Updated: January 7, 2011
Applies To: Active Directory Federation Services (AD FS) 2.0
The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with trust management in Active Directory Federation Services (AD FS) 2.0.
Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.
Event or symptom | Possible cause | Resolution |
---|---|---|
Event ID 143 | The following are possible causes for this event: For more information about the cause of this event, see the additional details that are specified within the event. | Typically, if the event was caused by misconfiguration, check the additional data in the details for this event. Use that data to modify service properties appropriately. For example, the following is a possible resolution for this event: |
Event ID 155 | The AD FS 2.0 Windows service might not have permissions to access the Federation Metadata endpoint URL, or it might be blocked by more restrictive access control list (ACL) permissions that override its URL permissions. | Use the netsh commands for HTTP to check the URL ACL permissions on your Federation Metadata endpoint URL, or on other URLs that might be overriding permissions that the federation server's endpoints need. For more information, see the examples for netsh http show urlacl syntax in Netsh Commands for Hypertext Transfer Protocol (HTTP) (https://go.microsoft.com/fwlink/?LinkID=167789). The following example shows typical output for the netsh http show urlacl command when you check the Federation Metadata endpoint permissions where a user-defined service user account ("adfssrv") has been configured and used for the AD FS 2.0 service identity. |
Event ID 159 | The following are possible causes for this event: | The following are possible resolutions for this event: |
Event ID 164 | The following are possible causes for this event: | The following are possible resolutions for this event: |
Event ID 165 | For more information about the cause of this event, see the additional details that are specified within the event. | Use the additional data that is provided within this event to troubleshoot the problem. If the issue persists, contact product support for further assistance. |
Event ID 166 | Partner metadata does not comply with the WS-Federation 1.2 specification. | Use the additional data that is provided within this event to determine the parser location and the context of the compliance issue. For more information about WS-Federation 1.2, see the WS-Federation 1.2 specification (https://go.microsoft.com/fwlink/?LinkID=188673). |
Event ID 167 | The metadata document that the Federation Service received back from its trust partner contained unexpected data. | Use the additional details that are provided within this event to learn the exact context of the metadata document error. |
Event ID 168 | The SSL certificate used to secure the federation metadata retrieval of the trust is not trusted by the service account assigned to this Federation Service. Monitoring of the trust will fail. For more information about the cause of this event, see the additional details that are specified within the event. | The following are possible resolutions for this event: Ensure that the Federation Metadata URL is available. First, try visiting the configured URL in a web browser to troubleshoot the problem. Next, check for certificate errors. For more information, see About certificate errors (https://go.microsoft.com/fwlink/?LinkId=190867). If the web browser reports no certificate errors when accessing the federation metadata document, it is possible that the certificate is issued by an authority that is trusted in the user's certificate store but not in the local machine certificate store. By default, the SSL certificate for a relying party trust partner's website is not trusted. It should only be trusted once you can verify it securely. Once you have confirmed the authenticity of the certificate and are sure you can trust it, add the root certification authority (CA) of the SSL certificate for the relying party trust to the Local Computer Trusted Root Certification Authorities store on the monitoring computer or, in a farm scenario, on each federation server in the farm. Verify your proxy server setting. For more information about how to verify your proxy server setting, see Things to Check Before Troubleshooting AD FS 2.0. |
Event ID 173 | Some of the metadata that was received from the trust partner might have been ignored by the Federation Service. | Use the additional details that are provided within this event to verify that all Federation Metadata that is needed to maintain the trust has been applied. |
Event ID 174 | Differences in the metadata document that was returned to the Federation Service were ignored and not applied by the Federation Service. You can trace the exact cause of the difference to the additional data that is provided in the event. For example, if multiple WS-Federation endpoints were included, only the first compatible endpoint is used and applied. Another possible cause is that key metadata was included that was not in the form of an X.509 certificate. | Use the additional details that are provided within this event to verify that the critical Federation Metadata that is needed to maintain the trust was not ignored. |