Troubleshooting trust management problems with AD FS 2.0

Updated: January 7, 2011

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with trust management in Active Directory Federation Services (AD FS) 2.0.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Each entry below gives the event or symptom, followed by its possible cause and the recommended resolution.

Event ID 143
The Federation Service was unable to create the Federation Metadata document because of an error.

The following are possible causes for this event:

  • The claims description contains a non–Uniform Resource Identifier (URI) value.

  • There are document validation errors in the Federation Metadata document.

For more information about the cause of this event, see the additional details that are specified within the event.

Typically, if the event was caused by misconfiguration, check the additional data in the details for this event. Use that data to modify service properties appropriately. For example, the following is a possible resolution for this event:

  • Check the claim descriptions for the Federation Service. For example, search the event XML data in this event for the text shown below to locate the error detail. The quoted value ('bad') identifies the specific document error: in this case, the claims description contains a value ("bad") that must be a full, valid URI.

    Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializationException:ID0014: The value 'bad' must be an absolute URI.

Event ID 155
The Federation Service was unable to listen for metadata document requests because of an unexpected error.

The AD FS 2.0 Windows service might not have permissions to access the Federation Metadata endpoint URL, or it might be blocked by more restrictive access control list (ACL) permissions that override its URL permissions.

Use the netsh commands for HTTP to check the URL ACL permissions on your Federation Metadata endpoint URL, or for other URLs that might be overriding permissions that are needed for the endpoints that the federation server uses. For more information, see the examples for netsh http show urlacl syntax in Netsh Commands for Hypertext Transfer Protocol (HTTP) (https://go.microsoft.com/fwlink/?LinkID=167789).

The following example shows typical output for the netsh http show urlacl command when you check the Federation Metadata endpoint permissions where a user-defined service user account ("adfssrv") has been configured and used for the AD FS 2.0 service identity.

C:\>netsh http show urlacl url=https://+:443/FederationMetadata/2007-06/
  Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: NT SERVICE\adfssrv
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
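The check described above, as an added PowerShell example that is not part of the TechNet article: it parses the output of `netsh http show urlacl`, looks up the account the AD FS 2.0 Windows service runs as, and reports whether that account holds Listen on the Federation Metadata reservation. It assumes the service is registered under its default name `adfssrv` and that netsh is on the PATH; the function names are this example's own.

```powershell
# Added example, not from the TechNet page: check that the URL reservation for the
# Federation Metadata endpoint grants Listen to the account the AD FS 2.0 Windows service
# runs as. Assumptions: the service is registered as 'adfssrv' and netsh is on the PATH.

function Get-UrlAclEntries {
    # Turn the text printed by 'netsh http show urlacl' into one object per reserved URL/user pair.
    param([Parameter(Mandatory=$true)][string[]]$Lines)
    $entries = @()
    $currentUrl = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $currentUrl = $matches[1]
        } elseif ($line -match '^\s*User:\s*(.+?)\s*$') {
            $entries += New-Object PSObject -Property @{
                Url = $currentUrl; User = $matches[1]; Listen = $false; Delegate = $false }
        } elseif ($line -match '^\s*Listen:\s*(Yes|No)' -and $entries.Count -gt 0) {
            $entries[-1].Listen = ($matches[1] -eq 'Yes')
        } elseif ($line -match '^\s*Delegate:\s*(Yes|No)' -and $entries.Count -gt 0) {
            $entries[-1].Delegate = ($matches[1] -eq 'Yes')
        }
    }
    return $entries
}

function Test-FederationMetadataUrlAcl {
    param(
        [string]$Url = 'https://+:443/FederationMetadata/2007-06/',
        [string]$ServiceName = 'adfssrv'
    )
    $svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
    if ($svc -eq $null) { throw "Service '$ServiceName' is not installed on this computer" }
    $account = $svc.StartName          # e.g. 'NT SERVICE\adfssrv' or 'CONTOSO\svc_adfs'

    $entries = Get-UrlAclEntries -Lines (netsh http show urlacl "url=$Url")
    $forService = @($entries | Where-Object { $_.User -eq $account })

    New-Object PSObject -Property @{
        Url            = $Url
        ServiceAccount = $account
        HasReservation = ($entries.Count -gt 0)
        CanListen      = ($forService.Count -gt 0 -and $forService[0].Listen)
        # Other principals on the same reservation are worth a look: a broader ACL on a
        # parent URL can override what the service needs.
        OtherUsers     = ($entries | Where-Object { $_.User -ne $account } | ForEach-Object { $_.User }) -join ', '
    }
}

# Offline demonstration on the output shown in the article (no netsh call needed):
$sampleOutput = @'
  Reserved URL            : https://+:443/FederationMetadata/2007-06/
        User: NT SERVICE\adfssrv
            Listen: Yes
            Delegate: Yes
            SDDL: D:(A;;GA;;;S-1-5-80-2246541699-21809830-3603976364-117610243-975697593)
'@
Get-UrlAclEntries -Lines ($sampleOutput -split "`r?`n") | Format-Table Url, User, Listen, Delegate -AutoSize

# On a federation server, run the live check:
# Test-FederationMetadataUrlAcl
```

If `CanListen` is false while `HasReservation` is true, the reservation exists but names a different principal than the one the service actually starts as, which is the mismatch this event points at. If the service runs under a domain account, compare `ServiceAccount` with the `User` column carefully, since netsh and WMI can render the same account in different forms.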

Event ID 159
The Federation Service encountered an error while writing to an object in the configuration database.

The following are possible causes for this event:

  • The AD FS configuration database is not reachable.

  • The database service was interrupted or taken offline while the Federation Service was accessing the AD FS configuration database.

The following are possible resolutions for this event:

Event ID 164
An error occurred during a read operation from the configuration database. Trust monitoring was shut down and will be tried again after a period of time that corresponds to the trust monitoring interval.

The following are possible causes for this event:

  • The AD FS configuration database is not reachable.

  • The database service was interrupted or taken offline while the Federation Service was accessing the AD FS configuration database.

The following are possible resolutions for this event:

  • Verify that the AD FS configuration database is reachable and that the identity of the AD FS service user account has the necessary permissions to write to the database. For more information, see Verify that the Federation Service can connect to the AD FS configuration database.

  • Retry read access to the AD FS configuration database after you investigate the status of the database service. To set the trust monitoring interval, use the MonitoringInterval parameter on the Set-ADFSProperties cmdlet while using Windows PowerShell for AD FS 2.0.
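An added PowerShell example (not from the TechNet article) that reads the current trust monitoring interval and pulls the recent configuration-database and trust-monitoring events, so a retry can be lined up with the database outage. It assumes the `Microsoft.Adfs.Powershell` snap-in is installed on the federation server and that the admin log is named `AD FS 2.0/Admin`; the function name is this example's own.

```powershell
# Added example, not from the TechNet page: show the trust monitoring interval and the
# recent database/trust-monitoring events (159, 164, 165) from the AD FS 2.0 admin log.
# Assumptions: Microsoft.Adfs.Powershell snap-in present; log name 'AD FS 2.0/Admin'.

Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue

function Get-TrustMonitoringStatus {
    param([int]$LookbackHours = 24)

    $props  = Get-ADFSProperties
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'AD FS 2.0/Admin'
            Id        = 159, 164, 165
            StartTime = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue)

    # Most recent database read/write failure and most recent monitoring shutdown, if any.
    $lastDbError = $events | Where-Object { 159, 164 -contains $_.Id } |
        Sort-Object TimeCreated | Select-Object -Last 1
    $lastShutdown = $events | Where-Object { $_.Id -eq 165 } |
        Sort-Object TimeCreated | Select-Object -Last 1

    New-Object PSObject -Property @{
        MonitoringIntervalMinutes = $props.MonitoringInterval
        EventsInWindow            = $events.Count
        LastDatabaseError         = if ($lastDbError) { $lastDbError.TimeCreated } else { $null }
        LastMonitoringShutdown    = if ($lastShutdown) { $lastShutdown.TimeCreated } else { $null }
    }
}

Get-TrustMonitoringStatus -LookbackHours 24 | Format-List

# To shorten the retry window while the database issue is being investigated (value in minutes):
# Set-ADFSProperties -MonitoringInterval 60
```

The interval only governs how long the Federation Service waits before trying the database again; if `LastDatabaseError` keeps advancing after the database service is back, the problem is reachability or permissions, not timing.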

Event ID 165
An error occurred during trust monitoring. The trust monitoring cycle was shut down.

For more information about the cause of this event, see the additional details that are specified within the event.

Use the additional data that is provided within this event to troubleshoot the problem. If the issue persists, contact product support for further assistance.

Event ID 166
Trust monitoring service encountered an error while parsing the Federation Metadata document.

Partner metadata does not comply with the WS-Federation 1.2 specification.

Use the additional data that is provided within this event to determine the parser location and the context of the compliance issue. For more information about WS-Federation 1.2, see the WS-Federation 1.2 specification (https://go.microsoft.com/fwlink/?LinkID=188673).

Event ID 167
The trust monitoring service encountered an error while applying the data in the Federation Metadata document.

The metadata document that the Federation Service received back from its trust partner contained unexpected data.

Use the additional details that are provided within this event to learn the exact context of the metadata document error.

Event ID 168
The Federation Service encountered an error while retrieving the Federation Metadata document.

The SSL certificate used to secure the federation metadata retrieval of the trust is not trusted by the service account assigned to this Federation Service. Monitoring of the trust will fail.

For more information about the cause of this event, see the additional details that are specified within the event.

The following are possible resolutions for this event:

  • Ensure that the Federation Metadata URL is available. First, try visiting the configured URL using a web browser to troubleshoot the problem. Next, check for certificate errors. For more information, see About certificate errors (https://go.microsoft.com/fwlink/?LinkId=190867).

  • If there are no certificate errors from the web browser when you access the federation metadata document, it is possible that the certificate is issued by an authority that is trusted in the user's certificate store but not in the local machine certificate store.

  • By default, the SSL certificate for a relying party trust partner’s website is not trusted. It should be trusted only after you can verify it securely. Once you have confirmed the authenticity of the certificate and are sure you can trust it, add the root certification authority (CA) of the SSL certificate for the relying party trust to the Local Computer Trusted Root Certification Authorities store on the monitoring computer or, in a farm scenario, on each federation server in the farm.

  • Verify your proxy server setting. For more information about how to verify your proxy server setting, see Things to Check Before Troubleshooting AD FS 2.0.
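An added PowerShell example (not from the TechNet article) for the user-store-versus-machine-store case: it fetches the certificate presented at a partner's Federation Metadata URL, builds the chain in machine context the way the service account would, and reports whether the root CA is in the Local Computer Trusted Root store or only in the current user's. The partner URL is a placeholder and the function name is this example's own; whether to trust the root remains the administrator's decision.

```powershell
# Added example, not from the TechNet page: test whether the root CA of the certificate at
# a partner's Federation Metadata URL is trusted by the Local Computer store (used by the
# AD FS service account) rather than only by the current user's store.
# The URL below is a placeholder for the partner's configured metadata URL.

function Test-MetadataUrlCertificateTrust {
    param([Parameter(Mandatory=$true)][string]$Url)

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Timeout = 15000
    $request.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()   # the service's proxy path should still be verified separately
    $requestStatus = 'Success'
    try {
        $request.GetResponse().Close()
    } catch [System.Net.WebException] {
        $requestStatus = $_.Exception.Status   # TrustFailure here is the condition behind Event ID 168
    }

    $raw = $request.ServicePoint.Certificate
    if ($raw -eq $null) { throw "No server certificate received from $Url (status: $requestStatus)" }
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $raw

    # Build the chain in machine context, as the service does. Revocation is set aside so a
    # missing root is reported distinctly from a CRL problem.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($leaf)
    $root = $leaf
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }

    $inMachineRoot = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0
    $inUserRoot    = @(Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0

    New-Object PSObject -Property @{
        Url               = $Url
        Subject           = $leaf.Subject
        Expires           = $leaf.NotAfter
        RootSubject       = $root.Subject
        RootThumbprint    = $root.Thumbprint
        ChainValid        = $chainOk
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        TrustedByMachine  = $inMachineRoot
        TrustedByUserOnly = ($inUserRoot -and -not $inMachineRoot)
        RequestStatus     = $requestStatus
    }
}

# Placeholder partner URL; replace with the metadata URL configured on the trust.
Test-MetadataUrlCertificateTrust -Url 'https://partner.example.com/FederationMetadata/2007-06/FederationMetadata.xml' | Format-List
```

`TrustedByUserOnly = True` is the exact situation the browser test hides: the browser succeeds under the logged-on user's store while the service fails. Run the check on every federation server in a farm, since each server has its own Local Computer store.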

Event ID 173
The trust monitoring service automatically updated the trust of a partner successfully with the partner's published changes.

Some of the metadata that was received from the trust partner might have been ignored by the Federation Service.

Use the additional details that are provided within this event to verify that all Federation Metadata that is needed to maintain the trust has been applied.

Event ID 174
The trust monitoring service detected changes in the configuration of a partner, but it did not automatically apply the changes on the trust partner.

Differences in the metadata document that was returned to the Federation Service were ignored and not applied by the Federation Service.

You can trace the exact cause of the difference to the additional data that is provided in the event.

For example, if multiple WS-Federation endpoints were included, only the first compatible endpoint is used and applied. Another possible cause is that key metadata was included that was not in the form of an X.509 certificate.

Use the additional details that are provided within this event to verify that the critical Federation Metadata that is needed to maintain the trust was not ignored.
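An added PowerShell example (not from the TechNet article) covering Event IDs 166, 167 and 174 together: it parses a Federation Metadata document and reports the two things the text says get ignored, extra WS-Federation passive endpoints beyond the first and key descriptors whose key is not an X.509 certificate. The sample document is constructed for this example (the certificate value is a placeholder and is not decoded); the function name and the partner names are this example's own.

```powershell
# Added example, not from the TechNet page: summarise a Federation Metadata document the way
# the trust monitor treats it. Only the first PassiveRequestorEndpoint is applied; KeyDescriptor
# entries without an X509Certificate are ignored. Sample document below is constructed.

$ns = @{
    md  = 'urn:oasis:names:tc:SAML:2.0:metadata'
    fed = 'http://docs.oasis-open.org/wsfed/federation/200706'
    ds  = 'http://www.w3.org/2000/09/xmldsig#'
    wsa = 'http://www.w3.org/2005/08/addressing'
}

function Get-FederationMetadataSummary {
    param([Parameter(Mandatory=$true)][xml]$Metadata)

    $nsm = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    foreach ($prefix in $ns.Keys) { $nsm.AddNamespace($prefix, $ns[$prefix]) }

    $entityId  = $Metadata.SelectSingleNode('/md:EntityDescriptor/@entityID', $nsm).Value
    $endpoints = @($Metadata.SelectNodes('//fed:PassiveRequestorEndpoint/wsa:EndpointReference/wsa:Address', $nsm) |
        ForEach-Object { $_.InnerText.Trim() })

    $keys = @()
    foreach ($kd in $Metadata.SelectNodes('//md:KeyDescriptor', $nsm)) {
        $x509 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $nsm)
        $keys += New-Object PSObject -Property @{
            Use    = $kd.GetAttribute('use')
            IsX509 = ($x509 -ne $null)
        }
    }

    New-Object PSObject -Property @{
        EntityId         = $entityId
        AppliedEndpoint  = if ($endpoints.Count -gt 0) { $endpoints[0] } else { $null }
        IgnoredEndpoints = @($endpoints | Select-Object -Skip 1)
        KeyDescriptors   = $keys
        IgnoredKeys      = @($keys | Where-Object { -not $_.IsX509 })
    }
}

# Constructed sample: two passive endpoints and one non-X.509 key descriptor.
$sample = [xml]@'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://partner.example.com/adfs/services/trust">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
                  xsi:type="fed:SecurityTokenServiceType"
                  protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyName>legacy-rsa-key</KeyName></KeyInfo>
    </KeyDescriptor>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://partner.example.com/adfs/ls/</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address>https://partner-backup.example.com/adfs/ls/</Address></EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
'@

$summary = Get-FederationMetadataSummary -Metadata $sample
$summary | Format-List EntityId, AppliedEndpoint, IgnoredEndpoints
$summary.IgnoredKeys | Format-Table Use, IsX509 -AutoSize

# For a real document saved from the partner's metadata URL:
# Get-FederationMetadataSummary -Metadata ([xml](Get-Content .\FederationMetadata.xml))
```

For the constructed sample this reports `https://partner-backup.example.com/adfs/ls/` under `IgnoredEndpoints` and the `encryption` key descriptor under `IgnoredKeys`. On a real partner document, anything listed in those two fields is the difference that Event ID 174 reports as not applied, so it is what to compare against the trust's required metadata.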