AD FS Help AD FS Event Viewer

AD FS Event Viewer

If you're looking for an AD FS event and don't want to log into your server to find it, we've got you covered. We have a full list of all AD FS events spanning several Windows Server versions. Pick your server version, find your event. Just keep in mind that some of the data is specific to when the event is logged, so you won't see that here. That information is represented as %1, %2, etc.

Select the version of Windows Server for which you want to see the AD FS events.



ID Event Name Event Description
100 FsServiceStart The Federation Service started successfully. The following service hosts have been added: %1
102 StartupException There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Additional Data Exception details: %1
103 FsServiceStop The Federation Service stopped successfully.
104 ArtifactServiceNotRunningForReplayDetectionCheck The artifact resolution service is not running. The service must be running to perform token replay detection. User Action Make sure that the artifact resolution service is configured properly. Or disable token replay detection by using the Set-ADFSProperties cmdlet with the PreventTokenReplays parameter in Windows PowerShell for AD FS.
105 AuthMethodLoadError An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Identifier: %1 Context: %2 Additional Data Exception details: %3
106 AuthMethodLoadSuccess An authentication provider was successfully loaded: Identifier: '%1', Context: '%2'
111 WsTrustRequestProcessingError The Federation Service encountered an error while processing the WS-Trust request. Request type: %1 Additional Data Exception details: %2
131 BadConfigurationFormatError During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The configured value '%2' could not be parsed as type '%3'. Element: %1 Value: %2 Type: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Correct the specified configuration element to conform to the given type.
132 BadConfigurationValueMissing During processing of the Federation Service configuration, the required element '%1' was missing. Element: %1 The Federation Service will not be able to start until this configuration element is configured. User Action Configure the specified configuration element using the AD FS Management snap-in.
133 BadConfigurationIdentityCertificateHasNoPrivateKey During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 storeName: %4 storeLocation: %5 Federation Service identity: %6 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following: (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file. (2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above. (3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option. (4) The Federation Service identity '%6' has not been granted read access to the certificate's private key. User Action If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file). If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into. If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option. If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.
134 BadConfigurationCertificateNotFound During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' could not be found. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition occurs when the findValue that is specified does not match any certificate in the specified store. Common causes for this condition include the following: (1) The certificate with the specified findValue is from a store that is different from the configured store. (2) The certificate was deleted from the store after configuration. User Action If the certificate exists in a different store, find the location using the certificates snap-in and correct the configuration appropriately. If the certificate has been deleted, configure a different certificate.
135 BadConfigurationMultipleCertificatesMatch During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' was not unique. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is more than one certificate that matches the findValue. User Action If the certificate was identified by name and there are multiple certificates of the same name, configure the certificate using the certificate thumbprint.
136 ConfigurationErrorsException During processing of the Federation Service configuration, the Federation Service encountered a configuration error. %1 Additional Data %2 The Federation Service will not be able to start until this error has been corrected. User Action Correct the specified configuration error using the AD FS Management snap-in.
143 UnableToCreateFederationMetadataDocument The Federation Service was unable to create the federation metadata document as a result of an error. Document Path: %1 Additional Data Exception details: %2
144 RequestBlocked The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy. This could point to a DNS misconfiguration, a partially configured application published through the proxy, or a malicious request. Url Path: %1
147 InvalidClaimsProviderError A token was received from a claims provider identified by the key '%1', but the token could not be validated because the key does not identify any known claims provider trust. Key: %1 This request failed. User Action If this key represents the certificate thumbprint of a claims provider trust, verify that it matches the signing certificate of the claims provider trust in the AD FS configuration database.
