Event ID 734 — Claims-Aware Application Malformed Requests

Updated: February 27, 2008

Applies To: Windows Server 2008

Web Agent for Claims-Aware Applications Malformed Requests logs token requests, session cookies, and sign-in requests that are associated with the claims-aware agent. Malformed Requests also provides information about protocol requests that are made to the AD FS Web Agent and client cookies, and it records any sign-on issues.

Event Details

Product: Windows Operating System
ID: 734
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: BadWctxParameter
Message: A malformed protocol request was received by the AD FS Web Agent. The context parameter from the request (%1) did not match the configured cookie domain and cookie path for this application.

This request will be failed.

Resolve

Check the cookie domain or path and return URL

This error can occur when:

  • The cookie domain configuration is not set correctly in the application configuration.
  • The "Path" component of the Uniform Resource Locator (URL) that was entered in the Web browser does not start with the cookie path that is specified in the Internet Information Services (IIS) snap-in (for Windows NT token-based applications) or in the web.config file (for claims-aware applications). Note that this is a case-sensitive comparison.

To correct this error, do one of the following:

  • Make sure that the server name portion of the URL that is typed in the Web browser matches the server name in the return URL that is specified for the Web application.
  • If you have a Web farm setup, you may have to configure the "cookie domain" to account for the fact that AD FS authentication may have occurred on one computer in the farm, and the cookies may have to be sent to another server in the farm. If a cookie domain is set for this Web application, make sure that the server name portion of the original URL that is typed into the Web browser ends with this cookie domain. For example, if a cookie domain is named treyresearch.net, the URL that is typed in the Web browser must contain this value, for example, https://sales.treyresearch.net/myapp.
  • Make sure that the cookie path that is configured in the Web application is configured correctly. For example, if the accessed application is https://example.com/subdir/gradsubdir.html, the cookie path should be either / or /subdir. This is case sensitive.
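
The following PowerShell function is an added example, not part of the original article and not AD FS code. It applies the checks listed above to a single URL so that a failing condition can be identified before the configuration is changed. The function name, its parameter names, and the case-insensitive host name comparison are assumptions; the sample return URLs are constructed from the example values on this page.

```powershell
# Added example (not AD FS code): applies the checks listed above to one URL.
function Test-AdfsCookieScope {
    param(
        [Parameter(Mandatory = $true)][string]$Url,         # URL typed in the Web browser
        [Parameter(Mandatory = $true)][string]$ReturnUrl,   # return URL configured for the application
        [Parameter(Mandatory = $true)][string]$CookiePath,  # cookie path configured for the application
        [string]$CookieDomain                               # optional, typically set for a Web farm
    )
    # System.Uri rejects relative or malformed input, so bad values fail here.
    $u = New-Object System.Uri -ArgumentList $Url
    $r = New-Object System.Uri -ArgumentList $ReturnUrl

    # Server name of the browser URL against the server name of the return URL.
    # Host names are compared without regard to case (assumption).
    $hostOk = [string]::Equals($u.Host, $r.Host, [System.StringComparison]::OrdinalIgnoreCase)

    # With a cookie domain set, the server name must end with it (plain suffix
    # test, as the page words it). $null means no cookie domain was supplied.
    $domainOk = $null
    if ($CookieDomain) {
        $domainOk = $u.Host.EndsWith($CookieDomain, [System.StringComparison]::OrdinalIgnoreCase)
    }

    # The URL path must start with the cookie path; this comparison is case sensitive.
    $pathOk = $u.AbsolutePath.StartsWith($CookiePath, [System.StringComparison]::Ordinal)

    New-Object PSObject -Property @{
        Url                      = $Url
        HostMatchesReturnUrl     = $hostOk
        HostEndsWithCookieDomain = $domainOk
        PathStartsWithCookiePath = $pathOk
    }
}

# Constructed inputs built from the example values on this page.
Test-AdfsCookieScope -Url 'https://sales.treyresearch.net/myapp' `
    -ReturnUrl 'https://sales.treyresearch.net/myapp/' `
    -CookiePath '/myapp' -CookieDomain 'treyresearch.net'
# Same kind of check with a cookie path that differs only in case.
Test-AdfsCookieScope -Url 'https://example.com/subdir/gradsubdir.html' `
    -ReturnUrl 'https://example.com/subdir/' -CookiePath '/SubDir'
```

A property that is False in the output identifies the condition to correct; the second call reports False for PathStartsWithCookiePath because /SubDir and /subdir differ in case.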

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If a failure occurs, verify that the web.config file is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the web.config file is configured with the correct Return URL value:

  1. On a resource federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, click Applications, right-click the application in the list that represents this claims-aware application, and then click Properties.
  3. Verify that the https value specified in Application URL (for example, https://www.treyresearch.net/ApplicationName/) is identical to the value specified between the returnurl tags within the web.config file.

Related Management Information

Claims-Aware Application Malformed Requests

Active Directory Federation Services
