ADFS Troubleshooting

-

ADFS/IdS Troubleshooting and Common Problems:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff641685(v=ws.10)?redirectedfrom=MSDN

Applies To: Active Directory Federation Services (AD FS) 2.0

Before you begin the troubleshooting process, we recommend that you first try to configure Active Directory Federation Services (AD FS) 2.0 for troubleshooting and check for known common issues that might prevent normal functioning of the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Troubleshooting trust establishment failures

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with establishing trusts with AD FS 2.0.

Event or symptomPossible causeResolution

Event ID 275
The federation server proxy could not establish a trust relationship for the Secure Sockets Layer (SSL) secure channel with the Federation Service.

The SSL certificate for the Federation Service is invalid or is not trusted by the federation server proxy.

Ensure that the SSL certificate for the Federation Service has a valid chain to a trusted certification authority (CA) store. Also, verify that the certificate is present in a trusted store on the federation server proxy computer.

Event ID 276
The federation server proxy could not authenticate to the Federation Service.

The federation server proxy is not trusted by the Federation Service.

Ensure that the federation server proxy is trusted by the Federation Service. To do this, log on to the federation server proxy computer and establish a trust between the proxy and the Federation Service by using the AD FS 2.0 Proxy Configuration Wizard.

Event ID 393
The federation server proxy could not establish a trust with the Federation Service.

The following are possible causes for this event:

  • The credentials that are used to establish a trust between the federation server proxy and the Federation Service are not valid, or the Federation Service cannot be reached.

  • The federation server proxy trust was revoked.

  • The federation server proxy has been inactive for a long period of time (such as 30 days or more).

The following are possible resolutions for this event:

  • Ensure that the credentials that are being used to establish a trust between the federation server proxy and the Federation Service are valid, and that the Federation Service can be reached.

  • Run the AD FS 2.0 Proxy Configuration Wizard again to renew trust with the Federation Service.

Event ID 394
The federation server proxy could not renew its trust with the Federation Service.

The federation server proxy is not trusted by the Federation Service. Either the trust does not exist, or it was revoked.

Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, renew trust by running the AD FS 2.0 Proxy Configuration Wizard again.

Troubleshooting proxy startup failure

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with starting a federation server proxy in your AD FS 2.0 deployment.

Event or symptomPossible causeResolution

Event ID 199
The federation server proxy could not be started.

The following are possible causes for this event:

  • No SSL certificate is configured in HTTPS bindings in Internet Information Services (IIS).

  • The HTTP listener cannot listen on proxy endpoints. This indicates that URL access control lists (ACLs) are not configured for the identity of the Federation Service.

The following are possible resolutions for this event:

  • Using IIS Manager, verify that a valid SSL certificate is configured for HTTPS bindings.

  • Use the netsh http show urlacl command or the netsh http add urlacl command to verify or update the URL ACLs respectively.

  • If needed, run the AD FS 2.0 Proxy Configuration Wizard to restore the federation server proxy configuration.

Event ID 215
The Federation Service did not return any WS-Trust endpoints to be published by the federation server proxy.

No WS-Trust endpoints are either configured or enabled for the Federation Service.

Using the AD FS 2.0 snap-in, open to the Endpoints node and verify that WS-Trust endpoints are proxy enabled. To enable an endpoint, on the Action menu, click Enable on proxy.

If you are using AD FS 2.0 cmdlets for Windows PowerShell, use the Set-ADFSEndpoint cmdlet with the Proxy=True parameter to enable a specific endpoint. For example, to enable the WS-Trust 1.3 endpoint for proxy use, use the following command at the Windows PowerShell prompt:

Set-ADFSEndpoint -TargetAddress /adfs/services/trust/13/Windows -Proxy $true

Event ID 224
The federation server proxy configuration could not be loaded correctly from the configuration file.

The federation server proxy configuration could not be loaded correctly at service startup from the configuration file.

A configuration element that is specified in the additional data provided in the event is misconfigured. Correct the specified error in the federation server proxy configuration database.

Event ID 274
The federation server proxy encountered an error while it was trying to listen on one of the proxy endpoints.

The federation server proxy encountered an error while it was trying to listen on one of the proxy endpoints. The federation server proxy cannot start until it can listen on all required proxy endpoints.

