Message

The AD FS Web Agent for Windows NT token-based applications could not contact the Federation Service during startup. Federation Service URL: {fsUrl} The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service. User Action Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server. Ensure that this Web server is joined to an Active Directory Domain Services domain. Ensure that the ADFS Web Agent Authentication Service is started.

Fields

Message

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.

Message

The AD FS Web Agent for Windows NT token-based applications was unable to authenticate a client token. User Action Look for additional events in the application log and the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. The client was successfully authenticated using the token from the Federation Service; but the Web agent was not able to redirect the client back to the application page that was originally requested. User Action If this error persists; enable the AD FS troubleshooting log.

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. The cookies that were presented by the client could not be validated. This condition occurs when a client presents well-formed cookies that are not valid. If the client is known to be a valid user; this error might be caused by a transient issue. For instance; trust properties (for example; certificates) may have changed recently or revocation status may not be available from the certification authority. User Action Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. The Web agent was not able to redirect the unauthenticated client to the Federation Service. User Action If this error persists; enable the AD FS troubleshooting log.

Message

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension encountered a serious error. The AD FS configuration information could not be retrieved from the Internet Information Services (IIS) configuration. The Web agent will not be able to authenticate users until it can retrieve configuration information from the IIS metabase. This condition can occur if the IIS metabase schema extension fails during AD FS setup.

Message

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension was unable to obtain a Windows NT token from the authentication service. An anonymous token will be generated for this request. User Action Ensure that this application is configured as a Windows NT token-based application in the Federation Service trust policy. If the user comes from an account partner where Windows Trust may be applicable; ensure that Windows Trust is enabled for the account partner and that the account partner has enabled Windows Trust for this resource partner. If you are using shadow accounts:  - Ensure that a shadow account exists for this user.  - Ensure that user principal name (UPN) claims or e-mail claims are enabled for this application.  - Ensure that UPN claims or e-mail claims are being produced for this user by the account store or the account partner. Additional Data Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. The account name for this user could not be retrieved from the Windows NT token. Additional Data The data field contains the Win32 error code.

Message

A failure was encountered while trying to set the user name custom header. User Name: {username} Additional Data The data field contains the Win32 error code.

Fields

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. Memory allocation failed. Until memory can be allocated; users will be unable to access protected resources. User Action Check memory usage on the server.

Message

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the Federation Service in the Internet Information Services (IIS) configuration. The Web agent will not be able to generate Windows NT tokens for users until it can find the Federation Service URL. Claims-aware applications are not affected by this condition. User Action Ensure that the Federation Service URL is configured in the IIS Manager Web Sites property page.

Message

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the application return in the Internet Information Services (IIS) configuration. The Web agent will not be able to generate Windows NT tokens for users until it can find the application return URL. Claims-aware applications are not affected by this condition. User Action Ensure that the return URL is configured in the IIS Manager Virtual Directory property page.

Message

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. Registration for change notification in the Internet Information Services (IIS) configuration failed. This condition prevents the Web agent authentication service from starting. Users will not be able to access protected resources until the authentication service can be restarted. Additional Data The data field contains an HRESULT error code.

Message

The AD FS Web Agent Authentication Service could not start. The authentication service has not been configured to run as a principal that has been granted the 'Generate Security Audits' privilege (SeAuditPrivilege). Users will not be able to access protected resources until the authentication service can be restarted. User Action Either grant the AD FS authentication service principal the 'Generate Security Audits' privilege or configure the authentication service to run as a principal that has already been granted the 'Generate Security Audits' privilege. (For example; configure the authentication service to run as LocalSystem.)

Message

The AD FS Web Agent Authentication Service was not able to start. A failure was encountered when registering as an event source. Users will not be able to access protected resources until the authentication service can be restarted. Additional Data The data field contains a Win32 error code.

Message

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the 'Act as part of the operating system' privilege (SeTcbPrivilege). Users will not be able to access protected resources until the authentication service can be restarted. User Action Either grant the AD FS authentication service principal the 'Act as part of the operating system' privilege or configure the service to run as a principal that has already been granted the 'Act as part of the operating system' privilege. (For example; configure the authentication service to run as LocalSystem.)

Message

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the 'Impersonate a client after authentication' privilege (SeImpersonatePrivilege). Users will not be able to access protected resources until the authentication service can be restarted. User Action Either grant the AD FS authentication service principal the 'Impersonate a client after authentication' privilege or configure the service to run as a principal that has already been granted the 'Impersonate a client after authentication' privilege. (For example; configure the authentication service to run as LocalSystem.) This privilege is granted by default to the SERVICE group; but on a hardened server it may be necessary to grant the privilege explicitly.

Message

The AD FS Web Agent Authentication Service received a remote procedure call (RPC) from a user who is not in the IIS_IUSRS group. This request will be denied. User Action If this error results in failed AD FS authentications; ensure that the failing Internet Information Services (IIS) application pool's identity is a member of the IIS_IUSRS group.

Message

The AD FS Web Agent Authentication Service encountered an invalid configuration value for a parameter in the registry. Registry value: {configurationParameter} The authentication service will default to the minimum allowed value for this parameter until the parameter is changed to a valid value. User Action Increase the parameter value to a value that is within the valid range. Additional Data The data field contains the current (too-small) value of the parameter.

Fields

Message

The AD FS Web Agent for Windows NT token-based applications could not contact the Federation Service during startup. Federation Service URL: could not be obtained The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service. User Action Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server. Ensure that this Web server is joined to an Active Directory Domain Services domain.

Message

During processing of web.config section '{configurationSection}'; the parameter '{configurationParameter}' was found to have invalid data. The configured data '{configuredValue}' could not be parsed as type '{desiredType}'. Section: {configurationSection} Parameter: {configurationParameter} Data: {configuredValue} Type: {desiredType} The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected. User Action Correct the specified web.config parameter to conform to the given type.

Fields

Message

During processing of web.config section '{configurationSection}'; the parameter '{configurationParameter}' was found to have invalid data. The private key for the certificate that was identified by the thumbprint '{certificateThumbprint}' could not be accessed. Section: {configurationSection} Parameter: {configurationParameter} Thumbprint: {certificateThumbprint} The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected. This condition can occur when the certificate that is identified by the thumbprint is found in the Local Computer Personal store but there is a problem accessing the certificate's private key. Common causes for this condition include the following: (1) The certificate was installed from a source that did not include the private key; such as a .cer or .p7b file. (2) The certificate's private key was imported (for example; from a .pfx file) into a user's certificate store instead of the Local Computer Personal store. (3) The certificate was generated as part of a certificate request that did not specify the 'Machine Key' option. (4) The Federation Service identity has not been granted read access to the certificate's private key. User Action If the certificate was imported from a source with no private key; choose a certificate that does have a private key; or import the certificate again from a source that includes the private key (for example; a .pfx file). If the certificate was imported in a user context; import the certificate again directly into the Local Computer Personal store. If the certificate was generated by a certificate request that did not specify the 'Machine Key' option and the key is marked as exportable; export the certificate with a private key from the user store to a .pfx file and import it again directly into the Local Computer Personal store. If the key is not marked as exportable; request a new certificate using the 'Machine Key' option. If the FS Identity has not been granted read access to the certificate's private key; open the AD FS snap-in. In the console tree; right-click Federation Service; and then click Properties. Under Token Signing Certificate; click View.  If the private key has incorrect access control configured; an option to reconfigure the key's access control will appear.

