Troubleshooting certificate problems with AD FS 2.0

Updated: February 16, 2012

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems working with certificates that are used by the Active Directory Federation Services (AD FS) 2.0 service.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Each entry below gives the event or symptom, followed by its possible cause and the resolution.

Event ID 249
A certificate could not be found in the certificate store. In certificate rollover scenarios, this can potentially cause a failure when the Federation Service is signing or decrypting using this certificate.

The specified certificate either does not exist in the local certificate store, or the AD FS 2.0 service account does not have permissions to access the certificate.

Ensure that the certificate (identified by its thumbprint in the event text) has been added to the LocalMachine\My store folder on the federation server computer. Also, verify that the AD FS 2.0 service account has access to the private key for this certificate. For more information, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 315
An error occurred during an attempt to build the certificate chain for the claims provider trust signing certificate.

The following are possible causes for this event:

  • The certificate has been revoked.

  • The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this claims provider trust.

  • The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the claims provider trust's signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the claims provider trust's signing certificate is valid and has not been revoked.

  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.

  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 316
An error occurred during an attempt to build the certificate chain for the relying party trust signing certificate.

The following are possible causes for this event:

  • The certificate has been revoked.

  • The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this relying party trust.

  • The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the relying party trust's signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the relying party trust's signing certificate is valid and has not been revoked.

  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.

  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 317
An error occurred during an attempt to build the certificate chain for the relying party trust encryption certificate.

The following are possible causes for this event:

  • The certificate has been revoked.

  • The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this relying party trust.

  • The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the relying party trust's encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the relying party trust's encryption certificate is valid and has not been revoked.

  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.

  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 319
An error occurred while the certificate chain for the client certificate was being built.

The following are possible causes for this event:

  • The client certificate has been revoked.

  • The certificate chain could not be verified as specified by the revocation settings of the client certificate.

  • The client certificate is not within its validity period.

Note

To configure the revocation settings for the client certificate, use the Set-ADFSProperties cmdlet with the ClientCertRevocationCheck parameter in Windows PowerShell for AD FS 2.0.

The following are possible resolutions to this event:

  • Ensure that the client certificate is valid and has not been revoked.

  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.

  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 360
A request was made to a certificate transport endpoint, but the request did not include a client certificate.

The following are possible causes for this event. During the TLS handshake the federation server asks the client for a certificate and typically advertises the certification authorities it trusts; a client whose certificate does not chain to one of them usually sends no certificate at all, which is why a trust or validity problem with the client certificate surfaces as a missing certificate:

  • The root certification authority (CA) certificate at the top of the chain that issued the client certificate is not in the Trusted Root Certification Authorities store on the federation server.

  • The client certificate is expired.

  • The client certificate is self-signed and is not trusted.

The following are possible resolutions for this event:

  • Ensure that the CA that issued the client certificate in this request has its certificate in the trusted root certification authority store on the local computer.

  • Ensure that the client certificate is not expired.

  • Use a trusted certificate to replace the self-signed certificate.
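The three causes listed for Event ID 360 can be separated from one another, and from revocation problems, by checking the client's certificate on the federation server with revocation checking turned off. The following PowerShell is an added example written for this page, not code from the AD FS 2.0 documentation; it assumes the client certificate has been exported to a .cer file at a path you supply.

```powershell
# Added example, not from the AD FS 2.0 documentation. Checks a client certificate
# exported from the client (.cer) against the causes listed for Event ID 360, with
# revocation checking disabled so that trust and validity problems are not confused
# with CRL problems. Run on the federation server that logged the event.
function Test-ClientCertificateTrust {
    param([Parameter(Mandatory=$true)][string]$Path)   # assumed: path to the exported .cer
    $cert = Get-PfxCertificate -FilePath $Path          # loads .cer as well as .pfx
    $now  = Get-Date

    # Build the chain against this server's stores, exactly as Schannel would, but without CRLs.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # The last element of the built chain is the highest certificate that could be found;
    # it is only a trusted root if it sits in LocalMachine\Root.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                          Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    $selfSigned  = ($cert.Subject -eq $cert.Issuer)

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Expired       = ($cert.NotAfter -lt $now)
        NotYetValid   = ($cert.NotBefore -gt $now)
        SelfSigned    = $selfSigned
        TopOfChain    = $top.Thumbprint
        RootInStore   = $rootTrusted
        ChainBuilt    = $built
        ChainStatus   = ($flags -join ',')
        # Which of the Event ID 360 causes this certificate matches, if any.
        LikelyCause   = $(if ($selfSigned -and -not $rootTrusted) { 'self-signed and not trusted' }
                          elseif (-not $rootTrusted)               { 'issuing chain does not end in LocalMachine\Root' }
                          elseif ($cert.NotAfter -lt $now)         { 'expired' }
                          else { 'trusted and valid here; check the client side' })
    }
}

# Usage (assumed file name):
# Test-ClientCertificateTrust -Path .\client.cer | Format-List
```

A result of "trusted and valid here" with the event still occurring points at the client: either it holds no usable private key for the certificate, or the certificate does not match the issuer list the server sends, which is a different list if the server has been configured not to advertise all of LocalMachine\Root.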

Event ID 374
An error occurred while building the certificate chain for the claims provider trust encryption certificate.

The following are possible causes for this event:

  • The certificate has been revoked.

  • The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this claims provider trust.

  • The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the claims provider trust's encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the claims provider trust's encryption certificate is valid and has not been revoked.

  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.

  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.
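The chain-building step that fails behind Event IDs 315, 316, 317 and 374 (and, with the service-wide ClientCertRevocationCheck setting, Event ID 319) can be reproduced outside the Federation Service so that the failing certificate and its chain status are visible. The following PowerShell is an added example written for this page, not code from the AD FS 2.0 documentation. The trust property names it reads (TokenSigningCertificates, RequestSigningCertificate, EncryptionCertificate and the two *RevocationCheck properties) and the mapping from the AD FS revocation setting names to X509Chain options are assumptions: verify them with Get-Member on your own trust objects.

```powershell
# Added example, not from the AD FS 2.0 documentation. Rebuilds the certificate chain
# for every claims provider and relying party trust certificate using the revocation
# setting configured on that trust, so that the certificate behind Event ID 315, 316,
# 317 or 374 can be identified. Run as an administrator on a federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Translate an AD FS revocation setting name (None, CheckEndCert, CheckEndCertCacheOnly,
# CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly)
# into X509Chain options. The mapping follows the setting names and is an assumption.
function ConvertTo-ChainPolicy {
    param([string]$RevocationSetting)
    $policy = New-Object System.Security.Cryptography.X509Certificates.X509ChainPolicy
    if ($RevocationSetting -eq 'None')             { $policy.RevocationMode = 'NoCheck' }
    elseif ($RevocationSetting -like '*CacheOnly') { $policy.RevocationMode = 'Offline' }  # cached CRLs only
    else                                           { $policy.RevocationMode = 'Online' }   # fetch CRL/OCSP
    if ($RevocationSetting -like 'CheckEndCert*')              { $policy.RevocationFlag = 'EndCertificateOnly' }
    elseif ($RevocationSetting -like 'CheckChainExcludeRoot*') { $policy.RevocationFlag = 'ExcludeRoot' }
    else                                                       { $policy.RevocationFlag = 'EntireChain' }
    return $policy
}

# Build the chain for one certificate and report the outcome as an object.
function Test-TrustCertificate {
    param([string]$Trust, [string]$Role,
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [string]$RevocationSetting)
    if (-not $Certificate) { return }           # the trust has no certificate of this kind
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy = ConvertTo-ChainPolicy $RevocationSetting
    $valid  = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    New-Object PSObject -Property @{
        Trust = $Trust; Role = $Role; Thumbprint = $Certificate.Thumbprint
        NotAfter = $Certificate.NotAfter; Revocation = $RevocationSetting
        ChainValid = $valid; ChainStatus = $(if ($valid) { 'OK' } else { $status })
    }
}

# Walk every trust; the number in the Role column is the event the check corresponds to.
function Get-AdfsTrustCertificateStatus {
    foreach ($cp in Get-ADFSClaimsProviderTrust) {
        foreach ($c in $cp.TokenSigningCertificates) {
            Test-TrustCertificate $cp.Name 'CP signing (315)' $c $cp.SigningCertificateRevocationCheck
        }
        Test-TrustCertificate $cp.Name 'CP encryption (374)' $cp.EncryptionCertificate $cp.EncryptionCertificateRevocationCheck
    }
    foreach ($rp in Get-ADFSRelyingPartyTrust) {
        foreach ($c in $rp.RequestSigningCertificate) {
            Test-TrustCertificate $rp.Name 'RP signing (316)' $c $rp.SigningCertificateRevocationCheck
        }
        Test-TrustCertificate $rp.Name 'RP encryption (317)' $rp.EncryptionCertificate $rp.EncryptionCertificateRevocationCheck
    }
}

Get-AdfsTrustCertificateStatus |
    Format-Table Trust, Role, Revocation, ChainValid, ChainStatus, NotAfter -AutoSize

# Event ID 319 uses the service-wide setting instead; the same helper applies to a client
# certificate exported from the client (assumed file name):
# Test-TrustCertificate 'client' 'client (319)' (Get-PfxCertificate .\client.cer) (Get-ADFSProperties).ClientCertRevocationCheck
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation means the CRL distribution point in the certificate could not be reached from the federation server, which is the proxy case in the resolutions above; NotTimeValid and Revoked correspond to the other two causes. Changing the setting to None makes the event stop, but it also means a partner signing key that the partner has revoked after a compromise is still accepted at token acceptance; restore CRL reachability first and treat a change to None as an accepted risk rather than a fix.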

Event ID 381
An error occurred during an attempt to build the certificate chain for a configuration certificate.

This event occurs whenever the Federation Service updates its service state or tries to refresh its cached certificate configuration data. If the configuration has changed so that one of the configured certificates is invalid when a refresh occurs, this event is logged.

The following are possible causes for this event:

  • The certificate has been revoked.

  • The certificate is not within its validity period.

Ensure that the certificate is valid and has not been revoked or expired.

Event ID 385
AD FS 2.0 detected that one or more certificates in the AD FS 2.0 configuration database need to be updated manually.

This event occurs because one or more certificates are expired, or will expire soon.

If automatic certificate rollover is enabled (the AutoCertificateRollover property shown by Get-ADFSProperties), AD FS 2.0 generates new self-signed token-signing and token-decrypting certificates before the current ones expire and this issue resolves on its own; trust partners that do not consume your federation metadata must still be given the new public keys, or they will reject your tokens once the new certificate becomes primary. The service communications certificate, and any token-signing or token-decrypting certificate that you obtained from a CA, is never rolled over. In those cases, refer to the thumbprint or other certificate-identifying data in the additional details section of the event itself. After you identify the certificate that caused this event to occur, manually update the certificate to correct the problem.

Event ID 387
AD FS 2.0 detected that one or more of the certificates that are specified in the Federation Service were not accessible to the service account that is used by the AD FS 2.0 Windows Service.

The AD FS 2.0 service account does not have permissions to read the private keys for the configured certificates.

Ensure that the AD FS 2.0 service account has read permissions on the certificate private keys. For more information, see Confirm that private keys for certificates are accessible by the AD FS service user account.
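Both Event ID 249 (certificate not found, or not usable by the service account) and Event ID 387 (private key not readable by the service account) come down to the same two checks: is the certificate with the thumbprint quoted in the event in LocalMachine\My, and does the service account have read access to its private key. The following PowerShell is an added example written for this page, not code from the AD FS 2.0 documentation; the thumbprint is the one from your event text, and the service account is read from the adfssrv service unless you supply it.

```powershell
# Added example, not from the AD FS 2.0 documentation. Finds the certificate named by
# thumbprint in Event ID 249 in LocalMachine\My and reports whether the AD FS 2.0
# service account holds read access on its private key file (the cause of Event ID 387).
# Run as an administrator on the federation server.
function Test-AdfsPrivateKeyAccess {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        # Default: the account the AD FS 2.0 Windows Service (adfssrv) runs as.
        [string]$ServiceAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
    )
    # Thumbprints pasted from the event log often carry spaces or an invisible leading character.
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }

    $result = New-Object PSObject -Property @{
        Thumbprint = $thumb; Found = [bool]$cert; HasPrivateKey = $false; KeyFile = $null
        ServiceAccount = $ServiceAccount; ServiceAccountCanRead = $false; AllowedReaders = $null
    }
    if (-not $cert) { return $result }                 # Event 249, first cause: not in the store
    $result.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) { return $result }   # public certificate only; nothing to sign with

    # AD FS 2.0 uses CAPI (CSP) keys. A machine key is a file under MachineKeys and the
    # file ACL decides who can use it. CNG (KSP) keys are not supported by AD FS 2.0 and
    # expose no PrivateKey object here.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $result.KeyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"

    $read    = [int][System.Security.AccessControl.FileSystemRights]::Read
    $readers = (Get-Acl $result.KeyFile).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ((([int]$_.FileSystemRights) -band $read) -eq $read)
    } | ForEach-Object { $_.IdentityReference.Value }
    $result.AllowedReaders = @($readers) -join ', '
    # Direct ACEs only: access the service account gets through a group is not detected here.
    $result.ServiceAccountCanRead = [bool]($readers | Where-Object { $_ -eq $ServiceAccount })
    return $result
}

# Usage: paste the thumbprint from the event text (placeholder value shown).
# Test-AdfsPrivateKeyAccess -Thumbprint '1A2B3C...' | Format-List
```

If ServiceAccountCanRead is false but AllowedReaders lists a group the account belongs to, access is fine and the event has another cause. If nothing grants the account read access, grant it from the Certificates MMC snap-in (All Tasks, Manage Private Keys) on the federation server; read access is enough, the service does not need full control of the key file.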

Event ID 389
AD FS 2.0 detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon.

This event occurs because the certificates that are configured for one or more claims provider trusts or relying party trusts are expired, or will expire soon.

If you manually created the trust, you must update the certificate configuration yourself. If you created the trust from federation metadata and left metadata monitoring and automatic update enabled for it (the MonitoringEnabled and AutoUpdateEnabled parameters of the Set-ADFSClaimsProviderTrust and Set-ADFSRelyingPartyTrust cmdlets), the certificate configuration updates dynamically from the partner's published metadata.

Note

For dynamic update to occur reliably, your trust partner must have updated the certificate that is expired, or that will expire soon, in their configuration.
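Events 385 and 389 are raised before the certificates actually expire, so the useful check is an inventory of every certificate the Federation Service and its trusts depend on, with the number of days left and whether one of the automatic mechanisms described above (certificate rollover for service certificates, metadata monitoring for trusts) will replace it. The following PowerShell is an added example written for this page, not code from the AD FS 2.0 documentation; the CertificateType strings and the trust property names (MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, TokenSigningCertificates, RequestSigningCertificate, EncryptionCertificate) are assumptions to verify with Get-Member.

```powershell
# Added example, not from the AD FS 2.0 documentation. Inventories the certificates that
# Event ID 385 (service certificates) and Event ID 389 (trust certificates) warn about,
# with days to expiry and whether AD FS 2.0 will replace each one on its own.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# One row per certificate; NeedsManualUpdate is what the two events are really asking about.
function New-ExpiryRow {
    param($Owner, $Use, $Cert, $AutoRenew, $Now, $WarnDays)
    if (-not $Cert) { return }                 # trust has no certificate of this kind
    $days = [int]($Cert.NotAfter - $Now).TotalDays
    New-Object PSObject -Property @{
        Owner = $Owner; Use = $Use; Thumbprint = $Cert.Thumbprint
        NotAfter = $Cert.NotAfter; DaysLeft = $days; AutoRenew = [bool]$AutoRenew
        NeedsManualUpdate = (($days -le $WarnDays) -and -not $AutoRenew)
    }
}

function Get-AdfsCertificateExpiry {
    param([int]$WarnDays = 30)
    $now   = Get-Date
    $props = Get-ADFSProperties

    # Event ID 385: certificates the Federation Service itself uses. Rollover regenerates the
    # self-signed token-signing and token-decrypting certificates; it never touches the
    # service communications certificate. CertificateType strings are assumed.
    foreach ($c in Get-ADFSCertificate) {
        $rollover = $props.AutoCertificateRollover -and ($c.CertificateType -ne 'Service-Communications')
        New-ExpiryRow 'Federation Service' "$($c.CertificateType) (primary=$($c.IsPrimary))" `
                      $c.Certificate $rollover $now $WarnDays
    }

    # Event ID 389: partner certificates. Dynamic update needs a metadata URL on the trust
    # and both monitoring and automatic update switched on for it.
    foreach ($cp in Get-ADFSClaimsProviderTrust) {
        $auto = [bool]($cp.MetadataUrl -and $cp.MonitoringEnabled -and $cp.AutoUpdateEnabled)
        foreach ($s in $cp.TokenSigningCertificates) { New-ExpiryRow $cp.Name 'CP signing' $s $auto $now $WarnDays }
        New-ExpiryRow $cp.Name 'CP encryption' $cp.EncryptionCertificate $auto $now $WarnDays
    }
    foreach ($rp in Get-ADFSRelyingPartyTrust) {
        $auto = [bool]($rp.MetadataUrl -and $rp.MonitoringEnabled -and $rp.AutoUpdateEnabled)
        foreach ($s in $rp.RequestSigningCertificate) { New-ExpiryRow $rp.Name 'RP signing' $s $auto $now $WarnDays }
        New-ExpiryRow $rp.Name 'RP encryption' $rp.EncryptionCertificate $auto $now $WarnDays
    }
}

# Soonest expiry first; anything with NeedsManualUpdate = True is work for you, not for AD FS.
Get-AdfsCertificateExpiry -WarnDays 30 | Sort-Object DaysLeft |
    Format-Table Owner, Use, DaysLeft, AutoRenew, NeedsManualUpdate, Thumbprint -AutoSize
```

AutoRenew being true for a trust only means this side will pick up the partner's new certificate; as the note above says, the partner still has to publish it in their metadata before the old one expires, so rows with AutoRenew = True and few days left are worth a conversation with the partner rather than silence.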

How certificates are used and checked by AD FS 2.0

The following table can be helpful in determining the certificate that is the root cause of an error in your AD FS 2.0 certificate configuration.

For each certificate, the entries below give the scenario in which AD FS 2.0 checks the certificate (including CRL checking according to the configured revocation setting), the protocols affected, the operation during which the check occurs, the event thrown on failure, and whether the certificate's validity period is checked.

Relying party

Relying party signing certificate

  Scenario: AD FS 2.0 receives a signed SAML-P request sent by a relying party.
  Protocols affected: SAML-P
  Occurs during: Sign in
  Event thrown: Event ID 316
  Expiration check: Yes

  Note

  Requiring signing of sign-in requests is a configurable option. To set this requirement for a relying party trust, use the RequireSignedSamlRequests parameter with the Set-ADFSRelyingPartyTrust cmdlet.

  Scenario: AD FS 2.0 receives a signed SAML sign-out request from the relying party (sign-out requests must be signed).
  Protocols affected: SAML-P
  Occurs during: Sign out (POST or Redirect binding)
  Event thrown: Event ID 316
  Expiration check: Yes

Relying party encryption certificate

  Scenario: AD FS 2.0 receives a sign-out request from a claims provider and encrypts a sign-out request for the relying party. In this scenario, the claims provider initiates sign-out.
  Protocols affected: SAML-P/WS-*
  Occurs during: Sign-out request (POST or Redirect binding)
  Event thrown: Event ID 317
  Expiration check: Yes

  Scenario: AD FS 2.0 issues an encrypted token for a relying party.
  Protocols affected: SAML-P/WS-*
  Occurs during: Token issuance
  Event thrown: Event ID 317
  Expiration check: Yes

Claims provider

Claims provider signing certificate

  Scenario: AD FS 2.0 receives an issued token from a claims provider.
  Protocols affected: SAML-P/WS-*
  Occurs during: Token acceptance
  Event thrown: Event ID 315
  Expiration check: Yes

  Scenario: AD FS 2.0 receives a signed SAML sign-out request from a claims provider. In this scenario, the sign-out request must be signed.
  Protocols affected: SAML-P
  Occurs during: Sign-out request (POST or Redirect binding)
  Event thrown: Event ID 315
  Expiration check: Yes

Claims provider encryption certificate

  Scenario: AD FS 2.0 receives a sign-out request from a relying party and encrypts a sign-out request for the claims provider.
  Protocols affected: SAML-P
  Occurs during: Sign out
  Event thrown: Event ID 374
  Expiration check: Yes

Self

Self-issued signing certificate

  Scenario: AD FS 2.0 issues a token for a relying party.
  Protocols affected: SAML-P/WS-*
  Occurs during: Token issuance
  Event thrown: None
  Expiration check: Yes

Self-issued encryption certificate

  Scenario: AD FS 2.0 accepts an encrypted token from a claims provider.
  Protocols affected: SAML-P/WS-*
  Occurs during: Token acceptance
  Event thrown: None
  Expiration check: No