Error messages

Error messages appear in the web browser when something goes wrong with SAML SSO authentication.

Pre HTML5 loading

Error message	Notes
Unable to parse SAML Assertion	There was an error while parsing and validating the SAML Assertion. Further details can be found in HTML5 Logs. Most common causes: SAML Response is not valid for this audience: The most probable cause for this issue is having wrong configuration on the IDP, especially the Entity ID URL. The entity ID URL in the assertion will not match with the Entity ID provided in the SP SAML settings. Expected 1 Assertion or 1 EncryptedAssertion; found 0: The Assertion / EncryptedAssertion tag was not found in the response. The Web Client will be expecting an encrypted assertion while the IDP is sending a non encrypted one. This can either be fixed by changing the IDP settings to send an encrypted assertion or tick the checkbox found in 'RAS Console > Connection > SAML > IDP Settings > Allow unencrypted assertion' SAML Response is not yet valid: This might happen if the time of the server where RAS Gateway is installed is incorrect, for instance 4 seconds behind. In this case the assert will be created before actually trying to parse it. SAML Response is no longer valid: This might happen if the time of the server where RAS Gateway is installed is incorrect. In case it's manually set in the future, assert might be seen as not valid anymore while trying to validate it.

SAML Assertion body is empty	SAML Assertion was not found in the response. Further details can be found in HTML5 Logs
Unable to create SAML logout request	There was an error while creating SAML logout request. Further details can be found in HTML5 Logs.
Unable to create SAML logout response	There was an error while creating logout response. Further details can be found in HTML5 Logs.

Error message

Notes

Unable to parse SAML Assertion

There was an error while parsing and validating the SAML Assertion. Further details can be found in HTML5 Logs.

Most common causes:

SAML Response is not valid for this audience: The most probable cause for this issue is having wrong configuration on the IDP, especially the Entity ID URL. The entity ID URL in the assertion will not match with the Entity ID provided in the SP SAML settings.

Expected 1 Assertion or 1 EncryptedAssertion; found 0: The Assertion / EncryptedAssertion tag was not found in the response. The Web Client will be expecting an encrypted assertion while the IDP is sending a non encrypted one. This can either be fixed by changing the IDP settings to send an encrypted assertion or tick the checkbox found in 'RAS Console > Connection > SAML > IDP Settings > Allow unencrypted assertion'

SAML Response is not yet valid: This might happen if the time of the server where RAS Gateway is installed is incorrect, for instance 4 seconds behind. In this case the assert will be created before actually trying to parse it.

SAML Response is no longer valid: This might happen if the time of the server where RAS Gateway is installed is incorrect. In case it's manually set in the future, assert might be seen as not valid anymore while trying to validate it.

SAML Assertion body is empty

SAML Assertion was not found in the response. Further details can be found in HTML5 Logs

Unable to create SAML logout request

There was an error while creating SAML logout request. Further details can be found in HTML5 Logs.

Unable to create SAML logout response

There was an error while creating logout response. Further details can be found in HTML5 Logs.

Post HTML5 loading

Error code	Error message	Notes
0x00000029	SAML IdP settings not found. IdP Id:'xxx'	Check the Identity Provider settings. Check if the IdP metadata are correctly imported.
0x0000002A	SAML IdP info keys loading failed. IdP Id:'xxx'	Check if the IdP certificate is present in the IdP settings.
0x0000002B	SAML Theme mismatch	Check if the theme is correctly set in the IdP settings.
0x0000002C	Logon using SAML failed. Error: 0x00001	See errors below
0x00000029	No Enrollment Sever available	Check Enrollment server(s) status
0x0000002A	Missing NLA User Configuration	Enter NLA User details
0x00000003	Logon using SAML failed. Error: Failed to match AD User. 0x00000006	Check if the Attributes settings are correct in the IdP properties.
0x00000003	Logon using SAML failed. Error: Failed to validate and decrypt the response. 0x00000009	Check if the IdP certificate is present in the IdP settings.
0x00000003	Logon using SAML failed. Error: Assertion not encrypted. 0x0000001C	Check if the IdP settings for the logon request are correct.
0x00000003	Logon using SAML failed. Error: Failed to decrypt the assertion. 0x0000001D	Check the SP certificate is correctly set in the IdP settings.
0x00000003	Logon using SAML failed. Error: Failed to verify assertion. 0x0000001F	Check if the IdP certificate is present in the IdP settings.

Error code

Error message

Notes

0x00000029

SAML IdP settings not found. IdP Id:'xxx'

Check the Identity Provider settings. Check if the IdP metadata are correctly imported.

0x0000002A

SAML IdP info keys loading failed. IdP Id:'xxx'

Check if the IdP certificate is present in the IdP settings.

0x0000002B

SAML Theme mismatch

Check if the theme is correctly set in the IdP settings.

0x0000002C

Logon using SAML failed. Error: 0x00001

See errors below

0x00000029

No Enrollment Sever available

Check Enrollment server(s) status

0x0000002A

Missing NLA User Configuration

Enter NLA User details

0x00000003

Logon using SAML failed. Error: Failed to match AD User. 0x00000006

Check if the Attributes settings are correct in the IdP properties.

0x00000003

Logon using SAML failed. Error: Failed to validate and decrypt the response. 0x00000009

Check if the IdP certificate is present in the IdP settings.

0x00000003

Logon using SAML failed. Error: Assertion not encrypted. 0x0000001C

Check if the IdP settings for the logon request are correct.

0x00000003

Logon using SAML failed. Error: Failed to decrypt the assertion. 0x0000001D

Check the SP certificate is correctly set in the IdP settings.

0x00000003

Logon using SAML failed. Error: Failed to verify assertion. 0x0000001F

Check if the IdP certificate is present in the IdP settings.

Once an application or desktop is launched

Error message	Description and reference
Invalid username or password	The user certificate is valid, but the domain controller did not accept it. Check the Kerberos logs on the domain controller.
The system could not log you on. Your credentials could not be verified.	Check connectivity with the domain controller and check that the appropriate certificates installed.
The request is not supported	The "Domain Controller" and "Domain Controller Authentication" certificates on Domain Controller require enrolling, even if they are already available.
The system could not log you on. The smartcard certificate used for authentication was not trusted.	The intermediate and root certificates are not installed on the machine where the error is shown. The CA root certificate and any intermediate certificates must be added to the "Trusted root certificates"in the local computer account.
You cannot logon because smart card logon is not supported for your account.	The user account has not been fully configured for smart card logon.
No valid smart card certificate could be found.	Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.
Bad Request	Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.

Error message

Description and reference

Invalid username or password

The user certificate is valid, but the domain controller did not accept it. Check the Kerberos logs on the domain controller.

The system could not log you on. Your credentials could not be verified.

Check connectivity with the domain controller and check that the appropriate certificates installed.

The request is not supported

The "Domain Controller" and "Domain Controller Authentication" certificates on Domain Controller require enrolling, even if they are already available.

The system could not log you on. The smartcard certificate used for authentication was not trusted.

The intermediate and root certificates are not installed on the machine where the error is shown. The CA root certificate and any intermediate certificates must be added to the "Trusted root certificates"in the local computer account.

You cannot logon because smart card logon is not supported for your account.

The user account has not been fully configured for smart card logon.

No valid smart card certificate could be found.

Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.

Bad Request

Check the configuration of the PrlsSmartcardCertificate. The extensions might not be set correctly, or the RSA key is less than 2048 bits.

PreviousTest the SAML SSO deployment NextParallels Web Client and User Portal