MSIS9459: Unable to use the enrollment certificate ADFS

vferna 1 Reputation point
2020-10-01T21:01:48.213+00:00

Our AD FS 2016 server is getting the below Event ID 1021:

Log Name:
Source: AD FS
Date: 10/1/2020 4:58:01 PM
Event ID: 1021
Task Category: None
Level: Error
Keywords: AD FS
User:
Computer:
Description:
Encountered error during OAuth token request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthJWTBearerException: MSIS9421: Received invalid OAuth JWT Bearer request. The JWT Bearer request to get Primary Refresh Token must contain 'aza' scope.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateJWTBearer()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>1021</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2020-10-01T20:58:01.855144700Z" />
<EventRecordID>587123</EventRecordID>
<Correlation ActivityID="{DDD0A56D-ADD6-4721-8038-C66D5B32BA03}" />
<Execution ProcessID="10492" ThreadID="14856" />
<Channel>AD FS/Admin</Channel>
<Computer></Computer>
<Security UserID="" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthJWTBearerException: MSIS9421: Received invalid OAuth JWT Bearer request. The JWT Bearer request to get Primary Refresh Token must contain 'aza' scope.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateJWTBearer()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

</Data>
</EventData>
</Event>
</UserData>
</Event>

Log Name:
Source: AD FS
Date: 10/1/2020 4:58:02 PM
Event ID: 1021
Task Category: None
Level: Error
Keywords: AD FS
User:
Computer:
Description:
Encountered error during OAuth token request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthLogonCertCreationException: MSIS9459: Unable to use the enrollment certificate. Certificate was null.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthCertificateHandler.BuildUserLogonCertificate(String pkcs10EncodedCsr, IClaimsIdentity identity, DateTime notAfter, CertificateAuthorityConfiguration caConfiguration, String templateName, X509Certificate2& issuedCert)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.UpdateResponseForWinHelloCertRequest(OAuthJWTBearerRequestContext jwtBearerContext, OAuthAccessTokenResponseMessage responseMessage, SecurityTokenElement signOnTokenElement)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
<EventID>1021</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000001</Keywords>
<TimeCreated SystemTime="2020-10-01T20:58:02.455017400Z" />
<EventRecordID>587124</EventRecordID>
<Correlation ActivityID="{DDD0A56D-ADD6-4721-8038-C66D5B32BA03}" />
<Execution ProcessID="10492" ThreadID="14856" />
<Channel>AD FS/Admin</Channel>
<Computer></Computer>
<Security UserID="" />
</System>
<UserData>
<Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
<EventData>
<Data>Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthLogonCertCreationException: MSIS9459: Unable to use the enrollment certificate. Certificate was null.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthCertificateHandler.BuildUserLogonCertificate(String pkcs10EncodedCsr, IClaimsIdentity identity, DateTime notAfter, CertificateAuthorityConfiguration caConfiguration, String templateName, X509Certificate2& issuedCert)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.UpdateResponseForWinHelloCertRequest(OAuthJWTBearerRequestContext jwtBearerContext, OAuthAccessTokenResponseMessage responseMessage, SecurityTokenElement signOnTokenElement)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

</Data>
</EventData>
</Event>
</UserData>
</Event>
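As an added diagnostic example (not part of the original question and not Microsoft's own guidance), the PowerShell below does the two things a practitioner would want to do first with the events above: it pulls Event ID 1021 from the AD FS/Admin channel, tags each event with its MSIS code and correlation ActivityID so that events from the same request (both events above share ActivityID {DDD0A56D-ADD6-4721-8038-C66D5B32BA03}) are shown together, and then reads the Windows Hello for Business certificate-trust configuration that `BuildUserLogonCertificate` depends on, since MSIS9459 reports that the enrollment certificate was null. It assumes it is run in an elevated session on the AD FS 2016 server with the ADFS PowerShell module available; the 24-hour lookback window and the `$Lookback` name are my choices, and the `Get-AdfsCertificateAuthority` cmdlet is the one that exposes the enrollment-agent and logon-certificate template settings.

```powershell
# Added diagnostic example (not from the original post). Assumes an elevated
# PowerShell session on the AD FS 2016 server with the ADFS module installed.
Import-Module ADFS -ErrorAction Stop

# 1. Collect Event ID 1021 ("Encountered error during OAuth token request")
#    from the AD FS/Admin channel. The 24-hour window is an arbitrary choice.
$Lookback = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'AD FS/Admin'
    Id        = 1021
    StartTime = $Lookback
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 1021 entries in AD FS/Admin since $Lookback"
}

# 2. Pull the MSIS code, the exception type and the correlation ActivityID
#    out of each event. ActivityID is what ties the MSIS9421 and MSIS9459
#    events above to one OAuth JWT bearer request.
$parsed = foreach ($e in $events) {
    $msg  = [string]$e.Message
    $code = if ($msg -match 'MSIS\d{4}') { $Matches[0] } else { 'unknown' }
    $exc  = if ($msg -match '([A-Za-z0-9_.]+Exception):') { $Matches[1] } else { 'unknown' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        RecordId   = $e.RecordId
        ActivityId = $e.ActivityId
        Code       = $code
        Exception  = $exc
    }
}

# 3. Summarise by MSIS code so the dominant failure is obvious.
Write-Host "`n== Event 1021 by MSIS code =="
$parsed | Group-Object Code |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 4. Show every ActivityID that produced more than one distinct code.
#    Each group is one request that failed at more than one stage, e.g.
#    'aza' scope validation (MSIS9421) and then logon-certificate issuance
#    (MSIS9459) in the Windows Hello certificate path.
Write-Host "== Requests with more than one failure code =="
$parsed | Group-Object ActivityId |
    Where-Object { @($_.Group.Code | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        Write-Host "ActivityID $($_.Name)"
        $_.Group | Sort-Object Time | Format-Table Time, RecordId, Code, Exception -AutoSize
    }

# 5. MSIS9459 says the enrollment certificate was null when AD FS tried to
#    build the user logon certificate. Dump the certificate-authority
#    configuration AD FS uses for Windows Hello for Business certificate
#    trust so the enrollment-agent and logon-certificate template settings
#    can be checked against the CA. The property names are whatever the
#    cmdlet returns on this server; they are listed, not assumed.
Write-Host "== AD FS certificate authority (Windows Hello cert trust) config =="
Get-AdfsCertificateAuthority | Format-List *
```

Run this on the same AD FS node that logged the events (Event 1021 is written on the node that served the request, so on a farm check each node or the one behind the load balancer that the device hit). The `Format-List *` output is what to compare against the CA: whether an enrollment-agent certificate and logon-certificate template are configured at all is the first thing to confirm before looking anywhere else for a null enrollment certificate.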

Active Directory Federation Services