Fields

Message

During processing of web.config section '{configurationSection}'; the parameter '{configurationParameter}' was found to have invalid data. The certificate that was identified by the thumbprint '{certificateThumbprint}' could not be found. Section: {configurationSection} Parameter: {configurationParameter} Thumbprint: {certificateThumbprint} The Federation Service or the Federation Service Proxy will not be able to start until this configuration parameter is corrected. This condition occurs when the thumbprint that is specified does not match the thumbprint of any certificate in the Local Computer Personal store. Common causes for this condition include the following: (1) The web.config was edited by hand and the thumbprint string contains a typographical error. (2) The certificate with the specified thumbprint is from a user store instead of the Local Computer store. User Action If the web.config contains a typographical error; correct the thumbprint string. To correct the thumbprint string; open the Certificates snap-in. On the Details tab in the certificate property page; select the Thumbprint field. The thumbprint in the web.config should match the string - with the spaces removed - that appears in the property page. If a certificate with a matching thumbprint exists in a user store and a .pfx file for the certificate is available; import the .pfx file directly into the Local Computer Personal store. If no .pfx file is available and the key is exportable; you can create a .pfx file by exporting the certificate with private key. If the key is not exportable and no .pfx file is available; request a new certificate and ensure that the request is for a machine certificate instead of a user certificate.

Fields

Message

During processing of web.config section '{configurationSection}'; the required parameter '{configurationParameter}' was not found. Section: {configurationSection} Parameter: {configurationParameter} The Federation Service or the Federation Service Proxy will not be able to start until this configuration parameter is corrected. User Action Add the required parameter.

Fields

Message

The account partner discovery page called the RedirectToAccountFederationPartner application programming interface (API) with a Uniform Resource Identifier (URI) that does not identify any known account partner. URI: {accountPartnerUri} User Action Examine the account partner discovery page for errors.

Fields

Message

The Federation Service Proxy encountered an exception when it called a Federation Service Web method. Federation Server URL: {fsUrl} Web method: {method} Proxy certificate thumbprint: {proxyCertificateThumbprint} This may cause a user request to fail. User Action The exception details may give an indication of the precise problem. Check network connectivity between the Federation Service Proxy and the Federation Service. Ensure that the Federation Service is running. Ensure that the Federation Service Proxy client authentication certificate has been added to the list of proxy authentication certificates in the Federation Service trust policy. Ensure that the Federation Service Proxy client authentication certificate chains to a root that is trusted by the Federation Service. Ensure that the Federation Service Proxy service account; which is set to Network Service by default; can access the private key of the certificate that was identified by the thumbprint '{proxyCertificateThumbprint}'.  Conditions that can prevent the Federation Service Proxy service account from having access to the certificate private key include the following:(1) The certificate was installed from a file that did not include the private key; such as a .cer or .p7b file. (2) The certificate's private key was imported (for example; from a .pfx file) into a user's certificate store instead of the Local Computer Personal certificate store. (3) The certificate was generated as part of a certificate request that did not specify the 'Machine Key' option. (4) The Federation Service Proxy service account has not been granted Read access to the certificate's private key.Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the Federation Service Proxy. Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the Federation Service Proxy web.config uses the name that is the subject of the Federation Service IIS SSL server certificate. Additional Data Exception information: {exception}

Fields

Message

The Federation Service did not produce an appropriate result. This request will be failed. User Action If this condition persists; enable the AD FS troubleshooting log.

Message

A token request was received for an application with the Uniform Resource Locator (URL)  '{applicationUrl}'; but the request could not be fulfilled because the URL does not identify any known application. URL: {applicationUrl} This request will be failed. User Action If this URL should be handled; verify that it matches the URL for the application in the Federation Service trust policy. Hypertext Transfer Protocol (HTTP) URLs are matched according to a set of rules in the HTTP specification. Host names are case insensitive; but the path portion of the URL is matched in a case-sensitive manner. Additional Data Refer to Request for Comments (RFC) 2616 for HTTP URL matching rules.

Fields

Message

A token request was received for a resource partner with the Uniform Resource Identifier (URI) '{resourcePartnerUri}'; but the request could not be fulfilled because the URI does not identify any known resource partner. URI: {resourcePartnerUri} This request will be failed. User Action If this URI should be handled; verify that it matches the URI for the resource partner in the Federation Service trust policy. URI matching rules differ according to the URI scheme; but in general URIs are case sensitive. Additional Data Refer to Request for Comments (RFC) 2396 for more information about URIs.

Fields

Message

An unexpected exception was encountered when reading the web.config section '{configurationSection}': Section: {configurationSection} Additional Data Exception information: {exception}

Fields

Message

A required configuration section of web.config was missing: '{configurationSection}' Section: {configurationSection} The Federation Service cannot start until this condition is corrected. User Action Add the required web.config section.

Fields

Message

The AD FS Web Agent for claims-aware applications cannot find the return Uniform Resource Locator (URL) that is configured in web.config. The Web agent cannot start until this condition is corrected. User Action Add the return URL to web.config.

Message

The AD FS Web Agent for claims-aware applications cannot find the Federation Service Uniform Resource Locator (URL) that is configured in web.config. The Web agent cannot start until this condition is corrected. User Action Add the Federation Service URL to the web.config.

Message

A malformed protocol request was received by the AD FS Web Agent. The context parameter from the request was not returned in the response. This request will be failed. User Action If you are using non-Microsoft federation software in your environment; verify that it is compatible with Active Directory Federation Services (AD FS).

Message

A malformed protocol request was received by the AD FS Web Agent. A sign-in request was received when a response was expected. This request will be failed. This situation can occur if other components mistake this server for the Federation Service. User Action If you are using non-Microsoft federation software in your environment; verify that it is compatible with Active Directory Federation Services (AD FS). Ensure that the Uniform Resource Locator (URL) for this application is not configured as the Federation Service URL at any Web agent; Federation Service Proxy; or resource partner.

Message

A malformed protocol request was received by the AD FS Web Agent. A '{messageType}' message was received; but that message type is not handled at the Web agent. Message type: {messageType} This request will be failed. This situation can occur if other components mistake this server for the Federation Service. User Action If you are using non-Microsoft federation software in your environment; verify that it is compatible with Active Directory Federation Services (AD FS). Ensure that the Uniform Resource Locator (URL) for this application is not configured as the Federation Service URL at any Web agent; Federation Service Proxy; or resource partner.