149 AttributeStoreLoadFailure During processing of the Federation Service configuration, the attribute store '%1' could not be loaded. Attribute store type: %2 User Action If you are using a custom attribute store, verify that the custom attribute store is configured using AD FS Management snap-in. Additional Data %3
155 MetadataListenerError The Federation Service was unable to listen at '%1' for metadata document requests due to an unexpected error. Additional Data %Exception details: %2
156 TrustMonitoringInitiated Trust monitoring cycle initiated.
157 TrustMonitoringComplete Trust monitoring cycle completed.
159 TrustMonitoringConfigurationDatabaseWriteError The Federation Service encountered an error while writing to the following object in the configuration database. Object Type: %1 Name: %2 Metadata document URL: %3 Additional Data Exception details: %4 Additional details: %5
163 TrustMonitoringInitiationError An error occurred during initialization of trust monitoring. Trust monitoring against the published partner configuration will be disabled for the lifetime of this service. Additional Data Exception details: %1 User Action If you want to try to start the trust monitoring service again, restart the Federation Service.
164 TrustMonitoringConfigurationDatabaseError An error occurred during a read operation from the configuration database. Trust monitoring was shut down and will be tried again after an amount of time that corresponds to the trust monitoring interval. Additional Data Exception details: %1 Additional details: %2
165 TrustMonitoringGenericError An error occurred during trust monitoring. The trust monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
166 TrustMonitoringMetadataFormatError Trust monitoring service encountered an error while parsing the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
167 TrustMonitoringMetadataProcessingError Trust monitoring service encountered an error while applying the data in the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
168 TrustManagementMetadataRequestError The Federation Service encountered an error while retrieving the federation metadata document from '%1'. The monitoring for the following trusts failed: Claims providers: %2 Relying parties: %3 Additional Data Exception details: %4 Additional details: %5 User Action Make sure federation metadata URL is accessible. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
171 SuccessfulAutoUpdate The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes.
173 SuccessfulAutoUpdateWithWarning The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes. Additional Data Warnings: %2
174 AutoUpdateSkippedWithWarning Trust monitoring service detected changes in policy of '%1', but did not automatically apply the changes on the trust partner. Additional Data Warnings: %2
184 InvalidRelyingPartyError A token request was received for a relying party identified by the key '%1', but the request could not be fulfilled because the key does not identify any known relying party trust. Key: %1 This request failed. User Action If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
186 PolicyDuplicateNameIdentifier The Federation Service could not fulfill the token-issuance request. More than one claim based on SamlNameIdentifierClaimResource was produced after the issuance See event 500 with the same Instance ID for claims after application of issuance transform rules. Additional Data Instance ID: %1 User Action Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.
193 PolicyUnknownAuthenticationTypeError The Federation Service could not satisfy a token request because the relying party requested an unknown authentication type. Comparison type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed. User Action Use the AD FS PowerShell commands to configure the authentication context order property. Ensure that the relying party is configured to request the correct authentication type.
197 ConfigurationInvalidAuthenticationTypeError The Federation Service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of '%2' for the relying party '%3'. Authentication type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed.
198 FsProxyServiceStart The federation server proxy started successfully.
199 ProxyStartupException The federation server proxy could not be started. Reason: %1 Additional Data Exception details: %2
200 FsProxyServiceStop The federation server proxy stopped successfully.
201 ServiceHostOpenAddressAccessDeniedError The Federation Service %1 encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL. The %1 could not be opened. User Action Ensure that a valid ACL for each of the URLs has been configured on this computer. Additional Data Exception details: %2
202 ServiceHostOpenError The Federation Service %1 could not be opened. Additional Data Exception details: %2
203 ServiceHostAbortError The Federation Service %1 could not be shut down properly. Additional Data Exception details: %2
204 ServiceHostCloseError The Federation Service %1 could not be closed. Additional Data Exception details: %2
206 EmptyOrMissingWSFederationPassiveEndpoint The Federation Service could not fulfill the token-issuance request because the relying party '%1' is missing a WS-Federation Passive endpoint address. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure a WS-Federation Passive endpoint on this relying party.
207 FailureWritingToAuditLog An attempt to write to the Security event log failed. Additional Data Windows error code: %1 Exception details: %2
208 InsufficientPrivilegesWritingToAuditLogError An error occurred during an attempt to register the event source for the Security log. User Action Ensure that the Federation Service has the correct permissions to write to the Security log.
