Troubleshooting artifact resolution failures with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

This topic provides event-based troubleshooting guidance for failed artifact resolution with Active Directory Federation Services (AD FS) 2.0.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Troubleshooting Failure to Resolve Artifacts

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems resolving artifact requests.

Event ID 278: The Security Assertion Markup Language (SAML) artifact resolution endpoint is not configured or it is disabled.

Possible cause: The SAML artifact resolution endpoint might not be configured or turned on.

Resolution: If the artifact resolution service is required, use the AD FS 2.0 snap-in to configure or turn on the SAML artifact resolution endpoint.

Event ID 284: Unable to resolve the SAML artifact.

Possible cause: A malformed response was received from the claims provider. See the inner exception details for more information about the possible cause for this event.

Resolution: Use the AD FS 2.0 snap-in to review the following possible configuration changes:

  • Check to see that the SAML artifact resolution endpoint is enabled.

  • Verify that the claims provider trust properties, such as the signing certificate, are up to date in the AD FS 2.0 configuration database.

Event ID 285: The SAML artifact was resolved, but the response is empty or does not contain the expected assertions.

Possible cause: The claims provider configuration is either incomplete or configured differently than expected.

Resolution: For more information, contact the administrator for your claims provider partner organization.

Event ID 297: The SAML artifact resolution request required an artifact resolution service endpoint with an index that is not configured.

Possible cause: The index for the artifact resolution endpoint is not configured at the relying party. If the relying party trust is configured using imported metadata, this event could occur because a partner configuration has an inaccurate index configured.

Resolution: Ensure that the configured value and the actual index value for the artifact resolution endpoint match each other. For imported metadata, the index value should be adjusted at the source or metadata partner configuration first.

Event ID 328: The SAML artifact resolution request was resolved, but the response does not contain the expected assertions.

Possible cause: The artifact resolution endpoint is not configured correctly at the relying party.

Resolution: For more information, contact the claims provider.

Event ID 353: Unable to resolve the SAML artifact. Verification of the artifact response signature failed.

Possible cause: The claims provider configuration or its signing certificate is out of date.

Resolution:

  • Verify that the claims provider trust in the AD FS 2.0 configuration database is up to date.

  • Verify that the claims provider trust's signing certificate is up to date. You can verify this certificate on the Certificates tab in the claims provider trust properties.

Event ID 354: The artifact resolution service could not verify the request signature.

Possible cause: The claims provider configuration or its signing certificate is not configured to sign requests or is out of date.

Resolution:

  • Configure the relying party certificate for request signing.

  • Verify that the relying party certificate is up to date.

Event ID 373: The artifact resolution request from the relying party is signed with a weaker signature algorithm.

Possible cause: The relying party is not configured to accept artifact resolution requests with the expected signature algorithm.

Resolution:

  • Check that the relying party is configured to accept the artifact resolution request with the expected signature algorithm.

  • To configure the SignatureAlgorithm property, use the Set-ADFSRelyingPartyTrust cmdlet (included with the Windows PowerShell cmdlets for AD FS 2.0).
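The signing checks behind Event IDs 354 and 373 can be run across all relying party trusts at once. The following is an added example, not part of the original topic: Test-TrustSigning is a hypothetical helper name, the sample trusts are constructed so the check runs without AD FS, and the property names mirror the output of Get-ADFSRelyingPartyTrust.

```powershell
# Added example. The sample trusts are constructed; their property names
# mirror what Get-ADFSRelyingPartyTrust returns.
$Sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
$Sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'

function Test-TrustSigning {   # hypothetical helper name
    param(
        [Parameter(ValueFromPipeline = $true)] $Trust,
        [int] $WarnDays = 30
    )
    process {
        $issues = @()
        # Filter out $null so a trust without a certificate yields an empty array.
        $certs = @($Trust.RequestSigningCertificate | Where-Object { $_ })
        if ($certs.Count -eq 0) {
            $issues += 'No request signing certificate configured (compare Event ID 354)'
        }
        foreach ($c in $certs) {
            if ($c.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
                $issues += "Certificate $($c.Subject) expires $($c.NotAfter.ToString('yyyy-MM-dd'))"
            }
        }
        New-Object PSObject -Property @{
            Name               = $Trust.Name
            SignatureAlgorithm = $Trust.SignatureAlgorithm   # what requests must be signed with
            Issues             = $issues
        }
    }
}

$sample = @(
    (New-Object PSObject -Property @{
        Name = 'Constructed RP A'; SignatureAlgorithm = $Sha256
        RequestSigningCertificate = @(New-Object PSObject -Property @{
            Subject = 'CN=rp-a.example.test'; NotAfter = (Get-Date).AddDays(10) })
    }),
    (New-Object PSObject -Property @{
        Name = 'Constructed RP B'; SignatureAlgorithm = $Sha1
        RequestSigningCertificate = $null
    })
)
$sample | Test-TrustSigning | Format-List Name, SignatureAlgorithm, Issues

# On the AD FS 2.0 federation server, feed in the real trusts instead:
#   Add-PSSnapin Microsoft.Adfs.PowerShell
#   Get-ADFSRelyingPartyTrust | Test-TrustSigning
#   Set-ADFSRelyingPartyTrust -TargetName '<trust name>' -SignatureAlgorithm $Sha256
```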

Troubleshooting Trust Partner Failure to Resolve Artifacts

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems with a trust partner that fails to resolve artifacts.

Event ID 279: Unable to find a claims provider trust for SAML artifact resolution in the AD FS configuration database.

Possible cause: The claims provider trust either does not exist, or its configuration is stale.

Resolution:

  • Verify that a claims provider trust exists in the AD FS 2.0 configuration database.

  • Ensure that the data for the claims provider trust is up to date.

Event ID 280: Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the artifact resolution service configured.

Possible cause: The configuration for the claims provider trust does not have the artifact resolution endpoint configured or turned on.

Resolution:

  • Verify that the claims provider trust in the AD FS 2.0 configuration database is up to date.

  • Add the artifact resolution service endpoint to the claims provider trust.

Event ID 281: Unable to resolve the SAML artifact from the claims provider.

Possible cause: The claims provider trust does not have the required artifact resolution endpoint with the specified index configured.

Resolution:

  • Verify that the claims provider trust in the AD FS 2.0 configuration database is up to date.

  • Use the AD FS 2.0 snap-in to configure the artifact resolution endpoint with the specified index.
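Event IDs 281 and 297 both come down to an endpoint index that does not match what the issuer publishes. The following added example (not part of the original topic) decodes the index from an artifact and compares it with the ArtifactResolutionService entries in the issuer's federation metadata. It assumes the SAML 2.0 type 0x0004 artifact layout; the entity ID, metadata, artifact, and the helper name ConvertFrom-SamlArtifact are constructed for illustration.

```powershell
# Constructed sample data; the entity ID and URLs are hypothetical.
$entityId = 'https://cp.example.test/adfs/services/trust'
[xml]$metadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="$entityId">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <ArtifactResolutionService index="0" isDefault="true"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
      Location="https://cp.example.test/adfs/services/trust/artifactresolution"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$expectedSource = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($entityId))
# Constructed artifact: type 0x0004, endpoint index 1, SourceID, 20-byte handle.
$raw = [byte[]]([byte[]](0, 4, 0, 1) + $expectedSource + [byte[]](1..20))
$artifact = [Convert]::ToBase64String($raw)

function ConvertFrom-SamlArtifact {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][string]$Artifact)
    $b = [Convert]::FromBase64String($Artifact)
    # Type 0x0004: 2-byte type code, 2-byte endpoint index, 20-byte SourceID, 20-byte handle.
    if ($b.Length -ne 44) { throw "Expected 44 bytes, got $($b.Length)." }
    $type = ([int]$b[0] * 256) + $b[1]
    if ($type -ne 4) { throw "Unsupported artifact type code $type." }
    New-Object PSObject -Property @{
        EndpointIndex = ([int]$b[2] * 256) + $b[3]
        SourceId      = [BitConverter]::ToString($b, 4, 20)
    }
}

$parsed = ConvertFrom-SamlArtifact $artifact
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$configured = @($metadata.SelectNodes('//md:ArtifactResolutionService', $ns) |
    ForEach-Object { [int]$_.GetAttribute('index') })

"Artifact endpoint index : $($parsed.EndpointIndex)"
"Indexes in metadata     : $($configured -join ', ')"
"SourceID matches issuer : $($parsed.SourceId -eq [BitConverter]::ToString($expectedSource))"
if ($configured -notcontains $parsed.EndpointIndex) {
    "No artifact resolution endpoint with index $($parsed.EndpointIndex) is published."
}
```

Because the constructed artifact asks for index 1 while the metadata publishes only index 0, the final check reports the mismatch that the index events describe.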