Fields

Message

A malformed protocol request was received by the AD FS Web Agent. More data than expected was received in the message. Expected data length: {expectedLength} Received data length: {actualLength} This request will be failed. This situation can occur because of data corruption; data tampering; malfunctioning software; or interoperability failure. User Action If you are using non-Microsoft federation software in your environment; verify that it is compatible with Active Directory Federation Services (AD FS). If this condition persists; enable the AD FS troubleshooting log.

Fields

Message

The AD FS Web Agent was unable to update trust information from the Federation Service. A serious error has occurred. Federation Service URL: {fsUrl} If this failure occurs during startup; no users will be authenticated until the Federation Service can be contacted. If the Federation Service cannot be contacted; the Web agent will continue to authenticate users with the existing trust information; and it will attempt this operation again at a later time. This condition occurs when an unexpected exception is thrown from the GetFsTrustInformation Web method call to the Federation Service. Additional Data Exception information: {exception}

Fields

Message

The AD FS Web Agent was unable to update trust information from the Federation Service. A Hypertext Transfer Protocol (HTTP) or networking error has occurred. Federation Service URL: {fsUrl} WebExceptionStatus value: {WebExceptionStatus} WebException message: {exceptionMessage} If this failure occurs during startup; no users will be authenticated until the Federation Service can be contacted. If the Federation Service cannot be contacted; the Web agent will continue to be authenticated users with the existing trust information; and it will attempt this operation again at a later time. User Action Verify that the Federation Service Uniform Resource Locator (URL) is properly configured; the Federation Service is started; and the Federation Service can be contacted from this computer.

Fields

Message

The AD FS Web Agent for claims-aware applications successfully retrieved trust information from the Federation Service. GUID: {policyGuid} Version: {policyVersion} Federation Service Uniform Resource Locator (URL): {fsUrl} Federation Service Uniform Resource Identifier (URI): {fsIssuerUri} Federation Service Endpoint URL: {fsEndpointUrl} Federation Service Domain Account: {fsDomainAccount}

Fields

Message

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service. GUID: {policyGuid} Version: {policyVersion} Federation Service Uniform Resource Locator (URL): {fsUrl} Federation Service Uniform Resource Identifier (URI): {fsIssuerUri} Federation Service Endpoint URL: {fsEndpointUrl} Federation Service Domain Account: {fsDomainAccount}

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy field '{trustPolicyField}' was set to an unacceptable value. The field must not be negative. Field: {trustPolicyField} Value: {configuredValue} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action Correct the '{trustPolicyField}' field by configuring it with a nonnegative value.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy field '{trustPolicyField}' was set to an unacceptable value. The field must contain a valid Uniform Resource Identifier (URI). Field: {trustPolicyField} Value: {configuredValue} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action Correct the '{trustPolicyField}' field by configuring it with a valid URI value. Additional Data UriFormatException message: {exceptionMessage}

Fields

Message

The Federation Service encountered an error while loading the trust policy. The required trust policy field '{trustPolicyField}' was not present. Field: {trustPolicyField} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action Configure the '{trustPolicyField}' field with a valid value.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy contains a universally unique identifier (UUID) reference to an organization claim that does not exist. Referencing type: {referencingType} UUID: {orgClaimUuid} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The UUID must be corrected to reference an existing organization claim.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy defines an Active Directory Domain Services group population that does not specify any Active Directory Domain Services principals. Organization Group Claim: {orgGroupClaim} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The ADGroupGeneration object must specify one or more security IDs (SIDs) that specify Active Directory Domain Services users or groups to be included in the organization group.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy defines a claim whose format is not valid. Claim type: {claimType} Claim value: {claimValue} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the claim so that it has the proper format.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy defines a custom claim whose name is unspecified. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur if the trust policy file has been modified without use of the AD FS administrative tools. Correct the custom claim to to specify a name.

Message

The Federation Service encountered an error while loading the trust policy. A collection in the trust policy contains duplicate items. Collection type: {collectionType} Duplicate property name: {propertyName} Duplicate property value: {propertyValue} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the duplicate item from the collection.

Fields

Message

The Federation Service encountered an error while loading the trust policy. A custom claim collection in the trust policy contains a duplicate item. Collection type: CustomClaimCollection Custom claim name: {customClaimName} Custom claim value: {customClaimValue} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the duplicate item from the collection.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An exception was thrown during loading of a custom module assembly. Assembly path: {assemblyPath} If this error occurs startup of the during Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. This error may be generated by a non-Microsoft module that is not part of AD FS. User Action Ensure that the assembly path is correct and that the assembly file has appropriate permissions. Additional Data Exception information: {exception}

Fields

Message

The Federation Service encountered an error while loading the trust policy. An exception was thrown during instantiation of a custom module class from a custom module assembly. Assembly path: {assemblyPath} Class name: {className} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. This error may be generated by a non-Microsoft module that is not part of AD FS. User Action Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps. Additional Data Exception information: {exception}

Fields

Message

The Federation Service encountered an error while loading the trust policy. The specified class could not be instantiated from the custom module assembly. Assembly path: {assemblyPath} Class name: {className} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. This error may be generated by a non-Microsoft module that is not part of AD FS. User Action Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The specified class was found in the custom module assembly; but the class does not implement the required AD FS interface. Assembly path: {assemblyPath} Class name: {className} Interface name: {interfaceName} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. This error may be generated by a non-Microsoft module that is not part of AD FS. User Action Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy file path is not valid. Path: {trustPolicyPath} The Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. User Action Correct the configuration to specify a fully qualified file path to an existing trust policy file. This configuration can be corrected in the web.config file or by using the AD FS administration console.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The Active Directory Domain Services account store is configured improperly. The '{trustPolicyField}' field; which is configured on the Active Directory Domain Services store; is supported only on Active Directory Lightweight Directory Services (AD LDS) stores. Field: {trustPolicyField} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the specified field from the trust policy file.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store is configured improperly. A required configuration field '{trustPolicyField}' is missing for the AD LDS store. Field: {trustPolicyField} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Add the missing field to the trust policy file.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An account partner is misconfigured. The AllowedTrustedWindowsDomains field is configured for an account partner for which Windows trust is not enabled. Field: AllowedTrustedWindowsDomains If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Either enable Windows trust on the account partner or remove the AllowedTrustedWindowsDomains field.

Message

The Federation Service encountered an error while loading the trust policy. A collection contains a duplicate item. Collection: {collectionType} Duplicate key: {key} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Either enable Windows trust on the account partner or remove the AllowedTrustedWindowsDomains field.

Fields

Message

The Federation Service encountered an error while loading the trust policy. A configured e-mail suffix contains the @ sign. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the @ sign from the configured e-mail suffix.

Message

The Federation Service encountered an error while loading the trust policy. An application is configured with an e-mail or user principal name (UPN) suffix transformation. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the suffix transformation from the application.

Message

The Federation Service encountered an error while loading the trust policy. An account partner with Windows trust enabled has been configured with a group-to-UPN transformation. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the group-to-UPN transformation from this account partner.

