Event ID 665 — Federation Service Proxy Communication

Applies To: Windows Server 2008 R2

Successful communication between federation servers and federation server proxies depends largely on whether the federation server proxy's client authentication certificate is valid (not expired, chaining to a root that the Federation Service trusts) and is listed in the Federation Service's trust policy.

Event Details

Product: Windows Operating System
ID: 665
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: ProxyWebMethodAccessDeniedInvalidCert
Message: The Federation Service failed a privileged Web method call because the caller's client authentication certificate was not valid.
Certificate thumbprint: %1

User Action
If this certificate thumbprint corresponds to a valid Federation Service Proxy, ensure that the certificate is valid (for example, is not expired) and that it chains to a trusted root in the Federation Service.

Resolve

Validate and trust federation server proxy client certificate

If this federation server proxy client certificate thumbprint corresponds to a valid federation server proxy certificate that is listed in the Federation Service, ensure that the certificate is valid (for example, that it is not expired) and that it chains to a trusted root in the Federation Service.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check that the thumbprint of the federation server proxy certificate matches the thumbprint for one of the federation server proxy certificates in the Federation Service:

  1. On a federation server proxy, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Right-click Federation Service Proxy, and then click Properties.
  3. On the General tab, click View, and then record the thumbprint that is associated with the Federation Service Proxy client authentication certificate.
  4. Check that the federation server proxy client certificate thumbprint that you recorded matches the thumbprint that is listed in the Federation Service. For information about how to view federation server proxy client certificates that are listed in the Federation Service, see the following procedure.

This federation server proxy certificate should be present in the FSP certificates section in the properties of the trust policy. If it is not present or if it is not valid, add a valid federation server proxy client certificate to the Federation Service.

To add a valid federation server proxy client certificate to the Federation Service:

  1. On a federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, right-click Trust Policy, and then click Properties.
  3. On the FSP Certificates tab, check that the Federation Service Proxy certificate is present in the list. If it is not present, add the appropriate Federation Service Proxy certificate to this list by clicking Add.

For more information about federation server proxy certificates, see Certificates used by federation server proxies (https://go.microsoft.com/fwlink/?LinkId=64767).
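The two procedures above can be checked from the command line as well. The following PowerShell script is an added example, not code from the original page or from AD FS itself: run in an elevated session on the federation server, it reads the thumbprint (%1) from the most recent event ID 665, locates that certificate in the local certificate stores (or loads an exported copy from $CerPath, a hypothetical path you set), and reports whether the certificate is time-valid, carries the Client Authentication enhanced key usage, and chains to a trusted root on this computer. The exported-file path and the store search are assumptions; on the federation server the proxy certificate normally lives only in the trust policy, so exporting it from the proxy is often the realistic input.

```powershell
# Added example; not part of the original page or of AD FS.
# Run in an elevated PowerShell session on the federation server (Windows Server 2008 R2, PowerShell 2.0).
# Assumption: $CerPath is a hypothetical export (.cer) of the proxy client certificate.
# Leave it empty to search the local certificate stores for the thumbprint from event 665 instead.
$CerPath = ''

function Get-RejectedProxyThumbprint {
    # Thumbprint (%1) from the most recent event 665 in the Application log; $null if there is none.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-ADFS'; Id = 665 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev -and $ev.Message -match 'thumbprint:\s*([0-9A-Fa-f ]+)') {
        return ($Matches[1] -replace ' ', '').ToUpper()
    }
    return $null
}

function Get-ProxyCertificate {
    param([string]$Thumbprint, [string]$Path)
    if ($Path) {
        # Exported copy of the proxy certificate (DER or Base64 .cer)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    }
    # Cert:\ exposes every LocalMachine and CurrentUser store; the certificate may legitimately be absent here.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
}

function Test-ProxyCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'
    $now = Get-Date

    # If an EKU extension is present it must include Client Authentication; no EKU extension means any purpose.
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = (-not $eku) -or (@($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid }).Count -gt 0)

    # Build the chain for the Client Authentication application policy with online revocation checking,
    # so an expired, revoked or untrusted-root certificate shows up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
    $chainOk = $chain.Build($Cert)
    $root = if ($chain.ChainElements.Count -gt 0) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject } else { '' }

    New-Object PSObject -Property @{
        Subject             = $Cert.Subject
        Thumbprint          = $Cert.Thumbprint
        NotAfter            = $Cert.NotAfter
        TimeValid           = ($now -ge $Cert.NotBefore -and $now -le $Cert.NotAfter)
        ClientAuthEku       = $hasClientAuth
        ChainsToTrustedRoot = $chainOk
        ChainRoot           = $root
        ChainStatus         = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

$thumb = Get-RejectedProxyThumbprint
if (-not $thumb -and -not $CerPath) { throw 'No event 665 found in the Application log and no exported certificate supplied.' }
$cert = Get-ProxyCertificate -Thumbprint $thumb -Path $CerPath
if (-not $cert) { throw "Certificate $thumb is not in any local store; export it from the proxy and set `$CerPath." }

$report = Test-ProxyCertificate -Cert $cert
$report | Format-List Subject, Thumbprint, NotAfter, TimeValid, ClientAuthEku, ChainsToTrustedRoot, ChainRoot, ChainStatus
if ($thumb -and $report.Thumbprint -ne $thumb) {
    Write-Warning "Loaded certificate ($($report.Thumbprint)) does not match the thumbprint in event 665 ($thumb)."
}
```

A certificate that reports TimeValid and ChainsToTrustedRoot as True but still produces event 665 is usually one whose thumbprint is simply not on the FSP Certificates tab of the trust policy; a False ChainsToTrustedRoot with a status such as UntrustedRoot or RevocationStatusUnknown points at the federation server's root store or its CRL reachability rather than at the trust policy.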

Verify

A specific event (ID 674) should be generated on the federation server proxy computer if the federation server proxy is able to communicate successfully with the Federation Service.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the federation server proxy can communicate with the Federation Service:

  1. Log on to a client computer with Internet access.

  2. Open a browser window, and then type the Uniform Resource Locator (URL) for the Federation Service endpoint, along with the path to the clientlogon.aspx page that is stored on the federation server proxy.

  3. Press ENTER.

    At this point your browser should display the error message "Server Error in '/adfs' Application." This step is necessary to generate event message 674 to verify that the clientlogon.aspx page is being loaded properly by Internet Information Services (IIS).

  4. Log on to the federation server proxy.

  5. Click Start, point to Administrative Tools, and then click Event Viewer.

  6. In the details pane, double-click Application.

  7. In the Event column, look for event ID 674.

If the federation server proxy is configured properly, you see a new event in the Application log of Event Viewer, with the event ID 674. This event verifies that the federation server proxy was able to communicate successfully with the Federation Service.
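The same verification can be scripted on the federation server proxy. This is an added example, not from the original page or from AD FS: it issues the clientlogon.aspx request itself, treats the expected "Server Error in '/adfs' Application" response as the success case, and then queries the Application log for event ID 674 written since the request. The URL (a Federation Service endpoint plus the clientlogon.aspx path) is an assumption; substitute your own.

```powershell
# Added example; not part of the original page or of AD FS.
# Run in an elevated PowerShell session on the federation server proxy.
# Assumption: $Url is a hypothetical Federation Service endpoint plus the clientlogon.aspx path.
$Url   = 'https://fs.contoso.com/adfs/ls/clientlogon.aspx'
$Since = Get-Date

function Invoke-ClientLogonRequest {
    param([string]$Url)
    # The expected result is the ASP.NET "Server Error in '/adfs' Application" page, which is delivered
    # as an HTTP error status, so a WebException with a response is the success path here.
    $client = New-Object System.Net.WebClient
    try {
        [void]$client.DownloadString($Url)
        return 'HTTP 200 (content returned; this is not the expected error page)'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) { return "HTTP $([int]$resp.StatusCode) $($resp.StatusDescription)" }
        # No response at all: name resolution, firewall or SSL trust problems end up here.
        return "Request failed before a response: $($_.Exception.Message)"
    }
}

function Get-AdfsEvent {
    param([int]$Id, [datetime]$StartTime)
    # Get-WinEvent reports an error when nothing matches; that is a legitimate result here, so suppress it.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-ADFS'; Id = $Id; StartTime = $StartTime } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

"Request result: $(Invoke-ClientLogonRequest -Url $Url)"
Start-Sleep -Seconds 5   # allow the proxy a moment to write the event

$ok = @(Get-AdfsEvent -Id 674 -StartTime $Since)
if ($ok.Count -gt 0) {
    'Event 674 logged: the federation server proxy communicated with the Federation Service.'
    $ok | Format-List
} else {
    'No event 674 since the request: the proxy certificate is still being rejected, or the request never reached the proxy.'
    'On the federation server, the same query with -Id 665 returns the rejected thumbprint:'
    '    Get-AdfsEvent -Id 665 -StartTime $Since | Format-List'
}
```

If the request fails before a response, fix that first (the client could not reach the proxy at all); only an HTTP error page from the proxy with no matching event 674 indicates that the proxy's call to the Federation Service is still being refused.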
