Troubleshooting configuration failures with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems with accessing or loading Federation Service configuration data.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Event or symptom | Possible cause | Resolution

Event ID 221
A change to the token service configuration was detected, but there was an error reloading the changes to configuration.

Possible cause: Network delays or time-outs may have occurred while the Federation Service was trying to reload service configuration data. This can happen when the federation server and the computer running SQL Server that hosts its configuration data are located in different sites and connected over high-latency network links.

Resolution: Consider relocating the computers that are used for the Federation Service and SQL Server closer to each other.

Event ID 326
Failed to load the AD FS claims policy engine.

The following are potential causes for this event condition:

  • The assembly that hosts the AD FS 2.0 policy engine (Microsoft.IdentityServer.ClaimsPolicy.dll) has been deleted from the AD FS 2.0 installation folder (%programfiles%\Active Directory Federation Services 2.0).

  • AD FS 2.0 configuration data was modified or corrupted to change the policy engine type.

This error is severe and indicates that the Federation Service is failing to evaluate policies and to complete any of the following policy-based decisions: determining access to configuration data, issuing tokens, or performing authorizations or other service operations.

Resolution: Investigate the full health of your AD FS 2.0 installation, and if necessary, reinstall AD FS 2.0 to correct the problem.

Event ID 352
A SQL Server operation in the AD FS configuration database with connection string %1 failed.

Possible cause: An error in SQL Server operations occurred when accessing AD FS 2.0 configuration data. If this event occurs along with event ID 221, the cause might be similar and related to that event.

Resolution: If event ID 221 also occurs when this event occurs, relocate the computers that are used for the Federation Service and SQL Server so that they are closer together.

Event ID 356
Failed to register notification to the SQL Server database with the connection string for a certain cache type. Changes to settings may not take effect until the Federation Service restarts.

Possible cause: The SQL Server service broker is disabled for the AdfsConfiguration database, or SQL Server is too busy.

The following are possible resolutions for this event:

  • Verify that the service broker is enabled by executing the following SQL query on the target computer that is running SQL Server:

    SELECT is_broker_enabled FROM sys.databases WHERE name = 'AdfsConfiguration'
  • If the service broker is not enabled, run the following SQL script on the target computer that is running SQL Server:

    ALTER DATABASE AdfsConfiguration SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE
  • If the service broker is already enabled, consider restarting the Federation Service.
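The check-and-fix sequence above, combined into one PowerShell script as an added example (this is not code from the original article or from Microsoft). It assumes the SQL Server instance name, that the account running it has Windows-integrated rights to read sys.databases and alter the AdfsConfiguration database, and that the AD FS 2.0 Windows Service is registered under the service name adfssrv.

```powershell
# Added example: query is_broker_enabled for AdfsConfiguration, enable the broker
# if it is off, then restart the Federation Service so it can register the
# notification again. Instance name and service name below are assumptions.
param(
    [string]$SqlServer   = 'SQL01\ADFS',        # assumed instance hosting the AD FS database
    [string]$Database    = 'AdfsConfiguration',  # database name from event ID 356 guidance
    [string]$ServiceName = 'adfssrv'             # assumed service name of the AD FS 2.0 service
)

$connectionString = "Server=$SqlServer;Database=master;Integrated Security=SSPI;"
$conn = New-Object System.Data.SqlClient.SqlConnection $connectionString
$conn.Open()
try {
    # Step 1: the same check the article gives, with the database name parameterised
    $check = $conn.CreateCommand()
    $check.CommandText = 'SELECT is_broker_enabled FROM sys.databases WHERE name = @db'
    [void]$check.Parameters.AddWithValue('@db', $Database)
    $enabled = $check.ExecuteScalar()
    if ($null -eq $enabled) { throw "Database '$Database' was not found on $SqlServer" }

    if ([bool]$enabled) {
        # Broker already on: the article's remaining resolution is a service restart
        Write-Host "Service Broker is already enabled on $Database; restarting $ServiceName."
    }
    else {
        # Step 2: enable the broker. ROLLBACK IMMEDIATE rolls back any open
        # transactions in the database, so run this in a maintenance window.
        Write-Host "Service Broker is disabled on $Database; enabling it."
        $alter = $conn.CreateCommand()
        # DDL cannot take the database name as a parameter, so quote it as an identifier
        $quoted = '[' + ($Database -replace '\]', ']]') + ']'
        $alter.CommandText = "ALTER DATABASE $quoted SET ENABLE_BROKER WITH ROLLBACK IMMEDIATE"
        [void]$alter.ExecuteNonQuery()
    }
}
finally {
    $conn.Close()
}

# Restart in both cases so the Federation Service retries the notification registration
Restart-Service -Name $ServiceName
Write-Host "$ServiceName restarted; check the AD FS 2.0 event log for a further event ID 356."
```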