209 AuditLogEventSourceCouldNotBeRegisteredError The Security log event source for the Federation Service could not be registered. Additional Data Windows error code: %1 Exception details: %2
215 FsProxyNoEndpointsConfigured The Federation Service at '%1' did not return any WS-Trust endpoints to be published by the federation server proxy. User Action If you want to publish WS-Trust endpoints to the federation server proxy, make sure that the endpoints are enabled for proxy use on the federation server.
217 BindingConfigurationError A WS-Trust endpoint that was configured could not be opened. Additional Data Address: %1 Mode: %2 Error: %3
218 FsProxyServiceConnectionFailedServiceUnavailable The federation server proxy received error code '%2' while making a request to the Federation Service at '%1'. This could mean that the Federation Service is not started on the remote host. User Action Verify that the Federation Service is running on the remote host.
220 ServiceConfigurationInitializationError The Federation Service configuration could not be loaded correctly from the AD FS configuration database. Additional Data Error: %1
221 ServiceConfigurationReloadError A change to the token service configuration was detected, but there was an error reloading the changes to configuration. Additional Data Error: %1
222 FsProxyServiceConnectionFailedTimeout The federation server proxy was unable to complete a request to the Federation Service at address '%1' because of a time-out. This might mean that the Federation Service is currently unavailable. User Action Verify that the Federation Service is running.
223 ClaimDescriptionReloadError Claim description could not be loaded correctly from the database. Additional Data Error: %1
224 ProxyConfigurationInitializationError The federation server proxy configuration could not be loaded correctly from the configuration file '%1'. Additional Data Error: %2 User Action: A configuration element specified in the data above is misconfigured. Correct the specified error in the AD FS configuration database.
230 ProxyCongestionWindowMinimumSize The federation server proxy has detected congestion, caused by high latency response times, on the Federation Service. The load might be above the Federation Service operating capacity, or there might be network connectivity issues. Request throttling has been enforced to limit the number of concurrent requests to the following size: %1. User Action Verify that the Federation Service is operating within its operating capacity. Verify that the Federation Service is not experiencing network outages.
238 AttributeStoreFindDCFailedError The Federation Service failed to find a domain controller for the domain %1. Additional Data Domain Name: %1 Error: %2 User Action Use Nltest to determine why DC locator is failing. Nltest is part of the Windows Support Tools.
244 MetadataExchangeListenerError The Federation Service was unable to listen at '%1' for WS-MetadataExchange requests due to an unexpected error. Additional Data %Exception details: %2
245 ProxyMetadataRetrieved The federation server proxy successfully retrieved its configuration from the Federation Service '%1'.
246 LdapDCConnectionError The Federation Service encountered an error during an attempt to connect to a LDAP server at %1. Additional Data Domain Name: %1 LDAP server hostname: %2 Error from LDAP server: %3 Exception Details: %4 User Action Check the network connectivity to the LDAP server. Also, check whether the LDAP server is configured properly.
247 LdapGCConnectionError The Federation Service encountered an error while connecting to a global catalog server at %1. Additional Data Domain Name: %1 Global Catalog hostname (if available): %2 Error from server (if available): %3 Exception Details: %4 User Action Troubleshoot the network connectivity to the global catalog server. Also, verify that the global catalog server is configured properly.
248 ProxyEndpointsRetrievalError The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at %1. The error message is '%2'. User Action Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.
249 AdditionalCertificateLoadWarning The certificate identified by thumbprint '%1' could not be found in the certificate store. In certificate rollover scenarios, this can potentially cause a failure when the Federation Service is signing or decrypting using this certificate. User Action Ensure that the certificate that is identified by thumbprint '%1' has been added to the Localmachine "My" store and that it is accessible by the service account of the Federation Service.
250 ArtifactExpirationError Expiration of the artifact failed. Additional Data Exception message: %1 User Action Ensure that the artifact storage server is configured properly. Troubleshoot network connectivity to the artifact storage server.
251 AttributeStoreLoadSuccess Attribute store '%1' is loaded successfully.
252 ProxyHttpListenerStartupInfo The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service. Endpoints added: %1 Endpoints removed: %2
253 ProxyHttpListenerStartupError AD FS proxy service failed to start a listener for the endpoint '%1' Exceptiondetails: %2 User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.
258 ConfigurationMissingAssertionConsumerServicesError The relying party '%1' is not configured with SAML Assertion Consumer Services. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure one or more Assertion Consumer Services for this relying party.
259 ConfigurationAssertionConsumerServiceIndexDoesNotMatchError The request specified an Assertion Consumer Service index '%1' that is not configured on the relying party '%2'. Assertion Consumer Service index: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified index for this relying party.
260 ConfigurationAssertionConsumerServiceProtocolBindingDoesNotMatchError The request specified an Assertion Consumer Service protocol binding '%1' that is not configured on the relying party '%2'. Assertion Consumer Service protocol binding: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified protocol binding for this relying party.
261 ConfigurationAssertionConsumerServiceUrlDoesNotMatchError The request specified an Assertion Consumer Service URL '%1' that is not configured on the relying party '%2'. Assertion Consumer Service URL: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.
262 ArtifactResolutionFailed The artifact resolution request failed. Additional Data Exception message: %1
273 ConfigurationAssertionConsumerServiceNotFoundError The request specified an assertion consumer service that is not configured or not supported on the relying party '%4'. Request parameters: '%1', '%2', '%3' Relying party: %4 This request failed. User Action Use the AD FS Management snap-in to configure an assertion consumer service with the specified parameters for this relying party. Also, check whether the artifact resolution service is enabled if the SAML artifact is requested.
274 FsProxyEndpointListenerAccessDeniedError The federation server proxy encountered an error while trying to listen on one of the proxy endpoints. The federation server proxy will not be able to start until it can listen on all required proxy endpoints. Proxy Endpoints: %1 User Action Ensure that the permissions on the URLs of the proxy endpoints allow the federation server proxy security account (the default is Network Service) to listen on them.
275 FsProxySslTrustError The federation server proxy could not establish a trust relationship for the SSL secure channel with the Federation Service %1. Error Message: %2 User Action Ensure that the SSL certificate for Federation Service '%1' is valid and trusted by the federation server proxy.
276 FsProxyServiceNotTrustedOnStsError The federation server proxy was not able to authenticate to the Federation Service. User Action Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet. Additional Data Certificate details: Subject Name: %1 Thumbprint: %2 NotBefore Time: %3 NotAfter Time: %4
277 UnhandledExceptionError The Federation Service encountered an unexpected exception and has shut down. Additional Data Exception details: %1
278 ArtifactResolutionEndpointNotConfiguredError The SAML artifact resolution endpoint is not configured or it is disabled. The artifact resolution service is not started. User Action If the artifact resolution service is required, use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
279 SamlArtifactResolutionClaimsProviderNotFoundError Unable to find a claims provider trust for SAML artifact resolution in the AD FS configuration database. SAML artifact: %1 This request failed. User Action Verify that a claims provider trust exists in the AD FS configuration database. Make sure that the data for the claims provider trust is up to date.
280 ClaimsProviderMissingArtifactServiceError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the artifact resolution service configured. Claims provider trust: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Add the artifact resolution service endpoint to the claims provider trust.
281 SamlArtifactResolutionEndpointNotFoundError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the required artifact resolution endpoint with the specified index configured. Claims provider trust: %1 Required endpoint index: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Use the AD FS Management snap-in to configure the artifact resolution endpoint with the specified index.
282 SamlArtifactResolutionSignatureVerificationFailureAudit Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date using AD FS Management snap-in. Verify that the claims provider trust's certificate is up to date.
283 SamlArtifactResolutionRequestError Unable to resolve the SAML artifact. The artifact resolution request to the claims provider failed. See inner exception for more details. SAML Artifact: %1 Claims provider: %2 Inner exception: %3 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify network connectivity. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
284 SamlArtifactResolutionResponseVerificationError Unable to resolve the SAML artifact. A malformed response was received from the claims provider. See inner exception for more details. SAML artifact: %1 Claims provider: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date.
