
Troubleshoot AD FS login problems

Created by j.moore, last modified by r.turner on 22 Jul 2020

If you are having AD FS login problems, check that the following settings are configured correctly. A debug step you can try is described at the end.


  1. In the Management Console navigate to Global Settings.
  2. Look up the ContensisGuiURL setting and check if the Setting Value has https:// defined at the start of it (non-https will not work).

AD FS server configuration

Has the AD FS server been configured correctly? Check this common cause of login problems very carefully: are all the necessary trusts and claims for Contensis present and configured correctly?

CMS settings

  1. In the Management Console navigate to Global Settings:
    The ADFS_Enabled global setting should be set to 1.
    The ADFS_MetadataEndpoint global setting should have the link to the metadata endpoint on your AD FS server. This will be in the following format:

  2. Double-check that you can access this from the CMS server. To do this, log on to the server and run the following command in PowerShell, using your ADFS_MetadataEndpoint value as the URI:
Invoke-WebRequest -Uri "<ADFS_MetadataEndpoint value>" -UseBasicParsing

If the metadata endpoint is configured correctly you should get a StatusCode of 200 and the Content will start with <EntityDescriptor....

Machine.config machinekey validation

  1. Open the machine.config file on your CMS server. It can be found in c:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
  2. Search for the <machineKey> element. You will see something like:
<machineKey validationKey="E1D4A7ACE716CC17B9BE3F1794AB117E7CB771B878253727" decryptionKey="E8969B07BF46F3FF659E008495F1EA5163EBDC0E50B6024E" validation="SHA1"/>

Make sure that the validation property is set to SHA1 and not anything else. If it is set to something else, change it and then restart IIS.
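
The metadata endpoint check and the machineKey check above can be scripted so they are repeatable on each CMS server. This is an added example, not code from Contensis; the function names Test-AdfsMetadataEndpoint and Test-MachineKeyValidation are hypothetical, and the metadata URL is a placeholder you replace with your own ADFS_MetadataEndpoint value.

```powershell
# Added example; function names are hypothetical, not part of Contensis or AD FS.

function Test-AdfsMetadataEndpoint {
    param([Parameter(Mandatory)][string]$MetadataUrl)   # value of ADFS_MetadataEndpoint
    try {
        $resp = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing -ErrorAction Stop
    } catch {
        # DNS, TLS, firewall and HTTP error responses all land here
        return [pscustomobject]@{ Ok = $false; Detail = "Request failed: $($_.Exception.Message)" }
    }
    # Content is a string for text responses and byte[] otherwise
    $body = if ($resp.Content -is [byte[]]) {
        [Text.Encoding]::UTF8.GetString($resp.Content)
    } else { [string]$resp.Content }
    # Assumption: tolerate a BOM, whitespace or an XML declaration before the root element
    $isMetadata = $body -match '^\uFEFF?\s*(<\?xml[^>]*\?>\s*)?<EntityDescriptor'
    [pscustomobject]@{
        Ok     = ($resp.StatusCode -eq 200) -and $isMetadata
        Detail = "StatusCode=$($resp.StatusCode); starts with <EntityDescriptor: $isMetadata"
    }
}

function Test-MachineKeyValidation {
    param([string]$ConfigPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config')
    if (-not (Test-Path -LiteralPath $ConfigPath)) {
        return [pscustomobject]@{ Ok = $false; Detail = "Not found: $ConfigPath" }
    }
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $node = $cfg.SelectSingleNode('//machineKey')
    if (-not $node) {
        return [pscustomobject]@{ Ok = $false; Detail = 'No <machineKey> element present' }
    }
    $validation = $node.GetAttribute('validation')
    # Report only the attribute; never echo validationKey or decryptionKey into logs
    [pscustomobject]@{
        Ok     = $validation -eq 'SHA1'
        Detail = "validation='$validation'"
    }
}

# Replace the placeholder with the ADFS_MetadataEndpoint value from Global Settings
Test-AdfsMetadataEndpoint -MetadataUrl '<ADFS_MetadataEndpoint value>'
Test-MachineKeyValidation
```

Each function returns an object with Ok and Detail, so a failed request or a missing <machineKey> element is reported rather than thrown.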

Debug using verbose logging

Follow the steps below to set up tracing on IdentityServer, and then attempt to log in using AD FS or log out. Any issues should appear in the logs.

Set up tracing on IdentityServer

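<system.diagnostics>
  <trace autoflush="true">
    <listeners>
      <add name="myListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="%some directory%/Trace.log" />
      <remove name="Default" />
    </listeners>
  </trace>
</system.diagnostics>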
  1. Add the XML above to the web.config file for the CMS instance, and change the Contensis_DebugInfoLevel to Debug in the web.config.
  2. Ensure that the CMS has access to the directory specified in the initializeData setting.
  3. Save web.config.