Troubleshooting federation server proxy problems with AD FS 2.0
Updated: May 5, 2010
Applies To: Active Directory Federation Services (AD FS) 2.0
Before you begin the troubleshooting process, we recommend that you first try to configure Active Directory Federation Services (AD FS) 2.0 for troubleshooting and check for known common issues that might prevent normal functioning of the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.
Troubleshooting trust establishment failures
The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with establishing trusts with AD FS 2.0.
Event or symptom | Possible cause | Resolution |
---|---|---|
Event ID 275 | The SSL certificate for the Federation Service is invalid or is not trusted by the federation server proxy. | Ensure that the SSL certificate for the Federation Service has a valid chain to a trusted certification authority (CA) store. Also, verify that the certificate is present in a trusted store on the federation server proxy computer. |
Event ID 276 | The federation server proxy is not trusted by the Federation Service. | Ensure that the federation server proxy is trusted by the Federation Service. To do this, log on to the federation server proxy computer and establish a trust between the proxy and the Federation Service by using the AD FS 2.0 Proxy Configuration Wizard. |
Event ID 393 | The following are possible causes for this event: | The following are possible resolutions for this event: |
Event ID 394 | The federation server proxy is not trusted by the Federation Service. Either the trust does not exist, or it was revoked. | Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, renew trust by running the AD FS 2.0 Proxy Configuration Wizard again. |
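
One way to check the Event ID 275 condition from the federation server proxy computer, as an added example that is not part of the original documentation: it retrieves the certificate that the Federation Service presents and builds its chain against the proxy computer's own certificate stores. The host name `fs.example.test` and the function names are placeholders chosen for this example.

```powershell
# Added example. Run on the federation server proxy computer.
# Placeholder: replace with the DNS name of your Federation Service.
$FederationServiceHost = 'fs.example.test'
$Port = 443

function Get-RemoteSslCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented so that an untrusted one can
        # still be retrieved for inspection. Trust is evaluated separately below.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Uses the default chain policy and this computer's certificate stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($Certificate)
    New-Object PSObject -Property @{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotBefore  = $Certificate.NotBefore
        NotAfter   = $Certificate.NotAfter
        Trusted    = $trusted
        # Leaf first, root last. A chain that stops before a root means an
        # intermediate or root CA certificate is missing on this computer.
        ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when Trusted is True; otherwise names each failure
        # (for example UntrustedRoot, NotTimeValid, PartialChain).
        Problems   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation)".Trim() })
    }
}

$cert = Get-RemoteSslCertificate -HostName $FederationServiceHost -Port $Port
Test-CertificateChain -Certificate $cert | Format-List
```

A `Trusted` value of `False` together with the entries in `Problems` shows whether the fix belongs on the Federation Service (an expired or otherwise invalid certificate) or on the proxy computer (a missing CA certificate in its trusted stores).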
Troubleshooting proxy startup failure
The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with starting a federation server proxy in your AD FS 2.0 deployment.
Event or symptom | Possible cause | Resolution |
---|---|---|
Event ID 199 | The following are possible causes for this event: | The following are possible resolutions for this event: |
Event ID 215 | No WS-Trust endpoints are either configured or enabled for the Federation Service. | Using the AD FS 2.0 snap-in, open the Endpoints node and verify that WS-Trust endpoints are proxy enabled. To enable an endpoint, on the Action menu, click Enable on proxy. If you are using AD FS 2.0 cmdlets for Windows PowerShell, use the Set-ADFSEndpoint cmdlet with the Proxy=True parameter to enable a specific endpoint. For example, to enable the WS-Trust 1.3 endpoint for proxy use, use the following command at the Windows PowerShell prompt: |
Event ID 224 | The federation server proxy configuration could not be loaded correctly at service startup from the configuration file. | A configuration element that is specified in the additional data provided in the event is misconfigured. Correct the specified error in the federation server proxy configuration database. |
Event ID 274 | The federation server proxy encountered an error while it was trying to listen on one of the proxy endpoints. The federation server proxy cannot start until it can listen on all required proxy endpoints. | Ensure that the permissions on the URLs of the proxy endpoints allow the federation server proxy security account (the default is Network Service) to listen on them. The proxy endpoints that are referenced in this event are actually the base addresses that the federation server proxy is listening on. These include the following endpoints: |
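
A way to audit the Event ID 215 condition on a federation server, as an added example that is not the command from the original documentation: it lists the WS-Trust endpoints with their enabled and proxy state, then enables one chosen endpoint for proxy use. It assumes the default AD FS 2.0 address layout (`/adfs/services/trust/2005/` and `/adfs/services/trust/13/`); the value of `$endpointPath` is a placeholder that you must set.

```powershell
# Added example. Run on a federation server, not on the proxy.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Assumption: WS-Trust endpoints use the default address paths.
$wsTrust = @(Get-ADFSEndpoint | Where-Object {
    $_.AddressPath -like '/adfs/services/trust/2005/*' -or
    $_.AddressPath -like '/adfs/services/trust/13/*'
})

# Show the current state of every WS-Trust endpoint.
$wsTrust | Sort-Object AddressPath |
    Format-Table AddressPath, Protocol, Enabled, Proxy -AutoSize

# The proxy needs at least one WS-Trust endpoint that is both
# enabled and proxy enabled.
$usable = @($wsTrust | Where-Object { $_.Enabled -and $_.Proxy })
if ($usable.Count -eq 0) {
    Write-Warning 'No WS-Trust endpoint is both enabled and proxy enabled.'
}

# Placeholder: set this to the AddressPath of the single endpoint to publish,
# copied from the table printed above. Proxy-enabled endpoints are reachable
# through the proxy, so enable only the ones the deployment needs.
$endpointPath = '<AddressPath of the endpoint to enable on the proxy>'

$target = $wsTrust | Where-Object { $_.AddressPath -eq $endpointPath }
if (-not $target) {
    Write-Warning "No WS-Trust endpoint found at '$endpointPath'. Nothing changed."
} elseif (-not $target.Enabled) {
    Write-Warning "'$endpointPath' is disabled; enable the endpoint before publishing it on the proxy."
} elseif ($target.Proxy) {
    Write-Output "'$endpointPath' is already proxy enabled."
} else {
    Set-ADFSEndpoint -TargetAddressPath $endpointPath -Proxy $true
    # Endpoint changes take effect after the AD FS 2.0 Windows service restarts.
    Restart-Service adfssrv
}
```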
Troubleshooting failure to retrieve configuration data from the Federation Service
The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems replicating configuration data to a federation server proxy from a federation server in your AD FS 2.0 deployment.
Event or symptom | Possible cause | Resolution |
---|---|---|
Event ID 248 | Network connectivity is a possible cause of this event. Also, you should review any error message that is returned with this event to further determine the actual cause as needed. | Make sure that the Federation Service is running. Troubleshoot network connectivity. For more information, see Verify network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the AD FS 2.0 Proxy Configuration Wizard again. |
Troubleshooting connection failures
The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having connection failures between a federation server proxy and its configured federation server in your AD FS 2.0 deployment.
Event or symptom | Possible cause | Resolution |
---|---|---|
Event ID 218 | This could mean that the AD FS 2.0 Windows Service is not started on the federation server computer. | Verify that the AD FS 2.0 Windows service is running on the remote federation server computer, and that the remote federation server is reachable. For more information, see Verify that AD FS is installed and running and Verify network connectivity. |
Event ID 222 | The federation server proxy timed out while it was trying to reach the federation server. This might mean that the Federation Service is currently unavailable. | Verify that the AD FS 2.0 Windows service is running on the remote federation server computer, and that the remote federation server is reachable. For more information, see Verify that AD FS is installed and running and Verify network connectivity. |