Export (0) Print
Expand All

Federation Server Communication

Updated: February 27, 2008

Applies To: Windows Server 2008

Federation Server communication is communication between federation servers and federation server proxies. A federation server proxy should be updated from the Federation Service. Federation Server communication fails if the federation server proxy cannot be updated and the information in the trust policy is configured incorrectly.

Events

Event ID Source Message

605

Microsoft-Windows-ADFS

The Federation Service Proxy encountered an exception when it called a Federation Service Web method.
Federation Server URL: %1
Web method: %2
Proxy certificate thumbprint: %3

This may cause a user request to fail.

User Action
The exception details may give an indication of the precise problem.

Check network connectivity between the Federation Service Proxy and the Federation Service.

Ensure that the Federation Service is running.

Ensure that the Federation Service Proxy client authentication certificate has been added to the list of proxy authentication certificates in the Federation Service trust policy.

Ensure that the Federation Service Proxy client authentication certificate chains to a root that is trusted by the Federation Service.

Ensure that the Federation Service Proxy service account, which is set to Network Service by default, can access the private key of the certificate that was identified by the thumbprint '%3'.
Conditions that can prevent the Federation Service Proxy service account from having access to the certificate private key include the following:
(1) The certificate was installed from a file that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal certificate store.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service Proxy service account has not been granted Read access to the certificate's private key.

Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the Federation Service Proxy.

Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the Federation Service Proxy web.config uses the name that is the subject of the Federation Service IIS SSL server certificate.

Additional Data
Exception information:
%4

606

Microsoft-Windows-ADFS

The Federation Service did not produce an appropriate result.

This request will be failed.

User Action
If this condition persists, enable the AD FS troubleshooting log.

663

Microsoft-Windows-ADFS

A sign-in request was received, but no account stores or account partners are configured in the Federation Service trust policy.

Until at least one account store or account partner is configured in the trust policy, no sign-in requests can be processed.

User Action
Ensure that the Federation Service trust policy defines at least one account store or account partner.

This error may occur in the Federation Service Proxy when data replication from the Federation Service is delayed. To refresh the trust policy immediately, restart Internet Information Services (IIS) in the Federation Service Proxy.

685

Microsoft-Windows-ADFS

The Federation Service Proxy was not able to update trust information from the Federation Service. The Federation Service's Secure Sockets Layer (SSL) server certificate could not be validated.
Federation Service URL: %1

User Action
Verify that the Federation Service's SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store in the Federation Service Proxy.

Verify that the SSL server certificate is neither expired nor revoked.

Verify that the SSL server certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

689

Microsoft-Windows-ADFS

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an invalid operation.
FS URL: %1
Client certificate thumbprint: %2

This condition can occur when the path that is specified by the TEMP environment variable is not writable by the application pool identity. The TEMP path is used by the .NET Framework to create a temporary assembly that is used for SOAP communication.

User Action
Grant the application pool identity access to the path that is specified in the TEMP environment variable.

Additional Data
Exception information:
%3

690

Microsoft-Windows-ADFS

The Simple Object Access Protocol (SOAP) client object for communicating with the Federation Service could not be created because of an unknown exception.
FS URL: %1
Client certificate thumbprint: %2

Additional Data
Exception information:
%3

Related Management Information

Federation Service Proxy

Active Directory Federation Services

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft