Troubleshooting token issuance problems with AD FS 2.0
Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems with token issuance in Active Directory Federation Services (AD FS) 2.0.
Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.
| Event or symptom | Possible cause | Resolution |
|---|---|---|
| Event ID 111 | For more information about the cause of this event, see the additional details that are specified within the event. | For more information about how to resolve this issue, see the additional details that are provided with this event and other events that are related to this error. For more information about how to determine which other events are related to this event in the AD FS 2.0 event log, see the section "Correlating events and traces using Activity ID and Caller ID" in the blog post Diagnostics in AD FS 2.0 (https://go.microsoft.com/fwlink/?LinkID=188910). |
| Event ID 184 | The Uniform Resource Identifier (URI) that identifies the relying party trust does not exist. | Review the key data, which is the URI that is specified for the relying party trust. If the URI appears to be valid and trustworthy, verify that it is configured for the relying party in the AD FS 2.0 snap-in. You can manage the URI on the Identifiers tab in the relying party trust properties. |
| Event ID 186 | More than one name ID claim was configured in the claims policy for the relying party. | Ensure that the issuance transform rules that are configured for the relying party do not result in multiple name ID claims. |
| Event ID 193 | The authentication type that was requested by the relying party and specified in this event is not available. You can verify the current authentication type by using the Get-ADFSProperties cmdlet to view the current AuthenticationContextOrder property setting and compare it to the correct authentication type that is specified in the details of this event. | Ensure that the relying party is configured to request the correct authentication type. If you are confident that it makes sense for your security policy to modify the allowed authentication context type, you can modify the AuthenticationContextOrder property setting by using the Set-ADFSProperties cmdlet. |
| Event ID 197 | The accompanying credentials do not meet the authentication type requirement for the relying party. You can verify the current authentication type by using the Get-ADFSProperties cmdlet to view the current AuthenticationContextOrder property setting and compare it to the desired authentication type that is specified in the details of this event. | Ensure that the relying party is configured to request the correct authentication type. If you are confident that it makes sense for your security policy to modify the allowed authentication context type, you can modify the AuthenticationContextOrder property setting by using the Set-ADFSProperties cmdlet. |
| Event ID 206 | The following are possible causes for this event: | The following are possible resolutions for this event: |
| Event ID 258 | The relying party is not configured with the SAML Assertion Consumer Services. | Use the AD FS 2.0 snap-in to configure one or more Assertion Consumer Services for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust. If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration of your metadata partner server is accurate and up to date. |
| Event ID 259 | The Assertion Consumer Services index that is specified in the request is not valid. | Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified index for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust. If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date. |
| Event ID 260 | The Assertion Consumer Services protocol binding that is specified in the request is not valid. | Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified protocol binding for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust. If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date. |
| Event ID 261 | The Assertion Consumer Services URL that is specified in the request is not valid. | Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified URL for this relying party. To configure SAML Assertion Consumer Services, add or update the required SAML assertion consumer endpoints on the Endpoints tab in the properties for this relying party trust. If you imported metadata, check your metadata provider configuration. If you configured your relying party trust manually, check the relying party trust configuration locally on the federation server computer. If you imported metadata to configure your relying party trust, verify that the configuration on your metadata partner server is accurate and up to date. |
| Event ID 273 | The Assertion Consumer Service is not configured or enabled on the relying party. For more information about the request parameters that are not available on the relying party and that might have caused this event, see the additional details that are specified within the event. | Use the AD FS 2.0 snap-in to configure Assertion Consumer Services with the specified parameters for this relying party. Also, verify whether the artifact resolution service is enabled if the SAML artifact binding is requested. |
| Event ID 302 | The specified caller is not authorized to act as the subject for this relying party. For more information about the cause of this event, see Event 501 and Event 503 with the same instance ID for the caller identity and the ActAs identity (if any). Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended. | Use the AD FS 2.0 snap-in to ensure that the caller is authorized to act as the subject to the relying party. Specifically, you can review the delegation policy for this trust in the snap-in. Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504). |
| Event ID 323 | The specified caller is not authorized to act on behalf of the subject of this relying party. For more information about the specific cause of this event, see Event 501 and Event 502 with the same instance ID for the caller identity and the OnBehalfOf identity (if any). Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended. | Use the AD FS 2.0 snap-in to ensure that the caller is authorized to act on behalf of the subject to the relying party. First, verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504). If you have to update the impersonation authorization policy for this relying party trust, you can use the Windows PowerShell cmdlets for AD FS 2.0. Specifically, you can view and set the impersonation authorization rules policy as part of the ImpersonationAuthorizationRules property. To read this property, use the Get-ADFSRelyingPartyTrust cmdlet. To modify this property, use the Set-ADFSRelyingPartyTrust cmdlet. |
| Event ID 325 | The caller is not authorized to request a token for the relying party. Generally, this event might indicate that a claims authorization rule in the claims policy for this relying party trust is not operating as intended. | Use the AD FS 2.0 snap-in to ensure that the caller is authorized to request a token for the relying party. Specifically, you can review the issuance policy for this trust in the snap-in. Verify that the claims authorization rules for this relying party trust are configured as intended. For more information, see When to Use a Claims Authorization Rule (https://go.microsoft.com/fwlink/?LinkID=189504). |
| Event ID 326 | AD FS 2.0 might not have installed correctly. | Make sure that AD FS 2.0 is installed correctly. Run the AD FS 2.0 Federation Server Configuration Wizard again to restore the configuration. If the problem continues, contact your product support resource. |
| Event ID 363 | This event might occur during service startup if a service dependency was not available. For example, this event might occur if the Internet Information Services (IIS) service was offline when the AD FS 2.0 Windows Service started. For more information about the specific cause of this event, review the additional details that are specified within the event. | Make sure that the Federation Service is running. Start (or restart) it as necessary. For more information about verifying whether AD FS 2.0 is installed and running, see Things to Check Before Troubleshooting AD FS 2.0. Use the additional details in the event to determine whether other services are unavailable or misconfigured. |
| Event ID 365 | The relying party trust is not enabled. | If this relying party trust should be enabled, enable it by using the AD FS 2.0 snap-in or the Windows PowerShell cmdlets for AD FS 2.0. |
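The following script is an added example and is not part of the original article. It pulls together, for one relying party trust, the settings that the table above tells you to inspect (AuthenticationContextOrder for Events 193/197, the trust identifier for Event 184, SAML assertion consumer endpoints for Events 258 through 273, authorization rules for Events 302/323/325, and the enabled state for Event 365) so that each event can be compared with the live configuration. It assumes the AD FS 2.0 Windows PowerShell snap-in (Microsoft.Adfs.PowerShell) on a federation server; the relying party identifier is a constructed placeholder.

```powershell
# Added example, not from the original article. Reads the AD FS 2.0 configuration
# that the troubleshooting table refers to for one relying party trust.
# Assumes the Microsoft.Adfs.PowerShell snap-in and administrative rights.
param(
    # Constructed placeholder; replace with the URI that appears in the event.
    [string]$RelyingPartyIdentifier = "https://rp.example.com/"
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop

# Events 193/197: authentication context types the Federation Service will honor.
$props = Get-ADFSProperties
"Authentication context order (Events 193/197):"
$props.AuthenticationContextOrder | ForEach-Object { "  $_" }

# Event 184: the URI in the request must be an identifier on some relying party trust.
$rp = Get-ADFSRelyingPartyTrust -Identifier $RelyingPartyIdentifier
if (-not $rp) {
    Write-Warning "No relying party trust has identifier $RelyingPartyIdentifier (compare Event 184)."
    return
}
"Relying party trust: $($rp.Name)"

# Event 365: a disabled trust refuses token issuance even when the rest is correct.
if (-not $rp.Enabled) { Write-Warning "Trust '$($rp.Name)' is disabled (compare Event 365)." }

# Events 258-261, 273: SAML Assertion Consumer Service endpoints with index and binding.
"SAML assertion consumer endpoints (Events 258-261, 273):"
$rp.SamlEndpoints | Where-Object { $_.Protocol -eq "SAMLAssertionConsumer" } |
    ForEach-Object { "  index=$($_.Index) binding=$($_.Binding) default=$($_.IsDefault) $($_.Location)" }

# Event 325: issuance authorization rules decide who may request a token at all.
"Issuance authorization rules (Event 325):"
$rp.IssuanceAuthorizationRules

# Events 302/323: impersonation rules govern ActAs and OnBehalfOf requests.
"Impersonation authorization rules (Events 302/323):"
$rp.ImpersonationAuthorizationRules

# Event 186: transform rules must not issue more than one name ID claim.
"Issuance transform rules (Event 186):"
$rp.IssuanceTransformRules
```

Run it with the identifier taken from the failing event; empty rule output for a trust that is expected to issue tokens is the usual sign of the authorization failures described in Events 302, 323 and 325.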