Export (0) Print
Expand All

Federation Service Authentication Web Pages

Updated: February 27, 2008

Applies To: Windows Server 2008

The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Events

Event ID Source Message

697

Microsoft-Windows-ADFS

The LSAuthenticationObject method LogonClient was called with the anonymous WindowsIdentity. This condition occurs when LogonClient(WindowsIdentity) is called in a context where anonymous access has been enabled in Internet Information Services (IIS).

User Action
Ensure that only integrated authentication is enabled for the ls/auth/integrated directory.

Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory.

698

Microsoft-Windows-ADFS

The ClientCredentialInfo static method CreateCertificateCredential was called in a context where no client certificate was available.

User Action
Ensure that only anonymous access is enabled for the ls/auth/sslclient directory and that "Require client certificates" is selected in the Secure Communications dialog box.

Ensure that CreateCertificateCredential is called only from the authentication Web form in the ls/auth/sslclient directory.

699

Microsoft-Windows-ADFS

The LSAuthenticationObject method LogonClient was called, but the Federation Service trust policy does not define any account stores.

User Action
If the Federation Service is intended to authenticate users, configure at least one account store. Otherwise, consider replacing clientlogon.aspx with a static page that indicates that logon is not supported.

700

Microsoft-Windows-ADFS

The LSAuthenticationObject method LogonClient was called with a WindowsIdentity, but the Federation Service has no Active Directory account store configured.

User Action
If this Federation Service is intended to service integrated authentication logons to Active Directory Domain Services, configure the Active Directory Domain Services account store.

If this Federation Service is not intended to service integrated authentication logons to Active Directory Domain Services, consider replacing ls/auth/integrated/clientlogon.aspx with a static page that indicates that integrated authentication is not supported.

701

Microsoft-Windows-ADFS

The LSAuthenticationObject method LogonClient was called with certificate credentials, but only Active Directory Lightweight Directory Services (AD LDS) account stores are configured at the Federation Service. AD LDS account stores do not support certificate credentials.

User Action
If this Federation Service is intended to service certificate authentication logons, configure the Active Directory Domain Services account store.

If this Federation Service is not intended to service certificate authentication logons, consider replacing ls/auth/sslclient/clientlogon.aspx with a static page that indicates that certificate authentication is not supported.

Related Management Information

Federation Service

Active Directory Federation Services

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft