Share via


Event ID 620 — Federation Service Communication

Applies To: Windows Server 2008

Federation Service communication is communication between federation servers and Web servers that host the claims-aware agent. The Web server should be updated from the Federation Service. Federation Service communication fails when the Active Directory Federation Services (AD FS) Web Agent cannot be updated.

Event Details

Product: Windows Operating System
ID: 620
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: GettingFsTrustInfoWebException
Message: The AD FS Web Agent was unable to update trust information from the Federation Service. A Hypertext Transfer Protocol (HTTP) or networking error has occurred.
Federation Service URL: %1
WebExceptionStatus value: %2
WebException message: %3

If this failure occurs during startup, no users will be authenticated until the Federation Service can be contacted. If the Federation Service cannot be contacted, the Web agent will continue to be authenticated users with the existing trust information, and it will attempt this operation again at a later time.

User Action
Verify that the Federation Service Uniform Resource Locator (URL) is properly configured, the Federation Service is started, and the Federation Service can be contacted from this computer.

Resolve

Check the Federation Service and the server authentication certificate

Check whether the AD FS-enabled Web server can communicate with a valid Federation Service and whether the application's web.config file is configured correctly.

Check whether the server authentication certificate on all federation servers in the farm chains to a trusted root certificate and whether it has the correct subject name.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Check whether the Federation Service URL that is specified in the web.config file is valid

To check whether the Federation Service URL that is specified in the web.config file is valid:

  1. On the AD FS-enabled Web server that is hosting the claims-aware agent, locate the web.config file for your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check whether the value between the fs tags is a valid Federation Service URL. To do this:
    1. On the AD FS-enabled Web server, copy the value between the fs tags in the web.config file, paste it into the address bar of a Web browser, and then press ENTER. For example, a valid Federation Service URL format would be https://fs1.treyresearch.net/adfs/fs/federationserverservice.asmx.
    2. If a Web page with the title FederationServerService appears, you have determined that the Web server can communicate with a resource federation server and that the Federation Service URL is valid.

Check whether a certificate chains to a trusted root

To check whether a certificate chains to a trusted root:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click ComputerName.
  3. In the center pane, double-click Server Certificates.
  4. Double-click the server authentication certificate.
  5. In the Certificate dialog box, click the Certification Path tab.
  6. Read the description in the Certificate status text box:
    • If the description indicates that the certificate is trusted, the certificate is chaining to a trusted root.
    • If the description indicates that this certificate is not trusted, the server authentication certificate is not chaining to a trusted root. In this case, replace the certificate with a new server authentication certificate that is trusted.

Check whether the certificate subject name matches the Federation Service URL

To check whether the certificate subject name matches the Federation Service URL:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click ComputerName.
  3. In the center pane, double-click Server Certificates.
  4. Double-click the server authentication certificate.
  5. In the Certificate dialog box, click the Details tab.
  6. In the list box, click Subject in the list, and record this value.
  7. Determine whether the host name in the Subject value matches the host name portion of a valid Federation Service URL. To do this:
    1. On the federation server, record the host name portion of the Subject value in the certificate, and then enter it into the address bar of a Web browser. For example, if the Subject value contains fs1.treyresearch.net, you would record only the fs1 portion of the value, and then move to the next step.
    2. In the address bar, type https:// and the host name portion of the Subject value, type /adfs/fs/federationserverservice.asmx at the end of the value, and then press ENTER. For example, if the Subject value of the certificate is fs1.treyresearch.net, the URL in the address bar would look like https://fs1/adfs/fs/federationserverservice.asmx.
    3. If a Web page with the title FederationServerService appears, you have determined that the certificate has the correct Subject name value.

Verify

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the AD FS-enabled Web server can access the Federation Service URL specified in the web.config file:

  1. On the AD FS-enabled Web server that is hosting the claims-aware agent, locate the web.config file for your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check that the value between the fs tags is a valid Federation Service URL. To do this:
    1. On the AD FS-enabled Web server, copy the value between the fs tags in the web.config file, paste it into the address bar of a Web browser, and then hit ENTER. For example, a valid Federation Service URL format would be https://fs1.treyresearch.net/adfs/fs/federationserverservice.asmx.
    2. If a Web page with the title FederationServerService is displayed, then you have successfully verified that the Web server can communicate with a resource federation server and that the Federation Service URL is valid.

Federation Service Communication

Active Directory Federation Services