285 SamlArtifactResolutionBadResponseError The SAML artifact was resolved, but the response is empty or does not contain expected assertions. SAML artifact: %1 Claims provider: %2 This request failed. User Action For more information, contact the claims provider.
286 ArtifactStorageConnectionOpenError Cannot connect to the artifact database. Connection string: %1 Error message: %2 User Action Ensure that the artifact database is configured properly. Use the Set-ADFSProperties cmdlet with the ArtifactDbConnection parameter in the Windows PowerShell for AD FS to modify the connection string, if necessary. Troubleshoot the connectivity to the artifact storage .
287 ArtifactStorageAddError Cannot add the artifact to the artifact database. See exception message for more details. Artifact ID: %1 Inner exception details: %2 User Action Ensure that the artifact database is configured properly. Troubleshoot the connectivity to the artifact database.
288 ArtifactStorageGetError Cannot get the artifact from storage. See exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
289 ArtifactStorageRemoveError Cannot remove the artifact from storage. See inner exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
290 ArtifactStorageExpireError Cannot set expiration for the artifacts in storage. See inner exception message for more details. Inner exception details: %1 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
291 ArtifactServiceStartupException The artifact resolution service could not be started. Additional Data Exception details: %1 User Action Make sure artifact resolution service is properly configured.
292 ArtifactResolutionServiceSignatureVerificationFailureAudit The Artifact Resolution Service could not verify request signature. Additional Data Exception details: %1
293 ArtifactRequestedButDisabledError A SAML request for the required artifact was rejected because the artifact resolution service is not enabled. Relying party: %1 This request failed. User Action Enable the artifact resolution service. Use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
294 ArtifactResolutionServiceIdentityNotFoundError The SAML artifact resolution request specified an issuer that is not configured for the relying party. Relying party: %1 Artifact resolution request issuer: %2 This artifact resolution request failed. User Action Ensure that the relying party is configured properly using the AD FS Management snap-in.
296 ArtifactResolutionServiceNoSignatureFailureAudit A SAML artifact resolution request was received without a signature. Request issuer: %1 This artifact resolution request failed.
297 ArtifactResolutionServiceBadEndpointIndexError The SAML artifact resolution request required an artifact resolution service endpoint with an index that is not configured. Endpoint index: %1 Configured endpoint index: %2 This artifact resolution request failed.
299 TokenIssuanceSuccessAudit A token was successfully issued for the relying party '%3'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any. Instance ID: %1 Activity ID: %2 Relying party: %3
300 WSTrustRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request. Activity ID: %1 Request type: %2 Additional Data Exception details: %3
301 ActAsAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' as the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
302 ActAsAuthorizationError The Federation Service could not authorize token issuance for caller '%2' as subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Relying party: %4 Exception details: %5 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to act as the subject to the relying party.
303 SamlRequestProcessingError The Federation Service encountered an error while processing the SAML authentication request. Additional Data Exception details: %1
304 SamlRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the SAML authentication request. Additional Data Activity ID: %1 Exception details: %2
305 LdapDCServerError The Federation Service encountered an error while querying a LDAP server at %1. Additional Data Domain name: %1 LDAP server hostname (if available): %2 Error from LDAP server (if available): %3 Exception Details: %4
306 LdapGCServerError The Federation Service encountered an error while querying a global catalog server at %1. Additional Data Domain name: %1 Global catalog server hostname (if available): %2 Error from server (if available): %3 Exception Details: %4
307 ConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %2 Account: %3 See audit 510 with the same Instance ID for change details. Additional Data Instance ID: %1 Security ID: %2 Account: %3
308 ConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error: %1 Subject: Security ID: %2 Account: %3
309 WmiConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %1 Account: %2 Old Value: %3 New Value: %4
310 WmiConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error : %1 Subject: Security ID: %2 Account: %3 Current Value: %4 Attempted Change: %5
311 PerformanceCounterFailure An attempt to update AD FS performance counters failed. Additional Data Exception details: %1
315 ClaimsProviderSigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate. Claims provider trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
316 RelyingPartySigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party signing certificate. Relying party trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
317 RelyingPartyEncryptionCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party encryption certificate. Relying party trust's encryption certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
319 ClientCertificateCrlCheckFailure An error occurred while the certificate chain for the client certificate identified by thumbprint '%1' was being built. The certificate chain could not be built. The certificate has been revoked, the certificate chain could not be verified as specified by the encryption certificate revocation settings or certificate is not within its validity period. You can use the Set-ADFSProperties cmdlet with the ProxyCertRevocationCheck parameter in Windows PowerShell for AD FS to configure the client certificate revocation settings. Client Certificate Revocation Settings: %2 The following errors occurred while building the certificate chain: %3 User Action: Ensure that the client certificate is valid and has not been revoked. Ensure that the Federation Service can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
320 SamlProtocolSignatureVerificationError The verification of the SAML message signature failed. Message issuer: %1 Exception details: %2 This request failed. User Action Verify that the message issuer configuration in the AD FS configuration database is up to date. Configure the signing certificate for the specified issuer. Verify that the issuer's certificate is up to date. Verify the issuer and server message signing requirements.
