Event ID 684 — Federation Service Communication

  • Article

Applies To: Windows Server 2008 R2

Federation Service communication is communication between federation servers and Web servers that host the claims-aware agent. The Web server should be updated from the Federation Service. Federation Service communication fails when the Active Directory Federation Services (AD FS) Web Agent cannot be updated.

Event Details

Product: Windows Operating System
ID: 684
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: GettingFsTrustInfoTrustFailure
Message: The AD FS Web Agent was unable to update trust information from the Federation Service. The Federation Service Secure Sockets Layer (SSL) server certificate could not be validated.
Federation Service URL: %1

User Action
Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server.

Verify that the SSL certificate is neither expired nor revoked.

Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

Resolve

Check the federation server's SSL server authentication certificate

Determine whether the server authentication certificate on all federation servers in the farm chains to a trusted root certificate and whether it has the correct subject name.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To determine whether a certificate chains to a trusted root:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click ComputerName.
  3. In the center pane, double-click Server Certificates.
  4. Double-click the server authentication certificate.
  5. In the Certificate dialog box, click the Certification Path tab.
  6. Read the description in the Certificate status text box:
    • If the description indicates that the certificate is trusted, the certificate is chaining to a trusted root.
    • If the description indicates that this certificate is not trusted, the server authentication certificate is not chaining to a trusted root. In this case, you should replace the certificate with a new server authentication certificate that is trusted.

To determine whether the certificate subject name matches the Federation Service URL:

  1. On a federation server, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click ComputerName.
  3. In the center pane, double-click Server Certificates.
  4. Double-click the server authentication certificate.
  5. In the Certificate dialog box, click the Details tab.
  6. In the list box, click Subject in the list, and record this value.
  7. Verify that the host name in the Subject value matches the host name portion of a valid Federation Service URL. To do this:
    1. On the federation server, record the host name portion of the Subject value in the certificate, and enter it into the address bar of a Web browser. For example, if the Subject value contains fs1.treyresearch.net, record only the fs1 portion of the value, and then move to the next step.
    2. In the address bar, type https:// and the host name portion of the Subject value, type /adfs/fs/federationserverservice.asmx at the end of the value, and then press ENTER. For example, if the Subject value of the certificate is fs1.treyresearch.net, the URL in the address bar would look like https://fs1/adfs/fs/federationserverservice.asmx.
    3. If a Web page with the title FederationServerService appears, you have determined that the certificate has the correct Subject name value.

Verify

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the AD FS-enabled Web server can access the Federation Service URL specified in the web.config file:

  1. On the AD FS-enabled Web server that is hosting the claims-aware agent, locate the web.config file for your claims-aware application, and then open it with Notepad. This file should be located in \inetpub\wwwroot\virtualdirectory, where your claims-aware application files are stored.
  2. Check that the value between the fs tags is a valid Federation Service URL. To do this:
    1. On the AD FS-enabled Web server, copy the value between the fs tags in the web.config file, paste it into the address bar of a Web browser, and then hit ENTER. For example, a valid Federation Service URL format would be https://fs1.treyresearch.net/adfs/fs/federationserverservice.asmx.
    2. If a Web page with the title FederationServerService is displayed, then you have successfully verified that the Web server can communicate with a resource federation server and that the Federation Service URL is valid.

Federation Service Communication

Active Directory Federation Services