Share via


Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Events

Event ID Source Message

600

Microsoft-Windows-ADFS

During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The configured data '%3' could not be parsed as type '%4'.
Section: %1
Parameter: %2
Data: %3
Type: %4

The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected.

User Action
Correct the specified web.config parameter to conform to the given type.

601

Microsoft-Windows-ADFS

During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The private key for the certificate that was identified by the thumbprint '%3' could not be accessed.
Section: %1
Parameter: %2
Thumbprint: %3

The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected.

This condition can occur when the certificate that is identified by the thumbprint is found in the Local Computer Personal store but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
(1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
(2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal store.
(3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
(4) The Federation Service identity has not been granted read access to the certificate's private key.

User Action
If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).

If the certificate was imported in a user context, import the certificate again directly into the Local Computer Personal store.

If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the Local Computer Personal store. If the key is not marked as exportable, request a new certificate using the "Machine Key" option.

If the FS Identity has not been granted read access to the certificate's private key, open the AD FS snap-in. In the console tree, right-click Federation Service, and then click Properties. Under Token Signing Certificate, click View. If the private key has incorrect access control configured, an option to reconfigure the key's access control will appear.

602

Microsoft-Windows-ADFS

During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The certificate that was identified by the thumbprint '%3' could not be found.
Section: %1
Parameter: %2
Thumbprint: %3

The Federation Service or the Federation Service Proxy will not be able to start until this configuration parameter is corrected.

This condition occurs when the thumbprint that is specified does not match the thumbprint of any certificate in the Local Computer Personal store. Common causes for this condition include the following:
(1) The web.config was edited by hand and the thumbprint string contains a typographical error.
(2) The certificate with the specified thumbprint is from a user store instead of the Local Computer store.

User Action
If the web.config contains a typographical error, correct the thumbprint string. To correct the thumbprint string, open the Certificates snap-in. On the Details tab in the certificate property page, select the Thumbprint field. The thumbprint in the web.config should match the string - with the spaces removed - that appears in the property page.

If a certificate with a matching thumbprint exists in a user store and a .pfx file for the certificate is available, import the .pfx file directly into the Local Computer Personal store. If no .pfx file is available and the key is exportable, you can create a .pfx file by exporting the certificate with private key. If the key is not exportable and no .pfx file is available, request a new certificate and ensure that the request is for a machine certificate instead of a user certificate.

603

Microsoft-Windows-ADFS

During processing of web.config section '%1', the required parameter '%2' was not found.
Section: %1
Parameter: %2

The Federation Service or the Federation Service Proxy will not be able to start until this configuration parameter is corrected.

User Action
Add the required parameter.

610

Microsoft-Windows-ADFS

An unexpected exception was encountered when reading the web.config section '%1':
Section: %1

Additional Data
Exception information:
%2

611

Microsoft-Windows-ADFS

A required configuration section of web.config was missing: '%1'
Section: %1

The Federation Service cannot start until this condition is corrected.

User Action
Add the required web.config section.

623

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy field '%1' was set to an unacceptable value. The field must not be negative.
Field: %1
Value: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
Correct the '%1' field by configuring it with a nonnegative value.

624

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy field '%1' was set to an unacceptable value. The field must contain a valid Uniform Resource Identifier (URI).
Field: %1
Value: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
Correct the '%1' field by configuring it with a valid URI value.

Additional Data
UriFormatException message: %3

625

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The required trust policy field '%1' was not present.
Field: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
Configure the '%1' field with a valid value.

626

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy contains a universally unique identifier (UUID) reference to an organization claim that does not exist.
Referencing type: %1
UUID: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The UUID must be corrected to reference an existing organization claim.

627

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy defines an Active Directory Domain Services group population that does not specify any Active Directory Domain Services principals.
Organization Group Claim: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The ADGroupGeneration object must specify one or more security IDs (SIDs) that specify Active Directory Domain Services users or groups to be included in the organization group.

628

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy defines a claim whose format is not valid.
Claim type: %1
Claim value: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the claim so that it has the proper format.

