Troubleshooting AD FS

Applies To: Windows Server 2008, Windows Server 2008 R2

What problem are you having?

Setup issues

  • I receive a Web browser error page with the message “This page cannot be displayed,” “Cannot find server,” or “DNS Error.”

  • When I try to connect to the application, I get a Web browser error page with the message “This page cannot be found” or “HTTP Error 404 – File or directory not found”.

  • After setting up a Windows NT token–based application, I attempt to connect to it but I am not prompted to choose a host realm and login credentials.

Logging issues

  • I want to enable logging on the account federation server.

  • I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Package.

  • I want to enable logging on the AD FS-enabled Web server for the AD FS Windows Token–Based Agent Extension.

  • I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Service.

  • I want to know where the logs are located.

AD LDS issues

  • After my user accounts are created in Active Directory Lightweight Directory Services (AD LDS) and the trust policy is configured with information about the AD LDS store, the Federation Service is not able to validate users in the AD LDS store.

  • I have enabled an AD LDS account store, but the Federation Service is not able to retrieve any claims.

Configuration issues

  • I am receiving a server error.

  • I am receiving a validation error.

Setup issues

I receive a Web browser error page with the message “This page cannot be displayed,” “Cannot find server,” or “DNS Error.”

There are a few things that can cause this problem. Check the following:

  • Verify that all federation servers have a server authentication certificate issued to the default Web site.

  • Verify that all AD FS-enabled Web servers have a server authentication certificate issued to the Web site where the application resides.

  • If there is an external account partner Federation Service Proxy involved, verify that the correct Federation Service host name was used during installation.

  • If you are using a Windows NT token–based application, verify that the Federation Service Uniform Resource Locator (URL) in the Internet Information Services (IIS) Manager snap-in (under <computer name>\Federation Services URL) is configured correctly.

When I try to connect to the application, I get a Web browser error page with the message “This page cannot be found” or “HTTP Error 404 – File or directory not found.”

This issue might be caused by a configuration problem. Check the following:

  • Verify that the Web application is properly configured in Internet Information Services (IIS).

  • Verify that the Web application URL is properly named in the Active Directory Federation Services snap-in.

  • Verify that Microsoft ASP.NET is installed on the AD FS-enabled Web server and in the Federation Service.

  • If you are connecting to a Windows NT token–based application that uses ASP and you receive the 404 error after supplying your credentials, verify that the ASPClassic handler in IIS is enabled and configured to handle *.asp pages. Verify also that the ASP feature is installed for IIS.

After setting up a Windows NT token–based application, I attempt to connect to it but I am not prompted to choose a host realm and login credentials.

Verify that the virtual directory of the Windows NT token–based application is set up to use the Ifsext.dll Internet Server Application Programming Interface (ISAPI) extension.

Logging issues

I want to enable logging on the account federation server.

The account federation server uses an authentication package for mapping client certificates. To enable logging for the account federation server authentication package, perform the following tasks in order:

  1. If it is not already installed, install the Federation Service component of Active Directory Federation Services (AD FS).

  2. Set the following registry key: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters]

    "DebugLevel"=dword:ffffffff

I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Package.

The AD FS Web Agent authentication package is used by Windows NT token–based applications for generating tokens when Service-for-User (S4U) is not available. It is also used when the token contains security identifiers (SIDs), such as in scenarios that use resource groups or the Windows Trust option. To enable logging for it, set the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters]

"DebugLevel"=dword:ffffffff

I want to enable logging on the AD FS-enabled Web server for the AD FS Windows Token-Based Agent Extension.

The AD FS Windows Token-Based Agent Extension handles the protocols that are used by AD FS to authenticate requests. To enable logging for it, set the following registry value:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\WebServerAgent]

"DebugPrintLevel"=dword:ffffffff

I want to enable logging on the AD FS-enabled Web server for the AD FS Web Agent Authentication Service.

The AD FS Web Agent Authentication Service validates incoming tokens and cookies. To enable logging for it, set the following registry value:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IFSSVC\Parameters]

"DebugPrintLevel"=dword:ffffffff

I want to know where the logs are located.

They are located in %systemroot%\SystemData\ADFS\logs.
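The four registry settings above and the log folder, gathered into one script. This is an added example, not part of the original article: the key paths and value names are the article's, while the -Enable switch, the component labels and the reset-to-0 behaviour are this script's own assumptions.

```powershell
# Added example, not from the article: toggle AD FS debug logging for the
# components listed above, then show the newest files in the log folder.
# Run in an elevated PowerShell session on the server being diagnosed.
param([switch]$Enable)   # -Enable turns tracing on; omit it to turn tracing off

# Registry locations exactly as the article gives them. The account federation
# server and the Web Agent authentication package share the WebSso key.
$logSettings = @(
    @{ Name  = 'Account federation server / Web Agent authentication package'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters'
       Value = 'DebugLevel' },
    @{ Name  = 'Windows Token-Based Agent Extension'
       Key   = 'HKLM:\SOFTWARE\Microsoft\ADFS\WebServerAgent'
       Value = 'DebugPrintLevel' },
    @{ Name  = 'Web Agent Authentication Service'
       Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\IFSSVC\Parameters'
       Value = 'DebugPrintLevel' }
)

# dword:ffffffff has to be handed to -Type DWord as the signed Int32 -1;
# 0 (assumed quiet default) switches the verbose tracing back off.
$level = if ($Enable) { -1 } else { 0 }

foreach ($s in $logSettings) {
    if (-not (Test-Path $s.Key)) {
        # The key is absent when that component is not installed on this server.
        Write-Warning "$($s.Name): $($s.Key) not found, skipping."
        continue
    }
    Set-ItemProperty -Path $s.Key -Name $s.Value -Value $level -Type DWord
    $now = (Get-ItemProperty -Path $s.Key -Name $s.Value).($s.Value)
    '{0}: {1} = 0x{2:x8}' -f $s.Name, $s.Value, $now
}

# Log location from the article; list what has been written most recently.
$logDir = Join-Path $env:SystemRoot 'SystemData\ADFS\logs'
if (Test-Path $logDir) {
    Get-ChildItem -Path $logDir |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 Name, Length, LastWriteTime
} else {
    Write-Warning "Log folder $logDir does not exist yet."
}
```

Run it once with -Enable while reproducing the problem and once without it afterwards, since the ffffffff level records everything.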

AD LDS issues

After my user accounts are created in Active Directory Lightweight Directory Services (AD LDS) and the trust policy is configured with information about the AD LDS store, the Federation Service is not able to validate users in the AD LDS store.

Solution: Use caution when you create user accounts with the AD LDS ADSI Edit snap-in. Always create a user account with a password. If you create a user account without a password, use ADSI Edit to reset the password for the user account. Most importantly, check the value of the msDS-UserAccountDisabled property of the user account. This property should not have the value True. The value should be either False or Not set. If the value of the msDS-UserAccountDisabled property is True, it means that the user account is disabled and the Federation Service cannot validate credentials for this AD LDS user account.
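The msDS-UserAccountDisabled check described above, done from PowerShell through ADSI rather than in the ADSI Edit snap-in. This is an added example, not part of the original article; the AD LDS host, port and user DN are assumed values, and password resets are left to ADSI Edit as the article describes.

```powershell
# Added example, not from the article: check the msDS-UserAccountDisabled
# state of an AD LDS user that the Federation Service cannot validate, and
# re-enable the account if it is disabled. Host, port and DN are assumed.
param(
    [string]$Server = 'adlds01.contoso.com',         # assumed AD LDS host
    [int]   $Port   = 50000,                          # assumed LDAP port
    [string]$UserDn = 'CN=jdoe,CN=Users,O=Fabrikam'   # assumed user DN
)

# Bind with the current Windows identity (secure bind).
$path = "LDAP://${Server}:${Port}/${UserDn}"
$user = [ADSI]$path
try {
    $user.psbase.RefreshCache()
} catch {
    throw "Cannot bind to $path : $($_.Exception.Message)"
}

# Boolean attribute; $null means the attribute is Not set.
$disabled = $user.psbase.Properties['msDS-UserAccountDisabled'].Value

if ($disabled -eq $true) {
    "msDS-UserAccountDisabled is True: the Federation Service cannot validate $UserDn. Enabling it."
    $user.psbase.Put('msDS-UserAccountDisabled', $false)
    $user.psbase.SetInfo()
} elseif ($disabled -eq $false) {
    "msDS-UserAccountDisabled is False: $UserDn can be validated."
} else {
    "msDS-UserAccountDisabled is Not set: $UserDn can be validated."
}
```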

I have enabled an AD LDS account store, but the Federation Service is not able to retrieve any claims.

If the Federation Service is running as Local System, you must add the machine account of the computer hosting the Federation Service to the Readers group in the AD LDS store.

If the Federation Service is running as Network Service, you must add the domain account to the Readers group in the AD LDS store.

Configuration issues

The following section covers some of the known issues with AD FS configuration.

I am receiving a server error.

Error: The token request for the application with URL https://... cannot be fulfilled because the Uniform Resource Locator (URL) does not identify any known trusting application

Solution: This error is returned by the resource Federation Service when the application URL does not identify any known application. Make sure that the application has been added to the trust policy for the Federation Service.

For a claims-aware application, verify that the return URL is typed correctly in the application’s Web.config file and that it matches the application URL that is specified in the trust policy of the Federation Service.

For a Windows NT token–based application, verify that the return URL is typed correctly in the Internet Information Services (IIS) Manager snap-in (under <Web site name>\Authentication\AD FS Windows Token-Based Agent) and that it matches the application URL in the trust policy of the Federation Service.

I am receiving a validation error.

Error: Validation of viewstate media access control (MAC) failed. If this application is hosted by a Web farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm.

AutoGenerate cannot be used in a cluster. An unhandled exception occurred during the running of the current Web request. Review the stack trace for more information about the error and where it originated in the code.

Or

Error: An unhandled exception was generated during the running of the current Web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Solution: Using a text editor, add the following setting to the Web.config file on the computer hosting either the Federation Service, Federation Service Proxy, or AD FS Web Agent that will be farmed:

<system.web>
  <machineKey validationKey="specify key for the appropriate algorithm"
              decryptionKey="specify key"
              validation="SHA1|MD5|3DES"/>
</system.web>

Or

Solution: Add the following element in the <system.web> section of the Web.config file on the computers hosting the Federation Service, Federation Service Proxy, or AD FS Web Agent that are set up in the farm:

<pages enableViewStateMac="false"/>
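A script that produces the shared <machineKey> for the first solution and, optionally, writes it into a farm member's Web.config. This is an added example, not part of the original article; the parameter names, the .bak file name and the explicit decryption="3DES" attribute are this script's own. Sharing one key keeps the ViewState integrity check in place, whereas the second solution removes it, and later ASP.NET releases no longer honour enableViewStateMac="false".

```powershell
# Added example, not from the article: create one <machineKey> with random
# keys and (optionally) write it into a farm member's Web.config.
param(
    [string]$WebConfigPath,          # assumed path, e.g. C:\inetpub\adfs\ls\web.config
    [string]$Validation = 'SHA1',    # article lists SHA1 | MD5 | 3DES
    [string]$Decryption = '3DES'
)

function New-HexKey([int]$Bytes) {
    # Cryptographically strong random bytes, rendered as upper-case hex.
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buffer = New-Object byte[] $Bytes
    $rng.GetBytes($buffer)
    ($buffer | ForEach-Object { $_.ToString('X2') }) -join ''
}

# ASP.NET accepts 40-128 hex characters for validationKey; 3DES needs a
# 48-character (24-byte) decryptionKey. Neither may be AutoGenerate in a farm.
$validationKey = New-HexKey 64
$decryptionKey = New-HexKey 24

$element = @"
<machineKey validationKey="$validationKey"
            decryptionKey="$decryptionKey"
            validation="$Validation"
            decryption="$Decryption" />
"@
$element   # paste this inside <system.web> on every member of the farm

if ($WebConfigPath) {
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($WebConfigPath)
    $systemWeb = $xml.SelectSingleNode('/configuration/system.web')
    if (-not $systemWeb) { throw "No <system.web> section in $WebConfigPath" }
    # Replace any existing machineKey so two elements never coexist.
    $old = $systemWeb.SelectSingleNode('machineKey')
    if ($old) { [void]$systemWeb.RemoveChild($old) }
    $node = $xml.CreateElement('machineKey')
    $node.SetAttribute('validationKey', $validationKey)
    $node.SetAttribute('decryptionKey', $decryptionKey)
    $node.SetAttribute('validation', $Validation)
    $node.SetAttribute('decryption', $Decryption)
    [void]$systemWeb.AppendChild($node)
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force
    $xml.Save($WebConfigPath)
    "Updated $WebConfigPath (backup in $WebConfigPath.bak)."
}
```

Treat the generated element like a credential: whoever holds the keys can produce ViewState the farm will accept, so copy it to the other members over a protected channel and keep the Web.config ACL tight.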

See Also

Concepts

Understanding AD FS Role Services