321 InvalidNameIdPolicyError The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: %1 Name identifier format: %2 SPNameQualifier: %3 Exception details: %4 This request failed. User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
322 OnBehalfOfAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' on behalf of the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
323 OnBehalfOfAuthorizationError The Federation Service could not authorize token issuance for the caller '%2' on behalf of the subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Exception details: %5 User Action Use the Windows PowerShell Get-ADFSClaimsProviderTrust or Get-ADFSRelyingPartyTrust cmdlet to ensure the caller is authorized on behalf of the subject to the relying party.
324 CallerAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for caller '%3' to relying party '%4'. See audit 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %4
325 CallerAuthorizationError The Federation Service could not authorize token issuance for caller '%2'. The caller is not authorized to request a token for the relying party '%3'. See event 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Relying party: %3 Exception details: %4 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
326 ClaimsPolicyInvalidPolicyTypeError Failed to load the AD FS claims policy engine using policy type '%1' User Action Make sure AD FS is installed correctly.
327 SamlSingleLogoutError An error occurred during processing of the SAML logout request. Additional Data Caller identity: %1 Logout initiator identity: %2 Error message: %3 Exception details: %4 User Action Ensure that the single logout service is configured properly for this relying party trust or claims provider trust in the AD FS configuration database.
328 SamlArtifactResolutionNoAssertion The SAML artifact resolution request was resolved, but the response does not contain the expected assertions. Additional Data: SAML artifact: %1 Status code: %2 SubStatus code: %3 Status message: %4 This request failed. User Action Contact the claims provider for more information.
329 AdditionalBlobCertificateLoadWarning The certificate that is identified by thumbprint '%1' could not be decrypted using the keys for X.509 certificate private key sharing. Additional Data: X.509 certificate private key sharing diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the specified distinguished name in the diagnostic information above for X.509 certificate private key sharing.
331 CertificateManagementDecryptionError The certificate management service encountered an error during decryption of the keys. storeName: %2 storeLocation: %1 x509FindType: %4 findValue: %3 Additional Data: X.509 certificate private key sharing diagnosis: %5 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis for X.509 certificate private key sharing above.
332 CertificateManagementEncryptionError The certificate management service encountered an error during encryption of the keys. Subject: %1 Diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis above for X.509 certificate private key sharing.
333 CertificateManagementConfigurationError The certificate management service encountered an error during database access. Additional Data: Diagnosis: %1 User Action Confirm that the SQL store is online.
334 CertificateManagementWarning Certificate rollover service needs to rollover %1 certificates urgently. Partners will not be able to apply the update in time.
335 CertificateManagementInfo %1
336 CertificateManagementInitiated The certificate management cycle was initiated.
337 CertificateManagementComplete The certificate management cycle was completed.
338 CertificateManagementGenericError An error was encountered during certificate rollover. The monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
339 CertificateManagementInitiationError An error occurred during initialization of certificate rollover. Certificates will not be rolled over. Additional Data Exception details: %1
340 ArtifactResolutionSuccessAudit An SAML artifact resolution request was successfully resolved for the relying party '%1'. Relying party: %1 SAML artifact: %2
341 SecurityTokenNotYetValidError The NotBefore attribute for the token has a value that is set to a future time. See inner exception for more details. Additional Data Token Type: %1 Exception details: %2 This request failed. User Action Verify that system clock is synchronized.
