointSiteURL/_trust/default.aspx)). Execution Time=11.5031379686524 8344289d-ceaf-40ff-79fe-c144124f1ecd
----------------------------------------------------------------------------------------------------------------
· Upon checking further, we found that:
On the ADFS server: the time was 2:16 am.
On the SharePoint server: the time was 3:16 am.
Clearly, there was a time synchronization issue: the SharePoint server was 1 hour ahead of the ADFS server.
· We changed the server time on the ADFS server to match the SharePoint server.
· We were then able to log in to the site successfully.
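As an added example (not part of the original post), the following PowerShell check, run from the SharePoint server, measures the clock skew against the ADFS server that caused the validFrom error above and shows each machine's time source; the ADFS host name and the tolerance are placeholders.

```powershell
# Added example, not from the original post: detect SharePoint/ADFS clock skew.
# Run on the SharePoint server with rights to run remote commands on the ADFS server.
$AdfsServer     = 'ADFS01.contoso.local'   # placeholder ADFS host name
$MaxSkewSeconds = 300                       # assumed tolerance for this check

# 1. Direct comparison of UTC clocks (UTC avoids false alarms from time-zone differences).
#    Ticks are returned instead of a DateTime so nothing is lost in remoting serialization;
#    the result includes remoting latency, so expect sub-second noise, not whole hours.
$remoteTicks = Invoke-Command -ComputerName $AdfsServer -ScriptBlock { [DateTime]::UtcNow.Ticks }
$localTicks  = [DateTime]::UtcNow.Ticks
$skew        = [TimeSpan]::FromTicks($localTicks - $remoteTicks).TotalSeconds

"SharePoint UTC : " + (New-Object DateTime -ArgumentList $localTicks,  ([DateTimeKind]::Utc))
"ADFS UTC       : " + (New-Object DateTime -ArgumentList $remoteTicks, ([DateTimeKind]::Utc))
"Skew (SP-ADFS) : {0:N1} s" -f $skew

# 2. Cross-check with the Windows Time service, which samples the offset over NTP.
#    /dataonly lines look like '02:16:00, +00.0012345s'; extract the signed offset.
$samples = w32tm /stripchart /computer:$AdfsServer /samples:3 /dataonly |
    ForEach-Object { if ($_ -match ',\s*([+-]?\d+(\.\d+)?)s') { [double]$Matches[1] } }
if ($samples) {
    $avg = ($samples | Measure-Object -Average).Average
    "w32tm offset   : {0:N3} s (average of $($samples.Count) samples)" -f $avg
}

# 3. Show where each machine gets its time; if they disagree, that is what to fix.
"Local time source: " + (w32tm /query /source)
"ADFS time source : " + (Invoke-Command -ComputerName $AdfsServer -ScriptBlock { w32tm /query /source })

if ([Math]::Abs($skew) -gt $MaxSkewSeconds) {
    Write-Warning ("Clock skew of {0:N0} s exceeds the {1} s tolerance; federated sign-in " +
                   "will fail with validFrom/validTo errors until the clocks agree." -f [Math]::Abs($skew), $MaxSkewSeconds)
}
```

Setting one server's clock to match the other restores sign-in, as described above; the lasting fix is to point both servers at the same authoritative time source, which step 3 reveals.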