Federation Server Communication

Applies To: Windows Server 2008

Federation server communication is the traffic between federation servers and federation server proxies. A federation server proxy retrieves its trust policy from the Federation Service and should be updated from it. Federation server communication fails when the federation server proxy cannot be updated and when the information in the trust policy is configured incorrectly.

Events

Each event below is listed with its Event ID, its Source, and its Message, followed by the recommended User Action.

Event ID: 605
Source: Microsoft-Windows-ADFS
Message:

The Federation Service Proxy encountered an exception when it called a Federation Service Web method.
Federation Server URL: %1
Web method: %2
Proxy certificate thumbprint: %3

This may cause a user request to fail.

User Action
The exception details may give an indication of the precise problem.

Check network connectivity between the Federation Service Proxy and the Federation Service.

Ensure that the Federation Service is running.

Ensure that the Federation Service Proxy client authentication certificate has been added to the list of proxy authentication certificates in the Federation Service trust policy.

Ensure that the Federation Service Proxy client authentication certificate chains to a root that is trusted by the Federation Service.

Ensure that the Federation Service Proxy service account, which is set to Network Service by default, can access the private key of the certificate that was identified by the thumbprint '%3'.
Conditions that can prevent the Federation Service Proxy service account from having access to the certificate private key include the following:
(1) The certificate was installed from a file that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal certificate store.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service Proxy service account has not been granted Read access to the certificate's private key.

Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the Federation Service Proxy.

Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the Federation Service Proxy web.config uses the name that is the subject of the Federation Service IIS SSL server certificate.

Additional Data
Exception information:
%4

Event ID: 606
Source: Microsoft-Windows-ADFS
Message:

The Federation Service did not produce an appropriate result.

This request will be failed.

User Action
If this condition persists, enable the AD FS troubleshooting log.

Event ID: 663
Source: Microsoft-Windows-ADFS
Message:

A sign-in request was received, but no account stores or account partners are configured in the Federation Service trust policy.

Until at least one account store or account partner is configured in the trust policy, no sign-in requests can be processed.

User Action
Ensure that the Federation Service trust policy defines at least one account store or account partner.

This error may occur in the Federation Service Proxy when data replication from the Federation Service is delayed. To refresh the trust policy immediately, restart Internet Information Services (IIS) in the Federation Service Proxy.

Event ID: 685
Source: Microsoft-Windows-ADFS
Message:

The Federation Service Proxy was not able to update trust information from the Federation Service. The Federation Service's Secure Sockets Layer (SSL) server certificate could not be validated.
Federation Service URL: %1

User Action
Verify that the Federation Service's SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store in the Federation Service Proxy.

Verify that the SSL server certificate is neither expired nor revoked.

Verify that the SSL server certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).
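The certificate checks that events 605 and 685 ask for (the proxy client certificate's private key access on the federation server proxy, and the Federation Service SSL certificate's trust chain, validity period, revocation status and subject name) can be scripted. The PowerShell below is an added example written for this page; it is not AD FS code and not part of the original article. It assumes it is run in an elevated PowerShell on the federation server proxy, that the proxy client certificate uses an RSA CSP key in the machine key container, and that $FsUrl and $Thumbprint are replaced with the values reported in the event (%1 and %3); the values shown are placeholders.

```powershell
# Added example for this page, not AD FS code. Run elevated on the federation server proxy.
# Placeholders: substitute the Federation Service URL (%1) and proxy certificate thumbprint (%3)
# reported in event 605.
$FsUrl        = 'https://fs.example.com/adfs/fs/federationserverservice.asmx'   # placeholder
$Thumbprint   = '0000000000000000000000000000000000000000'                     # placeholder
$ProxyAccount = 'NT AUTHORITY\NETWORK SERVICE'                                 # AD FS proxy default

function Test-CertificateChain {
    # Builds the chain against this machine's certificate stores. The proxy runs as a service and
    # sees the Local Computer stores, so run this as an administrator for a comparable view.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [switch]$CheckRevocation)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = if ($CheckRevocation) { 'Online' } else { 'NoCheck' }
    $ok = $chain.Build($Cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) { Write-Warning ("Chain: {0} {1}" -f $s.Status, $s.StatusInformation.Trim()) }
    }
    return $ok
}

function Test-ProxyClientCertificate {
    # Event 605 checks (1)-(4): certificate in the Local Computer Personal store, private key present,
    # and Read on the key container file granted to the proxy service account.
    param([string]$Thumbprint, [string]$Account)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { Write-Warning "No certificate $Thumbprint in LocalMachine\My (imported into a user store?)"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key (.cer/.p7b import, or request without Machine Key)'; return $false }
    try {
        # RSA CSP machine keys are files in the MachineKeys folder named by a per-key container name.
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    } catch {
        Write-Warning "Private key is not accessible to the current user: $($_.Exception.Message)"; return $false
    }
    if (-not $keyName) { Write-Warning 'Key is not an RSA CSP machine key; inspect its ACL manually'; return $false }
    $keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $keyName
    $sid  = (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    # Only ACEs naming the account directly are inspected; group-based grants are not expanded.
    $allowed = (Get-Acl $keyFile).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $sid -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    if (-not $allowed) { Write-Warning "$Account has no Read ACE on key file $keyFile"; return $false }
    return (Test-CertificateChain -Cert $cert)
}

function Test-FederationServerSslCertificate {
    # Event 685 checks: the Federation Service SSL certificate chains to a trusted root, is within its
    # validity period and not revoked, and its subject (or a SAN entry) names the URL's host.
    param([string]$FsUrl)
    $uri      = [Uri]$FsUrl
    $hostName = $uri.Host
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, $uri.Port)
    # The callback accepts every certificate so the handshake completes and the script can inspect it.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($hostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    $now    = Get-Date
    $timeOk = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    if (-not $timeOk) { Write-Warning "SSL certificate is not valid now: $($cert.NotBefore) - $($cert.NotAfter)" }
    $chainOk = Test-CertificateChain -Cert $cert -CheckRevocation
    # Collect the subject's DNS name plus any Subject Alternative Name entries (OID 2.5.29.17).
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() } }
    # -like handles a leading wildcard such as *.example.com; a plain name must match exactly.
    $nameOk = [bool]($names | Where-Object { $hostName -like $_ })
    if (-not $nameOk) { Write-Warning "Host '$hostName' does not match certificate names: $($names -join ', ')" }
    return ($timeOk -and $chainOk -and $nameOk)
}

$clientOk = Test-ProxyClientCertificate -Thumbprint $Thumbprint -Account $ProxyAccount
$serverOk = Test-FederationServerSslCertificate -FsUrl $FsUrl
"Proxy client certificate OK: $clientOk; Federation Service SSL certificate OK: $serverOk"
```

Each failed check writes a warning that maps back to one of the numbered conditions in the event text, so the output can be read next to the event. The private key check inspects only ACEs that name the service account directly; if access is granted through a group, confirm it in the certificate's Manage Private Keys dialog instead.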

Event ID: 689
Source: Microsoft-Windows-ADFS
Message:

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an invalid operation.
FS URL: %1
Client certificate thumbprint: %2

This condition can occur when the path that is specified by the TEMP environment variable is not writable by the application pool identity. The TEMP path is used by the .NET Framework to create a temporary assembly that is used for SOAP communication.

User Action
Grant the application pool identity access to the path that is specified in the TEMP environment variable.

Additional Data
Exception information:
%3
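The remedy for event 689 is a file-system permission change, which can be verified and applied with a short script. The PowerShell below is an added example written for this page, not AD FS code and not from the original article. It assumes the application pool runs as NETWORK SERVICE and that its TEMP variable resolves to %SystemRoot%\Temp; both are placeholders, and the real values for the proxy's application pool should be substituted.

```powershell
# Added example for this page, not AD FS code. Checks whether the application pool identity can
# write to its TEMP path and, if not, grants it Modify access (the remedy for event 689).
# Placeholders: substitute the real application pool identity and its resolved TEMP path.
$AppPoolIdentity = 'NT AUTHORITY\NETWORK SERVICE'
$TempPath        = Join-Path $env:SystemRoot 'Temp'

function Test-PathWritableBy {
    param([string]$Path, [string]$Account)
    if (-not (Test-Path -Path $Path -PathType Container)) { Write-Warning "$Path does not exist"; return $false }
    $accountSid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
                      [System.Security.Principal.SecurityIdentifier]).Value
    # Groups a service account belongs to by default (directly or via Authenticated Users), so a
    # grant to one of them counts as well: Everyone, Authenticated Users, Users.
    $sids  = @($accountSid, 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    # Read the rules with SID identities so no account-name translation is needed.
    $rules = (Get-Acl $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $sids -contains $_.IdentityReference.Value }
    # A Deny ACE covering any write right wins over every Allow ACE.
    $denied = $rules | Where-Object { $_.AccessControlType -eq 'Deny' -and (($_.FileSystemRights -band $write) -ne 0) }
    if ($denied) { Write-Warning "$Account is explicitly denied write access to $Path"; return $false }
    # Generic-right ACEs (values outside FileSystemRights) are not interpreted here.
    $allowed = $rules | Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $write) -eq $write) }
    if (-not $allowed) { Write-Warning "$Account has no ACE granting write access to $Path"; return $false }
    return $true
}

function Grant-ModifyAccess {
    # Adds an inheritable Modify ACE for the account on the folder and everything beneath it.
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $Account, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-PathWritableBy -Path $TempPath -Account $AppPoolIdentity)) {
    Grant-ModifyAccess -Path $TempPath -Account $AppPoolIdentity
    "Granted Modify on $TempPath to $AppPoolIdentity"
} else {
    "$AppPoolIdentity can already write to $TempPath"
}
```

Modify rather than Full Control is granted because the .NET Framework only needs to create, write and delete its temporary assembly files; the application pool identity does not need to change permissions on the folder.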

Event ID: 690
Source: Microsoft-Windows-ADFS
Message:

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an unknown exception.
FS URL: %1
Client certificate thumbprint: %2

Additional Data
Exception information:
%3
