Event ID 642 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 642
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: NameSuffixTransformInvalid
Message: The Federation Service encountered an error while loading the trust policy. An application is configured with an e-mail or user principal name (UPN) suffix transformation.

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without the use of the AD FS administrative tools. Remove the suffix transformation from the application.

Resolve

Specify a valid e-mail or UPN suffix

This error occurs only if the trust policy file has been modified without the use of the Active Directory Federation Services snap-in.

When you create a resource partner, make sure that you specify a valid e-mail or user principal name (UPN) suffix that can accept e-mail and UPN claims for this partner.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To specify e-mail or UPN suffixes using the Add Resource Partner Wizard:

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. In the console tree, double-click Federation Service, Trust Policy, and Partner Organizations.
  3. In the console tree, right-click Resource Partners, point to New, and then click Resource Partner.
  4. On the Welcome to the Add Resource Partner Wizard page, click Next.
  5. On the Import Policy File page, ensure that No is selected, and then click Next.
  6. On the Resource Partner Details page, do the following, and then click Next:
    • In Display name, type the display name of the resource partner.
    • In Federation Service URI, type the Uniform Resource Identifier (URI) for the resource partner Federation Service.
    • In Federation Service endpoint URL, type the endpoint Uniform Resource Locator (URL) of the resource partner Federation Service.
  7. On the Federation Scenario page, do one of the following, and then click Next:
    • If you are establishing a federated trust with another organization or if you do not want to use an existing forest trust, click Federated Web SSO.
    • If you are establishing a federated trust in the same organization when both sides already share a forest trust, click Federated Web SSO with Forest Trust.
  8. On the Resource Partner Identity Claims page, select one or more identity claims to share with the resource partner, and then click Next:
    • If the resource partner requires UPN claims to make authorization decisions, select the UPN Claim check box.

      Note: If you selected the Federated Web SSO with Forest Trust scenario, the UPN Claim option is selected and not configurable because UPN claims are required for this scenario.

    • If the resource partner requires e-mail claims to make authorization decisions, select the E-mail Claim check box.

    • If the resource partner requires common name claims to make authorization decisions, select the Common Name Claim check box.

  9. If you selected UPN Claim as an identity claim, on the Select UPN Suffix page, do one of the following, and then click Next:
    • To pass all UPN suffixes through without replacing them, click Pass all UPN suffixes through unchanged.
    • To replace all UPN suffixes with a different suffix, click Replace all UPN suffixes with the following, and then type the suffix that you want to use to replace all UPN suffixes.
  10. If you selected E-mail Claim as an identity claim, on the Select E-mail Suffix page, do one of the following, and then click Next:
    • To pass all e-mail suffixes without replacing them, click Pass all E-mail suffixes through unchanged.
    • To replace all e-mail suffixes with a different suffix, click Replace all E-mail suffixes with, and then type the suffix that you want to use to replace all e-mail suffixes.
  11. On the Enable this Resource Partner page, if you do not want to enable the resource partner now, clear the Enable this resource partner check box, and then click Next.
  12. To add the new resource partner and close the wizard, click Finish.
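The following Python model is an added illustration, not Microsoft's code or the real trust policy schema: the XML layout (TrustPolicy, ResourcePartners/ResourcePartner, Applications/Application, and the UpnSuffixTransform and EmailSuffixTransform children with their mode and suffix attributes) is a constructed, simplified stand-in, since this page does not show the file's actual format. It demonstrates the two behaviours described above: the loader rejects a policy in which an application carries a suffix transformation (the condition event ID 642 reports), a running service keeps its last good policy while a starting service cannot start, and the pass-through versus replace-all suffix choice from steps 9 and 10 is applied to outgoing UPN and e-mail claims for a resource partner. A claim whose transform is absent is treated as not shared with that partner, which is an assumption of this model.

```python
"""Constructed model of AD FS 1.x trust-policy loading and suffix transformation.

Not Microsoft's code. The element and attribute names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET


class TrustPolicyError(ValueError):
    """Policy cannot be loaded; the analogue of event ID 642 on this page."""


@dataclass
class SuffixTransform:
    mode: str                      # "passthrough" or "replace"
    suffix: Optional[str] = None   # replacement suffix when mode == "replace"

    def apply(self, value: str) -> str:
        local, sep, _ = value.rpartition("@")
        if not sep:
            raise ValueError(f"claim value {value!r} has no suffix")
        return value if self.mode == "passthrough" else f"{local}@{self.suffix}"


@dataclass
class ResourcePartner:
    name: str
    upn: Optional[SuffixTransform]    # None: UPN claim not shared with partner
    email: Optional[SuffixTransform]  # None: e-mail claim not shared


@dataclass
class TrustPolicy:
    partners: Dict[str, ResourcePartner] = field(default_factory=dict)
    applications: List[str] = field(default_factory=list)


TRANSFORM_TAGS = ("UpnSuffixTransform", "EmailSuffixTransform")


def _parse_transform(parent: ET.Element, tag: str) -> Optional[SuffixTransform]:
    el = parent.find(tag)
    if el is None:
        return None
    mode = el.get("mode", "passthrough")
    if mode not in ("passthrough", "replace"):
        raise TrustPolicyError(f"{tag} in {parent.get('name')!r}: unknown mode {mode!r}")
    if mode == "replace" and not el.get("suffix"):
        raise TrustPolicyError(f"{tag} in {parent.get('name')!r}: missing replacement suffix")
    return SuffixTransform(mode, el.get("suffix"))


def load_trust_policy(xml_text: str) -> TrustPolicy:
    """Parse the (hypothetical) trust policy file, rejecting invalid transforms."""
    root = ET.fromstring(xml_text)
    policy = TrustPolicy()
    for app in root.iter("Application"):
        # Suffix transformation belongs only on resource partners; an application
        # carrying one is the condition NameSuffixTransformInvalid describes.
        if any(app.find(tag) is not None for tag in TRANSFORM_TAGS):
            raise TrustPolicyError(
                f"application {app.get('name')!r} is configured with a suffix transformation")
        policy.applications.append(app.get("name"))
    for rp in root.iter("ResourcePartner"):
        name = rp.get("name")
        policy.partners[name] = ResourcePartner(
            name, _parse_transform(rp, "UpnSuffixTransform"),
            _parse_transform(rp, "EmailSuffixTransform"))
    return policy


class FederationService:
    """Mimics the startup vs. running behaviour described for event 642."""

    def __init__(self) -> None:
        self.policy: Optional[TrustPolicy] = None

    def reload(self, xml_text: str) -> bool:
        try:
            self.policy = load_trust_policy(xml_text)
            return True
        except TrustPolicyError as err:
            if self.policy is None:
                raise   # at startup there is nothing to fall back to
            print(f"event 642: {err}; keeping last successfully loaded policy")
            return False

    def outgoing_claims(self, partner: str, claims: Dict[str, str]) -> Dict[str, str]:
        """Apply the partner's UPN / e-mail suffix settings to identity claims."""
        rp = self.policy.partners[partner]
        out: Dict[str, str] = {}
        if rp.upn is not None and "upn" in claims:
            out["upn"] = rp.upn.apply(claims["upn"])
        if rp.email is not None and "email" in claims:
            out["email"] = rp.email.apply(claims["email"])
        return out


# Constructed sample policies (hypothetical format, not a real TrustPolicy file).
GOOD_POLICY = """<TrustPolicy>
  <ResourcePartners>
    <ResourcePartner name="Fabrikam">
      <UpnSuffixTransform mode="replace" suffix="fabrikam.com"/>
      <EmailSuffixTransform mode="passthrough"/>
    </ResourcePartner>
  </ResourcePartners>
  <Applications><Application name="Expense"/></Applications>
</TrustPolicy>"""

BAD_POLICY = """<TrustPolicy>
  <Applications>
    <Application name="Expense"><UpnSuffixTransform mode="replace" suffix="x.com"/></Application>
  </Applications>
</TrustPolicy>"""

if __name__ == "__main__":
    svc = FederationService()
    svc.reload(GOOD_POLICY)
    print(svc.outgoing_claims("Fabrikam", {"upn": "alice@contoso.com", "email": "alice@contoso.com"}))
    svc.reload(BAD_POLICY)   # logged, last good policy kept
```

Running the module loads the good policy, maps alice@contoso.com to alice@fabrikam.com for the UPN while leaving the e-mail suffix untouched, and then shows that a hand-edited policy with a transform on an application is rejected without disturbing the policy already in use.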

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.
