3.7 Troubleshooting
This section contains troubleshooting information and frequently asked questions related to working with the MyID AD FS Adapter OAuth.
-
I tried to log on, but I see "Incorrect user ID or password"
The user or email address is incorrect. Correct it and try again.
-
I tried to log on, but I cannot see the FIDO option
Check the ADFS Manager has selected the Intercede FIDO ADFS adapter as the Primary authentication method for Intranet.
-
I tried to log on, but I see "Your security cannot be used with this site"
Try a different authenticator (security key). Some authenticators do not support user verification; that is, they do not have a PIN or fingerprint sensor.
-
I tried to log on, but I see "Error OA10010: Error authenticating FIDO in browser. The operation either timed out or was not allowed."
This may be caused by the following situations:
-
You exceeded the timeout (by default 90 seconds) before completing the authentication.
If necessary, you can change the timeout by adding the Fido:Config:Timeout option to the appsettings.Production.json file for the web.oauth2.ext web service.
-
You canceled the authentication operation.
-
-
I tried to log on, but I see "400: An unexpected error occurred. Please contact your administrator."
Check that the Fido:Config:Origin option in the appsettings.Production.json file is set correctly; see section 3.4.2, Updating the web.oauth2.ext configuration file for details.
-
I tried to log on, but I see "Error OA10010: Error authenticating FIDO in browser. The relying party ID is not a registrable domain suffix of, nor equal to the current domain."
Check that the Fido:Config:ServerDomain option in the appsettings.json or appsettings.Production.json file is set correctly; see the Configuring the server settings section in the FIDO Authenticator Integration Guide for details.
Ensure the domain name has not changed since the credential was issued – FIDO credentials can be used only for the domain on which they were registered.
If web.oauth2.ext (which is authenticating the user) is on a different server from web.oauth2 (which registered the FIDO credential), ensure there is a load balancer or reverse proxy in front of both of these servers, so that the client computer sees the same domain in the URL for both of these machines.
-
I tried to log on, but I see "HTTP Error 500.30 - ANCM In-Process Start Failure"
Check that your appsettings.Production.json file is valid.
Note especially that copying code samples from a browser may include hard spaces, which cause the JSON file to be invalid.
To assist in tracking down the problem, you can use the Windows Event Viewer. Check the Windows Logs > Application section for errors; you may find an error from the .NET Runtime source that contains information similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '"' is invalid after a value. Expected either ',', '}', or ']'. LineNumber: 13 | BytePositionInLine: 6.
which could be caused by a missing comma at the end of a line.
An error similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '0xC2' is an invalid start of a property name. Expected a '"'. LineNumber: 7 | BytePositionInLine: 0.
is caused by a hard (non-breaking) space copied from a web browser, which is not supported in JSON.
Note: Some JSON files used by MyID contain comment lines beginning with double slashes // – these comments are not supported by the JSON format, so the JSON files will fail validation if you attempt to use external JSON validation tools. However, these comments are supported in the JSON implementation provided by asp.net.core, and so are valid in the context of MyID.
You can also check that the Fido:Config:MDSAccessKeyClear option in the appsettings.Production.json file is set correctly. If the MDSAccessKey contains an encrypted value, MDSAccessKeyClear must be false.
-
I tried to log on, but I see "This page isn’t working <my domain> is currently unable to handle this request. HTTP ERROR 500"
Check that the MyID:Database:ConnectionStringCore and MyID:Database:ConnectionStringAuth options in the appsettings.json or appsettings.Production.json file are set correctly.
See section 2.2, Configuring the standalone authentication service for details.
-
I tried to log on, but I see "Unknown error".
-
Check that the myid.adfs client in the appsettings.Production.json file has a valid value for ClientSecrets. This must be a Base64-encoded SHA-256 hash of the client secret.
See section 3.4, Configuring the standalone authentication service for AD FS.
-
Check that the Fido2AdfsAdapter.json file on the AD FS server has a valid value for client_secret. This must be the shared secret that was used to generate the Base64-encoded SHA-256 hash that you used on the web.oauth2.ext server; note that you are strongly recommended to use an encrypted secret in this file.
See section 3.6, Managing the AD FS Adapter OAuth and section 3.6.2, Encrypting the client secret for details.
-
-
I tried to log on, but I see "Sorry, there was an error : invalid_scope"
Ensure that the appsettings.json file for the web.oauth2.ext service has the following:
-
In the myid.adfs client section, AllowedScopes of openid and email.
-
An IdentityResource named email.
-
-
I tried to log on, but I see "Sorry, there was an error : invalid_request"
Ensure that the appsettings.Production.json file for the web.oauth2.ext service has in the myid.adfs client section a valid value for the RedirectUris.
This must be in the format:
https://<auth service domain>/AdfsAuth/home/AdfsAuth
See section 3.4.2, Updating the web.oauth2.ext configuration file for details.
-
I tried to log on, but I see "Invalid login request There are no login schemes configured for this client."
Ensure that the appsettings.Production.json file for the web.oauth2.ext service has in the myid.adfs client section, at least one of the following Properties set to true:
-
EnableFido2LoginBasicAssurance
-
EnableFido2LoginHighAssurance
See section 3.4.2, Updating the web.oauth2.ext configuration file for details.
-
-
I tried to log on, but I see "Error code OA10018: You do not have any FIDO tokens registered."
Check the Properties for the myid.adfs client section in the appsettings.Production.json file for the web.oauth2.ext service. This error can occur when EnableFido2LoginBasicAssurance is set to true, EnableFido2LoginHighAssurance is set to false, and while there may be authenticators registered with high assurance, there are no authenticators that were registered with basic assurance.
-
I tried to log on, but the screen stops responding with a message saying "Please wait a moment..."
If this occurs, check the following:
-
On the ADFS Auth web server, check that the AllowedOrigins option in the appsettings.Production.json file for the ADFS Auth web service is set correctly. It must be set to the URL of the AD FS server.
For example:
"AllowedOrigins": [ "https://adfs.example.com" ]
See section 3.3.2, Configuring the ADFS Auth web service for details.
-
On the AD FS server, check that the FidoAdfsAdapter.json file has a valid redirect_server URL setting.
For example:
https://myserver.example.com/AdfsAuth
See section 3.6.1, Configuration file for details.
-
-
I tried to log on, but I see "Server Error, 404 – File or directory not found"
On the AD FS server, check that the FidoAdfsAdapter.json file has a valid server URL setting.
For example:
https://myserver.example.com/web.oauth2.ext
See section 3.6.1, Configuration file for details.
-
When the browser redirects to web.oauth2.ext, it says there are no logon mechanisms enabled
Ensure that the appsettings.Production.json file for the web.oauth2.ext service has, in the myid.adfs client section, at least one of the following Properties set to true:
-
EnableFido2LoginBasicAssurance
-
EnableFido2LoginHighAssurance
See section 3.4.2, Updating the web.oauth2.ext configuration file for details.
-
-
What are FIDO basic and high assurance?
FIDO authenticators may provide single-factor, two-factor, or multi-factor authentication.; you can configure MyID to treat FIDO basic assurance authenticators and high assurance authenticators with different levels of trust; for example, you can enable logon to MyID for high assurance authenticators, but disable logon for basic assurance authenticators.
For more information about basic and high assurance FIDO authenticators, see the Supported authenticators section in the FIDO Authenticator Integration Guide.