Event ID 698 — Federation Service Authentication Web Pages

Updated: December 3, 2008

Applies To: Windows Server 2008 R2


The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Event Details

Product: Windows Operating System
ID: 698
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: ClientCertificateMissing
Message: The ClientCredentialInfo static method CreateCertificateCredential was called in a context where no client certificate was available.

User Action
Ensure that only anonymous access is enabled for the ls/auth/sslclient directory and that "Require client certificates" is selected in the Secure Communications dialog box.

Ensure that CreateCertificateCredential is called only from the authentication Web form in the ls/auth/sslclient directory.

Resolve

Enable only anonymous access

Using the Internet Information Services (IIS) Manager snap-in, ensure that only Anonymous Authentication is enabled for the ls/auth/sslclient directory and that the Client certificates setting is set to Require.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To enable only Anonymous Authentication and ensure that Client certificates is set to Require:

  1. On the federation server, open the Internet Information Services (IIS) Manager snap-in.
  2. Click ComputerName\Sites\Default Web site\adfs\ls\auth\sslclient, and, in the center pane, double-click Authentication.
  3. Ensure that all statuses in the center pane are set to Disabled except for Anonymous Authentication, which should be set to Enabled.
  4. Click ComputerName\Sites\Default Web site\adfs\ls\auth\sslclient, and, in the center pane, double-click SSL Settings.
  5. Ensure that Client certificates is set to Require.

To ensure that CreateCertificateCredential is called only from the authentication Web form in the ls/auth/sslclient directory:

  1. Using Notepad on the federation server, open the file clientlogon.aspx under %systemdrive%\Windows\SystemData\ADFS\sts\ls\auth\sslclient.
  2. Ensure that the following line of code is present in the file:

    HttpClientCertificate cert = HttpContext.Current.Request.ClientCertificate;
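The two procedures above are both point-and-click checks. The script below is an added example, not part of this page or of AD FS itself, that performs the same verification from an elevated PowerShell prompt on the federation server using the IIS WebAdministration module: it reads the effective authentication and SSL settings for the adfs/ls/auth/sslclient location and confirms that clientlogon.aspx still contains the ClientCertificate line. The site name, the location path and the file path are taken from the page; the expected sslFlags value (Ssl plus SslRequireCert) is an assumption about how "Client certificates: Require" is stored in applicationHost.config, and the script only reports, it changes nothing.

```powershell
# Added example: verify the Event 698 prerequisites for the sslclient directory.
# Assumes the WebAdministration module (IIS 7.x) and the paths named on this page.
Import-Module WebAdministration -ErrorAction Stop

$siteName = 'Default Web Site'
$location = "$siteName/adfs/ls/auth/sslclient"   # IIS configuration location
$aspxPath = Join-Path $env:SystemDrive 'Windows\SystemData\ADFS\sts\ls\auth\sslclient\clientlogon.aspx'

# Get-WebConfigurationProperty returns a ConfigurationAttribute for scalar
# properties; unwrap it so comparisons below work on the plain value.
function Get-IisProperty {
    param([string]$Filter, [string]$Name)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $location -Filter $Filter -Name $Name
    if ($null -ne $raw.Value) { return $raw.Value }
    return $raw
}

$failures = @()

# 1. Anonymous Authentication must be the only enabled authentication method.
$authBase = 'system.webServer/security/authentication'
$methods = @{
    anonymousAuthentication = $true     # expected Enabled
    basicAuthentication     = $false    # expected Disabled
    digestAuthentication    = $false
    windowsAuthentication   = $false
}
foreach ($m in $methods.Keys) {
    $enabled = [bool](Get-IisProperty -Filter "$authBase/$m" -Name 'enabled')
    $expected = $methods[$m]
    $state = if ($enabled) { 'Enabled' } else { 'Disabled' }
    Write-Host ("{0,-24} {1}" -f $m, $state)
    if ($enabled -ne $expected) {
        $failures += "$m is $state; expected $(if ($expected) {'Enabled'} else {'Disabled'})"
    }
}

# 2. SSL Settings: Client certificates must be set to Require.
#    Assumption: IIS stores this as the sslFlags value "Ssl, SslRequireCert".
$sslFlags = [string](Get-IisProperty -Filter 'system.webServer/security/access' -Name 'sslFlags')
$flagSet  = $sslFlags -split '\s*,\s*' | Where-Object { $_ }
Write-Host ("{0,-24} {1}" -f 'sslFlags', $sslFlags)
if ($flagSet -notcontains 'SslRequireCert') {
    $failures += "Client certificates is not set to Require (sslFlags = '$sslFlags')"
}
if ($flagSet -notcontains 'Ssl') {
    $failures += "Require SSL is not enabled for the directory (sslFlags = '$sslFlags')"
}

# 3. clientlogon.aspx must still read the client certificate from the request.
if (-not (Test-Path -LiteralPath $aspxPath)) {
    $failures += "clientlogon.aspx not found at $aspxPath"
} else {
    $needle = 'HttpClientCertificate cert = HttpContext.Current.Request.ClientCertificate'
    $hit = Select-String -LiteralPath $aspxPath -SimpleMatch -Pattern $needle
    if ($hit) {
        Write-Host ("{0,-24} line {1}" -f 'clientlogon.aspx', $hit.LineNumber)
    } else {
        $failures += "Expected ClientCertificate line is missing from $aspxPath"
    }
}

# Summary: exit non-zero so the check can be used from a scheduled task or RMM job.
if ($failures.Count -eq 0) {
    Write-Host 'All Event 698 prerequisites are satisfied.'
    exit 0
}
Write-Warning 'One or more Event 698 prerequisites are not met:'
$failures | ForEach-Object { Write-Warning "  $_" }
exit 1
```

Run it after the IIS Manager steps (or before, to see which one is missing). A non-zero exit code with the listed failures points at the exact setting to correct; if every check passes and Event 698 keeps appearing, the remaining cause named in the message is a caller invoking CreateCertificateCredential from a page outside ls/auth/sslclient, which this script does not detect.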

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Related Management Information

Federation Service Authentication Web Pages

Active Directory Federation Services
