Troubleshooting token issuance problems with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems with token issuance in Active Directory Federation Services (AD FS) 2.0.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Each entry below gives the event or symptom, the possible cause, and the resolution.

Event ID 111
The Federation Service encountered an error while processing the WS-Trust request.

For more information about the cause of this event, see the additional details that are specified within the event.

Note
Some of the descriptions in the exception details that appear with this event are messages that might not apply to AD FS 2.0, but are generated by other external sources, such as Windows Identity Foundation (WIF).

For more information about how to resolve this issue, see the additional details that are provided with this event and other events that are related to this error.

For more information about how to determine what other events are related to this event in the AD FS 2.0 event log, see the section "Correlating events and traces using Activity ID and Caller ID" in the blog post Diagnostics in AD FS 2.0 (https://go.microsoft.com/fwlink/?LinkID=188910).

Event ID 184
A token request was received for a relying party, but the request could not be fulfilled because the key does not identify any known relying party trust.

The Uniform Resource Identifier (URI) that identifies the relying party trust does not exist.

Review the key data, which is the URI that is specified for the relying party trust. If the URI appears to be valid and trustworthy, verify that it is configured for the relying party in the AD FS 2.0 snap-in. You can manage the URI on the Identifiers tab in the relying party trust properties.

Event ID 186
The Federation Service could not fulfill the token-issuance request.

More than one name ID claim was configured in the claims policy for the relying party.

Ensure that the issuance transform rules that are configured for the relying party do not result in multiple name ID claims.
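The following script is an added example (not part of the original AD FS 2.0 documentation) that checks a relying party trust's issuance transform rules for the Event ID 186 condition: more than one rule issuing a name ID claim. It assumes the AD FS 2.0 Windows PowerShell snap-in name (Microsoft.Adfs.PowerShell), the IssuanceTransformRules property on the trust object, and a placeholder trust name; the rule-set string inside it is constructed for the demonstration.

```powershell
# Added example, not from the AD FS 2.0 documentation: count the issuance
# transform rules on a relying party trust that issue a name ID claim, which is
# the condition behind Event ID 186. Assumes the AD FS 2.0 snap-in name and a
# placeholder trust name; the rule-set string below is constructed for the demo.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"

function Get-NameIdIssuingRules {
    param([string]$RuleSet)
    # Each claim rule ends with ';'. Split on it, drop empty fragments, then
    # keep only rules whose right-hand side issues the name ID claim type.
    # (Heuristic: a rule such as '=> issue(claim = c)' that passes a name ID
    # claim through untouched is not caught by this text match.)
    $rules = [string]$RuleSet -split ';\s*' | Where-Object { $_.Trim() -ne "" }
    $rules | Where-Object {
        ($_ -match '=>\s*issue\s*\(') -and ($_ -match [regex]::Escape($nameIdType))
    }
}

# Constructed rule set that reproduces the problem: UPN and e-mail address are
# both mapped to the name ID claim type, so one token would carry two name IDs.
$constructedRules = @'
@RuleName = "UPN as name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);
@RuleName = "E-mail as name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);
'@

$hits = @(Get-NameIdIssuingRules -RuleSet $constructedRules)
Write-Output ("Constructed rule set: {0} rule(s) issue a name ID claim." -f $hits.Count)

# The same check against a live trust (placeholder name). Keeping exactly one
# of the two rules above, or merging them into one rule, clears Event ID 186.
$rp = Get-ADFSRelyingPartyTrust -Name "CONTOSO-RP-PLACEHOLDER" -ErrorAction SilentlyContinue
if ($rp -ne $null) {
    $live = @(Get-NameIdIssuingRules -RuleSet $rp.IssuanceTransformRules)
    if ($live.Count -gt 1) {
        Write-Warning ("{0} issuance transform rules issue a name ID claim on '{1}'." -f $live.Count, $rp.Name)
        $live | ForEach-Object { Write-Output $_ }
    } else {
        Write-Output ("'{0}': at most one rule issues a name ID claim." -f $rp.Name)
    }
}
```

The constructed rule set reports two matching rules; on a live trust the warning lists the offending rules so you can decide which one should own the name ID.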

Event ID 193
The Federation Service could not satisfy a token request.

The authentication type that was requested by the relying party and specified in this event is not available.

You can verify the current authentication type by using the Get-ADFSProperties cmdlet to view the current AuthenticationContextOrder property setting and compare that to the correct authentication type that is specified in the details of this event.

Ensure that the relying party is configured to request the correct authentication type. If you are confident that it makes sense for your security policy to modify the allowed authentication context type, you can modify the AuthenticationContextOrder property setting by using the Set-ADFSProperties cmdlet.

Event ID 197
The Federation Service could not satisfy a token request.

The accompanying credentials do not meet the authentication type requirement for the relying party.

You can verify the current authentication type by using the Get-ADFSProperties cmdlet to view the current AuthenticationContextOrder property setting and compare that to the desired authentication type that is specified in the details of this event.

Ensure that the relying party is configured to request the correct authentication type. If you are confident that it makes sense for your security policy to modify the allowed authentication context type, you can modify the AuthenticationContextOrder property setting by using the Set-ADFSProperties cmdlet.
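The following script is an added example (not part of the original AD FS 2.0 documentation) for the Event ID 193 and 197 checks above: it reads the recent events, then compares the authentication context requested by the relying party with the Federation Service's AuthenticationContextOrder property. It assumes the AD FS 2.0 snap-in name (Microsoft.Adfs.PowerShell), the "AD FS 2.0/Admin" event log name, and a placeholder for the requested context URI taken from the event details.

```powershell
# Added example, not from the AD FS 2.0 documentation: compare the
# authentication context requested by a relying party (taken from the Event ID
# 193 or 197 details) with the Federation Service's AuthenticationContextOrder.
# Assumes the AD FS 2.0 snap-in name, the "AD FS 2.0/Admin" event log name, and
# a placeholder for the requested context URI.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-RecentAuthContextEvents {
    # Pull the most recent 193/197 events so the requested type can be read
    # from the message text.
    Get-WinEvent -FilterHashtable @{ LogName = "AD FS 2.0/Admin"; Id = 193, 197 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Test-AuthenticationContext {
    param([string]$Requested)
    # AuthenticationContextOrder is a list of URIs in preference order;
    # normalize to strings for an exact comparison.
    $configured = @((Get-ADFSProperties).AuthenticationContextOrder | ForEach-Object { $_.ToString() })
    Write-Host "Configured AuthenticationContextOrder:"
    $configured | ForEach-Object { Write-Host ("  " + $_) }
    if ($configured -contains $Requested) {
        # Event ID 197 case: the type is allowed, but the credentials presented
        # did not satisfy it (for example, a password sign-in where a
        # certificate or Kerberos context was requested).
        Write-Host ("'{0}' is available; check the credentials the client presented (Event ID 197)." -f $Requested)
        return $true
    }
    # Event ID 193 case: the relying party asks for a type the service does
    # not offer. Correcting the request is preferred; changing the service
    # setting affects every relying party, not just this one.
    Write-Warning ("'{0}' is not in AuthenticationContextOrder (Event ID 193)." -f $Requested)
    return $false
}

Get-RecentAuthContextEvents | Format-List

# Placeholder for the URI shown in the event details.
$requested = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
if (-not (Test-AuthenticationContext -Requested $requested)) {
    Write-Host "Fix the relying party's request, or, if policy allows, extend the service setting:"
    # Appends the type after the current entries rather than replacing the list.
    # $current = @((Get-ADFSProperties).AuthenticationContextOrder)
    # Set-ADFSProperties -AuthenticationContextOrder ($current + [Uri]$requested)
}
```

The Set-ADFSProperties call is left commented out because, as the text says, widening the allowed context types is a security policy decision for the whole Federation Service.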

Event ID 206
The Federation Service could not fulfill the token-issuance request.

The following are possible causes for this event:

  • An incorrect protocol method was used to verify the Federation Service. For example, a request was made that uses WS-Federation to verify Security Assertion Markup Language (SAML) support.

  • The relying party is missing a WS-Federation Passive endpoint address.

The following are possible resolutions for this event:

  • Verify that you are using the correct protocol to test your federation partnership. For example, a frequent method of testing the operational status of the Federation Service is to use a browser-based request to a service endpoint. This method of access uses WS-Federation, but it cannot be used to verify SAML support. You can verify SAML support only by using a client that can send and receive SAML protocol messages.

  • Use the AD FS 2.0 snap-in to configure a WS-Federation Passive endpoint on this relying party.

Event ID 258
The relying party is not configured.

The relying party is not configured with the SAML Assertion Consumer Services.

Use the AD FS 2.0 snap-in to configure one or more Assertion Consumer Services for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust.

If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration of your metadata partner server is accurate and up to date.

Event ID 259
The request specified an Assertion Consumer Services index that is not configured on the relying party.

The Assertion Consumer Services index that is specified in the request is not valid.

Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified index for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust.

If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date.

Event ID 260
The request specified an Assertion Consumer Service protocol binding that is not configured on the relying party.

The Assertion Consumer Services protocol binding that is specified in the request is not valid.

Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified protocol binding for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust.

If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date.

Event ID 261
The request specified an Assertion Consumer Services URL that is not configured on the relying party.

The Assertion Consumer Services URL that is specified in the request is not valid.

Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified URL for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust.

If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date.

Event ID 273
The request specified an Assertion Consumer Service that is not configured or is not supported on the relying party.

The Assertion Consumer Service is not configured or enabled on the relying party.

For more information about the request parameters that are not available on the relying party that might have caused this event, see the additional details that are specified within the event.

Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified parameters for this relying party. Also, verify whether the artifact resolution service is enabled if the SAML artifact is requested.
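The following script is an added example (not part of the original AD FS 2.0 documentation) that covers the endpoint checks for Event ID 206 and Event IDs 258 through 273 from Windows PowerShell rather than the snap-in: it lists the SAML Assertion Consumer Service endpoints and the WS-Federation passive endpoint on a relying party trust, compares them with the index, binding and URL reported in the event details, and checks the artifact resolution service endpoint. It assumes the AD FS 2.0 snap-in name (Microsoft.Adfs.PowerShell), the SamlEndpoints, WSFedEndpoint, Location, Binding, Index and Protocol property names, and the Get-ADFSEndpoint, New-ADFSSamlEndpoint and Update-ADFSRelyingPartyTrust cmdlets; the trust name and requested values are placeholders.

```powershell
# Added example, not from the AD FS 2.0 documentation: list the SAML Assertion
# Consumer Service endpoints and the WS-Federation passive endpoint configured
# on a relying party trust and compare them with the index, binding and URL
# that the Event ID 258-273 (or 206) details report. Assumes the AD FS 2.0
# snap-in name and the SamlEndpoints/WSFedEndpoint property names of the trust
# object; the trust name and the requested values are placeholders.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-RelyingPartyEndpoints {
    param(
        [string]$TrustName,
        [int]$RequestedIndex,
        [string]$RequestedBinding,   # POST, Redirect or Artifact
        [string]$RequestedUrl
    )
    $rp = Get-ADFSRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue
    if ($rp -eq $null) { Write-Warning "No relying party trust named '$TrustName'."; return }

    # Event ID 206: a browser (WS-Federation passive) request cannot be served
    # without a WS-Fed endpoint, and such a request says nothing about SAML support.
    if ($rp.WSFedEndpoint -eq $null) {
        Write-Warning "No WS-Federation Passive endpoint on '$TrustName' (Event ID 206 for WS-Fed requests)."
    }

    $acs = @($rp.SamlEndpoints | Where-Object { [string]$_.Protocol -eq "SAMLAssertionConsumer" })
    if ($acs.Count -eq 0) {
        Write-Warning "No SAML Assertion Consumer Services on '$TrustName' (Event ID 258)."
        return
    }
    Write-Host "Configured Assertion Consumer Services:"
    $acs | Format-Table Index, Binding, Location, IsDefault -AutoSize | Out-String | Write-Host

    # One check per event: 259 (index), 260 (binding), 261 (URL).
    if (-not ($acs | Where-Object { $_.Index -eq $RequestedIndex })) {
        Write-Warning "Index $RequestedIndex is not configured (Event ID 259)."
    }
    if (-not ($acs | Where-Object { [string]$_.Binding -eq $RequestedBinding })) {
        Write-Warning "Binding $RequestedBinding is not configured (Event ID 260)."
    }
    if (-not ($acs | Where-Object { [string]$_.Location -eq $RequestedUrl })) {
        Write-Warning "URL $RequestedUrl is not configured (Event ID 261)."
    }
    # Event ID 273: an Artifact binding also needs the Federation Service's
    # artifact resolution endpoint to be enabled (service endpoint, not the trust).
    if ($RequestedBinding -eq "Artifact") {
        $ars = @(Get-ADFSEndpoint | Where-Object { [string]$_.Protocol -like "*ArtifactResolution*" -and $_.Enabled })
        if ($ars.Count -eq 0) {
            Write-Warning "Artifact binding requested but no enabled artifact resolution service endpoint was found (Event ID 273)."
        }
    }
}

Test-RelyingPartyEndpoints -TrustName "CONTOSO-RP-PLACEHOLDER" -RequestedIndex 1 -RequestedBinding "POST" -RequestedUrl "https://app.contoso.example/saml/acs"

# To add the missing endpoint once the partner has confirmed the URL (assumed
# cmdlets from the AD FS 2.0 snap-in; -SamlEndpoint replaces the whole list, so
# the existing endpoints are passed along with the new one):
# $rp  = Get-ADFSRelyingPartyTrust -Name "CONTOSO-RP-PLACEHOLDER"
# $new = New-ADFSSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST -Uri "https://app.contoso.example/saml/acs" -Index 1
# Set-ADFSRelyingPartyTrust -TargetName "CONTOSO-RP-PLACEHOLDER" -SamlEndpoint (@($rp.SamlEndpoints) + $new)
# If the trust was imported from federation metadata, refresh it instead:
# Update-ADFSRelyingPartyTrust -TargetName "CONTOSO-RP-PLACEHOLDER"
```

Run it with the index, binding and URL copied from the event details; each warning names the event it corresponds to, which tells you whether the fix belongs on the trust, in the partner's metadata, or on the service endpoints.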

Event ID 302
The Federation Service could not authorize token issuance for caller '%2' as subject '%3' to the relying party '%4'.

The specified caller is not authorized to act as the subject for this relying party.

For more information about the cause of this event, see Event 501 and Event 503 with the same instance ID for the caller identity and the ActAs identity (if any).

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Use the AD FS 2.0 snap-in to ensure that the caller is authorized to act as the subject to the relying party. Specifically, you can review delegation policy for this trust by following these steps in the snap-in.

  1. In the console tree, navigate to the Relying Party Trusts node (under AD FS 2.0\Trust Relationships).

  2. In the details pane, select the relying party trust that is specified in the message text for this event.

  3. On the Action menu, click Edit Claim Rules.

  4. Click the Delegation Authorization Rules tab.

    Review the contents of this tab to troubleshoot the authorization issue. Add or update the delegation policy as appropriate to authorize the caller that is specified in the event text.

Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504).

Event ID 323
The Federation Service could not authorize token issuance for the caller on behalf of the subject to the relying party.

The specified caller is not authorized to act on behalf of the subject of this relying party.

For more information about the specific cause of this event, see Event 501 and Event 502 with the same instance ID for the caller identity and the OnBehalfOf identity (if any).

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Use the AD FS 2.0 snap-in to ensure that the caller is authorized to act on behalf of the subject to the relying party.

First, verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504).

If you have to update impersonation authorization policy for this relying party trust, you can use the Windows PowerShell cmdlets for AD FS 2.0. Specifically, you can view and set impersonation authorization rules policy as part of the ImpersonationAuthorizationRules property. To read this property, use the Get-ADFSRelyingPartyTrust cmdlet. To modify this property, use the Set-ADFSRelyingPartyTrust cmdlet.

Event ID 325
The Federation Service could not authorize token issuance for the caller.

The caller is not authorized to request a token for the relying party.

Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended.

Use the AD FS 2.0 snap-in to ensure that the caller is authorized to request a token for the relying party. Specifically, you can review issuance policy for this trust by following these steps in the snap-in.

  1. In the console tree, navigate to the Relying Party Trusts node (under AD FS 2.0\Trust Relationships).

  2. In the details pane, select the relying party trust that is specified in the message text for this event.

  3. On the Action menu, click Edit Claim Rules.

  4. Click the Issuance Authorization Rules tab.

    Review the contents of this tab to troubleshoot the authorization issue. Add or update the issuance policy as appropriate to authorize the caller that is specified in the event text.

Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504).
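The following script is an added example (not part of the original AD FS 2.0 documentation) that covers the authorization checks for Event ID 302, Event ID 323 and Event ID 325 from Windows PowerShell: it inspects the three authorization rule sets on a relying party trust (issuance, delegation and impersonation) and flags a set that contains no rule issuing a permit claim. It assumes the AD FS 2.0 snap-in name (Microsoft.Adfs.PowerShell) and the IssuanceAuthorizationRules, DelegationAuthorizationRules and ImpersonationAuthorizationRules property names; the trust name and the group SID in the illustrative rule are placeholders.

```powershell
# Added example, not from the AD FS 2.0 documentation: inspect the three
# authorization rule sets on a relying party trust that Event IDs 325, 302 and
# 323 evaluate (issuance, delegation and impersonation) and flag a set that can
# never produce a permit claim. Assumes the AD FS 2.0 snap-in name and the
# IssuanceAuthorizationRules/DelegationAuthorizationRules/
# ImpersonationAuthorizationRules property names; the trust name is a placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$permitType = "http://schemas.microsoft.com/authorization/claims/permit"
$denyType   = "http://schemas.microsoft.com/authorization/claims/deny"

function Test-AuthorizationRuleSet {
    param([string]$Label, [int]$EventId, [string]$RuleSet)
    $text  = [string]$RuleSet
    $rules = @($text -split ';\s*' | Where-Object { $_.Trim() -ne "" })
    $result = New-Object PSObject -Property @{
        RuleSet   = $Label
        EventId   = $EventId
        RuleCount = $rules.Count
        # Some rule must issue a permit claim; a deny claim, when issued,
        # overrides any permit.
        HasPermit = [bool]($text -match [regex]::Escape($permitType))
        HasDeny   = [bool]($text -match [regex]::Escape($denyType))
    }
    if (-not $result.HasPermit) {
        Write-Warning ("{0}: no rule issues a permit claim, so every caller fails with Event ID {1}." -f $Label, $EventId)
    }
    $result
}

function Test-RelyingPartyAuthorization {
    param([string]$TrustName)
    $rp = Get-ADFSRelyingPartyTrust -Name $TrustName -ErrorAction SilentlyContinue
    if ($rp -eq $null) { Write-Warning "No relying party trust named '$TrustName'."; return }
    # Issuance rules gate every token request (Event ID 325); delegation rules
    # gate ActAs (Event ID 302); impersonation rules gate OnBehalfOf (Event ID 323).
    Test-AuthorizationRuleSet -Label "IssuanceAuthorizationRules"      -EventId 325 -RuleSet $rp.IssuanceAuthorizationRules
    Test-AuthorizationRuleSet -Label "DelegationAuthorizationRules"    -EventId 302 -RuleSet $rp.DelegationAuthorizationRules
    Test-AuthorizationRuleSet -Label "ImpersonationAuthorizationRules" -EventId 323 -RuleSet $rp.ImpersonationAuthorizationRules
}

Test-RelyingPartyAuthorization -TrustName "CONTOSO-RP-PLACEHOLDER" |
    Format-Table RuleSet, EventId, RuleCount, HasPermit, HasDeny -AutoSize

# Run the same check on a constructed rule set to see the warning fire: the
# set only denies, so nothing can ever be permitted.
$denyOnly = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");'
Test-AuthorizationRuleSet -Label "constructed deny-only set" -EventId 325 -RuleSet $denyOnly | Out-Null

# Updating impersonation policy from PowerShell, as the Event ID 323 resolution
# describes. Illustrative rule: permit callers that hold a placeholder group
# SID; in practice scope it to the specific service account that should act
# on behalf of users rather than a broad group.
# $rule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
# Set-ADFSRelyingPartyTrust -TargetName "CONTOSO-RP-PLACEHOLDER" -ImpersonationAuthorizationRules $rule
```

The table it prints shows at a glance which of the three rule sets can permit anything at all; a set with rules but no permit is the usual cause of a rule "not operating as intended", and the warning names the event that set produces when it fails.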

Event ID 326
Failed to load the AD FS claims policy engine using a policy type.

AD FS 2.0 might not have installed correctly.

Make sure AD FS 2.0 is installed correctly. Run the AD FS 2.0 Federation Server Configuration Wizard again to restore the configuration. If the problem continues, contact your product support resource.

Event ID 363
A communication error occurred during an attempt to retrieve a token from the Federation Service.

This event might occur during service startup if a service dependency was not available. For example, this event might occur if the Internet Information Services (IIS) service was offline when the AD FS 2.0 Windows Service started.

For more information about the specific cause of this event, review the additional details that are specified within the event.

Make sure that the Federation Service is running. Start (or restart) it as necessary. For more information about verifying whether AD FS 2.0 is installed and running, see Things to Check Before Troubleshooting AD FS 2.0.

Use the additional details in the event to determine whether other services are unavailable or misconfigured.

Event ID 365
A token request was received for the relying party, but the request could not be fulfilled.

The relying party trust is not enabled.

If this relying party trust should be enabled, enable it by using the AD FS 2.0 snap-in or the Windows PowerShell cmdlets for AD FS 2.0.
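The following script is an added example (not part of the original AD FS 2.0 documentation) for the Event ID 184 and Event ID 365 checks: it resolves the identifier URI from the event's key data to a relying party trust, reports whether the trust exists and is enabled, and, when there is no exact match, lists trusts whose identifiers differ only in case or a trailing slash. It assumes the AD FS 2.0 snap-in name (Microsoft.Adfs.PowerShell), the Identifier and Enabled property names, and the Enable-ADFSRelyingPartyTrust cmdlet; the identifier is a placeholder.

```powershell
# Added example, not from the AD FS 2.0 documentation: resolve the identifier
# URI from an Event ID 184 entry to a relying party trust and report whether
# the trust exists and is enabled (Event ID 365). Assumes the AD FS 2.0
# snap-in name and the Identifier/Enabled property names; the identifier is a
# placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-RelyingPartyTrustStatus {
    param([string]$Identifier)
    $rp = Get-ADFSRelyingPartyTrust -Identifier $Identifier -ErrorAction SilentlyContinue
    if ($rp -ne $null) {
        if (-not $rp.Enabled) {
            Write-Warning ("Trust '{0}' exists but is disabled (Event ID 365)." -f $rp.Name)
        }
        return New-Object PSObject -Property @{
            Identifier = $Identifier; Found = $true; Name = $rp.Name; Enabled = [bool]$rp.Enabled
        }
    }
    # No exact match (Event ID 184). A trust whose identifier differs only in
    # case or a trailing slash is a common typo, so list those: either the
    # partner's request or the trust's Identifiers tab then needs correcting.
    $wanted = $Identifier.TrimEnd('/')
    $near = @(Get-ADFSRelyingPartyTrust | Where-Object {
        @($_.Identifier | Where-Object { $_.TrimEnd('/') -ieq $wanted }).Count -gt 0
    })
    if ($near.Count -gt 0) {
        $names = ($near | ForEach-Object { $_.Name }) -join ", "
        Write-Warning ("No trust has identifier '{0}' exactly (Event ID 184); near matches: {1}" -f $Identifier, $names)
    } else {
        Write-Warning ("No trust has identifier '{0}' (Event ID 184); confirm the URI with the partner before creating a trust." -f $Identifier)
    }
    New-Object PSObject -Property @{ Identifier = $Identifier; Found = $false; Name = $null; Enabled = $false }
}

Get-RelyingPartyTrustStatus -Identifier "https://app.contoso.example/" | Format-List Identifier, Found, Name, Enabled

# If the trust exists and should be active, enable it (assumed cmdlet from the snap-in):
# Enable-ADFSRelyingPartyTrust -TargetIdentifier "https://app.contoso.example/"
```

Paste the URI from the event's key data as the -Identifier value; a Found of $false with near matches usually points at a mismatch between what the partner sends and what the trust's Identifiers tab lists, while Found of $true with Enabled of $false is the Event ID 365 case.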