Event ID 129 — Windows NT Token-Based Application Configuration

Applies To: Windows Server 2008

Web Agent for Windows NT token-based application configuration contains information about the AD FS Web Agent Authentication Service, creation of Windows NT tokens, and Windows token-based agent authentication requests.

Event Details

Product: Windows Operating System
ID: 129
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: SSO_RPC_CALLER_NOT_IN_IIS_WPG
Message: The AD FS Web Agent Authentication Service received a remote procedure call (RPC) from a user who is not in the IIS_IUSRS group. This request will be denied.

User Action
If this error results in failed AD FS authentications, ensure that the failing Internet Information Services (IIS) application pool's identity is a member of the IIS_IUSRS group.

Resolve

Configure the IIS application pool's identity to be a member of the IIS_IUSRS group

If this error results in failed Active Directory Federation Services (AD FS) authentications, ensure that the failing Internet Information Services (IIS) application pool's identity is a member of the IIS_IUSRS group. This group is located in Computer Management\System Tools\Local Users and Groups\Groups.
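The same membership check can be done from the command line. The script below is an added example, not part of the original article. It assumes an elevated PowerShell session on the web server and appcmd.exe in its default inetsrv location; the account name in the final commented line is a placeholder.

```powershell
# Added example: report IIS application pools whose custom identity is not
# listed in the local IIS_IUSRS group. Run in an elevated PowerShell session.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'   # default IIS 7 path (assumed)

# Short names of the current IIS_IUSRS members, read through the WinNT ADSI provider.
$group   = [ADSI]"WinNT://$env:COMPUTERNAME/IIS_IUSRS,group"
$members = @($group.psbase.Invoke('Members') | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
})

foreach ($pool in (& $appcmd list apppool /text:name)) {
    $type = & $appcmd list apppool $pool /text:processModel.identityType
    $user = & $appcmd list apppool $pool /text:processModel.userName

    if ($type -ne 'SpecificUser') {
        # Built-in identity (for example NetworkService): listed for manual review.
        "{0}: built-in identity {1}" -f $pool, $type
        continue
    }

    # Compare on the account name only: strip a DOMAIN\ prefix or an @domain suffix.
    # A local and a domain account that share a name will both match, so confirm
    # any hit in Local Users and Groups.
    $short = $user.Split('\')[-1] -replace '@.*$', ''
    if ($members -contains $short) {
        "{0}: {1} is in IIS_IUSRS" -f $pool, $user
    } else {
        "{0}: {1} is NOT in IIS_IUSRS" -f $pool, $user
    }
}

# To add a missing identity (placeholder account name; use the pool's own identity):
# net localgroup IIS_IUSRS "CONTOSO\svc-adfsapp" /add
```

A group change reaches the worker process only when it obtains a new token, so recycle the affected application pool after adding the identity.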

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If you cannot access the application successfully, verify that the Windows token-based agent is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Windows token-based agent is configured with correct values:

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName (local computer).
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
    • Cookie path
    • Cookie domain
    • Return URL
