Event ID 701 — Federation Service Authentication Web Pages

Updated: December 3, 2008

Applies To: Windows Server 2008 R2

The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Event Details

Product: Windows Operating System
ID: 701
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: NoAccountStoresForCert
Message: The LSAuthenticationObject method LogonClient was called with certificate credentials, but only Active Directory Lightweight Directory Services (AD LDS) account stores are configured at the Federation Service. AD LDS account stores do not support certificate credentials.

User Action
If this Federation Service is intended to service certificate authentication logons, configure the Active Directory Domain Services account store.

If this Federation Service is not intended to service certificate authentication logons, consider replacing ls/auth/sslclient/clientlogon.aspx with a static page that indicates that certificate authentication is not supported.

Resolve

Configure the Active Directory Domain Services account store

If this Federation Service is intended to service integrated authentication logons or certificate authentication logons to Active Directory Domain Services (AD DS), use the following procedure to configure the AD DS account store.

If this Federation Service is not intended to service integrated authentication logons or certificate authentication logons to AD DS, consider replacing %systemdrive%\Windows\ADFS\sts\ls\auth\integrated\clientlogon.aspx with a static page indicating that integrated authentication or certificate authentication is not supported.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To add an AD DS account store to the Federation Service:

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, right-click Account Stores, point to New, and then click Account Store.
  3. On the Welcome to the Add Account Store Wizard page, click Next.
  4. On the Account Store Type page, ensure that Active Directory Domain Services (AD DS) is selected, and then click Next.
  5. On the Enable this Account Store page, ensure that the Enable this account store check box is selected, and then click Next.
  6. On the Completing the Add Account Store Wizard page, click Finish.

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Related Management Information

Federation Service Authentication Web Pages

Active Directory Federation Services
