ADFS - SAML service provider login page loop: 0xC00002FD An error occurred during Logon

prashanth v 1 Reputation point
2022-02-24T10:40:03.98+00:00

I setup the ADFS on windows server 2016 and added the relying party trust. There seem to be similar docs but I followed this https://help.talentlms.com/hc/en-us/articles/360014573874-How-to-configure-SSO-with-Microsoft-Active-Directory-Federation-Services-2-0-ADFS-2-0-Identity-Provider

I tried to login through the service provider and it directs to SSO page in AD FS but once I enter the correct credentials I see the same AD FS login page again - no errors. And, if i enter wrong credentials it displays the right error.

Upon some digging in Event Viewer on AD FS side I was able to see some Audit Failures under Security event viewer. It says the following error. I already chose SHA1 encryption for the relying party trust but still stuck with the below error.

Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain:

Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xC00002FD
Sub Status: 0x0

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,942 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,203 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-02-28T14:29:22.46+00:00

    Adding the Active Directory tag as this is not an AD FS centric issue.

    The error message format you have here looks like the content of an event id 4625 (please confirm). That's not an AD FS thing, that's Windows failing to authenticate the user. The error 0xC00002FD seem to map STATUS_KDC_UNKNOWN_ETYPE. Which looks like the issue is with a Kerberos authentication encryption type. Nothing to do with the AD FS relying party trust signature configuration.

    As this point, there's not much we can investigate on the AD FS servers. You will need to look at the Kerberos oeverall configuration of your environment. It looks like a Kerberos Encryption Type issue.

    Some element you can add to help us out...

    1. Give us the actual event id.
    2. Is the AD FS service account a gMSA account or a regular account?
    3. What is the version of your Active Directory domain controllers?
    4. Have you tried to test with a newly freshly created user on another machine? Maybe you have some restrictions on the Kerberos encryption type you can use with your account/machine.