Troubleshooting Federation Service startup and shutdown problems

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with starting or stopping the Federation Service.

Before you begin the troubleshooting process, we recommend that you first try to configure Active Directory Federation Services (AD FS) 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Event or symptom Possible cause Resolution

Event ID 102
There was an error in enabling endpoints of the Federation Service.

This error can occur when the Federation Service has a problem at service startup. For more details about the cause for this failure, view the additional information that is provided in the event. Some possible causes for this event include the following:

  • Certificates cannot be loaded from the certificate store.

  • The computer that is running SQL Server or the Windows Internal Database (WID) that is used for AD FS configuration is unavailable.

Use the additional information that is provided in the event to determine the correct resolution for this issue. Depending on the specific data that is in the event, some of the following are possible resolutions:

  • If the issue is a certificate configuration problem, use the Set-ADFSCertificate cmdlet to modify or update the certificate configuration.

  • If the issue is with SQL Server, follow the troubleshooting steps in Troubleshooting Event ID 220.

Event ID 131
During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The configured value '%2' could not be parsed as type '%3'.

The Federation Service configuration data contains invalid data.

Fix the configuration error as reported in the event, and then try to start the Federation Service again.

Event ID 132
During processing of the Federation Service configuration, the required element '%1' was missing.

Service configuration data is missing a required element.

Fix the configuration error as reported in the event, and then try to start the Federation Service again.

Event ID 133
During processing of the Federation Service configuration, the element '%1' was found to have invalid data.

This condition can occur when the certificate is found in the specified store, but there is a problem accessing the certificate's private key. Common causes for this condition include the following:

  • The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.

  • The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store that is specified in this event.

  • The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.

  • The Federation Service identity <identity> has not been granted read access to the certificate's private key.

Possible resolutions for this condition include the following:

  • If the certificate was imported from a source that has no private key, select a certificate that has a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).

  • If the certificate was imported in a user context, verify that the store that was specified earlier matches the store the certificate was imported into.

  • If the certificate was generated by a certificate request that did not specify the "Machine Key" option, and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and then import it again directly into the store that is specified in the configuration file.

  • If the key is not marked as exportable, request a new certificate by using the "Machine Key" option.

  • If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition by using the Certificates snap-in. For more information, see the procedure "Confirm that private keys for certificates are accessible by the AD FS 2.0 service user account" in Things to Check Before Troubleshooting AD FS 2.0.

Event ID 134
During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' could not be found.

This condition occurs when the findValue that is specified does not match any certificate in the specified store. Common causes for this condition include the following:

  • The certificate that has the specified findValue is from a store that is different from the configured store.

  • The certificate was deleted from the store after configuration.

Possible resolutions for this condition include the following:

  • If the certificate is located in a different store, find the location by using the Certificates snap-in, and correct the configuration appropriately.

  • If the certificate was deleted, restore the certificate temporarily, and then reconfigure AD FS 2.0 to bind to and use a different certificate before you delete the original certificate.

Event ID 135
During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' was not unique.

This condition can occur when the certificate is found in the specified store, but there is more than one certificate that matches the findValue.

If the certificate was identified by name, and there are multiple certificates of the same name, configure the certificate by using the certificate thumbprint.

Locate the element that is specified in this event, and modify its findValue to use the thumbprint of the certificate instead.
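The following PowerShell script is an added example, not part of this article, that walks the Event ID 133, 134 and 135 causes above for one configured certificate: it confirms the findValue matches exactly one certificate in the configured store, that the certificate has a private key in the machine key store, and that the service account holds a direct Read ACE on the key file. It assumes the LocalMachine\My store, an RSA CSP key (the AD FS 2.0 era default), and caller-supplied findValue and service account (the account name shown is a placeholder).

```powershell
# Added example, not part of the TechNet article: a read-only check that walks the causes
# listed for Event IDs 133, 134 and 135 for one configured certificate.
# Assumptions: store is LocalMachine\My, the private key is an RSA CSP key (the AD FS 2.0
# era default), and the findValue and service account are supplied by the caller.
param(
    [Parameter(Mandatory=$true)][string]$FindValue,       # thumbprint or subject name
    [Parameter(Mandatory=$true)][string]$ServiceAccount,  # e.g. 'CONTOSO\svc-adfs' (placeholder)
    [ValidateSet('Thumbprint','SubjectName')][string]$FindBy = 'Thumbprint',
    [string]$StorePath = 'Cert:\LocalMachine\My'
)
$hex = ($FindValue -replace '[^0-9A-Fa-f]', '').ToUpper()
$all = Get-ChildItem -Path $StorePath
if ($FindBy -eq 'Thumbprint') { $found = @($all | Where-Object { $_.Thumbprint -eq $hex }) }
else { $found = @($all | Where-Object { $_.Subject -like "*CN=$FindValue*" }) }

# Event ID 134: nothing in the configured store matches; report where the certificate does live
# (machine stores and the current user's stores, the places the article's causes point at).
if ($found.Count -eq 0) {
    $elsewhere = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
        Where-Object { $_.Thumbprint -eq $hex -or $_.Subject -like "*CN=$FindValue*" } |
        ForEach-Object { $_.PSParentPath -replace '^.*::' }
    Write-Warning "No match in $StorePath (Event ID 134). Found in: $($elsewhere -join ', ')"
    exit 1
}
# Event ID 135: more than one match; the fix is to bind by thumbprint instead of by name.
if ($found.Count -gt 1) {
    Write-Warning "findValue is not unique (Event ID 135). Candidates:"
    $found | ForEach-Object { Write-Warning "  $($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)" }
    exit 1
}
# Event ID 133: certificate found, but its private key is absent, in the wrong store, or unreadable.
$cert = $found[0]
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key: imported from a .cer/.p7b source? (Event ID 133)"; exit 1
}
try { $info = $cert.PrivateKey.CspKeyContainerInfo } catch { $info = $null }
if (-not $info) { Write-Warning "Private key not readable as an RSA CSP key from this context (Event ID 133)"; exit 1 }
if (-not $info.MachineKeyStore) {
    Write-Warning "Key is in a user key store, not the machine store ('Machine Key' option) (Event ID 133)"; exit 1
}
# CSP machine keys are files under MachineKeys; the service account needs Read on that file.
# Only a direct ACE for the account is checked; grants through group membership are not resolved.
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
$ace = (Get-Acl -Path $keyFile).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ServiceAccount -and
    ($_.FileSystemRights.ToString() -match 'Read|FullControl')
}
if (-not $ace) { Write-Warning "$ServiceAccount has no Read ACE on $keyFile (Event ID 133)"; exit 1 }
Write-Output "OK: $($cert.Thumbprint) is unique in $StorePath and its private key is readable by $ServiceAccount"
```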

Event ID 136
During processing of the Federation Service configuration, the Federation Service encountered a configuration error.

An unexpected error was encountered in the configuration data that is required to successfully start the Federation Service. See additional details in this event to further determine the cause and troubleshoot the problem.

Fix the specified configuration error as reported in this event, and then try to start the Federation Service again.

Event ID 201
The Federation Service encountered an Access Denied error while trying to register one or more endpoint URLs.

This condition typically occurs when the access control list (ACL) for the endpoint URL is missing, or the HTTP namespace in the ACL is not a prefix match of the endpoint URL.

Ensure that a valid ACL for each URL is configured on this computer.
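As an added example (not part of this article), the following PowerShell script parses the HTTP.sys URL reservations reported by netsh http show urlacl and applies the prefix-match rule described above to each Federation Service endpoint URL, reporting URLs with no covering reservation and reservations that do not grant Listen to the service account. The endpoint URLs and account name are caller-supplied placeholders, and host matching is simplified: '+' and '*' match any host, anything else must match exactly.

```powershell
# Added example, not part of the TechNet article: checks each Federation Service endpoint URL
# against the HTTP.sys URL reservations from 'netsh http show urlacl', applying the
# prefix-match rule the Event ID 201 row describes. Assumptions: URLs and service account are
# supplied by the caller; a reservation host of '+' or '*' matches any host and any other host
# must match exactly (a simplification of HTTP.sys's weak/strong wildcard rules).
param(
    [Parameter(Mandatory=$true)][string[]]$EndpointUrl,   # e.g. 'https://fs.contoso.com/adfs/services/trust' (placeholder)
    [Parameter(Mandatory=$true)][string]$ServiceAccount   # e.g. 'CONTOSO\svc-adfs' (placeholder)
)

# Parse the netsh output into one object per reservation, each with the users it names.
function Get-UrlReservation {
    $current = $null
    foreach ($line in (netsh http show urlacl)) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            if ($current) { $current }
            $current = New-Object PSObject -Property @{ Url = $matches[1]; Users = @() }
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += New-Object PSObject -Property @{ Name = $matches[1]; Listen = $false }
        } elseif ($current -and $current.Users.Count -gt 0 -and $line -match '^\s*Listen:\s*Yes') {
            $current.Users[-1].Listen = $true
        }
    }
    if ($current) { $current }
}

# True when the reservation's scheme, host, port and path prefix cover the endpoint URL.
function Test-UrlCovered([string]$Url, $Reservation) {
    $u = [Uri]$Url
    if ($Reservation.Url -notmatch '^(?<scheme>https?)://(?<host>[^/]+?):(?<port>\d+)(?<path>/.*)$') { return $false }
    $hostOk = ($matches['host'] -eq '+') -or ($matches['host'] -eq '*') -or ($matches['host'] -eq $u.Host)
    return ($matches['scheme'] -eq $u.Scheme) -and $hostOk -and ([int]$matches['port'] -eq $u.Port) -and
           $u.AbsolutePath.ToLower().StartsWith($matches['path'].ToLower())
}

$reservations = @(Get-UrlReservation)
$bad = 0
foreach ($url in $EndpointUrl) {
    $covering = @($reservations | Where-Object { Test-UrlCovered $url $_ })
    $granted  = @($covering | Where-Object { $_.Users | Where-Object { $_.Name -eq $ServiceAccount -and $_.Listen } })
    if ($granted.Count -gt 0) { Write-Output "OK   $url  <-  $($granted[0].Url)" }
    elseif ($covering.Count -gt 0) { Write-Warning "$url is reserved by $($covering[0].Url) but $ServiceAccount has no Listen right (Event ID 201)"; $bad++ }
    else { Write-Warning "$url has no prefix-matching URL reservation (Event ID 201)"; $bad++ }
}
exit $bad
```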

Event ID 202
The Federation Service could not be opened.

The service encountered a critical error that prevents it from operating normally.

Review the additional data in this event to investigate the possible source of the problem. If the problem recurs, contact your product support resources for more information, using the data that is provided in this event.

Event ID 203
The Federation Service could not be shut down correctly.

The service encountered a critical error that prevents it from operating normally.

Reboot the computer that is hosting the Federation Service. Review the additional data in this event to investigate the possible source of the problem. If the problem recurs, contact your product support resources for more information, using the data that is provided in this event.

Event ID 204
The Federation Service could not be closed.

The service encountered a critical error that prevents it from operating normally.

Reboot the computer that is hosting the Federation Service. Review the additional details in this event to investigate the possible source of the problem. If the problem recurs, contact your product support resources for more information, using the data that is provided in this event.

Event ID 217
A WS-Trust endpoint that was configured could not be opened.

An error in the configuration binding for an endpoint occurred.

Fix the configuration errors by using the Set-ADFSEndpoint cmdlet or the other AD FS 2.0 cmdlets in Windows PowerShell, and then restart the Federation Service.

If the problem persists, run the AD FS 2.0 Federation Server Configuration Wizard again to repair the endpoint.

Event ID 220
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.

Multiple causes are possible for this event.

See the Troubleshooting Event ID 220 section later in this topic.

Event ID 244
The Federation Service was unable to listen for WS-MetadataExchange requests due to an unexpected error.

An unexpected error occurred with the WS-MetadataExchange endpoint.

Check the event context for the details of the exception. If this error occurs repeatedly, and you cannot interpret the exception details, contact your product support resources for help.

Event ID 277
The Federation Service encountered an unexpected exception and has shut down.

An unhandled exception caused the AD FS 2.0 Windows Service to shut down unexpectedly.

Check the event context for the details of the exception. If this error occurs repeatedly, and you cannot interpret the exception details, contact your product support resources for help.

Event ID 352
A SQL Server operation in the AD FS configuration database with connection string %1 failed.

This event is raised for all possible SQL Server failures that AD FS 2.0 encounters in servicing its configuration data store, except for constraint violations or deadlock errors. The additional details in this event provide more information about the error that was encountered.

Possible causes for this event condition include the following:

  • An attempted connection to SQL Server timed out.

  • The SQL Server service or the computer that hosts the database is not reachable.

  • An issue occurred within SQL Server operations.

For SQL Server time-out issues, review overall SQL query loads to determine whether moving the AD FS 2.0 configuration database to another server computer might improve performance.

For connectivity issues, determine whether the computer that is hosting SQL Server is reachable. For more information, see the Troubleshooting Event ID 220 section later in this topic.

Event ID 359
An error occurred during an attempt to restart %1.

A subservice of the Federation Service failed and was unable to restart itself.

Restart the Federation Service to recover from the error.

Event ID 380
During processing of the Federation Service configuration, the element '%1' was found to have invalid data.

The AD FS 2.0 token issuance service failed to start because one of the primary certificates has expired.

Primary certificates are used for either token-signing, token-decrypting, or service communications.

Check to see whether Event ID 349 has also been logged. If it has, the AD FS 2.0 administration subservice has been started successfully. This enables you to use Windows PowerShell cmdlets for AD FS 2.0, such as Set-ADFSProperties, to reconfigure the Federation Service.

The AD FS 2.0 Windows Service shut down unexpectedly and is configured to automatically restart, but it is unable to do so.

The AD FS 2.0 Windows service might not be configured to enable restart after successive failures.

Verify service recovery settings. In the Services node of Server Manager, browse to and double-click the AD FS 2.0 Windows service. In service properties, click the Recovery tab, and review the following recovery settings:

  • First failure

  • Second failure

  • Subsequent failures

By default, the service controller (sc.exe) takes no action to restart the service after two successive failures.

The Federation Service is unable to communicate with a certificate revocation list (CRL) server.

The following are possible causes for this event:

  • The Federation Service does not have access to the Internet.

  • A firewall or extranet access policy might be blocking traffic between the Federation Service and the CRL server.

  • The Federation Service might have multiple network connections active and be unable to determine the best connection to use to contact the CRL server.

The following are possible resolutions for this event:

  • Verify network connectivity from the federation server to other Web sites on the Internet. Check for router misconfiguration, incorrect TCP/IP client settings, or disconnected or defective network cabling.

  • Review the firewall or extranet policy to determine whether it is blocking access between the CRL server and the Federation Service.

  • Increase the Windows services pipe timeout interval (ServicesPipeTimeout) to a value that allows the CRL check to complete. To change this setting, open the Windows Registry Editor (Regedit.exe) and add the following registry value:

    • Navigate to the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

    • Add a registry value of the DWORD data type. Name the value "ServicesPipeTimeout" and set its data to 120000. The value is in milliseconds, so 120000 is 120 seconds (2 minutes).

  • Disable code access security (CAS) publisher policy on the federation server computer in the application configuration file for Microsoft.IdentityServer.ServiceHost.exe. For more information about modifying this setting, see the <publisherPolicy> element reference in the .NET configuration reference in the MSDN library (https://go.microsoft.com/fwlink/?LinkId=190641).

Troubleshooting Event ID 220

Event ID 220 reports that the Federation Service configuration data could not be loaded correctly from the AD FS 2.0 configuration database. This event is always raised in connection with Event ID 102. The cause of this event failure is usually that the SQL Server database that is used for storing AD FS 2.0 configuration data is unavailable.

The following table discusses the likely potential causes of this problem and their corresponding resolutions.

Cause Resolution

The remote computer that is hosting the SQL Server database is not reachable.

Use Ping.exe to verify that the remote computer can be reached from the federation server.

The computer that is running SQL Server and that is configured for storing AD FS 2.0 configuration data is not started.

Start the SQL Server instance that hosts the AdfsConfiguration database.

Verify that the service is running by using sc query mssqlserver on the computer that hosts SQL Server, and ensure that STATE = RUNNING. This assumes that the default instance of SQL Server is being used. Each SQL Server instance has its own service, and you can check the service names in the Services node of Server Manager. When you locate the corresponding named instance, start the service by using net start mssqlserver on the remote computer that is running SQL Server.

The Windows Internal Database (WID) that is configured for storing AD FS 2.0 configuration data is not started.

Start the WID instance that hosts the AdfsConfiguration database.

Verify that the service is running by using sc query mssql$microsoft##ssee on the computer that hosts the Federation Service, and ensure that STATE = RUNNING. This is the service name of the default WID instance. Start the service by using net start mssql$microsoft##ssee on the federation server computer.

The AD FS 2.0 Windows service identity cannot log on to SQL Server.

Ensure that SQL Server is running under a built-in account, such as NetworkService or LocalSystem. If SQL Server is running under a domain account, verify that the service principal name (SPN) for that account has been registered correctly.

To verify the SPN, use the following syntax with the SetSpn.exe command:

SetSpn -L <serviceaccount>

The output of this command should include an SPN of the form MSSQLSvc/<SQL server name>.

Another possible resolution is to connect to SQL Server by using SQL Server Management Studio and verify the following settings:

  • Confirm that the AD FS 2.0 Windows service identity is present under the Security->Logins node in the SQL console.

  • Confirm that the AD FS 2.0 Windows service identity is present under Databases->AdfsConfiguration->Security->Users, and that it owns the IdentityServerPolicy schema.

The AD FS 2.0 Windows service identity can log on to SQL Server, but it does not have access to the AdfsConfiguration database.

Using SQL Server Management Studio, make the AD FS 2.0 Windows service identity the owner of the IdentityServerPolicy schema (see the previous resolution).

SQL Server is timing out.

The following are possible resolutions for this error:

  • Determine the query load on the SQL Server installation by looking at other databases that are hosted on the computer.

  • Consider hosting AdfsConfiguration on a dedicated server.

  • Restart SQL Server.

AD FS 2.0 endpoints do not have ACL permissions set correctly.

Run the AD FS 2.0 Federation Server Configuration Wizard again to repair ACL permissions for the specified endpoints.
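The following PowerShell script is an added example, not part of this article, that automates the first checks in the Event ID 220 table: whether the database host answers a ping, whether the SQL Server or WID service is in STATE = RUNNING, and whether the SQL Server service account carries an MSSQLSvc SPN for that host. It assumes caller-supplied host, instance and (for SQL Server under a domain account) account names, and derives service names by the conventions quoted in the table (mssqlserver for the default instance, mssql$microsoft##ssee for WID).

```powershell
# Added example, not part of the TechNet article: automates the first rows of the Event ID 220
# table (host reachable, SQL Server or WID service running, MSSQLSvc SPN present).
# Assumptions: the caller supplies the database host, instance and, for SQL Server under a
# domain account, that account; service names follow the table ('mssqlserver' for the default
# instance, 'mssql$microsoft##ssee' for WID). SQL logins and schema ownership are not checked.
param(
    [string]$SqlHost = $env:COMPUTERNAME,   # the federation server itself when WID is used
    [string]$Instance = 'MSSQLSERVER',      # 'MICROSOFT##SSEE' for the default WID instance
    [string]$SqlServiceAccount              # e.g. 'CONTOSO\svc-sql' (placeholder); omit for built-in accounts
)

function Get-SqlServiceName([string]$Instance) {
    if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
}

$problems = 0
# Row 1: is the remote computer reachable (the table's Ping.exe step)?
if (-not (Test-Connection -ComputerName $SqlHost -Count 2 -Quiet)) {
    Write-Warning "$SqlHost does not answer ping; fix routing or firewall before anything else"; $problems++
}
# Rows 2 and 3: is the service in STATE = RUNNING (the table's 'sc query' step)?
$svcName = Get-SqlServiceName $Instance
$svc = Get-Service -ComputerName $SqlHost -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service $svcName not found on $SqlHost; check the instance name in Server Manager"; $problems++ }
elseif ($svc.Status -ne 'Running') { Write-Warning "$svcName is $($svc.Status); start it with: net start $svcName"; $problems++ }
else { Write-Output "OK   $svcName is Running on $SqlHost" }
# Row 4: does the SQL service account carry an MSSQLSvc/<host> SPN (the table's SetSpn -L step)?
if ($SqlServiceAccount) {
    $fqdn = [System.Net.Dns]::GetHostEntry($SqlHost).HostName
    $spns = @(setspn -L $SqlServiceAccount 2>&1 | Where-Object { $_ -match '^\s*MSSQLSvc/' })
    $hit  = @($spns | Where-Object { $_ -match "^\s*MSSQLSvc/$([regex]::Escape($fqdn))(:|`$)" })
    if ($hit.Count -gt 0) { Write-Output "OK   SPN registered: $($hit[0].Trim())" }
    else {
        Write-Warning "No MSSQLSvc/$fqdn SPN on $SqlServiceAccount (see the SQL logon row of the Event ID 220 table)"
        if ($spns.Count -gt 0) { Write-Warning "MSSQLSvc SPNs present: $(($spns | ForEach-Object { $_.Trim() }) -join ', ')" }
        $problems++
    }
}
exit $problems
```

Run it from the federation server; a non-zero exit code counts the rows that still need attention.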