629

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy defines a custom claim whose name is unspecified.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur if the trust policy file has been modified without use of the AD FS administrative tools. Correct the custom claim to to specify a name.

630

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A collection in the trust policy contains duplicate items.
Collection type: %1
Duplicate property name: %2
Duplicate property value: %3

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the duplicate item from the collection.

631

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A custom claim collection in the trust policy contains a duplicate item.
Collection type: CustomClaimCollection
Custom claim name: %1
Custom claim value: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the duplicate item from the collection.

632

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An exception was thrown during loading of a custom module assembly.
Assembly path: %1

If this error occurs startup of the during Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

This error may be generated by a non-Microsoft module that is not part of AD FS.

User Action
Ensure that the assembly path is correct and that the assembly file has appropriate permissions.

Additional Data
Exception information:
%2

633

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An exception was thrown during instantiation of a custom module class from a custom module assembly.
Assembly path: %1
Class name: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

This error may be generated by a non-Microsoft module that is not part of AD FS.

User Action
Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps.

Additional Data
Exception information:
%3

634

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The specified class could not be instantiated from the custom module assembly.
Assembly path: %1
Class name: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

This error may be generated by a non-Microsoft module that is not part of AD FS.

User Action
Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps.

635

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The specified class was found in the custom module assembly, but the class does not implement the required AD FS interface.
Assembly path: %1
Class name: %2
Interface name: %3

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

This error may be generated by a non-Microsoft module that is not part of AD FS.

User Action
Verify that the appropriate assembly and class are configured. Contact the module vendor for further troubleshooting steps.

636

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy file path is not valid.
Path: %1

The Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected.

User Action
Correct the configuration to specify a fully qualified file path to an existing trust policy file. This configuration can be corrected in the web.config file or by using the AD FS administration console.

637

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The Active Directory Domain Services account store is configured improperly.

The '%1' field, which is configured on the Active Directory Domain Services store, is supported only on Active Directory Lightweight Directory Services (AD LDS) stores.
Field: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the specified field from the trust policy file.

638

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store is configured improperly.

A required configuration field '%1' is missing for the AD LDS store.
Field: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Add the missing field to the trust policy file.

639

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An account partner is misconfigured.

The AllowedTrustedWindowsDomains field is configured for an account partner for which Windows trust is not enabled.
Field: AllowedTrustedWindowsDomains

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Either enable Windows trust on the account partner or remove the AllowedTrustedWindowsDomains field.

640

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A collection contains a duplicate item.
Collection: %1
Duplicate key: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Either enable Windows trust on the account partner or remove the AllowedTrustedWindowsDomains field.

641

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A configured e-mail suffix contains the @ sign.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the @ sign from the configured e-mail suffix.

642

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An application is configured with an e-mail or user principal name (UPN) suffix transformation.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the suffix transformation from the application.

643

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An account partner with Windows trust enabled has been configured with a group-to-UPN transformation.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the group-to-UPN transformation from this account partner.

644

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An account partner that does not have Windows trust enabled is configured to allow all user principal name (UPN) suffixes.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Account partners that do not have Windows trust enabled must provide an explicit list of UPN suffixes for validation. Add at least one UPN suffix for this account partner.

645

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An account partner that does not have Windows trust enabled is configured to allow all e-mail suffixes.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Account partners that do not have Windows trust enabled must provide an explicit list of e-mail suffixes for validation. Add at least one e-mail suffix for this account partner.

646

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy field '%1' is empty.
Field: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Add data to the '%1' field.

647

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. Multiple Active Directory Domain Services account stores are configured.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Reduce the number of Active Directory Domain Services account stores in the trust policy to one.

648

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A partner is configured with more than one group-to-UPN transformations that use the same group.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. No two group-to-UPN transformations on one partner may use the same group.

649

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The Active Directory Domain Services account store has been configured to fetch user principal name (UPN) from a custom Lightweight Directory Access Protocol (LDAP) attribute.

