Troubleshooting certificate problems with AD FS 2.0


The following table provides troubleshooting guidance for specific error event messages or other issues that you may encounter if you are having problems working with certificates that are used by the Active Directory Federation Services (AD FS) 2.0 service.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Columns: Event or symptom / Possible cause / Resolution (each entry below gives the three in that order).

Event ID 249 
A certificate could not be found in the certificate store. In certificate rollover scenarios, this can potentially cause a failure when the Federation Service is signing or decrypting using this certificate.

The specified certificate either does not exist in the local certificate store, or the AD FS 2.0 service account does not have permissions to access the certificate.

Ensure that the certificate (identified by its thumbprint in the event text) has been added to the LocalMachine\My store folder on the federation server computer. Also, verify that the AD FS 2.0 service account has access to the private key for this certificate. For more information, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 315 
An error occurred during an attempt to build the certificate chain for the claims provider trust signing certificate.

The following are possible causes for this event:

  • The certificate has been revoked.
  • The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this claims provider trust.
  • The certificate is not within its validity period.
Note: You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the claims provider trust’s signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the claims provider trust’s signing certificate is valid and has not been revoked.
  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 316 
An error occurred during an attempt to build the certificate chain for the relying party trust signing certificate.

The following are possible causes for this event:

  • The certificate has been revoked.
  • The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this relying party trust.
  • The certificate is not within its validity period.
Note: You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the relying party trust’s signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the relying party trust’s signing certificate is valid and has not been revoked.
  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 317 
An error occurred during an attempt to build the certificate chain for the relying party trust encryption certificate.

The following are possible causes for this event:

  • The certificate has been revoked.
  • The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this relying party trust.
  • The certificate is not within its validity period.
Note: You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the relying party trust’s encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the relying party trust’s encryption certificate is valid and has not been revoked.
  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 319 
An error occurred while the certificate chain for the client certificate was being built.

The following are possible causes for this event:

  • The client certificate has been revoked.
  • The certificate chain could not be verified as specified by the revocation settings of the client certificate.
  • The client certificate is not within its validity period.
Note: To configure the revocation settings for the client certificate, you can use the Set-ADFSProperties cmdlet with the ClientCertRevocationCheck parameter in Windows PowerShell for AD FS 2.0.

The following are possible resolutions to this event:

  • Ensure that the client encryption certificate is valid and has not been revoked.
  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 360 
A request was made to a certificate transport endpoint, but the request did not include a client certificate.

The following are possible causes for this event:

  • The root certification authority (CA) certificate that issued the client certificate is not in the trusted root CA certificate store.
  • The client certificate is expired.
  • The client certificate is self-signed and is not trusted.

The following are possible resolutions for this event:

  • Ensure that the CA that issued the client certificate in this request has its certificate in the trusted root certification authority store on the local computer.
  • Ensure that the client certificate is not expired.
  • Use a trusted certificate to replace the self-signed certificate.

Event ID 374 
An error occurred while building the certificate chain for the claims provider trust encryption certificate.

The following are possible causes for this event:

  • The certificate has been revoked.
  • The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this claims provider trust.
  • The certificate is not within its validity period.
Note: You can use Windows PowerShell cmdlets for AD FS 2.0 to configure the revocation settings for the claims provider trust’s encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.

The following are possible resolutions to this event:

  • Ensure that the claims provider trust’s encryption certificate is valid and has not been revoked.
  • Ensure that AD FS 2.0 can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
  • Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS 2.0.

Event ID 381 
An error occurred during an attempt to build the certificate chain for configuration certificate.

This event occurs whenever the Federation Service updates its service state or tries to refresh its cached certificate configuration data. If the configuration has changed so that one of the configured certificates is invalid when a refresh occurs, this event is logged.

The following are possible causes for this event:

  • The certificate has been revoked.
  • The certificate is not within its validity period.

Ensure that the certificate is valid and has not been revoked or expired.

Event ID 385 
AD FS 2.0 detected that one or more certificates in the AD FS 2.0 configuration database need to be updated manually.

This event occurs because one or more certificates are expired, or will expire soon.

If certificate rollover is enabled, this issue resolves on its own. In other cases, refer to the thumbprint or other certificate-identifying data in the additional details section of the event itself. After you identify the certificate that caused this event to occur, manually update the certificate to correct the problem.

Event ID 387 
AD FS 2.0 detected that one or more of the certificates that are specified in the Federation Service were not accessible to the service account that is used by the AD FS 2.0 Windows Service.

The AD FS 2.0 service account does not have permissions to read the private keys for the configured certificates.

Ensure that the AD FS 2.0 service account has read permissions on the certificate private keys. For more information, see Confirm that private keys for certificates are accessible by the AD FS service user account.

Event ID 389 
AD FS 2.0 detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon.

This event occurs because the certificates that are configured for one or more claims provider trusts or relying party trusts are expired, or will expire soon.

If you manually created the trust, you must update the certificate configuration yourself. If you used Federation Metadata when you created the trust, the certificate configuration updates dynamically.

Note: For dynamic update to occur reliably, your trust partner must have updated the certificate that is expired, or that will expire soon, in their configuration.
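The checks the entries above describe can be scripted. The following is an added example (not code from the TechNet article or this blog); it assumes the AD FS 2.0 PowerShell snap-in on the federation server, that the AD FS 2.0 Windows service is named adfssrv, and that private keys are CSP keys stored under MachineKeys (CNG keys are reported as unknown rather than checked). The function names are the author's own.

```powershell
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Map an AD FS revocation setting (the values accepted by the *RevocationCheck parameters) onto X509Chain policy.
function Get-ChainPolicyForSetting([string]$Setting) {
    $p = New-Object System.Security.Cryptography.X509Certificates.X509ChainPolicy
    switch -Wildcard ($Setting) {
        'None'       { $p.RevocationMode = 'NoCheck' }
        '*CacheOnly' { $p.RevocationMode = 'Offline' }   # cached CRL only, no network fetch
        default      { $p.RevocationMode = 'Online' }
    }
    switch -Wildcard ($Setting) {
        'CheckEndCert*'          { $p.RevocationFlag = 'EndCertificateOnly' }
        'CheckChainExcludeRoot*' { $p.RevocationFlag = 'ExcludeRoot' }
        default                  { $p.RevocationFlag = 'EntireChain' }
    }
    return $p
}

# Build the chain for a trust certificate as AD FS does (events 315/316/317/374) and report why it fails
# (ChainStatus values such as Revoked, RevocationStatusUnknown, OfflineRevocation or NotTimeValid).
function Test-AdfsTrustCertificate($Cert, [string]$RevocationSetting) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy = Get-ChainPolicyForSetting $RevocationSetting
    $ok = $chain.Build($Cert)
    $now = Get-Date
    New-Object PSObject -Property @{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; Setting = $RevocationSetting
        InValidityPeriod = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        ChainOk = $ok; ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    }
}

# Service certificates (events 249/387): present in LocalMachine\My, and private key readable by the service account?
# Only a direct ACL entry for the account is recognised; a grant through group membership shows as $false.
function Test-AdfsServiceCertificateAccess {
    $svc = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName   # assumed service name
    foreach ($c in Get-ADFSCertificate) {
        $cert = Get-Item "Cert:\LocalMachine\My\$($c.Thumbprint)" -ErrorAction SilentlyContinue
        $keyReadable = 'unknown (missing, CNG or inaccessible key; check with certutil -store My)'
        try {
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyReadable = [bool]((Get-Acl $keyFile).Access | Where-Object {
                ($_.IdentityReference.Value -replace ' ', '') -eq ($svc -replace ' ', '') -and
                $_.FileSystemRights -match 'Read|FullControl' })
        } catch { }
        New-Object PSObject -Property @{ Type = $c.CertificateType; Thumbprint = $c.Thumbprint
            InStore = [bool]$cert; ServiceAccount = $svc; KeyReadableByService = $keyReadable }
    }
}

# Usage: check every relying party trust's signing certificate under its configured revocation setting.
foreach ($rp in Get-ADFSRelyingPartyTrust) {
    foreach ($cert in $rp.RequestSigningCertificate) { Test-AdfsTrustCertificate $cert $rp.SigningCertificateRevocationCheck }
}
Test-AdfsServiceCertificateAccess
```

The same Test-AdfsTrustCertificate call works for claims provider trusts (Get-ADFSClaimsProviderTrust with its TokenSigningCertificates and SigningCertificateRevocationCheck) and for encryption certificates with the EncryptionCertificateRevocationCheck setting.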

The following table can be helpful in determining the certificate that is the root cause of an error in your AD FS 2.0 certificate configuration.

| Policy | CRL checking certificate | Scenario | Protocols affected | Occurs | Event thrown | Expiration check |
|---|---|---|---|---|---|---|
| Relying Party | Relying party signing certificate | AD FS 2.0 receives a signed SAML-P request sent by a relying party (see note below). | SAML-P | Sign in | Event ID 316 | Yes |
| Relying Party | Relying party signing certificate | AD FS 2.0 receives a signed SAML sign-out request from the relying party (the sign-out request must be signed). | SAML-P | Sign Out (POST or Redirect Binding) | Event ID 316 | Yes |
| Relying Party | Relying party encryption certificate | AD FS 2.0 receives a sign-out request from a claims provider and encrypts a sign-out request for the relying party. In this scenario, the claims provider initiates sign-out. | SAML-P/WS-* | Sign Out request (POST or Redirect Binding) | Event ID 317 | Yes |
| Relying Party | Relying party encryption certificate | AD FS 2.0 issues an encrypted token for a relying party. | SAML-P/WS-* | Token Issuance | Event ID 317 | Yes |
| Claims Provider | Claims provider signing certificate | AD FS 2.0 receives an issued token from a claims provider. | SAML-P/WS-* | Token Acceptance | Event ID 315 | Yes |
| Claims Provider | Claims provider signing certificate | AD FS 2.0 receives a signed SAML sign-out request from a claims provider. In this scenario, the sign-out request must be signed. | SAML-P | Sign Out request (POST or Redirect Binding) | Event ID 315 | Yes |
| Claims Provider | Claims provider encryption certificate | AD FS 2.0 receives a sign-out request from a relying party and encrypts a sign-out request for the claims provider. | SAML-P | Sign Out | Event ID 374 | Yes |
| Self | Self-issued signing certificate | AD FS 2.0 issues a token for a relying party. | SAML-P/WS-* | Token Issuance | None | Yes |
| Self | Self-issued encryption certificate | AD FS 2.0 accepts an encrypted token from a claims provider. | SAML-P/WS-* | Token Acceptance | None | No |

Note: Requiring signing of sign-in requests is a configurable option. To set this requirement for a relying party trust, use the RequireSignedSamlRequests parameter with the Set-ADFSRelyingPartyTrust cmdlet.

Source: https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-certificate-problems(v=ws.10).aspx
