Federation Service Authentication Web Pages

Applies To: Windows Server 2008

The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Events

Event ID: 697
Source: Microsoft-Windows-ADFS
Message: The LSAuthenticationObject method LogonClient was called with the anonymous WindowsIdentity. This condition occurs when LogonClient(WindowsIdentity) is called in a context where anonymous access has been enabled in Internet Information Services (IIS).
User Action:
Ensure that only integrated authentication is enabled for the ls/auth/integrated directory.
Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory.

Event ID: 698
Source: Microsoft-Windows-ADFS
Message: The ClientCredentialInfo static method CreateCertificateCredential was called in a context where no client certificate was available.
User Action:
Ensure that only anonymous access is enabled for the ls/auth/sslclient directory and that "Require client certificates" is selected in the Secure Communications dialog box.
Ensure that CreateCertificateCredential is called only from the authentication Web form in the ls/auth/sslclient directory.

Event ID: 699
Source: Microsoft-Windows-ADFS
Message: The LSAuthenticationObject method LogonClient was called, but the Federation Service trust policy does not define any account stores.
User Action:
If the Federation Service is intended to authenticate users, configure at least one account store. Otherwise, consider replacing clientlogon.aspx with a static page that indicates that logon is not supported.

Event ID: 700
Source: Microsoft-Windows-ADFS
Message: The LSAuthenticationObject method LogonClient was called with a WindowsIdentity, but the Federation Service has no Active Directory account store configured.
User Action:
If this Federation Service is intended to service integrated authentication logons to Active Directory Domain Services, configure the Active Directory Domain Services account store.
If this Federation Service is not intended to service integrated authentication logons to Active Directory Domain Services, consider replacing ls/auth/integrated/clientlogon.aspx with a static page that indicates that integrated authentication is not supported.

Event ID: 701
Source: Microsoft-Windows-ADFS
Message: The LSAuthenticationObject method LogonClient was called with certificate credentials, but only Active Directory Lightweight Directory Services (AD LDS) account stores are configured at the Federation Service. AD LDS account stores do not support certificate credentials.
User Action:
If this Federation Service is intended to service certificate authentication logons, configure the Active Directory Domain Services account store.
If this Federation Service is not intended to service certificate authentication logons, consider replacing ls/auth/sslclient/clientlogon.aspx with a static page that indicates that certificate authentication is not supported.
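The following PowerShell script is an added example, not part of this documentation or of the ADFS product: it verifies the IIS authentication settings that events 697 and 698 require for the ls/auth/integrated and ls/auth/sslclient directories, and lists any recent events 697 through 701 from the Microsoft-Windows-ADFS provider. It assumes the Federation Service Web pages sit under the default "Default Web Site/adfs/ls" virtual directory and that the WebAdministration IIS provider is loaded on the server.

```powershell
# Added example (assumed default site path; adjust $lsPath for a custom install).
Import-Module WebAdministration
$lsPath = 'IIS:\Sites\Default Web Site\adfs\ls'

# Returns $true when the named IIS authentication section is enabled for a path.
function Get-AuthEnabled {
    param([string]$PSPath, [string]$Section)
    (Get-WebConfigurationProperty -PSPath $PSPath `
        -Filter "system.webServer/security/authentication/$Section" `
        -Name enabled).Value
}

$results = @()

# Event 697 condition: ls/auth/integrated must allow integrated authentication only.
$integrated = "$lsPath\auth\integrated"
$results += [pscustomobject]@{
    Directory = 'ls/auth/integrated'
    Expected  = 'Windows Integrated only (no anonymous, no basic)'
    Ok        = (Get-AuthEnabled $integrated 'windowsAuthentication') -and
                -not (Get-AuthEnabled $integrated 'anonymousAuthentication') -and
                -not (Get-AuthEnabled $integrated 'basicAuthentication')
}

# Event 698 condition: ls/auth/sslclient must allow anonymous access only and
# require a client certificate (sslFlags contains SslRequireCert).
$sslclient = "$lsPath\auth\sslclient"
$sslFlags  = [string](Get-WebConfigurationProperty -PSPath $sslclient `
    -Filter 'system.webServer/security/access' -Name sslFlags).Value
$results += [pscustomobject]@{
    Directory = 'ls/auth/sslclient'
    Expected  = 'Anonymous only, SSL with client certificate required'
    Ok        = (Get-AuthEnabled $sslclient 'anonymousAuthentication') -and
                -not (Get-AuthEnabled $sslclient 'windowsAuthentication') -and
                ($sslFlags -match 'SslRequireCert')
}

$results | Format-Table -AutoSize

# Events 699-701 indicate missing account stores rather than IIS settings, so
# surface all five IDs from the event log for follow-up against the User Actions.
Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-ADFS'; Id = 697, 698, 699, 700, 701 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A directory that reports Ok = False should be corrected through IIS Manager or the WebAdministration provider before the corresponding clientlogon.aspx page is exercised again.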
