
April 26, 2017

AADSTS50008: Unable to verify token signature

Scenario

So we have recently implemented AAD Connect to synchronise on-premises AD with Azure AD.  We opted for federated login to O365 using on-premises ADFS servers.  We started off with a single primary domain but later introduced a secondary UPN suffix for a different business unit that has a different primary SMTP address.

I configured the additional domain in Azure AD and verified it using TXT records.  I then went to the AAD Connect server, opened the existing configuration, chose the option “Add an additional Azure AD Domain” and followed the wizard prompts, providing my Global Administrator account and a local domain admin account so the wizard could configure the additional domain on the ADFS servers.  Adding the additional domain completed without any error.

Problem

Once I had assigned O365 licences to the users with the new UPN suffix (let’s call it “domain2.com”, so those accounts had UPNs ending in @domain2.com), they logged on to https://portal.office.com, entered their UPN and password, and the O365 tenant passed the authentication request back to the ADFS service URL as expected.  The users were then presented with a login error page carrying the message in this post’s title: AADSTS50008: Unable to verify token signature.

So I jumped onto my best friend Google and searched for the error “AADSTS50008 Unable to verify token signature”.

I found a few good articles with some plausible fixes, which boiled down to the following.

  • Time sync is out between the PDC and the ADFS server.  I checked that with w32tm /query /status; the configured time source was good and in sync.
  • Suggestions (in a linked article) to enable multi-domain federation support.  It had some good ideas, none of which worked for me, and most of the commands applied to ADFS 2.0 whereas I had ADFS 3.0.
  • I also searched the event logs on the ADFS server for anything obvious, but nothing was logged.


Solution

I logged a support call with Microsoft and they made the following suggestion.  The reasoning behind it: the issuerid claim tells Azure AD which federated domain’s settings to use when validating the token, so if the value ADFS issues does not match the IssuerUri registered for the user’s domain, Azure AD cannot find a matching signing key and rejects the token with AADSTS50008.

  1. Log on to the ADFS server and open the AD FS Management console.
  2. Select the Relying Party Trusts folder.
  3. Select “Microsoft Office 365 Identity Platform”, right-click it and select “Edit Claim Rules”.
  4. There are several claim rules created by the AAD Connect wizard.
  5. Select the “Issue issuerid when it is not a computer account” rule and make sure it is configured as in the FIXED block below.  The code below shows what was configured before I changed it and after.  Note: make a backup of your configuration to a text file before pasting in the changes.  Once the changes have been pasted in, save and close the claim rule and test.
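The same change as steps 1 to 5, scripted with the ADFS PowerShell cmdlets so that the backup is taken and the edit applied in one go.  This is an added example, not code from the original post or from Microsoft support.  It assumes the relying party trust still has the name AAD Connect gives it (“Microsoft Office 365 Identity Platform”), that the issuerid rule still contains the default regular expression shown under PREVIOUS below, and that it is run in an elevated PowerShell session on the primary ADFS 3.0 server; the backup folder name is an arbitrary choice.

```powershell
# Added example (not from the original post or from Microsoft support): scripted
# equivalent of steps 1-5. Run elevated on the primary ADFS (3.0) server.
# Assumptions: RP trust name as created by AAD Connect; issuerid rule still holds the
# default regex; C:\ADFSBackup is an arbitrary backup location.
Import-Module ADFS

$rpName     = 'Microsoft Office 365 Identity Platform'
$backupPath = "C:\ADFSBackup\O365-IssuanceRules-$(Get-Date -Format 'yyyyMMdd-HHmmss').txt"

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }

# Step 5's "make a backup": dump the complete issuance transform rule set before touching it.
New-Item -ItemType Directory -Path (Split-Path -Parent $backupPath) -Force | Out-Null
$rp.IssuanceTransformRules | Out-File -FilePath $backupPath -Encoding UTF8
Write-Host "Current rules backed up to $backupPath"

# PREVIOUS and FIXED differ only in the regex literal handed to regexreplace(), so swap
# that one literal (ordinal string replace, no regex involved) and leave every other
# rule in the set untouched. Single quotes keep $ and ( ) literal in PowerShell.
$oldRegexLiteral = '"^((.*)([.|@]))?(?<domain>[^.]*[.].*)$"'
$newRegexLiteral = '".+@(?<domain>.+)"'

$updatedRules = $rp.IssuanceTransformRules.Replace($oldRegexLiteral, $newRegexLiteral)
if ($updatedRules -eq $rp.IssuanceTransformRules) {
    throw 'Default issuerid regex not found; the rule set has already been customised, edit it by hand.'
}

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $updatedRules

# Show the issuerid rule as it now stands so it can be eyeballed before testing a login.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -split "`r?`n" |
    Select-String -SimpleMatch 'issuerid'

# Roll back, if needed, from the backup taken above:
#   Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRulesFile $backupPath
```

The script refuses to apply anything if the default regex is not found verbatim, which is the case to look out for: a rule set that someone has already hand-edited should be changed in the console, not by a blind string replace.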

Below is the configuration I had pre/post change.

PREVIOUS (not working)

c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, "^((.*)([.|@]))?(?<domain>[^.]*[.].*)$", "http://${domain}/adfs/services/trust/"));

FIXED (the only difference is the regular expression passed to regexreplace)

c1:[Type == "http://schemas.xmlsoap.org/claims/UPN"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c1.Value, ".+@(?<domain>.+)", "http://${domain}/adfs/services/trust/"));
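To see why the two rules behave differently, the expressions can be run through the .NET regex engine (ADFS is a .NET application and the (?<domain>...) named-group syntax in its claim rule language is .NET syntax) against a handful of UPNs, and the result compared with the IssuerUri Azure AD holds for each federated domain.  This is an added example, not code from the original post.  The sample UPNs are constructed; domain1.com and domain2.com are stand-ins for your verified domains; and the final check assumes the MSOnline module is installed and Connect-MsolService has already been run.

```powershell
# Added example (not from the original post): evaluate both issuerid expressions with the
# .NET regex engine on constructed UPNs, then compare against Azure AD's registered IssuerUri.
# Assumptions: sample UPNs and domain names are made up; MSOnline module present and
# Connect-MsolService already run for the Azure AD check at the end.
$previousPattern = '^((.*)([.|@]))?(?<domain>[^.]*[.].*)$'
$fixedPattern    = '.+@(?<domain>.+)'
$issuerTemplate  = 'http://${domain}/adfs/services/trust/'   # ${domain} = the named group

function Get-IssuerId {
    param([string]$Upn, [string]$Pattern)
    # Regex.Replace hands the input back unchanged when the pattern does not match,
    # which would show up as the raw UPN in the table below.
    [regex]::Replace($Upn, $Pattern, $issuerTemplate)
}

# Constructed sample UPNs covering the shapes that make the two expressions disagree.
$sampleUpns = @(
    'user@domain2.com',
    'first.last@domain2.com',
    'user@domain2.co.uk',
    'user@sub.domain2.com'
)

$sampleUpns | ForEach-Object {
    [pscustomobject]@{
        UPN      = $_
        Previous = Get-IssuerId -Upn $_ -Pattern $previousPattern
        Fixed    = Get-IssuerId -Upn $_ -Pattern $fixedPattern
    }
} | Format-Table -AutoSize

# Whatever the rule emits has to equal the IssuerUri Azure AD holds for that federated
# domain; a mismatch is what surfaces as AADSTS50008 at portal.office.com.
foreach ($domain in @('domain1.com', 'domain2.com')) {    # replace with your verified domains
    $expected = (Get-MsolDomainFederationSettings -DomainName $domain).IssuerUri
    $actual   = Get-IssuerId -Upn "someone@$domain" -Pattern $fixedPattern
    $verdict  = if ($expected -eq $actual) { 'OK' } else { 'MISMATCH' }
    '{0}: Azure AD expects {1}, fixed rule issues {2} -> {3}' -f $domain, $expected, $actual, $verdict
}
```

The previous expression backtracks to the last “.” or “@” that still leaves a dotted tail, so it reduces any suffix to its final two labels: domain2.com for the first two samples, but co.uk for user@domain2.co.uk and domain2.com (not sub.domain2.com) for user@sub.domain2.com.  The fixed expression simply keeps everything after the last “@”.  That is also the caveat: if a child domain was registered in Azure AD to share its parent’s issuer, the fixed rule now emits a different value for it, so run the final loop for every federated domain rather than assuming either expression is right for all of them.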


I hope this helps some of you out there.

One Comment on “AADSTS50008: Unable to verify token signature”

Tom R
May 24, 2017 at 8:42 pm

Hi Gareth,
Thank you so much for this post, I have been trying for hours to fix this issue and nothing logged anywhere, just this generic error message. I would never have fixed it had you not had exactly the same issue and posted about it.

You are a true star 🙂
