Troubleshooting Fedpassive request failures with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with passive federation in which requests are failing.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Each entry below lists the event or symptom, its possible cause, and the resolution.

Event ID 362: Encountered error during federation passive sign-out.

Possible cause: An error occurred while processing a WS-Federation or Security Assertion Markup Language (SAML) logout. This event usually occurs together with other events, which should contain additional data.

Resolution: See the additional data in this event or in other related events to resolve the issue.

Event ID 364: Encountered error during federation passive request.

Possible cause: This event can be caused by anything that is incorrect in the passive request. It can occur during single sign-on (SSO) or logout for both SAML and WS-Federation scenarios.

If this event occurs in connection with Web client applications seeing HTTP 503 (Service unavailable) errors, it might also indicate a problem with the AD FS 2.0 application pool or its configuration in IIS.

Resolution: If you are seeing HTTP 503 errors with this event, first try the following step to resolve the problem:

  1. Check to see whether the AD FS 2.0 application pool is stopped. If the application pool is stopped, the cause might be a password change for the AD FS 2.0 service account. If applicable, update the password for the AD FS 2.0 application pool in IIS or reset the password for both the service account and the application pool. For more information, see Update the AD FS 2.0 Service Identity Password in a Federation Server Farm (https://go.microsoft.com/fwlink/?LinkId=221908).

For more information to help resolve this issue, see the additional data that is provided in this event or in other related events.

For more information about how to determine which other events are related to this event in the AD FS 2.0 event log, see the "Correlating events and traces using Activity ID and Caller ID" section in the blog post Diagnostics in AD FS 2.0 (https://go.microsoft.com/fwlink/?LinkID=188910).
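The following PowerShell is an added example, not part of the original page: it performs the application pool check from the step above and then groups recent AD FS 2.0 admin-log events by Activity ID so that the events related to each event 364 can be read together. It assumes the application pool is named 'ADFSAppPool' and the log is named 'AD FS 2.0/Admin' (neither name is stated on this page; adjust both to your server), and that the Activity ID is available either as the event's correlation ActivityId or as an "Activity ID:" line in the message text.

```powershell
# Added example (not from the page): first-pass triage for event 364 with HTTP 503 symptoms.
# Step 1: check the AD FS 2.0 application pool in IIS. Step 2: group recent AD FS 2.0
# admin-log events by Activity ID so the events related to each 364 can be read together.
# Assumed names (adjust for your server): pool 'ADFSAppPool', log 'AD FS 2.0/Admin'.
Import-Module WebAdministration   # IIS 7.x module; run elevated on the federation server

function Test-AdfsAppPool {
    param([string]$Name = 'ADFSAppPool')
    $state = (Get-WebAppPoolState -Name $Name).Value
    if ($state -ne 'Started') {
        Write-Warning ("Application pool '$Name' is $state. A stopped pool usually means the " +
                       "service account password changed; fix the pool identity, then start it.")
    }
    return $state
}

function Get-ActivityKey($Event) {
    # Prefer the event's correlation ActivityId; fall back to an "Activity ID:" line in the message
    if ($Event.ActivityId) { return $Event.ActivityId.ToString() }
    if ($Event.Message -match 'Activity ID:\s*([0-9a-fA-F-]{36})') { return $Matches[1] }
    return $null
}

function Get-AdfsRelatedEvents {
    param([int]$EventId = 364, [int]$Hours = 24, [string]$LogName = 'AD FS 2.0/Admin')
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } `
                  -ErrorAction SilentlyContinue)
    # Activity IDs of the failing requests
    $keys = $events | Where-Object { $_.Id -eq $EventId } | ForEach-Object { Get-ActivityKey $_ } |
            Where-Object { $_ } | Select-Object -Unique
    foreach ($key in $keys) {
        # Every event written under the same Activity ID belongs to the same request
        $events | Where-Object { (Get-ActivityKey $_) -eq $key } | Sort-Object TimeCreated |
            Select-Object @{n='ActivityId';e={$key}}, TimeCreated, Id, LevelDisplayName,
                          @{n='Message';e={ ($_.Message -split "`n")[0] }}
    }
}

Test-AdfsAppPool
Get-AdfsRelatedEvents | Format-Table -AutoSize -Wrap
```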

Event ID 383: The Web request failed.

Possible cause: The web.config file for the /adfs/ls site is malformed. For example, this error occurs if an element inside microsoft.identityServer.web in web.config has an unsupported value, such as <singleSignOn enabled="yes"/>, instead of a supported value, such as <singleSignOn enabled="true"/>.

Resolution: Fix the malformed data in the web.config file. For more information to help resolve this issue, see the additional data that is provided in this event.

Event ID 384: The request to the Federation Service failed.

Possible cause: The web.config file has an invalid configuration that the Federation Service does not support. For example, this event can occur if the web.config file does not specify the SAML or WS-Federation endpoint Uniform Resource Identifiers (URIs).

Resolution: Ensure that the Federation Service supports the configuration of the property that is specified in this event.

Troubleshooting SAML request failures

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with passive federation in which SAML-specific requests are failing.

Each entry below lists the event or symptom, its possible cause, and the resolution.

Event ID 303: The Federation Service encountered an error while processing the SAML authentication request.

Possible cause: An error occurred while a SAML authentication request was being processed.

Resolution: See the additional data that is provided in this event or in other related events to resolve the issue.

Event ID 320: The verification of the SAML message signature failed.

Possible causes:

  • The issuer of the logout request is not a known partner.

  • The issuer of the logout request is a known partner, but the issuer does not have a logout response endpoint defined.

  • The issuer of the logout request is known, but the issuer does not have a signing certificate configured, or the signing certificate failed a certificate revocation list (CRL) check.

Possible resolutions:

  • Verify that the issuer's certificate is up to date.

  • Update the partner trust configuration to match the signing requirements.

Event ID 321: The SAML authentication request had a NameID Policy that could not be satisfied.

Possible causes:

  • A name identifier that trust policy requires to be included in the request is missing.

  • The format of the name identifier is incorrect.

Possible resolutions:

  • Add the missing name identifier to the relying party trust configuration.

  • Correct the name identifier in the relying party trust configuration.

Event ID 327: An error occurred during processing of the SAML logout request.

Possible cause: The SAML logout process for a claims provider trust or relying party trust is not configured correctly. The endpoint that is required to enable support for SAML logout is probably not configured.

Resolution: Ensure that the SAML logout endpoint is configured correctly for this relying party trust or claims provider trust. Check with your trust partner to verify the exact endpoint details to be configured. To confirm or update the SAML logout endpoint for a trust, you can use the AD FS 2.0 snap-in. To do so, use the Endpoints tab in the properties for either the relying party or claims provider trust that is related to this event.

Event ID 368: The SAML Single Logout request does not correspond to the logged-in session participant.

Possible causes:

  • The logout request does not contain a name ID.

  • The logout request contains a name ID whose format or value is different from what was issued for this trust.

  • The logout request contains a service provider (SP) name qualifier that does not match the security token service (STS) claim issuance rule.

  • The user who sent the logout request has never logged in before.

Resolution: Verify that the claims provider trust or the relying party trust configuration is up to date. Use the AD FS 2.0 snap-in to make the format of the name ID rule for this partner and its SPNameQualifier value match the name ID that is present in the logout request.

Event ID 378: The SAML request is not signed with the expected signature algorithm.

Possible cause: The signature algorithm for the partner is not configured correctly.

Resolution: Verify that the signature algorithm for the partner is configured as expected. Use the information in this event to correct the signature algorithm.
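Events 320, 368 and 378 all come down to a mismatch between what the partner actually sent in the SAML logout request and what the trust is configured to expect. The following PowerShell is an added example, not part of the original page: it decodes a LogoutRequest as carried in the SAMLRequest form field of the HTTP-POST binding (base64, no DEFLATE) and reports the issuer, signature algorithm, NameID format and SPNameQualifier so they can be compared with the trust's Endpoints and claim issuance rules in the AD FS 2.0 snap-in. The sample request is constructed for illustration; its issuer and user values are placeholders.

```powershell
# Added example (not from the page): decode a SAML 2.0 LogoutRequest as sent with the HTTP-POST
# binding (base64 in the SAMLRequest form field) and report the fields that AD FS 2.0 checks
# for events 320 (issuer/signature), 368 (NameID format and SPNameQualifier) and 378 (signature
# algorithm), so they can be compared with the partner's trust configuration in the snap-in.
# The request below is constructed for illustration; issuer and user values are placeholders.
$sampleXml = @'
<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2010-05-05T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder-signature-value</ds:SignatureValue>
  </ds:Signature>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      SPNameQualifier="https://sp.example.test/saml">user@example.test</saml:NameID>
</samlp:LogoutRequest>
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))

function Get-SamlLogoutRequestInfo {
    param([Parameter(Mandatory=$true)][string]$SamlRequest)   # base64 SAMLRequest value
    [xml]$doc = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlRequest))
    $ns = New-Object Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $issuer = $doc.SelectSingleNode('/samlp:LogoutRequest/saml:Issuer', $ns)
    $sigAlg = $doc.SelectSingleNode('/samlp:LogoutRequest/ds:Signature/ds:SignedInfo/ds:SignatureMethod/@Algorithm', $ns)
    $nameId = $doc.SelectSingleNode('/samlp:LogoutRequest/saml:NameID', $ns)

    # A missing NameID or a mismatched Format/SPNameQualifier is what produces event 368;
    # an unknown issuer or failed signature check gives 320; an unexpected algorithm gives 378.
    [pscustomobject]@{
        Issuer             = if ($issuer) { $issuer.InnerText } else { '(missing)' }
        SignatureAlgorithm = if ($sigAlg) { $sigAlg.Value } else { '(unsigned)' }
        NameIDPresent      = ($null -ne $nameId)
        NameIDFormat       = if ($nameId) { $nameId.GetAttribute('Format') } else { $null }
        SPNameQualifier    = if ($nameId) { $nameId.GetAttribute('SPNameQualifier') } else { $null }
        NameIDValue        = if ($nameId) { $nameId.InnerText } else { $null }
    }
}

Get-SamlLogoutRequestInfo -SamlRequest $encoded | Format-List
```

For a request captured from the HTTP-Redirect binding, the SAMLRequest value is additionally DEFLATE-compressed before base64 encoding and must be inflated first; this example handles only the POST form.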