Message

The Federation Service encountered an error while loading the trust policy. An account partner that does not have Windows trust enabled is configured to allow all user principal name (UPN) suffixes. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Account partners that do not have Windows trust enabled must provide an explicit list of UPN suffixes for validation. Add at least one UPN suffix for this account partner.

Message

The Federation Service encountered an error while loading the trust policy. An account partner that does not have Windows trust enabled is configured to allow all e-mail suffixes. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Account partners that do not have Windows trust enabled must provide an explicit list of e-mail suffixes for validation. Add at least one e-mail suffix for this account partner.

Message

The Federation Service encountered an error while loading the trust policy. The trust policy field '{trustPolicyField}' is empty. Field: {trustPolicyField} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Add data to the '{trustPolicyField}' field.

Fields

Message

The Federation Service encountered an error while loading the trust policy. Multiple Active Directory Domain Services account stores are configured. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Reduce the number of Active Directory Domain Services account stores in the trust policy to one.

Message

The Federation Service encountered an error while loading the trust policy. A partner is configured with more than one group-to-UPN transformations that use the same group. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. No two group-to-UPN transformations on one partner may use the same group.

Message

The Federation Service encountered an error while loading the trust policy. The Active Directory Domain Services account store has been configured to fetch user principal name (UPN) from a custom Lightweight Directory Access Protocol (LDAP) attribute. If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the custom LDAP attribute for UPN from the Active Directory Domain Services account store configuration.

Message

The Federation Service encountered an error while loading the trust policy. An application or resource partner is configured to use Kerberos-based token verification; but the Service Principal Name (SPN) for the application is not valid. SPN: {servicePrincipalName} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the SPN to a valid value.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store is configured with a Lightweight Directory Access Protocol (LDAP) port number that is not valid. Port number: {configuredValue} If this error occurs during startup of the Federation Service; the Federation Service will be not able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The LDAP port must be a valid TCP socket port number. Change the configured value to fall between 1 and {maximumValue}.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store was configured with an identity claim extraction. AD LDS store: {adamStoreDisplayName} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure at least one identity claim extraction for this account store: user principal name (UPN); e-mail; or common name.

Fields

Message

The Federation Service encountered an error while loading the trust policy. A resource partner has no identity claim transformation. Resource partner: {resourcePartnerDisplayName} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure an identity claim transformation for this partner.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An account partner has no identity claim transformation. Account partner: {accountPartnerDisplayName} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure an identity claim transformation for this partner.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An application has no identity claim enabled. Application: {applicationDisplayName} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Enable an identity claim for this application.

Fields

Message

The Federation Service encountered an error while loading the trust policy. A Uniform Resource Locator (URL) in the trust policy is not valid. URL: {configuredValue} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Enter a valid URL.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a trust policy update period that is less than its allowed minimum. Configured value: {configuredValue} Minimum value: {minimumValue} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the trust policy update period above the minimum.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a Windows trust cache update period that is less than its allowed minimum. Configured value: {configuredValue} Minimum value: {minimumValue} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the Windows trust cache update period above the minimum.

Fields

Message

The Federation Service encountered an error while loading the trust policy. An unexpected exception was encountered. If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully; and it will attempt to load the policy again in {retryPeriod} minutes.Retry period: {retryPeriod} User Action If this error persists; enable the AD FS troubleshooting log. Additional Data Exception information: {exception}

Fields

Message

The Federation Service encountered an error while attempting to update the Windows trust cache. The Federation Service will continue to use previously cached Windows trust data until the update completes successfully. The next attempt at a cache update will occur in {retryPeriod} minutes.Retry period: {retryPeriod} User ActionIf this error persists; verify that your Windows trust relationships are functional. Additional Data Domain last processed: {domainLastProcessed} Native error code: {winerror}

Fields

Message

The Federation Service encountered an error while attempting to update the Windows trust cache. The Federation Service never successfully built the Windows trust cache. Therefore; tokens that are issued by account partners that use a Windows trust will be rejected until the update completes successfully. The next attempt at a cache update will occur in {retryPeriod} minutes.Retry period: {retryPeriod} User ActionIf this error persists; verify that your Windows trust relationships are functional. Additional Data Domain last processed: {domainLastProcessed} Native error code: {winerror}

Fields

Message

A sign-in request was received; but no account stores or account partners are configured in the Federation Service trust policy. Until at least one account store or account partner is configured in the trust policy; no sign-in requests can be processed. User Action Ensure that the Federation Service trust policy defines at least one account store or account partner. This error may occur in the Federation Service Proxy when data replication from the Federation Service is delayed. To refresh the trust policy immediately; restart Internet Information Services (IIS) in the Federation Service Proxy.

Message

The Federation Service failed a privileged Web method call because Secure Sockets Layer (SSL) client authentication information was not available. This event can occur if the client does not provide a client certificate or if Internet Information Services (IIS) rejects the client's certificate because it does not chain to a trusted root certification authority in the Federation Service. User Action If this is a valid call from the Federation Service Proxy; ensure that the root of the Federation Service Proxy client certificate is trusted by the Federation Service.

Message

The Federation Service failed a privileged Web method call because the caller's client authentication certificate was not valid. Certificate thumbprint: {certificateThumbprint} User Action If this certificate thumbprint corresponds to a valid Federation Service Proxy; ensure that the certificate is valid (for example; is not expired) and that it chains to a trusted root in the Federation Service.

Fields

Message

The Federation Service failed a privileged Web method call because the caller's client authentication certificate is not configured as a Federation Service Proxy certificate. Certificate thumbprint: {certificateThumbprint} User Action Ensure that the trust policy is properly configured with all valid Federation Service Proxy certificates.

Fields

Message

The AD FS troubleshooting log is using more than the maximum allowed number of files; but it is not able to delete the oldest files. Directory: {directory} Files used: {numberOfFilesUsed} Maximum files: {maximumNumber} Log files will continue to be written; but they will exceed the maximum number of files. This event will recur every {retryPeriod} minutes until the condition is corrected.Retry period: {retryPeriod} User Action Check the permissions on the log file directory. If the directory permissions are correct; determine whether the failing file is opened by another program or whether file-specific permissions are preventing its deletion. Additional Data This error occurred as a result of a failed deletion operation on a specific file. File to be deleted: {fileForDeletion} File deletion error: {exceptionMessage}

Fields

Message

The AD FS troubleshooting log detected that the current file has reached the maximum size; but a new file cannot be created to continue the log. Directory: {directory} File name: {fileName} File size: {maximumSize} Maximum file size: {fileSize} Troubleshooting information will continue to be written to the current log file; which will exceed the maximum log file size. This event will recur every {retryPeriod} minutes until the condition is corrected.Retry period: {retryPeriod} User Action Check the permissions on the log file directory. Additional Data This error occurred as a result of a failed attempt to create a new file. File to be created: {fileForCreation} File creation error: {exceptionMessage}

Fields

Message

The AD FS troubleshooting log is not able to create a log file. Directory: {directory} File to be created: {fileForCreation} File creation error: {exceptionMessage} Troubleshooting information will be lost until this condition is corrected. This event will recur every {retryPeriod} minutes until the condition is corrected.Retry period: {retryPeriod} User Action Check the permissions on the log file directory.

