ADFS authentication

Peter Osazuwa 21 Reputation points
2020-02-06T11:15:54.14+00:00

Hi,

Our users are having what seems like an ADFS authentication error code: "Reference number: d270fca6-e14e-4af0-80eb-efb29c74e535"

When I explored further it seems it has to do with the authentication certificate, as I received this message: "The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this user"

How do I reset this ADFS authentication?

The server is Windows 2008 R2 Standard, which of course is out of Microsoft support, so this forum is our only support and hope to find a fix!


Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2020-03-28T00:12:23.62+00:00

    First of all, the migration path to Windows Server 2012 R2 ADFS (and higher) is quite straightforward and well documented: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/migrate-ad-fs-service-role-to-windows-server-r2 (the document is for 2008 R2 to 2012 R2, but that's the same drift for 2016 and 2019). The upgrade is actually a parallel run. You export the config from the old farm and import it on the new one. Both can be active at the same time. Of course the users will still use the old one until you update your DNS and load balancers. And you can test it yourself by modifying the HOSTS file of your machine. In other words, I'd strongly recommend you upgrade. Not only is your version unsupported, but it also has no protection against password attacks, putting your environment at risk.

    Then, the reference number you quote (assuming it is from the ADFS error page) is an activity ID. It is like a GUID valid only for the specific context of that one user and connection. It is useless to share it with us. But you can look for that GUID in the event logs to see what actual message it is connected to.

    About your error message: it is possible that either the URI of your relying party has changed, or, if this message is displayed at the application level, that your Token Signing certificate has changed.

    Anyhow, if you are still working on this issue let us know.
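Added example (not part of either post in this thread): a PowerShell script that does the two checks the answer describes, looking up the activity ID in the AD FS event logs and comparing the farm's current token-signing certificate thumbprint with the thumbprints an application's web.config trusts in its IssuerNameRegistry. The log name, the web.config path and the sample activity ID are assumptions; on a 2008 R2 / AD FS 2.0 box the cmdlets come from the `Microsoft.Adfs.PowerShell` snap-in, on 2012 R2 and later from the `ADFS` module.

```powershell
# Added example, not from the thread. Run on an AD FS server as an administrator.
param(
    # Activity ID shown on the AD FS error page (constructed sample value).
    [string]$ActivityId = 'd270fca6-e14e-4af0-80eb-efb29c74e535',
    # Path to the relying party application's web.config (assumed location).
    [string]$AppWebConfig = 'C:\inetpub\wwwroot\MyApp\web.config'
)

# 1. Load the AD FS cmdlets: snap-in on AD FS 2.0 (2008 R2), module on 2012 R2+.
if (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue) {
    $adminLog = 'AD FS/Admin'
} else {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop
    $adminLog = 'AD FS 2.0/Admin'
}

# 2. Find the events that belong to this activity ID. The error page only shows
#    the GUID; the real failure reason is in the matching Admin log event.
Write-Host "Events for activity $ActivityId in '$adminLog':"
Get-WinEvent -LogName $adminLog -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.ActivityId -and $_.ActivityId.ToString() -eq $ActivityId) -or
        ($_.Message -like "*$ActivityId*")
    } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Compare the farm's token-signing certificate with what the application trusts.
$signing = Get-ADFSCertificate -CertificateType Token-Signing
$farmThumbs = $signing | ForEach-Object { $_.Certificate.Thumbprint.ToUpperInvariant() }
$primary = ($signing | Where-Object { $_.IsPrimary }).Certificate
Write-Host "Farm token-signing thumbprints: $($farmThumbs -join ', ')"
Write-Host "Primary certificate expires:    $($primary.NotAfter)"

if (Test-Path $AppWebConfig) {
    [xml]$cfg = Get-Content $AppWebConfig
    # WIF 3.5 uses microsoft.identityModel, WIF 4.5 uses system.identityModel;
    # both keep the trusted issuers under <issuerNameRegistry><trustedIssuers>.
    $trusted = $cfg.SelectNodes('//issuerNameRegistry/trustedIssuers/add') |
        ForEach-Object { $_.thumbprint.ToUpperInvariant() }
    Write-Host "Application trusts:             $($trusted -join ', ')"

    $missing = $farmThumbs | Where-Object { $trusted -notcontains $_ }
    if ($missing) {
        # A rolled-over signing certificate that the app never learned about
        # produces exactly the "issuer ... not recognized by the IssuerNameRegistry" error.
        Write-Warning "Token-signing certificate(s) not trusted by the application: $($missing -join ', ')"
        Write-Warning "Add the thumbprint to <trustedIssuers> in $AppWebConfig (or re-run the app's federation metadata update)."
    } else {
        Write-Host 'Application trusts the current token-signing certificate.'
    }
} else {
    Write-Warning "web.config not found at $AppWebConfig; skipped the IssuerNameRegistry comparison."
}
```

If the thumbprint comparison shows a mismatch while the relying party URI is unchanged, the certificate rollover is the cause; if the thumbprints match, the Admin log event for the activity ID will usually name the relying party identifier that AD FS could not match, which is the other possibility the answer mentions.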
