Recently I was investigating a problem at a customer project where the client was trying to authenticate to ADFS using Kerberos, but authentication always failed with the ADFS error “Message security verification failed.” The ADFS event log did not show any errors. After enabling WCF and WIF tracing in the ADFS service configuration file, I finally got the actual reason these authentication requests were failing:
System.ServiceModel.Security.MessageSecurityException: Message security verification failed.
System.IdentityModel.Tokens.SecurityTokenException: The AcceptSecurityContext failed.
System.ComponentModel.Win32Exception: The logon attempt failed.
It took me a while to figure this out, but the error was caused by a Service Principal Name (SPN) for the Federation Service that was not registered in Active Directory. The ADFS server was configured to use a SQL Server farm for the configuration database, and in that case the SPN must be registered on the ADFS service account. The SPN has the following format: host/{Federation Service Name}.
The setspn.exe tool, which ships with Windows 7 and Windows Server 2008 R2, can be used to register and unregister SPNs.
Use the following command to list the SPNs registered on the ADFS service account and check that the host/ SPN is among them:
setspn -l DOMAIN\{ADFS service account}
Use the following command to register the SPN with the ADFS service account:
setspn -a host/{Federation Service Name} DOMAIN\{ADFS service account}
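The two commands above check and register the SPN on one account; what they do not tell you is whether the same SPN is already sitting on a different object (a common leftover of an earlier ADFS install on the server's computer account), which breaks Kerberos just as reliably as a missing SPN. The following PowerShell script is an added example, not code from the original post: it queries the forest for the SPN, compares the result with the service account, and only registers when the SPN exists nowhere. The federation service name fs.contoso.com and the account CONTOSO\svc-adfs are placeholders; pass your own values as parameters.

```powershell
# Added example, not code from the original post. The federation service
# name (fs.contoso.com) and service account (CONTOSO\svc-adfs) are
# placeholders; pass your own values as parameters.
param(
    [string]$FederationServiceName = 'fs.contoso.com',
    [string]$ServiceAccount        = 'CONTOSO\svc-adfs'
)

$spn = "host/$FederationServiceName"

# Which objects in the forest already carry this SPN? setspn -Q prints the
# distinguished name of every object holding it; more than one is a
# duplicate SPN, which breaks Kerberos for the service as surely as a
# missing one does.
$holders = @(setspn -Q $spn | Where-Object { $_ -match '^CN=' })

if ($holders.Count -gt 1) {
    Write-Warning "$spn is registered on $($holders.Count) objects; Kerberos will fail until only one remains:"
    $holders | ForEach-Object { Write-Warning "    $_" }
    Write-Warning "Remove it from the wrong object with: setspn -D $spn <object>"
    return
}

# SPNs currently registered on the service account. setspn -L prints a
# header line followed by one indented SPN per line; keep only the SPNs.
$registered = @(setspn -L $ServiceAccount |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -match '/' })

# -contains on strings is case-insensitive, matching how the KDC compares SPNs.
if ($registered -contains $spn) {
    Write-Host "OK: $spn is registered on $ServiceAccount"
    return
}

if ($holders.Count -eq 1) {
    # Registered, but on some other object (often the ADFS server's computer
    # account). Move it rather than add a second copy.
    Write-Warning "$spn exists on $($holders[0]) but not on $ServiceAccount."
    Write-Warning "Fix: setspn -D $spn <that object>, then re-run this script."
    return
}

# Not registered anywhere: add it. -S (rather than -A) checks for duplicates
# before writing, so a race with another administrator cannot create two.
Write-Host "Registering $spn on $ServiceAccount"
setspn -S $spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }
```

Run it from an elevated prompt on a domain-joined machine with the setspn.exe version from Windows 7 / Windows Server 2008 R2 (or later), which is the version that has the -Q and -S switches. Two caveats worth keeping in mind: Kerberos clients ask for HTTP/{Federation Service Name}, and Windows only maps that request onto the host/ SPN when no explicit http/ SPN exists, so a stray http/{Federation Service Name} on another account will also send the client to the wrong principal (extend the query to that SPN if you suspect it); and after registering or moving an SPN, the failing client needs a fresh ticket (klist purge, or a new logon) before it will succeed.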