Fields

Message

The AD FS troubleshooting log detected that the maximum file size cannot be enforced given the current traffic level and troubleshooting verbosity. Directory: {directory} MaxFileSize: {maximumSize} The file names that are assigned to the log files have a resolution of one second. The number of bytes that is being written to the file in a second is greater than the value of MaxFileSize. This condition can have performance implications. This event will recur every {retryPeriod} minutes until the condition is corrected.Retry period: {retryPeriod} User Action Decrease troubleshooting verbosity or increase the value of MaxFileSize.

Fields

Message

The AD FS role or membership provider was not able to retrieve configuration information from the Federation Service. Federation Server URL: {fsUrl} Provider: {provider} The current administrative action will fail. User Action This error generally indicates a protocol or networking failure. Check the following: (1) the Federation Service Uniform Resource Locator (URL) is properly configured; (2) the Federation Service is started; (3) the Federation Service is reachable from this computer; (4) the Federation Service Secure Sockets Layer (SSL) certificate chains to a root that is trusted by this computer. Additional Data An exception was returned from a Federation Service Web method. Web Method: {webMethod} Exception information: {exception}

Fields

Message

The AD FS membership provider was not able to be initialized. The Federation Service Uniform Resource Locator (URL) is not configured. The AD FS membership provider will not function until this condition is resolved. User Action Configure the Federation Service URL in the Web.config file.

Message

The AD FS role provider was not able to be initialized. The Federation Service Uniform Resource Locator (URL) is not configured. The AD FS membership provider will not function until this condition is resolved. User Action Configure the Federation Service URL in the Web.config file.

Message

The Federation Service Proxy successfully updated its configuration information from the Federation Service. Old policy GUID: {oldPolicyGuid} Old policy version: {oldPolicyVersion} New policy GUID: {newPolicyGuid} New policy version: {newPolicyVersion}

Fields

Message

The AD FS auditing subsystem could not register itself with the system. The auditing privilege is not held. The AD FS component will not be able to start unless it is granted the auditing privilege. User Action AD FS components that write audits must be configured to run as LocalSystem; NetworkService; or a domain principal that has explicitly been granted the 'Generate Security Audits' privilege (SeAuditPrivilege). If the failing component is the Federation Service; configure the application pool (AD FS AppPool) to run as an appropriate principal. If the failing component is the AD FS Web Agent Authentication Service; configure the Windows NT service to run as an appropriate principal. If the failing component is the AD FS Web Agent for claims-aware applications; configure the application pool for the protected application to run as an appropriate principal.

Message

The AD FS auditing subsystem could not register itself with the system. An unexpected error occurred. Additional Data The data field contains a Win32 error code.

Message

The AD FS auditing subsystem failed to write an audit event. An unexpected error ocurred. Additional Data The data field contains a Win32 error code.

Message

The Federation Service rejected a token request because it appeared to duplicate a successful request that was granted to the same client browser session within the last {duplicationPeriod} seconds. Target: {targetUri} Duplication period (seconds): {duplicationPeriod} This failure generally indicates that the target is not receiving cookies that it writes. If this condition is caused by a server-side configuration error; it may indicate that all requests to the target are failing. User Action Ensure that the client browser is configured to accept cookies from the target site. Ensure that the cookie path and cookie domain are correctly configured at the target Federation Service or web agent. %Ensure that the return URL that is specified in the Web Agent matches the application URL that is specified in the Federation Service.

Fields

Message

The Federation Service encountered an unexpected error while loading the trust policy: {exceptionMessage}. Because the Federation Service is not able to start; all requests will fail until the configuration is corrected.

Fields

Message

The Federation Service was not able to communicate with the AD FS Authentication Package. Until this situation is resolved; the Federation Service will not be able to authenticate Active Directory Domain Services users by using Transport Layer Security / Secure Sockets Layer (TLS/SSL) client certificates. User Action Check for the presence of the authentication package binary (ifsap.dll) in %%systemroot%%\system32. If it is not present; reinstall AD FS. Check for the value 'ifsap' in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa value 'Security Packages'. If this value is absent; add it to the list; and then restart the computer. Additional Data The data field contains the NTSTATUS error code from LsaLookupAuthenticationPackage.

Message

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a token cache entry lifetime that is less than its allowed minimum. Configured value: {configuredValue} Minimum value: {minimumValue} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the token cache entry lifetime above the minimum.

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a token cache scavenge period that is less than its allowed minimum. Configured value: {configuredValue} Minimum value: {minimumValue} If this error occurs during startup of the Federation Service; the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last policy that was successfully loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the token cache scavenge period above the minimum.

Fields

Message

The AD FS Web Agent for claims-aware applications encountered an error while loading its configuration from the Web.config file. The value of a configuration parameter {configurationParameter} is less than the allowed minimum of {minimumValue}. Parameter: {configurationParameter} Minimum value: {minimumValue} The minimum value has been assigned to this parameter.

Fields

Message

The AD FS Web Agent was unable to update trust information from the Federation Service. The Federation Service Secure Sockets Layer (SSL) server certificate could not be validated. Federation Service URL: {fsUrl} User Action Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server. Verify that the SSL certificate is neither expired nor revoked. Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

Fields

Message

The Federation Service Proxy was not able to update trust information from the Federation Service. The Federation Service's Secure Sockets Layer (SSL) server certificate could not be validated. Federation Service URL: {fsUrl} User Action Verify that the Federation Service's SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store in the Federation Service Proxy. Verify that the SSL server certificate is neither expired nor revoked. Verify that the SSL server certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

Fields

Message

The AD FS troubleshooting log was not able to start. An exception has been thrown; and the application pool that hosts the BoundedSizeLogFileTraceListener will not be able to start. Additional Data Exception message: {exception}

Fields

Message

A malformed protocol request was received by the AD FS Web Agent. The response contained no Security Assertion Markup Language (SAML) token. This request will fail. This situation can occur because of data corruption; data tampering; malfunctioning software; or interoperability failure. User Action If you are using non-Microsoft federation software in your environment; verify that the federation software is compatible with AD FS. If this condition persists; consider enabling the AD FS troubleshooting log.

