Event ID 107 — Windows NT Token-Based Application Configuration

Applies To: Windows Server 2008 R2

Web Agent for Windows NT token-based application configuration contains information about the AD FS Web Agent Authentication Service, creation of Windows NT tokens, and Windows token-based agent authentication requests.

Event Details

Product: Windows Operating System
ID: 107
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: WSEXT_NT_TOKEN_GEN_FAILURE
Message: The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension was unable to obtain a Windows NT token from the authentication service.

An anonymous token will be generated for this request.

User Action
Ensure that this application is configured as a Windows NT token-based application in the Federation Service trust policy.

If the user comes from an account partner where Windows Trust may be applicable, ensure that Windows Trust is enabled for the account partner and that the account partner has enabled Windows Trust for this resource partner.

If you are using shadow accounts:
- Ensure that a shadow account exists for this user.
- Ensure that user principal name (UPN) claims or e-mail claims are enabled for this application.
- Ensure that UPN claims or e-mail claims are being produced for this user by the account store or the account partner.

Additional Data
Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.

Resolve

Check the Windows trust setting and other trust policy settings

Ensure that this application is configured as a Windows NT token-based application in the Federation Service trust policy. If the user comes from an account partner where a Windows trust is being used, ensure that the Windows trust check box is selected for the account partner and that the account partner has selected the Windows trust check box for this resource partner. If you are using resource accounts, ensure that:

  • A resource account exists for this user.
  • User principal name (UPN) claims or e-mail claims are enabled for this application.
  • UPN claims or e-mail claims are being produced for this user by the account store or the account partner.

Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.
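One way to carry out the security-log check described above, as an added PowerShell example (not part of the original article): it lists event 107 records from the last 24 hours and pairs each with Security-log audit failures recorded within two minutes of it. The 24-hour range, the two-minute window, the function name Get-AuditFailuresNear, and the use of the event Source as a Get-WinEvent provider name are assumptions.

```powershell
# Added example: pair AD FS Web Agent event 107 with nearby Security-log audit failures.
# Run from an elevated prompt; reading the Security log requires administrative rights.

$AuditFailure = 4503599627370496   # standard "Audit Failure" keyword (0x10000000000000)

function Get-AuditFailuresNear {
    # Hypothetical helper: for each agent event, return the audit failures
    # whose timestamp falls within +/- WindowSeconds of it.
    param(
        [Parameter(Mandatory = $true)] [object[]] $AgentEvents,
        [object[]] $AuditEvents = @(),
        [int] $WindowSeconds = 120            # assumed correlation window
    )
    foreach ($agent in $AgentEvents) {
        $from = $agent.TimeCreated.AddSeconds(-$WindowSeconds)
        $to   = $agent.TimeCreated.AddSeconds($WindowSeconds)
        $near = @($AuditEvents | Where-Object {
            $_.TimeCreated -ge $from -and $_.TimeCreated -le $to
        })
        New-Object PSObject -Property @{
            TokenFailureTime = $agent.TimeCreated
            AuditFailureIds  = ($near | ForEach-Object { $_.Id }) -join ','
            AuditFailures    = $near
        }
    }
}

$since = (Get-Date).AddHours(-24)             # assumed look-back period

# Source name and event ID are taken from the Event Details on this page.
$agentEvents = @(Get-WinEvent -FilterHashtable @{
    ProviderName = 'Microsoft-Windows-ADFS'; Id = 107; StartTime = $since
} -ErrorAction SilentlyContinue)

$auditEvents = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Keywords = $AuditFailure; StartTime = $since
} -ErrorAction SilentlyContinue)

if ($agentEvents.Count -eq 0) {
    'No event 107 records found in the selected period.'
} elseif ($auditEvents.Count -eq 0) {
    'Event 107 found, but no audit failures are logged; failure auditing may not be enabled on this Web server.'
} else {
    Get-AuditFailuresNear -AgentEvents $agentEvents -AuditEvents $auditEvents |
        Select-Object TokenFailureTime, AuditFailureIds
}
```

The AuditFailures property of each result holds the full Security-log records, so the account name and failure reason can be read from their Message text.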

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If you cannot access the application successfully, verify that the Windows token-based agent is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Windows token-based agent is configured with correct values:

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName (local computer).
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
    • Cookie path
    • Cookie domain
    • Return URL