Ensure that the permissions on the URLs of the proxy endpoints allow the federation server proxy security account (the default is Network Service) to listen on them.

The proxy endpoints that are referenced in this event are actually the base addresses that the federation server proxy is listening on. These include the following endpoints:

http://hostname/adfs/services/
https://hostname/adfs/services/
https://hostname/FederationMetadata/2007-06/
https://hostname/adfs/fs/FederationServerService.asmx

Troubleshooting failure to retrieve configuration data from the Federation Service

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems replicating configuration data to a federation server proxy from a federation server in your AD FS 2.0 deployment.

Event or symptomPossible causeResolution

Event ID 248
The federation server proxy was not able to retrieve the list of endpoints from the Federation Service.

Network connectivity is a possible cause of this event. Also, you should review any error message that is returned with this event to further determine the actual cause as needed.

Make sure that the Federation Service is running. Troubleshoot network connectivity. For more information, see Verify network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the AD FS 2.0 Proxy Configuration Wizard again.

Troubleshooting connection failures

The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having connection failures between a federation server proxy and its configured federation server in your AD FS 2.0 deployment.

Event or symptomPossible causeResolution

Event ID 218
The federation server proxy received an error code while making a request to the Federation Service.

This could mean that the AD FS 2.0 Windows Service is not started on the federation server computer.

Verify that the AD FS 2.0 Windows service is running on the remote federation server computer, and that the remote federation server is reachable. For more information, see Verify that AD FS is installed and running and Verify network connectivity.

Event ID 222
The federation server proxy was unable to complete a request to the Federation Service.

The federation server proxy timed out while it was trying to reach the federation server. This might mean that the Federation Service is currently unavailable.

Verify that the AD FS 2.0 Windows service is running on the remote federation server computer, and that the remote federation server is reachable. For more information, see Verify that AD FS is installed and running and Verify network connectivity.

 

Comments

Post a Comment

Popular posts from this blog

altiris software key

-
Image
I think a lot of people, like me, spend a lot of time try finding how to get those download: Latest Symantec workspace Virtualization , SWV 6.1, that is advanced SVS version, is integrated with the Altiris client management suite CMS 7.  (Yes, it was also named "SVS PRO") Notice 1: This package includes the "Wise Virtual Composer", and both x86+x64 versions. Notice 2: This link currently also includes SWS (Streaming) and SWC (Corporate) [please vote my post if you use it ;-] Story : I was thinking only SVS 2.1 (Software Virtualization Solution) was integrated into the "Client Management Suite 7". But this is not the case and SWV 6.1 (Symantec Workspace Virtualization) must not be paid in addition . Free home license : Both SVS 2.1 "light" version & SWV are still free personal use. I suggest you use now the latest SWV 6.4 (That is SWV 6.1 SP7 or following! Yes Symantec do this version naming - vote here also to a...
Read more

Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe)

-
Image
Service Principal Names (SPNs) SetSPN Syntax (Setspn.exe) Table of Contents SPN Purpose SPN Format SetSPN Viewing or Checking SPN Registrations SPN Registration Errors Related to SPN Registration or Configuration Manually Registering SPNs Troubleshooting SPN Issues Resolving SPN Registration Issues SPN Lookup Errors Delegation External Articles SPN Purpose A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. ↑  Return to T...
Read more

Troubleshooting Netlogon Error Codes

-
Image
Quick Reference: Troubleshooting Netlogon Error Codes ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ January 28, 2013   by  Mark Morowczynski [MSFT]   //   24 Comments 0 0 Hi this is Brandon Wilson and today I will be providing you with a quick reference for troubleshooting Netlogon error codes. I say “quick reference” very loosely here, because this is one of those sticky subjects that can easily expand into many more areas and become a very long discussion. So, I’m going to do my best to focus on just the codes and possible solutions for the error codes that are more common to see. Anyone who has dealt with some of these issues knows that some of these outlined areas can lead to huge revenue loss for a business, or at the very least an annoying authentication prompt J I welcome you to leave comments and questions, or suggestions for articles that you as the reader would be interested in seeing us do on AskPFE Platforms ( http://blogs.tech...
Read more