Message

Cookies that are needed to complete a passive client request were not present in the request. When cookies that hold the state for passive client requests cannot be found; requests that are made by the passive client will be received by the Federation Service (or Federation Service Proxy); but they will not be processed. User Action Reconfigure the cookie path. The current cookie path is set to '{configuredCookiePath}'; and the request-Uniform Resource Identifier (URI) is set to '{requestUri}'. Unless other client-side configuration or user action causes the cookie to be rejected; client browsers should send the cookie if the cookie path matches the prefix for the request-URI.Cookie path: {configuredCookiePath} Request-URI: {requestUri} Modify the Domain Name System (DNS) name for this site so that it is Request for Comments (RFC)-compliant. Compliant DNS host names contain only letters (A through Z); numerals (0 through 9); minus sign (-); and period (.) characters. Reconfigure the client browser to not reject cookies from this site. Undo any action that might have been taken by a user to reject or delete the cookies that are needed by this transaction. Additional Data For more information about the cookie and request-URI paths; review the following RFCs: RFC 2616 - This RFC describes the appropriate way to compare Hypertext Transfer Protocol (HTTP) URIs; and it mandates case-sensitive comparisons for the request-URI path. RFC 2109 - This RFC describes how the cookie path must match a prefix of the request-URI. It is important to note that some browsers treat '/path' or '/path1/samp' as a prefix match of '/path1/sample' while others do not allow matches that consume only parts of the individual words. These strict implementations accept only a subset of those matches that are allowed by the first implementation; for example; '/path1' or '/path1/sample'.

Fields

Message

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an invalid operation. FS URL: {fsUrl} Client certificate thumbprint: {certificateThumbprint} This condition can occur when the path that is specified by the TEMP environment variable is not writable by the application pool identity. The TEMP path is used by the .NET Framework to create a temporary assembly that is used for SOAP communication. User Action Grant the application pool identity access to the path that is specified in the TEMP environment variable. Additional Data Exception information:{exception}

Fields

Message

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an unknown exception. FS URL: {fsUrl} Client certificate thumbprint: {certificateThumbprint} Additional Data Exception information:{exception}

Fields

Message

The AD FS Web Agent was unable to update trust information from the Federation Service. The Federation Service returned an error. Federation Service URL: {fsUrl} User Action Ensure that the Federation service is properly configured and started. Additional Data SoapException error message: {soapExceptionMessage}

Fields

Message

The following custom transform module has been specified in policy: Assembly: {assemblyPath} Class Type: {className} This module will be accessed through an in-process call.

Fields

Message

The following claim transform module has been specified in policy: Assembly: {assemblyPath} Class Type: {className} This module will be accessed through Microsoft .NET Remoting: Url: {remotingUrl} Remote config file: {remotingConfigFile}

Fields

Message

The remote configuration file for a claim transform module has changed. Because Microsoft .NET Remoting was already configured; these changes cannot be applied. The previous remoting configuration will remain in effect. User Action To use the new remoting configuration; restart Internet Information Services (IIS).

Message

An exception occurred during an attempt to configure Microsoft .NET Remoting for a claim transform module. Assembly: {assemblyPath} Class Type: {className} Remote config file: {remotingConfigFile} This error may be caused by a non-Microsoft module that is not part of AD FS. Additional Data Exception information: {exception}

Fields

Message

An exception occurred during an attempt to connect to a remote custom transform module. Url: {remotingUrl} Assembly: {assemblyPath} Class: {className} Remote config file: {remotingConfigFile} This error may be caused by a non-Microsoft module that is not part of AD FS. Additional Data Exception information: {exception}

Fields

Message

The LSAuthenticationObject method LogonClient was called with the anonymous WindowsIdentity. This condition occurs when LogonClient(WindowsIdentity) is called in a context where anonymous access has been enabled in Internet Information Services (IIS). User Action Ensure that only integrated authentication is enabled for the ls/auth/integrated directory. Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory.

Message

The ClientCredentialInfo static method CreateCertificateCredential was called in a context where no client certificate was available. User Action Ensure that only anonymous access is enabled for the ls/auth/sslclient directory and that 'Require client certificates' is selected in the Secure Communications dialog box. Ensure that CreateCertificateCredential is called only from the authentication Web form in the ls/auth/sslclient directory.

Message

The LSAuthenticationObject method LogonClient was called; but the Federation Service trust policy does not define any account stores. User Action If the Federation Service is intended to authenticate users; configure at least one account store. Otherwise; consider replacing clientlogon.aspx with a static page that indicates that logon is not supported.

Message

The LSAuthenticationObject method LogonClient was called with a WindowsIdentity; but the Federation Service has no Active Directory account store configured. User Action If this Federation Service is intended to service integrated authentication logons to Active Directory Domain Services; configure the Active Directory Domain Services account store. If this Federation Service is not intended to service integrated authentication logons to Active Directory Domain Services; consider replacing ls/auth/integrated/clientlogon.aspx with a static page that indicates that integrated authentication is not supported.

Message

The LSAuthenticationObject method LogonClient was called with certificate credentials; but only Active Directory Lightweight Directory Services (AD LDS) account stores are configured at the Federation Service. AD LDS account stores do not support certificate credentials. User Action If this Federation Service is intended to service certificate authentication logons; configure the Active Directory Domain Services account store. If this Federation Service is not intended to service certificate authentication logons; consider replacing ls/auth/sslclient/clientlogon.aspx with a static page that indicates that certificate authentication is not supported.

Message

The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy; the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup; the Federation Service will not be able to service requests until the condition is resolved. Signing certificate thumbprint: {signingCertificateThumbprint} The signing method identifies a Subject Key Identifier (SKI) which is not recognized by the verification method. SKI: {subjectKeyIdentifier} User Action If a signing method is to be identified by the SKI; the verification method must contain the signing certificate. Add the signing certificate to the verification certificate list.

Fields

Message

The Federation Service has detected a discrepancy between its signing methods and its verification methods. If this condition is caused by a change in trust policy; the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup; the Federation Service will not be able to service requests until the condition is resolved. Signing certificate thumbprint: {signingCertificateThumbprint} The certificate chain for the token-signing certificate cannot be verified. Native Error Code: {winerror} User Action Make sure that the token-signing certificate matches one of the verification certificates in the trust policy. The native error code comes from CertGetCertificateChain or CertVerifyCertificateChainPolicy. Check the documentation to troubleshoot the error code; and take action accordingly. For example; if the error code is CERT_E_EXPIRED; the token-signing certificate has expired and must be replaced or renewed. If the error code is CRYPT_E_REVOCATION_OFFLINE; make sure that the revocation checking service is online; or disable revocation checking using the Active Directory Federation Services snap-in when necessary (Trust Policy Properties -> Verification Certificates -> Revocation Settings: choose None).

Fields

Message

The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy; the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup; the Federation Service will not be able to service requests until the condition is resolved. Signing certificate thumbprint: {signingCertificateThumbprint} Neither the signing certificate nor any certificate in its chain was found in the verification certificates collection. User Action Add the signing certificate or a certification authority from its chain to the collection of verification certificates.

Fields

Message

A client is attempting to continue a pending sign-in request; but the target of the continuing request differs from the target of the pending request. Each browser session may only maintain one pending request at a time. Continuing request target: {expectedTarget} Pending request target: {receivedTarget} This situation may occur if two Microsoft Office applications attempt to perform AD FS authentication simultaneously because session cookies are shared across all Office applications. User Action There is typically no action to be taken at the server to correct this situation. A user will see a failure in one of the Office applications. Reopening the failing Office file after the second file finishes loading resolves this issue.

