
Troubleshooting certificate management problems with AD FS 2.0


The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems with managing certificates.

Before you begin the troubleshooting process, we recommend that you first try to configure Active Directory Federation Services (AD FS) 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

 

Each entry below gives the event or symptom, the possible cause, and the resolution.

Event ID 329 
The certificate could not be decrypted by using the keys for X.509 certificate private key sharing.

The following are possible causes for this event:

  • Active Directory objects are missing under the specified distinguished name in the diagnostic information regarding X.509 certificate private key sharing that is provided in this event.
  • The access control list (ACL) permissions of the Active Directory objects that are specified in the diagnostic information have changed, and the service identity of AD FS no longer has rights to read or modify those objects.

The following are possible resolutions for this event:

  • You may have to restore all Active Directory objects under the distinguished name that was specified in the event-included diagnostic information.
  • Work with your domain administrator to help restore read/write ACL permissions.

Event ID 331 
The certificate management service encountered an error during decryption of the keys.

The following are possible causes for this event:

  • Active Directory objects are missing under the specified distinguished name in the diagnostic information regarding X.509 certificate private key sharing that is provided in this event.
  • The ACL permissions of the Active Directory objects that are specified in the diagnostic information have changed, and the service identity of AD FS no longer has rights to read or modify those objects.

The following are possible resolutions for this event:

  • You may have to restore all Active Directory objects under the distinguished name that was specified in the event-included diagnostic information.
  • Work with your domain administrator to help restore read/write ACL permissions.

Event ID 332 
The certificate management service encountered an error during encryption of the keys.

The following are possible causes for this event:

  • Active Directory objects are missing under the specified distinguished name in the diagnostic information regarding X.509 certificate private key sharing that is provided in this event.
  • The ACL permissions of the Active Directory objects that are specified in the diagnostic information have changed, and the service identity of AD FS no longer has rights to read or modify those objects.

The following are possible resolutions for this event:

  • You may have to restore all Active Directory objects under the distinguished name that was specified in the event-included diagnostic information.
  • Work with your domain administrator to help restore read/write ACL permissions.
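Events 329, 331 and 332 all point at the same two conditions: the Active Directory objects named in the event's diagnostic information are gone, or the AD FS service identity no longer has read/write access to them. The following PowerShell script is an added example (not part of the TechNet article or the AD FS product) that checks both conditions before you involve the domain administrator. It assumes the ActiveDirectory module (RSAT) is installed, and the container distinguished name and service account are placeholders that you take from the event text and from the AD FS 2.0 service configuration.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module, which also provides the AD: PSDrive used by Get-Acl below.
Import-Module ActiveDirectory

# Placeholders: copy the DN from the 329/331/332 event's diagnostic information
# and use the identity that runs the "AD FS 2.0 Windows Service".
$ContainerDN    = 'CN=<container from event>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com'
$ServiceAccount = 'CONTOSO\svc_adfs'

function Test-AdfsKeySharingContainer {
    param(
        [Parameter(Mandatory = $true)][string]$DistinguishedName,
        [Parameter(Mandatory = $true)][string]$Identity
    )

    # Condition 1: the objects under the DN must still exist. A missing
    # SearchBase makes Get-ADObject throw, so treat an error as "not found".
    $objects = Get-ADObject -SearchBase $DistinguishedName -SearchScope Subtree `
                            -Filter * -ErrorAction SilentlyContinue
    if (-not $objects) {
        Write-Warning "Nothing found under $DistinguishedName; restore the objects from an AD backup."
        return $false
    }

    # Condition 2: the service identity must hold read and write rights on
    # each object. Only ACEs granted directly to the account are summed here;
    # rights inherited through group membership are not resolved, so a
    # "missing" result still needs a manual look before changing anything.
    $needed = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $healthy = $true
    foreach ($obj in $objects) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        $allowed = [System.DirectoryServices.ActiveDirectoryRights]0
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $Identity) {
                # GenericAll includes the ReadProperty/WriteProperty bits, so a
                # full-control ACE passes the mask test below as well.
                $allowed = $allowed -bor $ace.ActiveDirectoryRights
            }
        }
        if (($allowed -band $needed) -ne $needed) {
            Write-Warning ("{0} lacks read/write on {1} (has: {2})" -f $Identity, $obj.DistinguishedName, $allowed)
            $healthy = $false
        }
    }
    return $healthy
}

if (Test-AdfsKeySharingContainer -DistinguishedName $ContainerDN -Identity $ServiceAccount) {
    'Container present and service account has read/write on every object.'
}
```

Run it under an account that can read the ACLs of the Program Data container. The script only reports; granting rights on the key-sharing container changes who can reach the material that protects the AD FS signing and decryption keys, so leave that step to the domain administrator as the resolution above says.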

Event ID 333 
The certificate management service encountered an error during database access.

Possible cause: the SQL Server database that holds the AD FS configuration is offline or unreachable.

Resolution: confirm that the SQL store is online. When this event occurs, the Windows event log should also contain SQL-related service events with more detail; use those events to troubleshoot the database access further.

Event ID 334 
Certificate rollover service must roll over certificates urgently. Partners cannot apply the update in time.

Possible cause: the certificate rollover service forced an urgent rollover, so there was not enough time for partners to pick up the new certificate from your federation metadata before the old one was retired.

Resolution: partners must apply the new certificate manually (for example by re-importing your updated federation metadata or the exported public certificate) rather than waiting for their scheduled metadata refresh.

Event ID 338 
An error was encountered during certificate rollover. The monitoring cycle was shut down.

Possible cause: any error in the certificate rollover service task can cause this event. When it occurs, a preceding error in the AD FS 2.0 event log contains the actual cause.

Resolution: manually check whether any of the AD FS managed certificates (token-signing and token-decrypting) are nearing expiration. If none are, no further action is required. If any are, restart the AD FS 2.0 Windows service to restart the certificate rollover process, after fixing the cause reported by the preceding error.
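The check described for Event 338 can be scripted. The following is an added example, not code from the TechNet article; it assumes it runs on an AD FS 2.0 federation server where the Microsoft.Adfs.PowerShell snap-in is registered (Get-ADFSCertificate, Get-ADFSProperties and the adfssrv service name are the product's own), and the 30-day warning threshold is a chosen value, not one the article prescribes. It is written for the Windows PowerShell 2.0 that ships with the servers AD FS 2.0 runs on.

```powershell
# Added example, not from the original article. Assumes the AD FS 2.0
# snap-in is available on this federation server.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-AdfsCertificateStatus {
    # The threshold is an assumption chosen for this example.
    param([int]$WarnDays = 30)

    $now = Get-Date
    foreach ($cert in Get-ADFSCertificate) {
        # $cert.Certificate is the underlying X509Certificate2 object.
        $daysLeft = [int]($cert.Certificate.NotAfter - $now).TotalDays
        New-Object PSObject -Property @{
            Type       = $cert.CertificateType    # Token-Signing, Token-Decrypting, Service-Communications
            IsPrimary  = $cert.IsPrimary
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.Certificate.NotAfter
            DaysLeft   = $daysLeft
            Expiring   = ($daysLeft -le $WarnDays)
        }
    }
}

# Rollover only manages token-signing and token-decrypting certificates, and
# only when AutoCertificateRollover is enabled; show the relevant settings so
# a nearly expired certificate is not blamed on a service that is disabled.
$props = Get-ADFSProperties
"AutoCertificateRollover        : {0}" -f $props.AutoCertificateRollover
"CertificateGenerationThreshold : {0} days" -f $props.CertificateGenerationThreshold
"CertificatePromotionThreshold  : {0} days" -f $props.CertificatePromotionThreshold

$status = Get-AdfsCertificateStatus
$status | Sort-Object DaysLeft | Format-Table Type, IsPrimary, DaysLeft, NotAfter, Thumbprint -AutoSize

$expiring = $status | Where-Object { $_.Expiring -and $_.Type -ne 'Service-Communications' }
if ($expiring) {
    # Matches the resolution above: restarting the AD FS 2.0 Windows service
    # restarts the rollover monitoring cycle that Event 338 shut down.
    Write-Warning "Managed certificate(s) expiring within the threshold; restarting adfssrv."
    Restart-Service -Name adfssrv
} else {
    'No managed certificate is near expiration; no action required.'
}
```

A service-communications certificate that is close to expiry shows up in the table but is excluded from the restart decision, because rollover does not renew it; it has to be replaced by hand. After a restart, confirm that Event 338 does not recur and that the preceding error it refers to has been resolved, otherwise the monitoring cycle will simply shut down again.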


Source: https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-management-problems(v=ws.10).aspx
