Event ID 703 — Trust Policy and Configuration
Applies To: Windows Server 2008
.jpg)
The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.
Event Details
| Product: | Windows Operating System |
| ID: | 703 |
| Source: | Microsoft-Windows-ADFS |
| Version: | 6.0 |
| Symbolic Name: | SigningMethodChainNotValid |
| Message: | The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy, the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup, the Federation Service will not be able to service requests until the condition is resolved. Signing certificate thumbprint: %1 The certificate chain for the signing certificate cannot be verified. Native Error Code: %2 User Action The native error code comes from CertGetCertificateChain or CertVerifyCertificateChainPolicy. Check the documentation to determine the error code, and take action accordingly. For example, if the error code is CERT_E_EXPIRED, the signing certificate has expired and must be replaced or renewed. |
Resolve
Replace or renew the invalid token-signing certificate
The native error code comes from CertGetCertificateChain or CertVerifyCertificateChainPolicy.
This error occurs because the token-signing certificate is not valid. That is, it is not trusted, it is expired or revoked, or the certificate revocation list (CRL) of the certificate is not reachable.
For more information about token-signing certificates and how to request one from Microsoft Certificate Services, see Certificate Requirements for Federation Servers (https://go.microsoft.com/fwlink/?LinkId=110473).
Check Event Viewer to determine the error code. Use Winerror.exe to get more information about the error, and take action accordingly. For example, if the error code is CERT_E_EXPIRED, type winerror.exe CERT_E_EXPIRED at a command prompt, and then press ENTER.
You can obtain the Winerror.exe tool by downloading the Windows Driver Kit (WDK). For more information about the WDK, see Index of Windows Driver Kit Tools (https://go.microsoft.com/fwlink/?LinkId=110509).
Verify
Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.