Known issues and additional troubleshooting for Federated Login for Active Directory Federation Services (AD FS)
If you have confirmed that your LastPass Business and AD FS configurations are properly set, there are additional steps you can take to troubleshoot based on the issue you are experiencing.
Blank screen after logging in as a federated user
Review possible cause(s) and resolutions below.
Possible Cause(s) | How to Fix |
---|---|
The AD FS service user does not have CONTROL ACCESS permissions | Follow these instructions from Step #3 |
In an AD FS farm environment, the AD FS plugin DLLs were not copied to the secondary and subsequent AD FS nodes | Follow these instructions from Step #6 |
Email address is not set as an AD attribute | Set an email address as an AD attribute |
Custom attribute is not configured or present | |
Custom attribute is empty
Review possible cause(s) and resolutions below.
Possible Cause(s) | How to Fix |
---|---|
The LastPass AD Connector was not restarted after federated login was enabled in the LastPass Admin Console | Restart the LastPass AD Connector service to provision federated users |
There is a custom attribute name mismatch between the LastPass Admin Console and the AD FS plugin | Follow these instructions |
Federated login was not enabled in the LastPass Admin Console at the time provisioning occurred via the LastPass AD Connector | |
"Contact the LastPass administrator at your organization for help" after logging in as a federated user
How to fix this: Disable multifactor authentication options and policies at the LastPass level.
Windows Event Log Errors
About this task:
- Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0017: Attribute store 'LastPassAttributeStore' is not configured.
  How to fix this:
  - Restart the AD FS Windows service on the AD FS server to load the LastPass AD FS plugin properly.
  - For an AD FS server farm environment, check the AD FS server farm configuration from Step #7.
- Microsoft.IdentityServer.Web.InvalidScopeException: MSIS7007: The requested relying party trust 'https://accounts.lastpass.com/' is unspecified or unsupported. If a relying party trust was specified, it is possible that you do not have permission to access the trust relying party. Contact your administrator for details.
  How to fix this:
  - Check that the AD FS plugin has been installed from Step #4 and configured correctly from Step #5.
  - For an AD FS server farm environment, check the AD FS server farm configuration from Step #7.
- Microsoft.IdentityServer.Web.InvalidScopeException: Microsoft.IdentityServer.Service.IssuancePipeline.CallerAuthorizationException: MSIS5007: The caller authorization failed for caller identity DOMAIN\USERNAME for relying party trust 'https://accounts.lastpass.com/'
  How to fix this: Check the user's Relying Party Trust and Issuance Authorization Rules (Windows Server 2012) or Access Control Policy (Windows Server 2016) on the AD FS server.
  - Log in to your primary Active Directory Federation Services (AD FS) server.
  - Navigate to your AD FS Management Settings.
  - Go to … in the left navigation, then follow the next steps based on your AD FS server version:
    - AD FS Server 3.0 – Windows Server 2012 R2: in the "LastPass Trust" section in the right navigation, click Edit Claim Rules..., then select the Issuance Authorization Rules tab and set your desired rule.
    - AD FS Server 4.0 – Windows Server 2016: in the "LastPass Trust" section in the right navigation, click Edit Access Control Policy..., then set your desired policy.
SAML processing error codes
About this task: The table below contains the SAML processing error codes and their possible causes. The possible solutions are listed in Table 4.
Status | Name | Description | Possible cause(s) |
---|---|---|---|
5 | SecurityTokenNotYetValid | The SAML response is not yet valid according to ALP server time. | The AD FS server time settings are incorrect. |
6 | SecurityTokenExpired | The SAML response has expired. | |
9 | SignatureVerificationKeyMismatch | The SAML response is signed with a different certificate than the certificate on the Federated Login page in the LastPass Admin Console. | |
13 | MissingEmailClaim | The email assertion is not present in the SAML response, or the email address is not valid (for example, it is missing the @). | |
19 | InvalidRequest | Invalid SAML request | The SAML response is only partial or is completely missing. |
21 | ReplayedToken | The incoming SAML response was already sent to LastPass. | |
22 | MissingLastPassSecret | The LastPassKeyPart or LastPassKeyPartSignature assertion is not present in the SAML response. | |
23 | MissingDirectoryUserName | The DirectoryUserName (AD username) assertion is not present in the SAML response. | The Relying Party Trust configuration is invalid. |
26 | MissingAlpSecret | The K2 secret is not present for this user in the ALP database. | The LP workers have not yet processed the background job for this user's provisioning. |
Status | Name | Possible solutions |
---|---|---|
5 | SecurityTokenNotYetValid | Set the server time to the actual time, using the built-in NTP functionality if desired. |
6 | SecurityTokenExpired | |
9 | SignatureVerificationKeyMismatch | |
13 | MissingEmailClaim | |
19 | InvalidRequest | Check the request sent to the https://accounts.lastpass.com/auth/saml2/<IdP-GUID> URL with the browser's developer tools (network traffic). Attach the request body together with the AD FS server event log and send it to support. |
21 | ReplayedToken | Log in again using the extension and check again. If the issue still persists, report it to the support team. |
22 | MissingLastPassSecret | |
23 | MissingDirectoryUserName | |
26 | MissingAlpSecret | |
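As an added example (not part of the LastPass article or its tooling), the script below triages a captured SAML response offline against the conditions behind status codes 5, 6, 13, 19, 22 and 23 in the tables above: token validity window, missing or malformed email, missing DirectoryUserName and LastPassKeyPart/LastPassKeyPartSignature assertions, and an unparseable response. The attribute names `email`, `DirectoryUserName`, `LastPassKeyPart` and `LastPassKeyPartSignature` are assumptions for illustration; match them to the claim rules configured on your relying party trust, and use defusedxml instead of ElementTree for responses captured from untrusted sources.

```python
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted captures
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed attribute names (check them against your relying party trust's claim
# rules) mapped to the status code reported when the attribute is missing/empty.
REQUIRED = {"email": 13, "DirectoryUserName": 23,
            "LastPassKeyPart": 22, "LastPassKeyPartSignature": 22}

def parse_ts(value):
    """Parse a SAML xsd:dateTime such as 2024-05-01T10:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(saml_response_b64, now):
    """Return the status codes from the tables above that this response would trigger."""
    try:
        assertion = ET.fromstring(base64.b64decode(saml_response_b64)).find(".//saml:Assertion", NS)
    except (ValueError, ET.ParseError):
        assertion = None
    if assertion is None:
        return [19]                              # InvalidRequest: partial or missing response
    codes = []
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_ts(cond.get("NotBefore")):
            codes.append(5)                      # SecurityTokenNotYetValid: IdP clock ahead
        if cond.get("NotOnOrAfter") and now >= parse_ts(cond.get("NotOnOrAfter")):
            codes.append(6)                      # SecurityTokenExpired: stale or IdP clock behind
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in assertion.findall(".//saml:Attribute", NS)}
    for name, code in REQUIRED.items():
        if not attrs.get(name) and code not in codes:
            codes.append(code)
    email = attrs.get("email", "")
    if email and "@" not in email:
        codes.append(13)                         # MissingEmailClaim also covers a malformed address
    return codes

def sample_response(email="alice@example.com", key_part_signature="sig-constructed"):
    """Constructed test response (not a real capture); pass "" to omit an attribute."""
    attrs = {"email": email, "DirectoryUserName": "CORP\\alice",
             "LastPassKeyPart": "k1-constructed", "LastPassKeyPartSignature": key_part_signature}
    body = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                   '</saml:Attribute>' for n, v in attrs.items() if v)
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"/>'
           f'<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

To check a real capture, pass the base64 SAMLResponse form value from the browser's network trace as the first argument and the AD FS server's current UTC time as the second; a non-empty result points at the matching rows above.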