Windows NT Token-Based Application Configuration

Applies To: Windows Server 2008

This topic lists the events that the AD FS Web Agent for Windows NT token-based applications writes to the event log: events from the AD FS Web Agent Authentication Service, from the creation of Windows NT tokens, and from Windows token-based agent authentication requests.

Events

Each entry below gives the Event ID, the Source, and the Message (followed by any User Action and Additional Data).

100

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications could not contact the Federation Service during startup.
Federation Service URL: %1

The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service.

User Action
Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server.

Ensure that this Web server is joined to an Active Directory Domain Services domain.

Ensure that the ADFS Web Agent Authentication Service is started.

101

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.

106

Microsoft-Windows-ADFS

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension encountered a serious error. The AD FS configuration information could not be retrieved from the Internet Information Services (IIS) configuration.

The Web agent will not be able to authenticate users until it can retrieve configuration information from the IIS metabase.

This condition can occur if the IIS metabase schema extension fails during AD FS setup.

107

Microsoft-Windows-ADFS

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension was unable to obtain a Windows NT token from the authentication service.

An anonymous token will be generated for this request.

User Action
Ensure that this application is configured as a Windows NT token-based application in the Federation Service trust policy.

If the user comes from an account partner where Windows Trust may be applicable, ensure that Windows Trust is enabled for the account partner and that the account partner has enabled Windows Trust for this resource partner.

If you are using shadow accounts:
- Ensure that a shadow account exists for this user.
- Ensure that user principal name (UPN) claims or e-mail claims are enabled for this application.
- Ensure that UPN claims or e-mail claims are being produced for this user by the account store or the account partner.

Additional Data
Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.
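The security-relevant point of event 107 is that a missing or unmappable Windows NT token does not reject the request; it is served with an anonymous token instead, so a broken shadow-account or claims configuration turns into a question of what the anonymous identity is allowed to reach. The following PowerShell is an added example, not code from the original page or from Microsoft; it enables failure auditing as the Additional Data suggests, then pairs each recent event 107 with logon failures (Security event 4625) recorded in the same window. It assumes PowerShell 2.0 or later on the Web server; the choice of the Logon subcategory and the 60-second correlation window are this example's own.

```powershell
# Added example (not from the original page): correlate AD FS Web Agent event 107
# with Security log logon failures. Assumes PowerShell 2.0+ and an elevated session.

function Enable-LogonFailureAuditing {
    # auditpol is the Windows Server 2008 tool for per-subcategory audit policy.
    # The subcategory name is localized; on a non-English server use the GUID form.
    & auditpol.exe /set /subcategory:"Logon" /failure:enable | Out-Null
    & auditpol.exe /get /subcategory:"Logon"
}

function Get-AnonymousTokenFallbacks {
    param([int]$Hours = 24, [int]$WindowSeconds = 60)

    $since = (Get-Date).AddHours(-$Hours)
    $fallbacks = @()
    try {
        # Event 107: NT token could not be obtained, anonymous token generated.
        $fallbacks = @(Get-WinEvent -FilterHashtable @{
            ProviderName = "Microsoft-Windows-ADFS"; Id = 107; StartTime = $since } -ErrorAction Stop)
    } catch { }   # Get-WinEvent throws when nothing matches; treat as empty

    foreach ($ev in $fallbacks) {
        # 4625 = "An account failed to log on" on Windows Server 2008. The agent event
        # carries no request identifier, so the join is on time only (assumption).
        $failures = @()
        try {
            $failures = @(Get-WinEvent -FilterHashtable @{
                LogName   = "Security"; Id = 4625
                StartTime = $ev.TimeCreated.AddSeconds(-$WindowSeconds)
                EndTime   = $ev.TimeCreated.AddSeconds($WindowSeconds) } -ErrorAction Stop)
        } catch { }

        New-Object PSObject -Property @{
            Time                = $ev.TimeCreated
            RecordId            = $ev.RecordId
            NearbyLogonFailures = $failures.Count
            FailureDetails      = ($failures | ForEach-Object { ($_.Message -split "`n")[0] })
        }
    }
}

# Usage: run Enable-LogonFailureAuditing once if failure auditing is off, then:
Get-AnonymousTokenFallbacks -Hours 24 | Format-Table Time, RecordId, NearbyLogonFailures -AutoSize
```

Every row returned is a request that was served with an anonymous token rather than being rejected, so each one is also worth checking against the IIS log to see what the anonymous identity was then permitted to access.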

121

Microsoft-Windows-ADFS

The ADFS Web Agent Authentication Service encountered a serious error. The ADFS configuration information could not be retrieved from the Internet Information Services (IIS) metabase. The metabase could not be opened.

The Web agent will not be able to authenticate users until it can retrieve configuration information from the IIS metabase.

User Action
Ensure that IIS is installed and enabled on this server.
Ensure that the IIS Admin Service is started.

122

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the Federation Service in the Internet Information Services (IIS) configuration.

The Web agent will not be able to generate Windows NT tokens for users until it can find the Federation Service URL. Claims-aware applications are not affected by this condition.

User Action
Ensure that the Federation Service URL is configured in the IIS Manager Web Sites property page.

123

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the application return in the Internet Information Services (IIS) configuration.

The Web agent will not be able to generate Windows NT tokens for users until it can find the application return URL. Claims-aware applications are not affected by this condition.

User Action
Ensure that the return URL is configured in the IIS Manager Virtual Directory property page.

124

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. Registration for change notification in the Internet Information Services (IIS) configuration failed.

This condition prevents the Web agent authentication service from starting. Users will not be able to access protected resources until the authentication service can be restarted.

Additional Data
The data field contains an HRESULT error code.

127

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the "Act as part of the operating system" privilege (SeTcbPrivilege).

Users will not be able to access protected resources until the authentication service can be restarted.

User Action
Either grant the AD FS authentication service principal the "Act as part of the operating system" privilege or configure the service to run as a principal that has already been granted the "Act as part of the operating system" privilege. (For example, configure the authentication service to run as LocalSystem.)

128

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the "Impersonate a client after authentication" privilege (SeImpersonatePrivilege).

Users will not be able to access protected resources until the authentication service can be restarted.

User Action
Either grant the AD FS authentication service principal the "Impersonate a client after authentication" privilege or configure the service to run as a principal that has already been granted the "Impersonate a client after authentication" privilege. (For example, configure the authentication service to run as LocalSystem.) This privilege is granted by default to the SERVICE group, but on a hardened server it may be necessary to grant the privilege explicitly.

129

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service received a remote procedure call (RPC) from a user who is not in the IIS_IUSRS group.

This request will be denied.

User Action
If this error results in failed AD FS authentications, ensure that the failing Internet Information Services (IIS) application pool's identity is a member of the IIS_IUSRS group.
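Events 127, 128 and 129 together describe the identity boundary of the token service: the AD FS Web Agent Authentication Service account must hold SeTcbPrivilege and SeImpersonatePrivilege, and only callers in IIS_IUSRS may ask it for a token. Whichever account holds "Act as part of the operating system" can create tokens for any user, which is exactly what this service does, so treat that account as equivalent to SYSTEM. The following PowerShell is an added example, not code from the original page or from Microsoft, that checks all three conditions. It assumes PowerShell 2.0 or later in an elevated session on the Web server; the service is located by display name because its short service name is not given on this page, and `appcmd` from IIS 7 is used to read application pool identities.

```powershell
# Added example (not from the original page): verify the conditions behind events
# 127/128 (service privileges) and 129 (app pool identity in IIS_IUSRS).
# Assumes PowerShell 2.0+, elevated, on the IIS server running the Web agent.

function Get-AssignedPrivilegeSids {
    # secedit exports local policy; [Privilege Rights] lists each user right with the
    # SIDs (prefixed "*") or names it is assigned to. Export is UTF-16 with BOM.
    $tmp = Join-Path $env:TEMP "privs.inf"
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in (Get-Content $tmp -Encoding Unicode)) {
        if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
            $rights[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
        }
    }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    $rights
}

function Resolve-AccountSid {
    param([string]$Account)
    (New-Object System.Security.Principal.NTAccount($Account)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-AdfsAuthServicePrivileges {
    $svc = Get-WmiObject -Class Win32_Service |
        Where-Object { $_.DisplayName -like "*Web Agent Authentication Service*" } | Select-Object -First 1
    if (-not $svc) { throw "AD FS Web Agent Authentication Service not found" }

    $account = $svc.StartName
    if ($account -eq "LocalSystem" -or $account -eq "NT AUTHORITY\SYSTEM") {
        # LocalSystem (S-1-5-18) holds both privileges inherently; this is the
        # configuration the User Action for events 127 and 128 suggests.
        return New-Object PSObject -Property @{ Service = $svc.Name; Account = $account; HasSeTcb = $true; HasSeImpersonate = $true }
    }

    $sid = Resolve-AccountSid ($account -replace '^\.\\', "$env:COMPUTERNAME\")
    $rights = Get-AssignedPrivilegeSids
    # A service token always contains the SERVICE group (S-1-5-6), which is why the
    # default assignment of SeImpersonatePrivilege to SERVICE normally satisfies 128.
    $tokenSids = @($sid, "S-1-5-6")
    $hasTcb = [bool]($rights["SeTcbPrivilege"]         | Where-Object { $tokenSids -contains $_ })
    $hasImp = [bool]($rights["SeImpersonatePrivilege"] | Where-Object { $tokenSids -contains $_ })
    New-Object PSObject -Property @{ Service = $svc.Name; Account = $account; HasSeTcb = $hasTcb; HasSeImpersonate = $hasImp }
}

function Test-AppPoolIdentitiesInIisIusrs {
    $appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
    # Explicit local members of IIS_IUSRS, normalized to DOMAIN\NAME in upper case.
    $group = [ADSI]"WinNT://./IIS_IUSRS,group"
    $members = @($group.psbase.Invoke("Members") | ForEach-Object {
        $path = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
        (($path -replace '^WinNT://', '') -replace '/', '\').ToUpper()
    })
    $builtin = @{ "NetworkService" = "NT AUTHORITY\NETWORK SERVICE"
                  "LocalService"   = "NT AUTHORITY\LOCAL SERVICE"
                  "LocalSystem"    = "NT AUTHORITY\SYSTEM" }
    foreach ($pool in (& $appcmd list apppool /text:name)) {
        $type = (& $appcmd list apppool $pool /text:processModel.identityType) | Select-Object -First 1
        $user = (& $appcmd list apppool $pool /text:processModel.userName) | Select-Object -First 1
        $identity = if ($type -eq "SpecificUser") { $user -replace '^\.\\', "$env:COMPUTERNAME\" }
                    elseif ($builtin[$type]) { $builtin[$type] } else { [string]$type }
        New-Object PSObject -Property @{
            AppPool = $pool; IdentityType = $type; Identity = $identity
            InIisIusrs = ($members -contains $identity.ToUpper())
        }
    }
}

# Usage: HasSeTcb/HasSeImpersonate = False maps to event 127/128; an application pool
# with InIisIusrs = False (typically a SpecificUser account) is the case event 129 names.
Test-AdfsAuthServicePrivileges | Format-List
Test-AppPoolIdentitiesInIisIusrs | Format-Table AppPool, IdentityType, Identity, InIisIusrs -AutoSize
```

Because membership in IIS_IUSRS is what authorizes a caller to request Windows NT tokens from the authentication service, add only the application pool identities that actually host AD FS protected applications rather than widening the group.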

130

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service encountered an invalid configuration value for a parameter in the registry.
Registry value: %1

The authentication service will default to the minimum allowed value for this parameter until the parameter is changed to a valid value.

User Action
Increase the parameter value to a value that is within the valid range.

Additional Data
The data field contains the current (too-small) value of the parameter.

131

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows token-based applications could not contact the Federation Service during startup.
Federation Service URL: could not be obtained

The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service.

User Action
Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server.

Ensure that this Web server is joined to an Active Directory Domain Services domain.
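Events 100 and 131 share the same User Action: confirm that the Federation Service URL is reachable from this server, that the server is domain-joined, and (for event 100) that the authentication service is running. The PowerShell below is an added example, not code from the original page or from Microsoft, that performs those checks and lists the agent's most recent startup-related events (100 and 131 for failure, 101 and 622 for success). It assumes PowerShell 2.0 or later on the Web server; the Federation Service URL in the usage line is a placeholder to replace with the one configured in IIS Manager.

```powershell
# Added example (not from the original page): startup checks for the AD FS Web Agent
# for Windows NT token-based applications (events 100, 101, 131, 622).
# Assumes PowerShell 2.0+. The URL passed in is a placeholder, not a real endpoint.

function Test-AdfsWebAgentStartup {
    param(
        [Parameter(Mandatory = $true)][string]$FederationServiceUrl,
        [int]$TimeoutSeconds = 15
    )

    # 1. Can this Web server reach the Federation Service over HTTPS? WebRequest is
    #    used so that name resolution, TLS and certificate-chain validation all happen
    #    as they would for the agent. Do not disable certificate validation to make
    #    this pass; an unverifiable Federation Service certificate is a real failure.
    $reachable = $false
    $status = ""
    try {
        $req = [System.Net.WebRequest]::Create($FederationServiceUrl)
        $req.Method = "GET"
        $req.Timeout = $TimeoutSeconds * 1000
        $req.UseDefaultCredentials = $true   # answer an integrated-auth challenge with the caller's credentials
        $resp = $req.GetResponse()
        $status = [string]$resp.StatusCode
        $resp.Close()
        $reachable = $true
    } catch [System.Net.WebException] {
        $status = $_.Exception.Message       # DNS, TCP, TLS and HTTP 4xx/5xx failures land here
    } catch {
        $status = $_.Exception.Message
    }

    # 2. Is the server joined to an AD DS domain?
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # 3. Is the AD FS Web Agent Authentication Service running? Matched on display
    #    name because the short service name is not given on this page.
    $svc = Get-Service | Where-Object { $_.DisplayName -like "*Web Agent Authentication Service*" }
    $svcState = if ($svc) { [string]$svc.Status } else { "not installed" }

    # 4. Most recent startup-related agent events (100/131 failure, 101/622 success).
    $events = @()
    try {
        $events = Get-WinEvent -FilterHashtable @{ ProviderName = "Microsoft-Windows-ADFS"; Id = 100,101,131,622 } -MaxEvents 10 -ErrorAction Stop |
            Select-Object TimeCreated, Id, @{ n = "Message"; e = { ($_.Message -split "`n")[0] } }
    } catch { }   # Get-WinEvent throws when nothing matches; treat as empty

    New-Object PSObject -Property @{
        FederationServiceUrl       = $FederationServiceUrl
        FederationServiceReachable = $reachable
        HttpStatusOrError          = $status
        DomainJoined               = $domainJoined
        Domain                     = $cs.Domain
        AuthServiceState           = $svcState
        RecentEvents               = $events
    }
}

# Usage (placeholder URL): a False in FederationServiceReachable or DomainJoined, or an
# AuthServiceState other than Running, maps directly to one of the User Action items.
Test-AdfsWebAgentStartup -FederationServiceUrl "https://fs.example.com/adfs/fs/federationserverservice.asmx" | Format-List
```

If the URL check fails with a TLS or certificate error while a browser on the same server can open the page, the difference is usually the certificate store or proxy settings of the account the agent runs under, which is where to look next rather than at the Federation Service itself.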

622

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.
GUID: %1
Version: %2
Federation Service Uniform Resource Locator (URL): %3
Federation Service Uniform Resource Identifier (URI): %4
Federation Service Endpoint URL: %5
Federation Service Domain Account: %6
