HELP FILE

Known issues and additional troubleshooting for Federated Login for Active Directory Federation Services (AD FS)

    If you have confirmed that your LastPass Business and AD FS configurations are properly set, there are additional steps you can take to troubleshoot based on the issue you are experiencing.

    Blank screen after logging in as a federated user

    Review possible cause(s) and resolutions below.

    Table 1.
    Possible cause: The AD FS service user does not have CONTROL ACCESS permissions on the custom attribute.
    How to fix: Follow these instructions from Step #3.

    Possible cause: In an AD FS farm environment, the AD FS plugin DLLs were not copied to the secondary and subsequent AD FS nodes.
    How to fix: Follow these instructions from Step #6.

    Possible cause: No email address is set as an AD attribute for the user.
    How to fix: Set an email address as an AD attribute.

    Possible cause: The custom attribute is not configured or present.

    Custom attribute is empty

    Review possible cause(s) and resolutions below.

    Table 2.
    Possible cause: The LastPass AD Connector was not restarted after federated login was enabled in the LastPass Admin Console.
    How to fix: Restart the LastPass AD Connector service to provision federated users.

    Possible cause: The custom attribute name configured in the LastPass Admin Console does not match the one configured in the AD FS plugin.
    How to fix: Follow these instructions.

    Possible cause: Federated login was not yet enabled in the LastPass Admin Console when the users were provisioned by the LastPass AD Connector.
    How to fix:
    1. Stop the LastPass AD Connector service.
    2. Log in to the Admin Console at https://admin.lastpass.com/
    3. Go to Users > Users and delete all the users that were provisioned as federated users.
    4. Go to Users > Federated login.
    5. Check the box for the Enable setting.
    6. Restart the LastPass AD Connector service so that it provisions the federated users again.
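    The causes in Tables 1 and 2 can be confirmed from AD itself before touching the AD FS configuration. The following PowerShell is an added example, not part of this help page and not LastPass's own tooling. It assumes the RSAT ActiveDirectory module is installed, and the custom attribute name, the AD FS service account and the user below are placeholders you replace with your own values.

```powershell
# Added example, not part of the LastPass help page or the AD Connector/AD FS plugin.
# For one federated user, checks the AD-side conditions behind Tables 1 and 2:
# is the custom attribute in the schema, are the user's email and custom attribute set,
# and does the AD FS service account hold CONTROL ACCESS on that attribute.
Import-Module ActiveDirectory

$CustomAttribute    = 'lastPassKeyPart'   # assumption: LDAP display name of your custom attribute
$AdfsServiceAccount = 'CONTOSO\svc-adfs'  # assumption: the account the AD FS service runs as
$User               = 'jdoe'              # assumption: a federated user who gets the blank screen

# 1. Attribute defined in the schema? (Table 1: "Custom attribute is not configured or present")
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrDef  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$CustomAttribute)" `
                         -Properties schemaIDGUID, searchFlags
if (-not $attrDef) { throw "Attribute '$CustomAttribute' is not defined in the schema." }
$attrGuid = [guid]$attrDef.schemaIDGUID
# searchFlags bit 0x80 marks the attribute confidential; reading a confidential attribute
# requires the CONTROL ACCESS right, plain Read is not enough.
$isConfidential = ($attrDef.searchFlags -band 0x80) -ne 0

# 2. Email address set, custom attribute populated? (Table 1 row 3, Table 2)
$u = Get-ADUser -Identity $User -Properties mail, $CustomAttribute
if ([string]::IsNullOrWhiteSpace($u.mail)) {
    Write-Warning "$User has no mail attribute; set an email address in AD."
}
if ([string]::IsNullOrWhiteSpace($u.$CustomAttribute)) {
    Write-Warning "$User has an empty $CustomAttribute; check the AD Connector log and whether federated login was enabled when the user was provisioned."
}

# 3. CONTROL ACCESS for the service account. An Allow ACE with ExtendedRight scoped to this
#    attribute's GUID (or to all extended rights, empty GUID), or Full Control, satisfies it.
#    Only ACEs naming the account directly are matched; group-based grants and property sets are not resolved.
$rights = [System.DirectoryServices.ActiveDirectoryRights]
$acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
$grant = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $AdfsServiceAccount -and
    ( $_.ActiveDirectoryRights.HasFlag($rights::GenericAll) -or
      ( $_.ActiveDirectoryRights.HasFlag($rights::ExtendedRight) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid) ) )
}
if ($isConfidential -and -not $grant) {
    Write-Warning "$AdfsServiceAccount has no CONTROL ACCESS ACE on $CustomAttribute for $User (Table 1, Step #3)."
} elseif ($grant) {
    "CONTROL ACCESS present for $AdfsServiceAccount on $User"
}
```

    The permission check is a first pass, not an effective-permissions calculation: if the service account is granted CONTROL ACCESS through a group, the script will report a missing ACE even though the read succeeds. Use it to find the obvious misconfigurations, then confirm with the Effective Access tab in Active Directory Users and Computers.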

    "Contact the LastPass administrator at your organization for help" after logging in as a federated user

    Windows Event Log Errors

    Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'LastPassAttributeStore' is not configured.
    How to fix this:
    Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://accounts.lastpass.com/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
    How to fix this:
    Microsoft.IdentityServer.Web.InvalidScopeException: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\USERNAME for relying party trust 'https://accounts.lastpass.com/'
    How to fix this:
    • The relying party trust exists, but its Issuance Authorization Rules (Windows Server 2012 R2) or Access Control Policy (Windows Server 2016) deny this user. Check them on the AD FS server:
      1. Log in to your primary Active Directory Federation Services (AD FS) server.
      2. Open AD FS Management.
      3. Select Relying Party Trusts in the left navigation (under Trust Relationships on Windows Server 2012 R2), then follow the steps for your AD FS version:
        • AD FS 3.0 – Windows Server 2012 R2
          1. Select "LastPass Trust" and, in the Actions pane on the right, click Edit Claim Rules....
          2. Select the Issuance Authorization Rules tab and set a rule that permits the affected user (for example, the Permit All Users template, or a rule that permits members of a specific group).
        • AD FS 4.0 – Windows Server 2016
          1. Select "LastPass Trust" and, in the Actions pane on the right, click Edit Access Control Policy....
          2. Choose a policy that includes the affected user (for example, Permit everyone).
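    The three Event Log errors above each point at one AD FS object: the attribute store (POLICY0017), the relying party trust itself (MSIS7007) and the trust's authorization configuration (MSIS5007). The PowerShell below is an added example, not part of this help page or of the AD FS plugin, that inspects all three in one pass on the primary AD FS server. It assumes the trust is named "LastPass Trust" as on this page; the group SID in the sample rule is a placeholder.

```powershell
# Added example, not part of the LastPass help page or the AD FS plugin. Run in an elevated
# PowerShell session on the primary AD FS server. Checks the three objects the Event Log
# errors refer to: attribute store, relying party trust, authorization configuration.
Import-Module ADFS

$RpIdentifier = 'https://accounts.lastpass.com/'
$RpName       = 'LastPass Trust'   # trust name used on this page

# POLICY0017: the custom attribute store must be registered under the exact name the claim rules reference.
$store = Get-AdfsAttributeStore -Name 'LastPassAttributeStore' -ErrorAction SilentlyContinue
if (-not $store) {
    Write-Warning "Attribute store 'LastPassAttributeStore' is not registered (POLICY0017)."
} else {
    $store | Format-List Name, StoreTypeQualifiedName
}

# MSIS7007: a relying party trust whose identifier equals the Issuer of the SAML request must exist and be enabled.
$rp = Get-AdfsRelyingPartyTrust -Identifier $RpIdentifier
if (-not $rp) { throw "No relying party trust has the identifier $RpIdentifier (MSIS7007)." }
if (-not $rp.Enabled) { Write-Warning "Relying party trust '$($rp.Name)' is disabled." }

# MSIS5007: the trust exists but its authorization configuration denies this caller.
# Windows Server 2012 R2 evaluates IssuanceAuthorizationRules; Windows Server 2016 evaluates the
# access control policy when one is assigned and the authorization rules only when none is.
$rp | Format-List Name, Identifier, Enabled, AccessControlPolicyName, IssuanceAuthorizationRules

# Windows Server 2012 R2 fix (uncomment the Set- line to apply): permit everyone ...
$permitAll = '@RuleTemplate = "AllowAllAuthzRule" => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# ... or only members of one group. Placeholder SID; take the real one from (Get-ADGroup 'LastPass Users').SID.Value
$permitGroup = '@RuleTemplate = "Authorization" @RuleName = "Permit LastPass users" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1234"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");'
# Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceAuthorizationRules $permitAll

# Windows Server 2016 fix (uncomment to apply): assign one of the built-in access control policies.
# Set-AdfsRelyingPartyTrust -TargetName $RpName -AccessControlPolicyName 'Permit everyone'
```

    The Set-AdfsRelyingPartyTrust lines are left commented so the script only reads configuration until you decide which rule or policy fits your environment. Prefer the group-scoped rule or a group-scoped access control policy over "permit everyone" unless every AD user is meant to reach LastPass.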

    SAML processing error codes

    The table below contains the SAML Processing error codes and the possible causes. The possible solutions are listed in Table 4.
    Table 3. SAML Processing error codes
    Status 5, SecurityTokenNotYetValid
      Description: The SAML response is not yet valid according to the ALP server time.
      Possible cause(s): The AD FS server time settings are incorrect.
    Status 6, SecurityTokenExpired
      Description: The SAML response has expired.
      Possible cause(s):
      • The AD FS server time settings are wrong.
      • The client browser cached a SAML response and tried to use it later.
    Status 9, SignatureVerificationKeyMismatch
      Description: The SAML response is signed with a different certificate than the one on the Federated Login page in the LastPass Admin Console.
      Possible cause(s):
      • The SAML response is signed with a different Token-signing certificate than the one uploaded on the Federated Login page.
      • You have an AD FS farm environment and the nodes do not have the same Token-signing certificate configured.
    Status 13, MissingEmailClaim
      Description: The email assertion is not present in the SAML response, or the email address is not valid (for example, it is missing the @).
      Possible cause(s):
      • The Relying Party Trust configuration is invalid.
      • The AD user has an invalid email address.
    Status 19, InvalidRequest
      Description: Invalid SAML request.
      Possible cause(s): The SAML response is only partial or is completely missing.
    Status 21, ReplayedToken
      Description: The incoming SAML response was already sent to LastPass.
    Status 22, MissingLastPassSecret
      Description: The LastPassKeyPart or LastPassKeyPartSignature assertion is not present in the SAML response.
      Possible cause(s):
      • The AD custom attribute was not created.
      • The user's custom attribute is empty.
      • The AD FS service account does not have permission to read the custom attribute.
      • The Relying Party Trust is invalid or misconfigured.
      • The AD FS plugin was removed, not installed, or the wrong version was installed.
    Status 23, MissingDirectoryUserName
      Description: The DirectoryUserName (AD username) assertion is not present in the SAML response.
      Possible cause(s): The Relying Party Trust configuration is invalid.
    Status 26, MissingAlpSecret
      Description: The K2 secret is not present for this user in the ALP database.
      Possible cause(s): The LastPass workers have not yet processed the background job for this user's provisioning.
    Table 4. SAML Processing error codes possible solutions
    Status 5, SecurityTokenNotYetValid
      Set the server time to the actual time, using the built-in NTP functionality if desired.
    Status 6, SecurityTokenExpired
      • Set the server time to the actual time, using the built-in NTP functionality if desired.
      • Clear the browser cache and cookies for the AD FS server host.
    Status 9, SignatureVerificationKeyMismatch
      1. Get the public key of the Token-signing certificate the AD FS server actually uses and update the public key on the Federated Login page in the Admin Console.
      2. In a farm, configure the same Token-signing certificate on every AD FS node, then update the public key on the Federated Login page in the Admin Console.
    Status 13, MissingEmailClaim
      1. Check that the Relying Party Trust configuration is valid and fix it if necessary.
      2. Re-install the AD FS plugin.
      3. Check the user's email address in Active Directory Users and Computers.
    Status 19, InvalidRequest
      Check the request sent to the https://accounts.lastpass.com/auth/saml2/<IdP-GUID> URL with the browser's developer tools (network traffic). Attach the request body together with the AD FS server event log and send them to support.
    Status 21, ReplayedToken
      Log in again using the extension and check again. If the issue persists, report it to the support team.
    Status 22, MissingLastPassSecret
      1. Check that the custom attribute is present in AD.
      2. Check whether the user's custom attribute is empty. Refer to the AD Connector log to see whether the account was provisioned correctly.
      3. Check that the AD FS service account has the required permission to read the custom attribute, and set the permissions correctly.
      4. Check the Relying Party Trust configuration and reinstall the AD FS plugin if necessary.
      5. Re-install the correct version of the AD FS plugin.
    Status 23, MissingDirectoryUserName
      • Check that the Relying Party Trust configuration is valid and fix it if necessary.
      • Re-install the AD FS plugin.
    Status 26, MissingAlpSecret
      1. Wait a few minutes until the background job is processed.
      2. The background job might be stuck. Contact the LastPass support team.
      3. Since a missing part of the secret renders the account unusable, delete the account from the LastPass website so that the AD Connector can provision that account again.
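    Most of the conditions in Tables 3 and 4 are visible in the SAML response itself before LastPass ever rejects it. The PowerShell below is an added example, not part of this help page or of LastPass's code: it decodes a SAMLResponse form value captured with the browser's developer tools and reports the conditions behind status codes 5, 6, 9, 13, 22 and 23. It assumes the claims are identified by the trailing segment of their Name (emailaddress, LastPassKeyPart, LastPassKeyPartSignature, DirectoryUserName); the response and certificate at the end are constructed samples.

```powershell
# Added example, not part of the LastPass help page or of LastPass's code. Decodes a SAMLResponse
# form value and reports the conditions behind status codes 5, 6, 9, 13, 22 and 23.
# Assumptions: claim names are matched by their trailing segment (emailaddress, LastPassKeyPart,
# LastPassKeyPartSignature, DirectoryUserName); the sample response and certificate are constructed.

function Get-CertThumbprint([string]$Base64Der) {
    # A certificate thumbprint is the SHA-1 of the DER bytes, as shown in the Windows certificate UI.
    $bytes = [Convert]::FromBase64String(($Base64Der -replace '\s', ''))
    ([System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
}

function Test-LastPassSamlResponse {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64,        # "SAMLResponse" form field of the POST to accounts.lastpass.com
        [Parameter(Mandatory)][string]$ExpectedSigningCertBase64, # token-signing public key pasted on the Federated Login page
        [datetime]$Now = [datetime]::UtcNow
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Code 19: the value must decode to a well-formed samlp:Response carrying an Assertion.
    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.LoadXml([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64)))
    } catch {
        return @('19 InvalidRequest: SAMLResponse is not valid base64/XML')
    }
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')
    $assertion = $xml.SelectSingleNode('/samlp:Response/saml:Assertion', $ns)
    if (-not $assertion) { return @('19 InvalidRequest: no saml:Assertion inside samlp:Response') }

    # Codes 5 and 6: validity window, compared in UTC. The AD FS clock must agree with LastPass's.
    $cond = $assertion.SelectSingleNode('saml:Conditions', $ns)
    if ($cond -and $cond.HasAttribute('NotBefore') -and $cond.HasAttribute('NotOnOrAfter')) {
        $utc = [System.Xml.XmlDateTimeSerializationMode]::Utc
        $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotBefore'), $utc)
        $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.GetAttribute('NotOnOrAfter'), $utc)
        $nowUtc = $Now.ToUniversalTime()
        if ($nowUtc -lt $notBefore)    { $findings.Add("5 SecurityTokenNotYetValid: NotBefore $notBefore is later than now $nowUtc; check the AD FS clock/NTP") }
        if ($nowUtc -ge $notOnOrAfter) { $findings.Add("6 SecurityTokenExpired: NotOnOrAfter $notOnOrAfter has passed; clock skew or a cached/replayed response") }
    }

    # Code 9: certificate embedded in the signature vs. the one configured in the Admin Console.
    $certNode = $xml.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if (-not $certNode) {
        $findings.Add('9 SignatureVerificationKeyMismatch: no ds:X509Certificate in the response')
    } else {
        $got  = Get-CertThumbprint $certNode.InnerText
        $want = Get-CertThumbprint $ExpectedSigningCertBase64
        if ($got -ne $want) { $findings.Add("9 SignatureVerificationKeyMismatch: signed by $got, Admin Console has $want; check every farm node's token-signing certificate") }
    }

    # Codes 13, 22, 23: required attributes in the AttributeStatement.
    $attrs = @{}
    foreach ($a in $assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns)) {
        $attrs[$a.GetAttribute('Name')] = @($a.SelectNodes('saml:AttributeValue', $ns) | ForEach-Object { $_.InnerText })
    }
    $email = $attrs.Keys | Where-Object { $_ -match 'emailaddress$' } | ForEach-Object { $attrs[$_] } | Select-Object -First 1
    if (-not $email -or $email -notmatch '@') { $findings.Add("13 MissingEmailClaim: email claim missing or invalid ('$email'); check the trust rules and the user's AD email") }
    foreach ($name in 'LastPassKeyPart', 'LastPassKeyPartSignature') {
        if (-not ($attrs.Keys | Where-Object { $_ -match "$name`$" })) {
            $findings.Add("22 MissingLastPassSecret: $name not issued; custom attribute empty or unreadable by the AD FS service account, or plugin missing")
        }
    }
    if (-not ($attrs.Keys | Where-Object { $_ -match 'DirectoryUserName$' })) {
        $findings.Add('23 MissingDirectoryUserName: DirectoryUserName claim not issued; check the relying party trust rules')
    }

    if ($findings.Count -eq 0) { $findings.Add('OK: no LastPass-side SAML processing condition detected') }
    return $findings
}

# Constructed sample: placeholder certificate bytes, a validity window that has already closed,
# and no LastPassKeyPartSignature attribute, so the checks for codes 6 and 22 have something to report.
$sampleCert = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('placeholder token-signing certificate'))
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-03-01T10:00:00Z">
    <Issuer>http://adfs.example.com/adfs/services/trust</Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue/><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$sampleCert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <Conditions NotBefore="2024-03-01T10:00:00Z" NotOnOrAfter="2024-03-01T11:00:00Z"/>
    <AttributeStatement>
      <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>jdoe@example.com</AttributeValue></Attribute>
      <Attribute Name="LastPassKeyPart"><AttributeValue>c2VjcmV0LWtleS1wYXJ0</AttributeValue></Attribute>
      <Attribute Name="DirectoryUserName"><AttributeValue>CONTOSO\jdoe</AttributeValue></Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>
"@
$sampleResponse = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Test-LastPassSamlResponse -SamlResponseBase64 $sampleResponse -ExpectedSigningCertBase64 $sampleCert -Now ([datetime]'2024-03-01T12:00:00Z')
```

    To check a live login, copy the SAMLResponse value from the POST to accounts.lastpass.com in the browser's network tab and pass it together with the certificate from the Federated Login page. The script does not verify the XML signature itself, only which certificate was used, so a matching thumbprint with a failing login still points at the signature or at the server-side codes (21, 26) that cannot be seen from the client.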