Fields

Message

A portion of a multipart response was received out of sequence. Response index: {responseIndex} Expected index: {expectedIndex} This situation is an unrecoverable protocol error. The authentication has failed; and the client request will be denied.

Fields

Message

A portion of a multipart response was received; but the part contains too much data. Characters received: {expectedSize} Characters expected: {actualSize} This situation is an unrecoverable protocol error. The authentication has failed; and the client request will be denied.

Fields

Message

One of the session cookies that stores state for pending sign-in requests contains incorrectly formatted data. Cookie: {cookieName} Formatting error: {formatExceptionMessage} This cookie is written by AD FS for AD FS use. This error indicates that the cookie has been tampered with. The authentication has failed; and the client request will be denied.

Fields

Message

The pending sign-in request state specifies an unknown account partner. Partner URI: {accountPartnerUri} This condition can occur if an account partner is deleted during a multipart sign-in request.

Fields

Message

A request was received that identified itself as a WS-Federation Passive Requestor Profile (WS-F PRP) sign-in message; but the message does not fit the profile of any supported message. This situation can be due to rogue clients; interoperability failure with non-Microsoft; single-sign-on software; or message tampering. User Action If you are using non-Microsoft federation software in your environment; verify that the federation software is compatible with AD FS.

Message

A sign-in message was received that contains incorrectly formatted data. Format error: {formatExceptionMessage} This situation can be due to rogue clients; interoperability failure with non-Microsoft; single-sign-on software; or message tampering. User Action If you are using non-Microsoft federation software in your environment; verify that the federation software is compatible with AD FS.

Fields

Message

A request was received that is the continuation of a multipart sign-in request; but more data has been requested than exists. Requested data index: {requestedIndex} Actual data size: {actualSize} This situation is an unrecoverable protocol error. The authentication has failed; and the client request will be denied.

Fields

Message

The AD FS Web Agent was unable to update trust information from the Federation Service. An InvalidOperationException occurred. Federation Service URL: {fsUrl} User Action Ensure that the Federation Service is properly configured and started. Additional Data InvalidOperationException error message: {invalidOperationExceptionMessage}

Fields

Message

The Federation Service encountered an error while loading the trust policy. The trust policy contains an application that has been configured with custom namespaces. Application URL: {applicationUrl} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Remove the Namespaces object from the TrustingApplication object in question.

Fields

Message

The Federation Service encountered an error while parsing a security token. The token contained an unrecognized claim namespace. Token issuer: {tokenIssuer} Claim namespace: {claimNamespace} This request will be denied. This error might occur as a result of incompatibilities between AD FS and third-party software. User Action If this error occurs on the Federation Service and the token issuer is an account partner; it may indicate that custom namespaces should be configured for the partner. If this error occurs on the AD FS Web Agent; it may indicate that the token issuer is not properly configured. Contact the token issuer's administrator.

Fields

Message

The Federation Service has encountered an error while loading the trust policy. A resource partner with Windows trust enabled also has enhanced identity privacy enabled. Resource partner URI: {resourcePartnerUri} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Disable enhanced identity privacy or Windows trust from the resource partner in question.

Fields

Message

The Federation Service has encountered an error while loading the trust policy. An application has enhanced identity privacy enabled. Application URL: {applicationUrl} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Disable enhanced identity privacy from the application in question.

Fields

Message

The Federation Service has encountered an error while loading the trust policy. The trust policy contains a privacy key that is not the expected length. Expected length: {expectedLength} Actual length: {actualLength} If this error occurs during startup of the Federation Service; the Federation Service will be not be able to start; and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running; the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Configure a privacy key of the expected length.

Fields

Message

The cookies that were presented by the client could not be decoded. This may cause a user request to fail. User Action The exception details may give an indication of the precise problem. Additional Data HRESULT error code: {hresult} Exception information: {exception}

Fields

Message

A client request to the Federation Service failed because the syntax of a Lightweight Directory Access Protocol (LDAP) attribute is different from the standard syntaxes that are defined in RFC 2252. This event can occur if the directory schema has been extended to new syntaxes. User Action If this is a valid attribute with a new syntax; extract this claim from a custom transform module instead. Additional Data LDAP Server: {ldapServer} LDAP attribute name: {attributeName} LDAP attribute type: {attributeType}

Fields

Message

The group policy setting 'DisallowFederationService' is configured for this machine. The Federation Service will fail all requests until this condition is corrected.User ActionDisable or do not configure the DisallowFederationService group policy setting for Active Directory Federation Services.

Message

The Federation Service has encountered an error while reading group policy settings. This may indicate an attempt by the local administrator to bypass group policy. The Federation Service will fail all requests until this condition is corrected.User ActionEnsure that the Access Control List for the registry path HKLM\Software\Policies\Microsoft\Windows\ADFS grants read access to the Federation Service principal.Additional DataException information:{exception}

Fields

Message

The Federation Service has detected that Secure Sockets Layer (SSL) is not enabled for communication between this federation server and the server hosting the Active Directory Lightweight Directory Services (AD LDS) account store; identified by URI: {trustPolicyField};  that you specified in the trust policy. Although communications between a federation server and an AD LDS server will be successful when a secure channel has not been established; we recommend that you configure the properties of your AD LDS account store using SSL unless this communication has already been secured by other means; such as Internet Protocol security (IPsec).User Action Ensure that communication between this federation server and the AD LDS server is secure. You can use the Active Directory Federation Services snap-in to edit the properties of your AD LDS account stores and configure them to use a secure channel. To enable this configuration; select the Enable Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols check box in the properties for each AD LDS account store in the trust policy.

Fields

Message

The last remaining valid verification certificate for account partner {accountPartnerDisplayName}; or a certificate in its trust chain; is due to expire within {interval} days.Account partner name: {accountPartnerDisplayName}When this certificate expires input from the account partner will not be verifiable. User ActionContact the account partner administrator as soon as possible and replace or renew the certificate.Additional DataSubject: {subject}Issuer: {issuer}Thumbprint: {thumbprint}

Fields

Message

The last valid verification certificate for account partner {accountPartnerDisplayName}; or a certificate in its trust chain; has expired.Account partner name: {accountPartnerDisplayName}Input from this account partner cannot be verifed.User ActionContact the account partner administrator as soon as possible and obtain a valid certificate.Additional DataSubject: {subject}Issuer: {issuer}Thumbprint: {thumbprint}

Fields

Message

An unexpected error occured while checking the account partner verfication certificates for expiration. Exception information: {exception} User ActionCheck all acount partner verification certificates for problems. If the problem persists; contact Microsoft technical support.

