Error messages
Error messages appear in the web browser when something goes wrong with SAML SSO authentication.
Pre HTML5 loading
Error message | Notes |
---|---|
Unable to parse SAML Assertion | There was an error while parsing and validating the SAML Assertion. Further details can be found in HTML5 Logs. Most common causes: (1) "SAML Response is not valid for this audience": the most probable cause is a wrong configuration on the IdP, especially the Entity ID URL. The Entity ID URL in the assertion does not match the Entity ID provided in the SP SAML settings. (2) "Expected 1 Assertion or 1 EncryptedAssertion; found 0": the Assertion / EncryptedAssertion tag was not found in the response. The Web Client expects an encrypted assertion while the IdP is sending an unencrypted one. Fix this either by changing the IdP settings to send an encrypted assertion or by ticking the checkbox found in 'RAS Console > Connection > SAML > IDP Settings > Allow unencrypted assertion'. (3) "SAML Response is not yet valid": this might happen if the time of the server where RAS Gateway is installed is incorrect, for instance 4 seconds behind. In this case the server attempts to parse the assertion before, according to its own clock, the assertion was created. (4) "SAML Response is no longer valid": this might happen if the time of the server where RAS Gateway is installed is incorrect. If the clock is manually set to a future time, the assertion might be seen as no longer valid when it is validated. |
SAML Assertion body is empty | SAML Assertion was not found in the response. Further details can be found in HTML5 Logs. |
Unable to create SAML logout request | There was an error while creating SAML logout request. Further details can be found in HTML5 Logs. |
Unable to create SAML logout response | There was an error while creating logout response. Further details can be found in HTML5 Logs. |
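
The causes listed for "Unable to parse SAML Assertion" can be checked offline against a captured, base64-decoded SAML Response. The following is an added example, not part of the product or its documentation: the function name `diagnose`, the `skew` tolerance parameter, the sample XML and the `sp.example.test` URLs are constructed for illustration. It performs no signature verification or decryption.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: unencrypted assertion, wrong audience, NotBefore 4 s ahead of 10:00:00.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Conditions NotBefore="2024-05-01T10:00:04Z" NotOnOrAfter="2024-05-01T10:05:04Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test/wrong</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    # SAML timestamps are UTC xs:dateTime values such as 2024-05-01T10:00:04Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(response_xml, expected_entity_id, now, skew=timedelta(0)):
    """Return findings for a decoded SAML Response, given the SP Entity ID
    and the gateway server's current time (timezone-aware)."""
    root = ET.fromstring(response_xml)
    plain = root.findall("a:Assertion", NS)
    enc = root.findall("a:EncryptedAssertion", NS)
    findings = []
    if len(plain) + len(enc) != 1:
        findings.append(f"expected 1 Assertion or 1 EncryptedAssertion; found {len(plain) + len(enc)}")
    if plain and not enc:
        findings.append("assertion is not encrypted")  # needs 'Allow unencrypted assertion'
    for assertion in plain:  # conditions are only readable when not encrypted
        cond = assertion.find("a:Conditions", NS)
        if cond is None:
            continue
        audiences = [e.text.strip() for e in cond.iterfind(".//a:Audience", NS) if e.text]
        if expected_entity_id not in audiences:
            findings.append(f"audience mismatch: assertion names {audiences}")
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            findings.append(f"not yet valid: server clock is {_ts(nb) - now} before NotBefore")
        if noa and now - skew >= _ts(noa):
            findings.append(f"no longer valid: server clock is {now - _ts(noa)} past NotOnOrAfter")
    return findings

if __name__ == "__main__":
    server_now = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    for finding in diagnose(SAMPLE, "https://sp.example.test/sp", server_now):
        print(finding)
```

Pass the gateway server's own clock reading as `now` to reproduce what the server sees; a "not yet valid" finding of a few seconds points at time synchronization rather than at the IdP configuration.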
Post HTML5 loading
Error code | Error message | Notes |
---|---|---|
0x00000029 | SAML IdP settings not found. IdP Id:'xxx' | Check the Identity Provider settings. Check if the IdP metadata are correctly imported. |
0x0000002A | SAML IdP info keys loading failed. IdP Id:'xxx' | Check if the IdP certificate is present in the IdP settings. |
0x0000002B | SAML Theme mismatch | Check if the theme is correctly set in the IdP settings. |
0x0000002C | Logon using SAML failed. Error: 0x00001 | See errors below |
0x00000029 | No Enrollment Sever available | Check Enrollment server(s) status |
0x0000002A | Missing NLA User Configuration | Enter NLA User details |
0x00000003 | Logon using SAML failed. Error: Failed to match AD User. 0x00000006 | Check if the Attributes settings are correct in the IdP properties. |
0x00000003 | Logon using SAML failed. Error: Failed to validate and decrypt the response. 0x00000009 | Check if the IdP certificate is present in the IdP settings. |
0x00000003 | Logon using SAML failed. Error: Assertion not encrypted. 0x0000001C | Check if the IdP settings for the logon request are correct. |
0x00000003 | Logon using SAML failed. Error: Failed to decrypt the assertion. 0x0000001D | Check that the SP certificate is correctly set in the IdP settings. |
0x00000003 | Logon using SAML failed. Error: Failed to verify assertion. 0x0000001F | Check if the IdP certificate is present in the IdP settings. |
Once an application or desktop is launched
Error message | Description and reference |
---|---|
Invalid username or password | The user certificate is valid, but the domain controller did not accept it. Check the Kerberos logs on the domain controller. |
The system could not log you on. Your credentials could not be verified. | Check connectivity with the domain controller and check that the appropriate certificates are installed. |
The request is not supported | The "Domain Controller" and "Domain Controller Authentication" certificates on the domain controller require enrollment, even if they are already available. |
The system could not log you on. The smartcard certificate used for authentication was not trusted. | The intermediate and root certificates are not installed on the machine where the error is shown. The CA root certificate and any intermediate certificates must be added to the "Trusted root certificates" in the local computer account. |
You cannot logon because smart card logon is not supported for your account. | The user account has not been fully configured for smart card logon. |
No valid smart card certificate could be found. | Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits. |
Bad Request | Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits. |