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Remove the custom LDAP attribute for UPN from the Active Directory Domain Services account store configuration.

650

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An application or resource partner is configured to use Kerberos-based token verification, but the Service Principal Name (SPN) for the application is not valid.
SPN: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the SPN to a valid value.

651

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store is configured with a Lightweight Directory Access Protocol (LDAP) port number that is not valid.
Port number: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. The LDAP port must be a valid TCP socket port number. Change the configured value to fall between 1 and %2.

652

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store was configured with an identity claim extraction.
AD LDS store: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure at least one identity claim extraction for this account store: user principal name (UPN), e-mail, or common name.

653

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A resource partner has no identity claim transformation.
Resource partner: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure an identity claim transformation for this partner.

654

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An account partner has no identity claim transformation.
Account partner: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure an identity claim transformation for this partner.

655

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An application has no identity claim enabled.
Application: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Enable an identity claim for this application.

656

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. A Uniform Resource Locator (URL) in the trust policy is not valid.
URL: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Enter a valid URL.

658

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a trust policy update period that is less than its allowed minimum.
Configured value: %1
Minimum value: %2

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the trust policy update period above the minimum.

659

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a Windows trust cache update period that is less than its allowed minimum.
Configured value: %1
Minimum value: %2

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the Windows trust cache update period above the minimum.

660

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. An unexpected exception was encountered.

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully, and it will attempt to load the policy again in %1 minutes.
Retry period: %1

User Action
If this error persists, enable the AD FS troubleshooting log.

Additional Data
Exception information:
%2

674

Microsoft-Windows-ADFS

The Federation Service Proxy successfully updated its configuration information from the Federation Service.
Old policy GUID: %1
Old policy version: %2
New policy GUID: %3
New policy version: %4

679

Microsoft-Windows-ADFS

The Federation Service encountered an unexpected error while loading the trust policy: %1.

Because the Federation Service is not able to start, all requests will fail until the configuration is corrected.

681

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a token cache entry lifetime that is less than its allowed minimum.
Configured value: %1
Minimum value: %2

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the token cache entry lifetime above the minimum.

682

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy specifies a token cache scavenge period that is less than its allowed minimum.
Configured value: %1
Minimum value: %2

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was successfully loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Increase the token cache scavenge period above the minimum.

702

Microsoft-Windows-ADFS

The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy, the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup, the Federation Service will not be able to service requests until the condition is resolved.
Signing certificate thumbprint: %1

The signing method identifies a Subject Key Identifier (SKI) which is not recognized by the verification method.
SKI: %2

User Action
If a signing method is to be identified by the SKI, the verification method must contain the signing certificate. Add the signing certificate to the verification certificate list.

703

Microsoft-Windows-ADFS

The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy, the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup, the Federation Service will not be able to service requests until the condition is resolved.
Signing certificate thumbprint: %1

The certificate chain for the signing certificate cannot be verified.
Native Error Code: %2

User Action
The native error code comes from CertGetCertificateChain or CertVerifyCertificateChainPolicy. Check the documentation to determine the error code, and take action accordingly. For example, if the error code is CERT_E_EXPIRED, the signing certificate has expired and must be replaced or renewed.

704

Microsoft-Windows-ADFS

The Federation Service has detected a discrepancy between its signing and verification methods. If this condition is caused by a change in trust policy, the Federation Service will continue to use the old trust policy until the condition is resolved. If this condition occurs at startup, the Federation Service will not be able to service requests until the condition is resolved.
Signing certificate thumbprint: %1

Neither the signing certificate nor any certificate in its chain was found in the verification certificates collection.

User Action
Add the signing certificate or a certification authority from its chain to the collection of verification certificates.

714

Microsoft-Windows-ADFS

The Federation Service encountered an error while loading the trust policy. The trust policy contains an application that has been configured with custom namespaces.
Application URL: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Remove the Namespaces object from the TrustingApplication object in question.

