Event ID 601 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 601
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: BadConfigurationCertificateHasNoPrivateKey
Message: During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The private key for the certificate that was identified by the thumbprint '%3' could not be accessed.
Section: %1
Parameter: %2
Thumbprint: %3

The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected.

This condition can occur when the certificate that is identified by the thumbprint is found in the Local Computer Personal store but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
(1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal store.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service identity has not been granted read access to the certificate's private key.

User Action
If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).

If the certificate was imported in a user context, import the certificate again directly into the Local Computer Personal store.

If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the Local Computer Personal store. If the key is not marked as exportable, request a new certificate using the "Machine Key" option.

If the Federation Service identity has not been granted read access to the certificate's private key, open the AD FS snap-in. In the console tree, right-click Federation Service, and then click Properties. Under Token Signing Certificate, click View. If the private key has incorrect access control configured, an option to reconfigure the key's access control will appear.

Resolve

Reimport a certificate that has a private key

If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate into the Local Computer Personal store of the federation server or federation server proxy again from a source that includes the private key, for example, a .pfx file.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To import a certificate to the Local Computer Personal store:

  1. On each federation server or federation server proxy where a certificate issue has occurred, click Start, click Run, type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. Select Certificates, click Add, click Computer account, and then click Next.
  4. Click Local computer (the computer this console is running on), click Finish, and then click OK.
  5. Double-click the Certificates (Local Computer) folder, double-click the Personal folder, right-click Certificates, point to All Tasks, and then click Import.
  6. On the Welcome to the Certificate Import Wizard page, click Next.
  7. On the File to Import page, type the path to the certificate file, and then click Next.
  8. On the Password page, type the password for the certificate file, and then click Next.
  9. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  10. On the Completing the Certificate Import Wizard page, verify that the information you provided is accurate, and then click Finish.
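The same import done from PowerShell instead of the Certificate Import Wizard, as an added example that is not part of this page or of AD FS itself. It relies only on the .NET X509 classes present on Windows Server 2008 (no PKI module cmdlets) and sets the MachineKeySet flag so the private key is written to the machine key container, which is the scripted equivalent of the "Machine Key" option. The function name, the .pfx path and the password prompt are placeholders supplied by the caller.

```powershell
# Added example: import a .pfx (certificate plus private key) directly into the
# Local Computer Personal store with a machine-scoped key.
# Uses only .NET types present on Windows Server 2008; no PKI module cmdlets.
function Import-PfxToLocalMachinePersonal {
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,                       # placeholder path supplied by the caller
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $ks = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    # MachineKeySet: the key goes to the machine key store, not the importing user's store
    # PersistKeySet: keep the key on disk after this process exits
    # Exportable:    allow the key to be re-exported later if the certificate must move
    $flags = $ks::MachineKeySet -bor $ks::PersistKeySet -bor $ks::Exportable

    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($PfxPath, $Password, $flags)
    if (-not $cert.HasPrivateKey) {
        # A .cer or .p7b carries no key and would reproduce event 601 after import.
        throw "The file '$PfxPath' does not contain a private key."
    }

    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'My', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }
    finally { $store.Close() }

    # Return the thumbprint so it can be compared with the '%3' value in the event message.
    return $cert.Thumbprint
}

# Usage (run from an elevated prompt on the federation server or federation server proxy):
# $pw = Read-Host -Prompt 'PFX password' -AsSecureString
# Import-PfxToLocalMachinePersonal -PfxPath 'C:\certs\EXAMPLE-token-signing.pfx' -Password $pw
```

Because the import runs under the machine key set regardless of which user account executes it, this avoids the user-context import described in cause (2). Compare the returned thumbprint with the one in the event; a mismatch means the Federation Service is still pointing at a different certificate in web.config.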

If the certificate was imported in a user context, import the certificate again directly into the Local Computer Personal store.

If the certificate was generated by a certificate request that did not specify the Machine Key option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and import it again directly into the Local Computer Personal store.

If the key is not marked as exportable, request a new certificate using the Machine Key option.

Check whether the Federation Service identity has been granted Read access to the certificate's private key.

To check whether the certificate's private key is configured for Read access:

  1. Open the Active Directory Federation Services snap-in.
  2. In the console tree, right-click Federation Service, and then click Properties.
  3. Under Token Signing Certificate, click View. If the private key has access control configured incorrectly, an option to reconfigure the key's access control appears.
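A scripted version of the checks behind this event, covering the four causes listed under Event Details and the read-access check above. This is an added example, not code from this page or from AD FS. It assumes CAPI/CSP keys (the default on Windows Server 2008), whose key containers are files under %ProgramData%\Microsoft\Crypto\RSA\MachineKeys, and that the ACL on that file is what determines whether the Federation Service identity can read the private key. The function names and the service account name are placeholders; run it elevated on the federation server.

```powershell
# Added example: diagnose why the private key for a thumbprint is not usable,
# mapping the outcome to the causes listed for event 601.
function Test-AdfsCertificatePrivateKey {
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,       # the '%3' value from the event
        [Parameter(Mandatory = $true)][string]$ServiceIdentity   # e.g. 'CONTOSO\svc-adfs' (placeholder)
    )
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces copied from the MMC UI
    $result = @{ Thumbprint = $tp; Found = $false; HasPrivateKey = $false; MachineKey = $false
                 KeyFile = $null; IdentityHasRead = $false; Diagnosis = '' }

    $store = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store `
                        -ArgumentList 'My', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try     { $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1 }
    finally { $store.Close() }

    if (-not $cert) {
        $result.Diagnosis = 'Certificate is not in Local Computer\Personal (check the thumbprint, or look in the user store).'
        return $result
    }
    $result.Found = $true
    $result.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) {
        $result.Diagnosis = 'No private key is linked: imported from .cer/.p7b, or the key was imported in a user context (causes 1 and 2).'
        return $result
    }

    # Reading PrivateKey opens the key container. An elevated administrator normally
    # succeeds, so a failure here points at a missing or broken container, not an ACL.
    try   { $info = $cert.PrivateKey.CspKeyContainerInfo }
    catch { $result.Diagnosis = "Key container cannot be opened: $($_.Exception.Message)"; return $result }

    $result.MachineKey = $info.MachineKeyStore
    if (-not $info.MachineKeyStore) {
        $result.Diagnosis = 'Key is in a user key store; the request did not use the Machine Key option (cause 3).'
        return $result
    }

    $result.KeyFile = Join-Path $env:ProgramData ('Microsoft\Crypto\RSA\MachineKeys\' + $info.UniqueKeyContainerName)
    $acl  = Get-Acl -Path $result.KeyFile
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $rule = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ieq $ServiceIdentity -and
        (($_.FileSystemRights -band $read) -eq $read)
    }
    $result.IdentityHasRead = [bool]$rule
    $result.Diagnosis = if ($rule) { 'OK: the identity has Read on the private key file.' }
                        else { "No direct Allow/Read entry for $ServiceIdentity on the key file (cause 4); access inherited through group membership is not evaluated here." }
    return $result
}

# Grant Read on the key file with Set-Acl. This is an alternative to the
# reconfigure option offered by the AD FS snap-in, not the snap-in's own method.
function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory = $true)][string]$KeyFile,
        [Parameter(Mandatory = $true)][string]$ServiceIdentity
    )
    $acl  = Get-Acl -Path $KeyFile
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $ServiceIdentity, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $KeyFile -AclObject $acl
}

# Usage (elevated, on the federation server):
# $r = Test-AdfsCertificatePrivateKey -Thumbprint 'PLACEHOLDER-THUMBPRINT' -ServiceIdentity 'CONTOSO\svc-adfs'
# $r.Diagnosis
# if ($r.Found -and $r.MachineKey -and -not $r.IdentityHasRead) {
#     Grant-PrivateKeyRead -KeyFile $r.KeyFile -ServiceIdentity 'CONTOSO\svc-adfs'
# }
```

The ACL check only matches a direct entry for the account name you pass in; if the service account gets its rights through a group, the script reports cause (4) even though access may be fine, so confirm with the snap-in's View option before changing anything. After a grant, restart the Federation Service so it re-reads web.config and reopens the key.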

Verify

Verify that you can reach the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the protected resource is returned.
