Event ID 123 — Windows NT Token-Based Application Configuration

Applies To: Windows Server 2008

Web Agent for Windows NT token-based application configuration contains information about the AD FS Web Agent Authentication Service, creation of Windows NT tokens, and Windows token-based agent authentication requests.

Event Details

Product: Windows Operating System
ID: 123
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: SSO_METABASE_QUERY_RETURN_URL_FAILURE
Message: The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the application return in the Internet Information Services (IIS) configuration.

The Web agent will not be able to generate Windows NT tokens for users until it can find the application return URL. Claims-aware applications are not affected by this condition.

User Action
Ensure that the return URL is configured in the IIS Manager Virtual Directory property page.

Resolve

Configure the return URL in the IIS Manager snap-in

Ensure that the return Uniform Resource Locator (URL) is configured in the IIS Manager snap-in.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check the return URL:

  1. On the Web server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager snap-in.
  2. Click ComputerName\Sites\Web site or Virtual Directory.
  3. In the center pane, double-click Authentication.
  4. Click AD FS Windows Token-Based Agent, and then click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, ensure that the URL is configured.

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If you cannot access the application successfully, verify that the Windows token-based agent is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Windows token-based agent is configured with correct values:

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName**(local computer)**.
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
    • Cookie path
    • Cookie domain
    • Return URL

Windows NT Token-Based Application Configuration

Active Directory Federation Services