720

Microsoft-Windows-ADFS

The Federation Service has encountered an error while loading the trust policy. A resource partner with Windows trust enabled also has enhanced identity privacy enabled.
Resource partner URI: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Disable enhanced identity privacy or Windows trust from the resource partner in question.

721

Microsoft-Windows-ADFS

The Federation Service has encountered an error while loading the trust policy. An application has enhanced identity privacy enabled.
Application URL: %1

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Disable enhanced identity privacy from the application in question.

722

Microsoft-Windows-ADFS

The Federation Service has encountered an error while loading the trust policy. The trust policy contains a privacy key that is not the expected length.
Expected length: %1
Actual length: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Configure a privacy key of the expected length.

724

Microsoft-Windows-ADFS

A client request to the Federation Service failed because the syntax of a Lightweight Directory Access Protocol (LDAP) attribute is different from the standard syntaxes that are defined in RFC 2252.

This event can occur if the directory schema has been extended to new syntaxes.

User Action
If this is a valid attribute with a new syntax, extract this claim from a custom transform module instead.

Additional Data
LDAP Server: %1
LDAP attribute name: %2
LDAP attribute type: %3

725

Microsoft-Windows-ADFS

The Group Policy setting 'DisallowFederationService' is configured for this machine. The Federation Service will fail all requests until this condition is corrected.

User Action
Disable or do not configure the DisallowFederationService Group Policy setting for Active Directory Federation Services.

726

Microsoft-Windows-ADFS

The Federation Service has encountered an error while reading Group Policy settings. This may indicate an attempt by the local administrator to bypass Group Policy. The Federation Service will fail all requests until this condition is corrected.

User Action
Ensure that the Access Control List for the registry path HKLM\Software\Policies\Microsoft\Windows\ADFS grants read access to the Federation Service principal.

Additional Data
Exception information:
%1

727

Microsoft-Windows-ADFS

The Federation Service has detected that Secure Sockets Layer (SSL) is not enabled for communication between this federation server and the server hosting the Active Directory Lightweight Directory Services (AD LDS) account store, identified by URI: %1, that you specified in the trust policy. Although communications between a federation server and an AD LDS server will be successful when a secure channel has not been established, we recommend that you configure the properties of your AD LDS account store using SSL unless this communication has already been secured by other means, such as Internet Protocol security (IPsec).

User Action
Ensure that communication between this federation server and the AD LDS server is secure. You can use the Active Directory Federation Services snap-in to edit the properties of your AD LDS account stores and configure them to use a secure channel. To enable this configuration, select the Enable Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols check box in the properties for each AD LDS account store in the trust policy.

728

Microsoft-Windows-ADFS

The last remaining valid verification certificate for account partner %1, or a certificate in its trust chain, is due to expire within %2 days.

Account partner name: %1

When this certificate expires input from the account partner will not be verifiable.

User Action
Contact the account partner administrator as soon as possible and replace or renew the certificate.

Additional Data
Subject: %3
Issuer: %4
Thumbprint: %5

729

Microsoft-Windows-ADFS

The last valid verification certificate for account partner %1, or a certificate in its trust chain, has expired.

Account partner name: %1

Input from this account partner cannot be verifed.

User Action
Contact the account partner administrator as soon as possible and obtain a valid certificate.

Additional Data
Subject: %2
Issuer: %3
Thumbprint: %4

730

Microsoft-Windows-ADFS

An unexpected error occured while checking the account partner verfication certificates for expiration.

Exception information:
%1

User Action
Check all acount partner verification certificates for problems. If the problem persists, contact Microsoft technical support.

731

Microsoft-Windows-ADFS

The Federation Service was unable to read configuration information from the domain controller.

User Action
Ensure that the Federation Server is joined to an Active Directory Domain Services (AD DS) domain.
Ensure that the domain controller is available and can be accessed by the Federation Service.

732

Microsoft-Windows-ADFS

AD FS began checking the account partner verification certificates for expiration.

733

Microsoft-Windows-ADFS

AD FS finished checking the account partner verification certificates for expiration.

Federation Service

Active Directory Federation Services