Event ID 671 — Claims-Aware Application Membership/Role Provider

Applies To: Windows Server 2008

The membership and role providers of the AD FS Web Agent for claims-aware applications log the creation and management of user accounts, group accounts, and the roles that are associated with the claims-aware agent.

Event Details

Product: Windows Operating System
ID: 671
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: ProviderExceptionFromFedServer
Message: The AD FS role or membership provider was not able to retrieve configuration information from the Federation Service.
Federation Server URL: %1
Provider: %3

The current administrative action will fail.

User Action
This error generally indicates a protocol or networking failure. Check the following: (1) the Federation Service Uniform Resource Locator (URL) is properly configured, (2) the Federation Service is started, (3) the Federation Service is reachable from this computer, (4) the Federation Service Secure Sockets Layer (SSL) certificate chains to a root that is trusted by this computer.

Additional Data
An exception was returned from a Federation Service Web method.
Web Method: %2
Exception information:
%4

Resolve

Check the Federation Service and the SSL certificate

This error generally indicates a protocol or networking failure.

Ensure that the AD FS-enabled Web server can communicate with a valid Federation Service and that the application's web.config file is configured correctly.

Ensure that the server authentication certificate on every federation server in the farm chains to a root certificate that is trusted by the AD FS-enabled Web server (the computer that logged this event, which is the client of the Web method call) and that its subject name matches the host name in the Federation Service URL.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check that the Federation Service URL specified in the web.config file is valid:

  1. On the AD FS-enabled Web server that is hosting the claims-aware agent, locate the web.config file for your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check that the value between the fs tags is a valid Federation Service URL. To do this:
    1. On the AD FS-enabled Web server, copy the value between the fs tags in the web.config file, paste it into the address bar of a Web browser, and then press ENTER. For example, a valid Federation Service URL has the format https://fs1.treyresearch.net/adfs/fs/federationserverservice.asmx.
    2. If a Web page with the title FederationServerService is displayed, you have verified that the Web server can communicate with a resource federation server and that the Federation Service URL is valid. If the browser instead shows a certificate warning (untrusted issuer or name mismatch), the URL resolves but the SSL certificate fails one of the checks in the two procedures that follow; the provider applies the same validation and will fail in the same way.

To check that a certificate chains to a trusted root:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. In the console tree, click ComputerName, and then in the center pane double-click Server Certificates.

  3. Double-click the server authentication certificate.

  4. In the Certificate dialog box, click on the Certification Path tab.

  5. Read the description provided in the Certificate status text box.

    If the description indicates that the certificate is trusted, the certificate chains to a trusted root on the federation server.

    If the description indicates that the certificate is not trusted, the server authentication certificate does not chain to a trusted root. In this case, replace it with a server authentication certificate that is issued by a certification authority (CA) trusted by both the federation server and the AD FS-enabled Web server. Note that this check runs on the federation server; the provider's validation runs on the Web server, so a certificate that is trusted here can still fail there if the issuing CA's root is absent from the Web server's Trusted Root Certification Authorities store. Fix that by installing the root certificate on the Web server, not by disabling certificate validation.

To check that the certificate subject name matches the Federation Service URL:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click ComputerName, and then in the center pane double-click Server Certificates.
  3. Double-click the server authentication certificate.
  4. In the Certificate dialog box, click on the Details tab.
  5. In the list box, click Subject in the list, and record this value.
  6. Verify that the host name in the Subject value matches the host name portion of a valid Federation Service URL. To do this:
    1. On the federation server, record the fully qualified host name from the Subject value of the certificate. For example, if the Subject value contains CN=fs1.treyresearch.net, record fs1.treyresearch.net. Do not shorten it to the first label (fs1): the browser and the provider compare the name in the URL against the certificate's subject (or subject alternative name) exactly, and a short name that is not in the certificate produces a name-mismatch error.
    2. In the address bar of a Web browser, type https://, the recorded host name, and then /adfs/fs/federationserverservice.asmx, and press ENTER. For example, if the Subject value of the certificate is fs1.treyresearch.net, the URL is https://fs1.treyresearch.net/adfs/fs/federationserverservice.asmx.
    3. If a Web page with the title FederationServerService is displayed without a certificate warning, you have verified that the certificate has the correct Subject name value and that this host name is the one that belongs between the fs tags in web.config.
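The three procedures above (validating the URL between the fs tags, confirming the certificate chains to a trusted root, and confirming the subject name matches the URL host) can be run together from the AD FS-enabled Web server, which is the computer whose trust store actually matters for this event. The following PowerShell script is an added example, not part of the original article or of AD FS itself. It assumes PowerShell is installed on the Web server, that the web.config path passed in is the application's (the default below is a placeholder), and that the fs element can be located anywhere in the file with the XPath //fs. It performs the same HTTPS request the provider makes, with normal certificate validation left on, then reports the chain status and host name match of the certificate the federation server presented.

```powershell
# Added example (not from the original article): checks the Federation Service
# URL from web.config the way the claims-aware provider uses it.
# Assumptions: $WebConfigPath is the application's web.config (placeholder path
# below); the <fs> element is found with the XPath //fs.
param(
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\claimapp\web.config',  # assumed path
    [string]$ExpectedTitle = 'FederationServerService'
)

# 1. Read the Federation Service URL from the <fs> element.
[xml]$config = Get-Content -Path $WebConfigPath
$fsNode = $config.SelectSingleNode('//fs')
if ($fsNode -eq $null -or [string]::IsNullOrEmpty($fsNode.InnerText)) {
    throw "No <fs> element with a value was found in $WebConfigPath"
}
$fsUrl = $fsNode.InnerText.Trim()
$uri = [Uri]$fsUrl
if ($uri.Scheme -ne 'https') {
    throw "The Federation Service URL must use https:// (found '$fsUrl')"
}
Write-Host "Federation Service URL from web.config: $fsUrl"

# 2. Request the URL with full certificate validation, as the provider does.
#    WebExceptionStatus.TrustFailure means the certificate did not chain to a
#    trusted root on THIS computer or its name did not match $uri.Host.
$request = [System.Net.HttpWebRequest]::Create($uri)
$request.Method = 'GET'
$request.Timeout = 15000
$body = $null
try {
    $response = $request.GetResponse()
    $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
    $body = $reader.ReadToEnd()
    $reader.Close()
    $response.Close()
} catch [System.Net.WebException] {
    $ex = $_.Exception
    Write-Host "Request failed: $($ex.Status) - $($ex.Message)"
    if ($ex.Status -eq [System.Net.WebExceptionStatus]::TrustFailure) {
        Write-Host 'SSL validation failed on this Web server: see chain and host name results below.'
    }
}
if ($body -ne $null) {
    if ($body -match "<title>\s*$ExpectedTitle\s*</title>") {
        Write-Host "OK: page titled $ExpectedTitle returned; the URL is valid and reachable."
    } else {
        Write-Host "WARNING: the URL answered but did not return the $ExpectedTitle page."
    }
}

# 3. Inspect the certificate the federation server presented (available when
#    the handshake got far enough to receive it, even if validation failed).
$cert = $request.ServicePoint.Certificate
if ($cert -eq $null) {
    Write-Host 'No certificate captured: the TLS handshake did not complete (name resolution or connectivity problem).'
    return
}
$cert2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
Write-Host "Subject: $($cert2.Subject)"
Write-Host "Issuer:  $($cert2.Issuer)"
Write-Host "Expires: $($cert2.NotAfter)"

# Chain check against this computer's trust store (revocation skipped so the
# result isolates the trust-root question the event describes).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert2)) {
    Write-Host 'Chain: builds to a root trusted by this computer.'
} else {
    foreach ($s in $chain.ChainStatus) {
        Write-Host "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}

# Host name check: the Subject CN or a DNS entry in the Subject Alternative
# Name extension (OID 2.5.29.17) must equal the host name in the URL.
$names = @()
if ($cert2.Subject -match 'CN=([^,]+)') { $names += $matches[1].Trim() }
$san = $cert2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san -ne $null) {
    # Single-line format looks like "DNS Name=fs1.treyresearch.net, DNS Name=..."
    $san.Format($false) -split ',' | ForEach-Object {
        if ($_ -match 'DNS Name=(.+)') { $names += $matches[1].Trim() }
    }
}
if ($names -contains $uri.Host) {
    Write-Host "Host name: '$($uri.Host)' matches the certificate."
} else {
    Write-Host "Host name MISMATCH: '$($uri.Host)' is not among the certificate names: $($names -join ', ')"
}
```

Run it in an elevated PowerShell prompt on the AD FS-enabled Web server, passing the real web.config path. A TrustFailure together with a chain problem such as UntrustedRoot or PartialChain points at the Web server's certificate store; a TrustFailure with a clean chain but a host name mismatch points at the fs value or the certificate subject. Leave the default certificate validation in place rather than attaching a ServerCertificateValidationCallback that accepts everything; the event exists precisely because the provider refuses an untrusted server.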

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.

If a failure occurs, verify that the web.config file is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the web.config file is configured with a Federation Service URL value:

  1. On a resource federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, click Applications, right-click the application in the list that represents this claims-aware application, and then click Properties.
  3. Confirm that this is the application whose web.config you are checking, and then verify that the value between the fs tags in that web.config file is a valid Federation Service URL, as described in the Resolve section.
