Share via


Event ID 688 — Federation Service Malformed Requests

Applies To: Windows Server 2008

Federation Service Malformed Requests logs information about incorrectly configured or missing data values that reside in the trust policy, along with information about client cookie issues and sign-on issues.

Event Details

Product: Windows Operating System
ID: 688
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: TtpCookiesNotFound
Message: Cookies that are needed to complete a passive client request were not present in the request.

When cookies that hold the state for passive client requests cannot be found, requests that are made by the passive client will be received by the Federation Service (or Federation Service Proxy), but they will not be processed.

User Action
Reconfigure the cookie path. The current cookie path is set to '%1', and the request-Uniform Resource Identifier (URI) is set to '%2'. Unless other client-side configuration or user action causes the cookie to be rejected, client browsers should send the cookie if the cookie path matches the prefix for the request-URI.
Cookie path: %1
Request-URI: %2

Modify the Domain Name System (DNS) name for this site so that it is Request for Comments (RFC)-compliant. Compliant DNS host names contain only letters (A through Z), numerals (0 through 9), minus sign (-), and period (.) characters.

Reconfigure the client browser to not reject cookies from this site.

Undo any action that might have been taken by a user to reject or delete the cookies that are needed by this transaction.

Additional Data
For more information about the cookie and request-URI paths, review the following RFCs:

RFC 2616 - This RFC describes the appropriate way to compare Hypertext Transfer Protocol (HTTP) URIs, and it mandates case-sensitive comparisons for the request-URI path.
RFC 2109 - This RFC describes how the cookie path must match a prefix of the request-URI. It is important to note that some browsers treat "/path" or "/path1/samp" as a prefix match of "/path1/sample" while others do not allow matches that consume only parts of the individual words. These strict implementations accept only a subset of those matches that are allowed by the first implementation, for example, "/path1" or "/path1/sample".

Resolve

Unless other client-side configuration or user action causes the cookie to be rejected, client browsers should send the cookie if the cookie path matches the prefix for the request Uniform Resource Identifier (URI). Modify the Domain Name System (DNS) name for this site so that it complies with Internet Engineering Task Force (IETF) Requests for Comments (RFCs). Compliant DNS host names contain only letters (A through Z), numerals (0 through 9), and minus sign (-) and period (.) characters.

Reconfigure the client browser to not reject cookies from this site. Undo any action that might have been taken by a user to reject or delete the cookies that are needed by this transaction. For more information about the cookie and request-URI paths, review the following RFCs:

  • RFC 2616: This RFC describes the appropriate way to compare Hypertext Transfer Protocol (HTTP) URIs, and it mandates case-sensitive comparisons for the request-URI path.
  • RFC 2109: This RFC describes how the cookie path must match a prefix of the request-URI. It is important to note that some browsers treat "/path" or "/path1/samp" as a prefix match of "/path1/sample" while others do not allow matches that consume only parts of the individual words. These strict implementations accept only a subset of those matches that are allowed by the first implementation, for example, "/path1" or "/path1/sample".

For more information about URIs, see Request for Comments (RFC) 2396 (https://go.microsoft.com/fwlink/?LinkId=29138). For general information about cookies, see Cookies used by ADFS (https://go.microsoft.com/fwlink/?LinkId=64775).

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Federation Service Malformed Requests

Active Directory Federation Services