Troubleshooting artifact service problems with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you have problems with the artifact resolution service in Active Directory Federation Services (AD FS) 2.0.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Event or symptom | Possible cause | Resolution

Event ID 250
Expiration of the artifact failed.

This event can indicate either that there is a problem with the artifact storage service itself, or that the artifact in question has already expired. Some of the possible causes for this event include the following:

  • The artifact database connection string is incorrect and cannot be used to connect to the artifact database server as it is currently configured.

  • Artifact service configuration is an unsupported database configuration: for example, if you are trying to enable the artifact service and are using the Windows Internal Database (WID) within a federation server farm deployment. In a farm deployment, you can use only a remote SQL Server database. Likewise, in a stand-alone federation server deployment, only WID is supported for artifact storage.

  • The artifact could not be expired. This means that the artifact service failed to remove the artifact from the artifact database within its configured artifact database scavenging interval (five minutes).

For more specific information about the cause of this event, see the additional data that is provided in the event.

Review the additional data provided in this event to determine the exact cause, and to decide on appropriate resolution steps. Some of the possible resolutions for this event include the following:

  • Ensure that the artifact storage server is configured correctly. You can review the ArtifactDbConnection property by executing the Get-ADFSProperties cmdlet. If necessary, you can modify it by using the ArtifactDbConnection parameter with the Set-ADFSProperties cmdlet.

  • Verify that you are using the correct supported artifact database platform to provide artifact resolution service for your AD FS 2.0 deployment: either WID for a stand-alone server deployment, or remote SQL Server for a farm deployment.

  • If the artifact database connection string and selected database platform choice are correct, verify network and database connectivity to the artifact storage server.

Event ID 291
The artifact resolution service could not be started.

One possible cause for this event is that the artifact service cannot connect to the artifact database.

For more specific information about the cause of this event, see the additional data that is provided in the event.

Ensure that the artifact connection to the artifact storage server is configured correctly. You can review the ArtifactDbConnection property by executing the Get-ADFSProperties cmdlet. If necessary, you can modify it by using the ArtifactDbConnection parameter with the Set-ADFSProperties cmdlet.

Additional events that are related to problems with the artifact database might also occur together with this event. For more information, see Troubleshooting artifact database errors with AD FS 2.0.

Event ID 292
The artifact resolution service could not verify request signature.

The signing certificate for the relying party trust is not up to date, or the signature algorithm does not match the expected algorithm.

Ensure that the relying party signing certificate is configured correctly for the relying party trust by using the AD FS 2.0 snap-in. Also, verify that the signature algorithm matches the expected algorithm. You can view or change this setting on the Advanced tab of the relying party trust properties.

Event ID 293
A Security Assertion Markup Language (SAML) request for the required artifact was rejected.

The artifact resolution service is not turned on, or the artifact service cannot connect to the artifact database.

Use the AD FS 2.0 snap-in to configure or turn on the SAML artifact resolution endpoint. Also, ensure that the artifact connection to the artifact storage server is configured correctly. You can review the ArtifactDbConnection property by executing the Get-ADFSProperties cmdlet. If necessary, you can modify it by using the ArtifactDbConnection parameter with the Set-ADFSProperties cmdlet.

Event ID 294
The SAML artifact resolution request specified an issuer that is not configured for the relying party.

The issuer that is specified in the SAML artifact resolution request is not configured at the relying party. This could be because an identifier is missing from the list of identifiers for the relying party trust.

Ensure that the relying party is configured correctly by using the AD FS 2.0 snap-in. Review the additional details in the event to determine whether the issuer is an identifier that must be specified in the relying party trust properties. If it is missing, add it to the list.
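As an added example that is not part of this article, the following PowerShell script performs the checks that the Event ID 250, 291 and 293 resolutions describe: it lists recent artifact events, reviews the ArtifactDbConnection property, identifies the database platform, tests connectivity with the same connection string the artifact service uses, and reports whether the SAML artifact resolution endpoint is enabled. It assumes the Microsoft.Adfs.PowerShell snap-in is installed on the federation server and that the AD FS 2.0 Admin log is named "AD FS 2.0/Admin"; the WID pipe-name test and the endpoint filter are assumptions, and the Set-ADFSProperties value shown in the comment is a placeholder.

```powershell
# Added diagnostic script (not from the TechNet article). Run elevated on the federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Recent artifact service events covered by the table above (log name is an assumption).
$artifactEventIds = 250, 291, 292, 293, 294
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = $artifactEventIds } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 2. Review the artifact database connection string (ArtifactDbConnection).
$connString = (Get-ADFSProperties).ArtifactDbConnection
Write-Host "ArtifactDbConnection: $connString"

# 3. Identify the platform the string points at. Assumption: WID on Windows Server 2008/2008 R2
#    listens on a named pipe containing MICROSOFT##SSEE; anything else is treated as SQL Server.
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder $connString
if ($builder.DataSource -match '##SSEE|##WID') {
    Write-Host 'Platform: Windows Internal Database (supported for a stand-alone federation server only)'
} else {
    Write-Host "Platform: SQL Server at '$($builder.DataSource)' (required for a federation server farm)"
}

# 4. Open the database with exactly the string the artifact service uses.
$conn = New-Object System.Data.SqlClient.SqlConnection $connString
try {
    $conn.Open()
    Write-Host "Connected to database '$($conn.Database)' on '$($conn.DataSource)'"
} catch {
    Write-Warning "Cannot open artifact database: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}

# 5. Is the SAML artifact resolution endpoint enabled? (Relevant to Event ID 293.)
#    Assumption: the endpoint's AddressPath contains 'artifactresolution'.
Get-ADFSEndpoint | Where-Object { $_.AddressPath -like '*artifactresolution*' } |
    Select-Object AddressPath, Enabled

# To correct the connection string, use the ArtifactDbConnection parameter; the value below is a placeholder:
# Set-ADFSProperties -ArtifactDbConnection 'Data Source=<SQL-SERVER>;Initial Catalog=<ARTIFACT-DB>;Integrated Security=True'
```

If step 4 fails while the string and platform look correct, the article's remaining advice applies: verify network and database connectivity to the artifact storage server.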