Event ID 605 — Federation Server Communication

Applies To: Windows Server 2008

Federation server communication is the traffic between federation servers and federation server proxies. A federation server proxy should be updated from the Federation Service. Federation server communication fails if the federation server proxy cannot be updated and the information in the trust policy is configured incorrectly.

Event Details

Product: Windows Operating System
ID: 605
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: ExceptionFromFedServer
Message: The Federation Service Proxy encountered an exception when it called a Federation Service Web method.
Federation Server URL: %1
Web method: %2
Proxy certificate thumbprint: %3

This may cause a user request to fail.

User Action
The exception details may give an indication of the precise problem.

Check network connectivity between the Federation Service Proxy and the Federation Service.

Ensure that the Federation Service is running.

Ensure that the Federation Service Proxy client authentication certificate has been added to the list of proxy authentication certificates in the Federation Service trust policy.

Ensure that the Federation Service Proxy client authentication certificate chains to a root that is trusted by the Federation Service.

Ensure that the Federation Service Proxy service account, which is set to Network Service by default, can access the private key of the certificate that was identified by the thumbprint '%3'.
Conditions that can prevent the Federation Service Proxy service account from having access to the certificate private key include the following:
(1) The certificate was installed from a file that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal certificate store.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service Proxy service account has not been granted Read access to the certificate's private key.

Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the Federation Service Proxy.

Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the Federation Service Proxy web.config uses the name that is the subject of the Federation Service IIS SSL server certificate.

Additional Data
Exception information:
%4
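The checks above can be scripted on the federation server proxy. The following PowerShell script is an added example and is not part of the original page or of ADFS itself. It takes the thumbprint reported as %3 and the URL reported as %1, confirms the proxy certificate is in the Local Computer Personal store with a private key that the service account can read (conditions 1 to 4), and then connects to the Federation Service to check that its IIS SSL certificate chains to a trusted root and that its subject name matches the URL host. The service account defaults to Network Service as the page states; the key-container path assumes an RSA key held by a legacy CSP, which is what the page's era uses, and is an assumption.

```powershell
# Added example (not from the original page): checks the User Action conditions
# for event 605. Run in an elevated PowerShell session on the federation server proxy.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,       # %3 from the event
    [string]$FederationServiceUrl,                            # %1 from the event
    [string]$ProxyAccount = 'NT AUTHORITY\NETWORK SERVICE'    # default service account per the page
)

$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''   # tolerate pasted spaces or colons

# Conditions 1 and 2: the certificate must live in the Local Computer Personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    Write-Warning "Thumbprint $Thumbprint not found in Cert:\LocalMachine\My."
    $userHit = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($userHit) { Write-Warning "It is in the current user's store instead (condition 2)." }
    return
}
Write-Host "Proxy certificate: $($cert.Subject)"

# Conditions 1 and 3: a .cer/.p7b import, or a request without 'Machine Key', has no usable key.
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key is associated with this certificate (condition 1 or 3)."
} else {
    # Condition 4: the service account needs Read access to the key container file.
    # Assumption: legacy CSP RSA machine keys under ProgramData\Microsoft\Crypto\RSA\MachineKeys.
    try {
        $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile   = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
        $readBit   = [int][System.Security.AccessControl.FileSystemRights]::Read
        $readRule  = (Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference.Value -eq $ProxyAccount -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readBit) -ne 0)
        }
        if ($readRule) { Write-Host "$ProxyAccount has Read access to the private key." }
        else { Write-Warning "$ProxyAccount has no Allow/Read entry on $keyFile (condition 4)." }
    } catch {
        Write-Warning "Could not open the private key as the current user: $($_.Exception.Message)"
    }
}

# Federation Service side: the IIS SSL certificate must chain to a root trusted on this
# proxy, and its subject name must be the host named in the proxy's web.config URL.
if ($FederationServiceUrl) {
    $uri = [Uri]$FederationServiceUrl
    $tcp = New-Object System.Net.Sockets.TcpClient($uri.Host, $uri.Port)
    # Accept any certificate at the TLS layer so it can be inspected and reported below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($uri.Host)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()
    Write-Host "Federation Service SSL certificate: $($serverCert.Subject)"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust-root check only, as the page asks
    if (-not $chain.Build($serverCert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Server certificate does not chain to a root trusted on this proxy: $status"
    }
    $dnsName = $serverCert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $uri.Host) {
        Write-Warning "URL host '$($uri.Host)' is not the certificate subject name '$dnsName'."
    }
}
```

A warning from the chain build corresponds to the "chains to a root that is trusted by the Federation Service Proxy" item, and a name mismatch warning to the web.config URL item; a missing key or missing ACL entry maps to the numbered conditions under the thumbprint check.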

Resolve

Review the exception details

The exception details may give an indication of the precise problem.

Check network connectivity between the federation server proxy and the federation server.

Ensure that the Federation Service is running.

Ensure that the federation server proxy client authentication certificate has been added to the list of proxy authentication certificates in the trust policy.

Ensure that the federation server proxy client authentication certificate chains to a root that is trusted by the Federation Service.

Ensure that the Federation Service Internet Information Services (IIS) Secure Sockets Layer (SSL) server certificate chains to a root that is trusted by the federation server proxy.

Ensure that the Federation Service Uniform Resource Locator (URL) that is configured in the federation server proxy web.config file uses the name that is the subject of the Federation Service IIS SSL server certificate.

Verify

Verify that a specific event (ID 674) was generated on the federation server proxy computer. This event is generated when the federation server proxy is able to successfully communicate with the Federation Service.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

  1. Log on to a client computer with Internet access.

  2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.

  3. Press ENTER.

    Note: At this point your browser should display the error Server Error in '/adfs' Application. This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

  4. Log on to the federation server proxy.

  5. Click Start, point to Administrative Tools, and then click Event Viewer.

  6. In the details pane, double-click Application.

  7. In the Event column, look for event ID 674.

If the federation server proxy is configured properly, you see a new event in the Application log of Event Viewer, with the event ID 674. This event verifies that the federation server proxy was able to communicate successfully with the Federation Service.
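The Verify procedure can also be run from a PowerShell session on the federation server proxy rather than by hand. The script below is an added example, not part of the original page: it requests the clientlogon.aspx URL from step 2 (the exact path is not given on the page, so it is a parameter here), treats a server error response as the expected outcome the note describes, and then searches the Application log for event ID 674 from the Microsoft-Windows-ADFS source written after the request.

```powershell
# Added example (not from the original page): automates the Verify steps for event 605.
# Run as a local Administrator on the federation server proxy.
param(
    [Parameter(Mandatory = $true)][string]$ClientLogonUrl   # Federation Service URL + clientlogon.aspx path
)

$started = Get-Date

# Steps 2 and 3: request the page. Per the page, a server error is the expected response;
# the point is only to make the proxy contact the Federation Service.
try {
    $response = [System.Net.WebRequest]::Create($ClientLogonUrl).GetResponse()
    Write-Host "Server responded HTTP $([int]$response.StatusCode)."
    $response.Close()
} catch [System.Net.WebException] {
    $status = $_.Exception.Response.StatusCode   # $null when no HTTP response was received
    if ($status) {
        Write-Host "Server responded HTTP $([int]$status) (a server error here is expected)."
    } else {
        Write-Warning "No HTTP response from $ClientLogonUrl: $($_.Exception.Message)"
        return
    }
}

# Steps 5 to 7: look for event ID 674 in the Application log, newer than the request.
Start-Sleep -Seconds 3   # give the proxy a moment to write the event
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 674; StartTime = $started } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'Microsoft-Windows-ADFS' }

if ($events) {
    Write-Host "Event 674 logged at $($events[0].TimeCreated): the proxy reached the Federation Service."
} else {
    Write-Warning "No event 674 since $started. Check the Application log for event 605 and its exception details."
}
```

If no 674 appears, the exception text in the matching 605 event (%4 above) is the next place to look, together with the checks listed under User Action.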
