Troubleshooting token acceptance problems with AD FS 2.0

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems with token acceptance in Active Directory Federation Services (AD FS) 2.0.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Each entry below gives the event or symptom, followed by its possible cause and the resolution.

Event ID 104
The artifact resolution service is not running. The service must be running to perform token replay detection.

Possible cause: The artifact resolution service might not be configured correctly.

Resolution: Make sure that the artifact resolution service is configured correctly. The artifact resolution service is required for token replay detection and the Security Assertion Markup Language (SAML) protocol. You can enable or disable the artifact resolution service by enabling or disabling the artifact resolution endpoint (located at /adfs/services/trust/artifactresolution) by using the AD FS 2.0 snap-in.

If you do not require token replay detection, you can instead disable it by using the Set-ADFSProperties cmdlet with the PreventTokenReplays parameter (Windows PowerShell cmdlets for AD FS 2.0).
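The following script is an added example for this entry; it is not part of the original page or of the AD FS 2.0 product documentation. It reads the two settings that Event ID 104 depends on (the artifact resolution endpoint state and the PreventTokenReplays property), reports them, and only changes anything when run with -Repair. It assumes the AD FS 2.0 snap-in (Microsoft.Adfs.PowerShell) is installed on the federation server and that the AD FS 2.0 service is named adfssrv.

```powershell
# Added example (not from the original page): check the settings behind Event ID 104.
# Assumes the AD FS 2.0 snap-in and the adfssrv service name.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$artifactPath = '/adfs/services/trust/artifactresolution'

function Test-ArtifactResolutionConfig {
    param([switch]$Repair)   # without -Repair the function only reports

    $props    = Get-ADFSProperties
    $endpoint = Get-ADFSEndpoint -AddressPath $artifactPath

    "PreventTokenReplays           : $($props.PreventTokenReplays)"
    "ReplayCacheExpirationInterval : $($props.ReplayCacheExpirationInterval) minutes"
    "Artifact resolution endpoint  : enabled=$($endpoint.Enabled)"

    if ($props.PreventTokenReplays -and -not $endpoint.Enabled) {
        Write-Warning 'Replay detection is on but the artifact resolution endpoint is disabled (Event ID 104).'
        if ($Repair) {
            # Preferred fix: enable the endpoint; it is also required for the SAML artifact binding.
            Enable-ADFSEndpoint -TargetAddressPath $artifactPath
            # Endpoint changes take effect after the AD FS 2.0 Windows Service restarts.
            Restart-Service adfssrv
        } else {
            'Run again with -Repair to enable the endpoint, or, if replay detection is not needed:'
            '  Set-ADFSProperties -PreventTokenReplays $false'
        }
    }
}

Test-ArtifactResolutionConfig
```

Run the script without parameters first; it prints the current state and the two possible fixes. Disabling replay detection is the second choice because it removes the protection, whereas enabling the endpoint keeps it.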

Event ID 147
A token was received from a claims provider, but the token could not be validated.

Possible cause: The certificate thumbprint does not identify any known claims provider trust.

Resolution: First, verify that the certificate (identified by its thumbprint value as specified in the event data) is the expected signing certificate for the claims provider. If the certificate that is identified in this event is the correct one to use, verify that it is configured on the Certificates tab of the claims provider trust properties by using the AD FS 2.0 snap-in.

Event ID 262
The artifact resolution request failed.

Possible cause: For more information about the cause of this event, see the additional details that are specified within the event.

Resolution: For more information about how to resolve this issue, see the additional details that are provided with this event and other events that are related to this error.

For more information about how to determine what other events are related to this event in the AD FS 2.0 event log, see the section "Correlating events and traces using Activity ID and Caller ID" in the blog post Diagnostics in AD FS 2.0 (https://go.microsoft.com/fwlink/?LinkID=188910).

Event ID 341
The NotBefore attribute for the token has a value that is set to a future time.

Possible cause: The system time on the computer on which the Federation Service is running is not synchronized with the computer on which the request originated.

Resolution: Verify that the system clock is synchronized.

Event ID 342
Token validation failed.

Possible cause: For more information about the cause of this event, see the additional details that are specified within the event.

Resolution: Some examples of possible causes for this event include the following:

  • A user authenticated using Windows-integrated authentication with a non-domain account.

  • The InResponseTo attribute was incorrect for a SAML message.

See the inner exception in the event for details that can help subsequent token validations succeed.

For more information about the SAML 2.0 protocol, including an explanation of the InResponseTo attribute, see the SAML 2.0 Technical Overview (https://go.microsoft.com/fwlink/?LinkID=189505).

Event ID 366
A token was received from the claims provider, but the token could not be validated.

Possible cause: The claims provider trust is not enabled.

Resolution: If this claims provider trust should be enabled, enable it by using the AD FS 2.0 snap-in or Windows PowerShell cmdlets for AD FS 2.0.

Event ID 367
The audience restriction was not valid.

Possible cause: The specified audience identifier is not present in the acceptable identifiers list of this Federation Service.

Resolution: See the exception details for the audience identifier that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell cmdlets for AD FS 2.0. You can configure the acceptable identifiers list by using the AcceptableIdentifier parameter on the Set-ADFSProperties cmdlet.

The audience identifier is used to verify whether the token was sent to this Federation Service. If the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list might introduce a security vulnerability.
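The following function is an added example for this entry, not code from the original page. It applies the rule stated above before touching the acceptable identifiers list: the audience from the exception details is added only if it names this Federation Service (same host as the service, or equal to the service identifier); otherwise it refuses. It assumes the AD FS 2.0 snap-in and that the object returned by Get-ADFSProperties exposes HostName, Identifier and AcceptableIdentifiers; the sample audience URL is a constructed value.

```powershell
# Added example (not from the original page): add an audience identifier reported in
# Event ID 367 only when it identifies this Federation Service. Assumes the AD FS 2.0
# snap-in and the HostName / Identifier / AcceptableIdentifiers properties.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Add-AcceptableAudience {
    param([Parameter(Mandatory=$true)][string]$Audience)

    $props = Get-ADFSProperties
    $uri   = $null
    if (-not [System.Uri]::TryCreate($Audience, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Audience '$Audience' is not an absolute URI."
    }

    # Already on the list: nothing to do.
    $current = @($props.AcceptableIdentifiers | ForEach-Object { $_.ToString() })
    if ($current -contains $uri.ToString()) {
        "Already accepted: $uri"
        return $false
    }

    # Safety check from the table: the audience must identify THIS Federation Service.
    # Accept an http(s) URL whose host is the federation service host name, or a value
    # equal to the service identifier. Anything else is a token meant for someone else.
    $serviceHost = $props.HostName
    $identifier  = $props.Identifier.ToString()
    $identifiesUs = (
        ($uri.Scheme -match '^https?$' -and $uri.Host -eq $serviceHost) -or
        ($uri.ToString() -eq $identifier)
    )
    if (-not $identifiesUs) {
        Write-Warning "Refusing to add '$uri': it does not identify $serviceHost ($identifier). Accepting it would let tokens issued for another audience be used here."
        return $false
    }

    # Set-ADFSProperties replaces the whole list, so carry the existing entries along.
    Set-ADFSProperties -AcceptableIdentifier ($props.AcceptableIdentifiers + $uri)
    "Added $uri to the acceptable identifiers list."
    return $true
}

# Constructed sample value; use the audience shown in the exception details of the event.
Add-AcceptableAudience -Audience 'https://fs.example.com/adfs/services/trust'
```

The host comparison is deliberately strict: an audience such as https://fs.example.com.attacker.example/... has a different host and is rejected, which is the case the warning in the table is about.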

Event ID 370
Incoming Time-Triggered Protocol (TTP) response is not valid. Processing response failed with the following exception.

Possible cause: The partner federation provider is not configured correctly to send a valid TTP response.

Resolution: Ensure that the partner federation provider is configured correctly to send a valid TTP response.

Also, ensure that senders or users enable cookies in their browser settings, and limit or reduce the token size for the response by eliminating claims that are not required.

Event ID 371
Cannot find certificate to validate the message/token signature that was obtained from the claims provider.

Possible cause: The claims provider trust configuration is out of date. For example, this event might occur in situations where certificates are configured for manual rollover.

Resolution: Verify that the claims provider trust configuration is up to date. Specifically, verify that the claims provider trust has the current certificates in its configuration.
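The following script is an added example that serves both Event ID 147 and Event ID 371; it is not code from the original page. It takes the signing-certificate thumbprint shown in the event data and looks for it in the token-signing certificates of every claims provider trust, listing each trust's certificates with their expiry so that an expired or manually rolled certificate stands out. It assumes the AD FS 2.0 snap-in and that claims provider trust objects expose Name, Enabled and TokenSigningCertificates; the thumbprint in the final call is a placeholder, not a real value.

```powershell
# Added example (not from the original page): map the thumbprint from Event ID 147/371
# to the configured claims provider trusts. Assumes the AD FS 2.0 snap-in and the
# Name / Enabled / TokenSigningCertificates properties on trust objects.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Find-ClaimsProviderByThumbprint {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    # Event data may show the thumbprint with spaces or in lower case; keep hex digits only.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $hits = @()

    foreach ($trust in Get-ADFSClaimsProviderTrust) {
        foreach ($cert in @($trust.TokenSigningCertificates)) {
            if ($cert -eq $null) { continue }
            $line = '{0,-30} {1} expires {2:u} enabled={3}' -f $trust.Name, $cert.Thumbprint, $cert.NotAfter, $trust.Enabled
            if ($cert.Thumbprint -eq $wanted) {
                $hits += $trust
                "MATCH    $line"
            } else {
                "         $line"
            }
        }
    }

    if ($hits.Count -eq 0) {
        Write-Warning "No claims provider trust holds certificate $wanted (Event ID 147/371)."
        'If this is the partner''s current signing certificate, refresh the trust from its metadata:'
        '  Update-ADFSClaimsProviderTrust -TargetName <trust name>'
        'or, for a manually managed trust, add the exported certificate (.cer) to the trust:'
        '  $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "C:\path\partner.cer"'
        '  Set-ADFSClaimsProviderTrust -TargetName <trust name> -TokenSigningCertificate ($trust.TokenSigningCertificates + $cer)'
    } elseif (-not ($hits | Where-Object { $_.Enabled })) {
        # Known certificate, but the trust itself is disabled: that is Event ID 366 territory.
        Write-Warning 'Certificate is known but its trust is disabled: Enable-ADFSClaimsProviderTrust -TargetName <trust name>'
    }
    return $hits
}

# Placeholder value, not a real thumbprint: replace it with the one from the event data.
Find-ClaimsProviderByThumbprint -Thumbprint '0000000000000000000000000000000000000000'
```

Confirm out of band (with the partner, not from the token) that a certificate is the expected one before adding it to a trust; the script only tells you whether AD FS already knows it.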

Event ID 372
Authentication failed.

Possible cause: The token that is used to authenticate the user is signed using a weaker signature algorithm than expected.

Resolution: Verify that the claims provider is configured to accept tokens with the expected signature algorithm. To resolve this issue, you can use either the Windows PowerShell cmdlets for AD FS 2.0 or the AD FS 2.0 snap-in to reconfigure the signature algorithm. For a cmdlet-based update, use the SignatureAlgorithm parameter with the Set-ADFSClaimsProviderTrust cmdlet. For a Microsoft Management Console (MMC)-based update, you can modify the signature algorithm property on the Advanced tab of the claims provider trust properties.
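The following script is an added example for this entry, not code from the original page. It reads the SignatureMethod from a captured SAML response and compares it with the SignatureAlgorithm configured on the matching claims provider trust, which is the comparison AD FS makes before raising Event ID 372. The XML is a constructed fragment containing only the elements the check needs (a real message would come from a browser or AD FS trace); the issuer URL is constructed, and the script assumes the AD FS 2.0 snap-in.

```powershell
# Added example (not from the original page): compare a token's signature algorithm with
# the algorithm configured on the claims provider trust (Event ID 372).
# Assumes the AD FS 2.0 snap-in. The sample XML and issuer below are constructed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$Sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$Sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Constructed sample: only the parts needed for this check are present.
$sampleResponse = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Issuer>http://idp.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>
'@

function Get-TokenSignatureInfo {
    param([Parameter(Mandatory=$true)][string]$Xml)
    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $assertion = $doc.SelectSingleNode('//saml:Assertion', $ns)
    $method    = $assertion.SelectSingleNode('.//ds:SignatureMethod', $ns)
    New-Object PSObject -Property @{
        Issuer    = $assertion.SelectSingleNode('saml:Issuer', $ns).InnerText
        Algorithm = $method.Algorithm
    }
}

function Test-ClaimsProviderSignature {
    param([Parameter(Mandatory=$true)][string]$Xml)
    $info  = Get-TokenSignatureInfo -Xml $Xml
    $trust = Get-ADFSClaimsProviderTrust -Identifier $info.Issuer
    if ($trust -eq $null) {
        Write-Warning "No claims provider trust with identifier $($info.Issuer)."
        return
    }

    "Token signed with : $($info.Algorithm)"
    "Trust expects     : $($trust.SignatureAlgorithm)"
    if ($info.Algorithm -ne $trust.SignatureAlgorithm) {
        Write-Warning 'Mismatch: AD FS rejects the token (Event ID 372).'
        if ($info.Algorithm -eq $Sha1 -and $trust.SignatureAlgorithm -eq $Sha256) {
            'Preferred fix: have the partner sign with RSA-SHA256. Lowering this trust to SHA-1 instead:'
            "  Set-ADFSClaimsProviderTrust -TargetIdentifier '$($info.Issuer)' -SignatureAlgorithm '$Sha1'"
        }
    }
}

Test-ClaimsProviderSignature -Xml $sampleResponse
```

Lowering the trust to SHA-1 makes the event go away, but it also accepts the weaker algorithm for every token from that partner; asking the partner to sign with SHA-256 keeps the stronger check.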

Event ID 379
A security token was rejected.

Possible cause: The specified IssueInstant was before the allowed time frame.

Resolution: If token replay detection is enabled and the lifetime of the token exceeds the replay cache expiration interval, the Federation Service cannot accept the token, because the token would be removed from the replay detection cache before it expires.

To allow tokens for a larger timeframe, use the Windows PowerShell cmdlets for AD FS 2.0 to adjust the amount of time that the federation server can accept a replayed token. To view the current setting for the replay cache expiration interval, use the Get-ADFSProperties cmdlet. To set its value, you can specify the ReplayCacheExpirationInterval parameter with the Set-ADFSProperties cmdlet.
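The following script is an added example for this entry, not code from the original page. It takes the NotBefore and NotOnOrAfter conditions from a captured assertion, works out the token lifetime, and compares it with ReplayCacheExpirationInterval so you can see whether the condition described above applies before changing anything. The assertion XML is a constructed sample with an eight-hour validity window; the script assumes the AD FS 2.0 snap-in and that ReplayCacheExpirationInterval is expressed in minutes.

```powershell
# Added example (not from the original page): check whether a token's validity window is
# longer than the replay cache expiration interval (the condition behind Event ID 379).
# Assumes the AD FS 2.0 snap-in and that ReplayCacheExpirationInterval is in minutes.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Constructed sample assertion: 8-hour validity, longer than the default cache interval.
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1"
                IssueInstant="2010-05-05T08:00:00Z">
  <saml:Conditions NotBefore="2010-05-05T08:00:00Z" NotOnOrAfter="2010-05-05T16:00:00Z"/>
</saml:Assertion>
'@

function Test-ReplayCacheWindow {
    param([Parameter(Mandatory=$true)][string]$AssertionXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($AssertionXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $cond = $doc.SelectSingleNode('//saml:Conditions', $ns)

    # xsd:dateTime values; XmlConvert handles the trailing Z and keeps everything in UTC.
    $utc          = [System.Xml.XmlDateTimeSerializationMode]::Utc
    $notBefore    = [System.Xml.XmlConvert]::ToDateTime($cond.NotBefore, $utc)
    $notOnOrAfter = [System.Xml.XmlConvert]::ToDateTime($cond.NotOnOrAfter, $utc)
    $lifetime     = $notOnOrAfter - $notBefore

    $props = Get-ADFSProperties
    $cache = New-TimeSpan -Minutes $props.ReplayCacheExpirationInterval

    "Replay detection enabled      : $($props.PreventTokenReplays)"
    "Token lifetime                : $($lifetime.TotalMinutes) minutes"
    "ReplayCacheExpirationInterval : $($cache.TotalMinutes) minutes"

    if ($props.PreventTokenReplays -and $lifetime -gt $cache) {
        Write-Warning 'Token outlives the replay cache; AD FS rejects it (Event ID 379).'
        $needed = [Math]::Ceiling($lifetime.TotalMinutes)
        'Either shorten the token lifetime at the claims provider, or widen the cache:'
        "  Set-ADFSProperties -ReplayCacheExpirationInterval $needed"
        return $false
    }
    return $true
}

Test-ReplayCacheWindow -AssertionXml $sampleAssertion
```

Widening the cache keeps replay detection working for the full token lifetime at the cost of memory on the federation server; shortening the partner's token lifetime is the smaller change when the partner will agree to it.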