Fields

Message

The Federation Service was unable to read configuration information from the domain controller. User Action Ensure that the Federation Server is joined to an Active Directory Domain Services (AD DS) domain.Ensure that the domain controller is available and can be accessed by the Federation Service.

Message

ADFS began checking the account partner verfication certificates for expiration.

Message

ADFS finished checking the account partner verfication certificates for expiration.

Message

A malformed protocol request was received by the AD FS Web Agent. The context parameter from the request ({FinalUrl}) did not match the configured cookie domain and cookie path for this application. This request will be failed.

Fields

Message

An error occurred during calling of the custom transform module; which is an extensibility point for third-party code. Assembly path: {assemblyPath} User Action Consider reviewing the code in the custom transform module for possible defects. Additional Data Exception information: {exception}

Fields

Message

An error occurred during creation of an instance of the custom transform module; which is an extensibility point for third-party code. Assembly path: {assemblyPath} User Action Review the custom module settings in the trust policy file; and consider reviewing the code in the custom transform module constructor for possible defects. Additional Data Exception information: {exception}

Fields

Message

An error occurred during calling of the custom transform module; which is an extensibility point for third-party code. The error may have occurred in the Microsoft .NET Remoting infrastructure or in the third-party code. Assembly path: {assemblyPath} User Action Review the custom module settings in the trust policy file and the client and server remote configuration settings; and ensure that appropriate listeners are operating correctly. In addition; consider reviewing the code in the custom transform module for possible defects. Additional Data Exception information: {exception}

Fields

Message

An error occurred during creation of an instance of the custom transform module; which is an extensibility point for third-party code. Assembly path: {assemblyPath} User Action Review the custom module settings in the trust policy file and the client and server remote configuration settings; and ensure that appropriate listeners are operating correctly. In addition; consider reviewing the code in the custom transform module constructor for possible defects. Additional Data Exception information: {exception}

Fields

Message

Transaction ID: {transactionId} Summary {summaryMessageId} Proxy certificate thumbprint: {proxyCertificateThumbprint} Target URI: {targetUri} Exception information: {exception} Output Resource Token {outTokenMessageId} Token ID: {outTokenTokenId} Identity: {outTokenIdClaim} Output Logon Accelerator Token {outCookieMessageId} Token ID: {transactionId}0 Identity: {transactionId}1 Input Logon Accelerator Token {transactionId}2 Token ID: {transactionId}3 Identity: {transactionId}4 Input Federation Token {transactionId}5 Token ID: {transactionId}6 Identity: {transactionId}7 Input Credentials {transactionId}8 Credential type: {transactionId}9 Credential hint: {summaryMessageId}0 Account store URI: {summaryMessageId}1 Error code: {summaryMessageId}2 Error string: {summaryMessageId}3

Fields

Message

Transaction ID: {transactionId} This event contains details of the errors encountered while processing the input logon accelerator token that was received as part of the referenced transaction. {messageId} Token ID: {tokenId} Issuer: {issuer} Identity: {idClaim} Audience: {audience} Key identifier: {keyIdentifier} Validation time: {validationTime1} {validationTime2} Effective time: {transactionId}0 {transactionId}1 Expiration time: {transactionId}2 {transactionId}3 Error code: {transactionId}4

Fields

Message

Transaction ID: {transactionId} This event contains details of the errors encountered while processing the input federation token that was received as part of the referenced transaction. {messageId} Token ID: {tokenId} Issuer: {issuer} Identity: {idClaim} Audience: {audience} Key identifier: {keyIdentifier} Validation time: {validationTime1} {validationTime2} Effective time: {transactionId}0 {transactionId}1 Expiration time: {transactionId}2 {transactionId}3 Error code: {transactionId}4

Fields

Message

Transaction ID: {transactionId} This event contains the details of the output resource token that was issued as part of the referenced transaction. Token ID: {tokenId} Issuer: {issuer} Audience: {audience} Effective time: {effectiveTime1} {effectiveTime2} Expiration time: {expirationTime1} {expirationTime2} Claim source: {claimSource} Authentication methods: Method		Time {transactionId}0 UPN: {transactionId}1 E-mail: {transactionId}2 Common name: {transactionId}3 Groups: ({transactionId}4 sensitive values omitted) {transactionId}5 Custom claims: Name		Value {transactionId}6 SIDs: {transactionId}7

Fields

Message

Transaction ID: {transactionId} This event contains the details of the output logon accelerator token that was issued as part of the referenced transaction. Token ID: {tokenId} Issuer: {issuer} Audience: {audience} Effective time: {effectiveTime1} {effectiveTime2} Expiration time: {expirationTime1} {expirationTime2} Claim source: {claimSource} Authentication methods: Method		Time {transactionId}0 UPN: {transactionId}1 E-mail: {transactionId}2 Common name: {transactionId}3 Groups: ({transactionId}4 sensitive values omitted) {transactionId}5 Custom claims: Name		Value {transactionId}6 SIDs: {transactionId}7

Fields

Message

Transaction ID: {transactionId} This event contains the details of the input logon accelerator token that was received as part of the referenced transaction. Token ID: {tokenId} Issuer: {issuer} Audience: {audience} Effective time: {effectiveTime1} {effectiveTime2} Expiration time: {expirationTime1} {expirationTime2} Claim source: {claimSource} Authentication methods: Method		Time {transactionId}0 UPN: {transactionId}1 E-mail: {transactionId}2 Common name: {transactionId}3 Groups: ({transactionId}4 sensitive values omitted) {transactionId}5 Custom claims: Name		Value {transactionId}6 SIDs: {transactionId}7

Fields

Message

Transaction ID: {transactionId} This event contains the details of the input federation token that was received as part of the referenced transaction. Token ID: {tokenId} Issuer: {issuer} Audience: {audience} Effective time: {effectiveTime1} {effectiveTime2} Expiration time: {expirationTime1} {expirationTime2} Claim source: {claimSource} Authentication methods: Method		Time {transactionId}0 UPN: {transactionId}1 E-mail: {transactionId}2 Common name: {transactionId}3 Groups: ({transactionId}4 sensitive values omitted) {transactionId}5 Custom claims: Name		Value {transactionId}6 SIDs: {transactionId}7

Fields

Message

Transaction ID: {transactionId} This event contains the list of claims that were retrieved using the input credentials that were received as part of the referenced transaction. UPN: {userPrincipalName} E-mail: {email} Common name: {commonName} Groups: ({sensitiveGroupsOmitted} sensitive values omitted) {groups} Custom claims: Name		Value {customClaims} SIDs: {sidPresence}

Fields

Message

{messageId} Key identifier: {keyIdentifier} Error code: {errorCode} Token ID: {tokenId} Identity: {idClaim} Issuer: {issuer} Audience: {audience} Effective time: {effectiveTime1} {effectiveTime2} Expiration time: {messageId}0 {messageId}1 Claim source: {messageId}2 Authentication methods: Method		Time {messageId}3 UPN: {messageId}4 E-mail: {messageId}5 Common name: {messageId}6

Fields