342 SecurityTokenValidationError Token validation failed. Additional Data Token Type: %1 %Error message: %2 Exception details: %3
343 ConfigurationDatabaseSynchronizationInitiationError There was an error during initialization of synchronization. Synchronization of data from the primary federation server to the secondary federation server will not occur. Additional Data Exception details: %1
344 ConfigurationDatabaseSynchronizationSyncError There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional data Exception details: %1 User Action Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.
345 ConfigurationDatabaseSynchronizationCommunicationError There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional Data Master Name : %1 Endpoint Uri : %2 Exception details: %3
346 ConfigurationDatabaseReadOnlyTransferError There was an error during retrieving the configuration data for the secondary federation server. Additional Data Exception details: %1
348 ConfigurationDatabaseSynchronizationCompleted Synchronization of configuration data from the primary federation server '%1' is completed. %2 objects were added. %3 objects were deleted.
349 FsAdministrationServiceStart The administration service for the Federation Service started successfully. You can now use the Windows Powershell commands for AD FS to modify the Federation Service configuration. The following service hosts have been added: %1
351 PolicyStoreSynchronizationPropertiesGetError There was an error getting synchronization properties. Additional Data Exception details: %1
352 ConfigurationDatabaseSqlError A SQL operation in the AD FS configuration database with connection string %1 failed. Additional Data Exception details: %2
353 SamlArtifactResolutionSignatureVerificationError Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 Exception details: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify that the claims provider trust's signing certificate is up to date.
354 ArtifactResolutionServiceSignatureVerificationError The artifact resolution service could not verify the request signature. Additional Data Exception details: %1 User action: Verify that the relying party trust in the AD FS configuration database is up to date. Configure the relying party certificate for request signing. Verify that relying party certificate is up to date.
356 SqlNotificationRegistrationError Failed to register notification to the SQL database with the connection string %1 for cache type '%2'. Changes to settings may not take effect until the Federation Service restarts. Additional Data Exception details: %3
357 SqlNotificationRegistrationResumption Successfully registered notification to the SQL database with the connection string %1.
358 ServiceHostRestart Restarting %1. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.
359 ServiceHostRestartError An error occurred during an attempt to restart %1. Additional Data Exception details: %2 User Action Restart the Federation Service to recover from the error.
360 ClientCertificateNotPresentOnProxyEndpointError A request was made to a certificate transport endpoint, but the request did not include a client certificate. This could be because the root CA certificate that issued the client certificate is not in the Trust CA certificate store or because the client certificate is expired. User Action: Ensure that the CA that issued the client certificate in this request has its certificate in the Trusted Root Certificate Authority store on the Local Computer. Ensure that the client certificate is not expired.
362 WSFederationPassiveSignOutError Encountered error during federation passive sign-out. Additional Data Exception details: %1
363 WSFederationPassiveServiceCommunicationError A communication error occurred during an attempt to get a token from the Federation Service. Make sure that the Federation Service is running. Additional Data Exception details: %1
364 WSFederationPassiveRequestFailedError Encountered error during federation passive request. Additional Data Protocol Name: %1 Relying Party: %2 Exception details: %3
365 RelyingPartyNotEnabled A token request was received for the relying party '%1', but the request could not be fulfilled because the relying party trust is not enabled. Relying party: %1 This request failed. User Action If this relying party trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
366 ClaimsProviderNotEnabled A token was received from claims provider '%1', but the token could not be validated because the claims provider trust is not enabled. Claims provider: %1 This request failed. User Action If this claims provider trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
367 AudienceUriValidationFailed The audience restriction was not valid because the specified audience identifier is not present in the acceptable identifiers list of this Federation Service. User Action See the exception details for the audience identifier that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell for AD FS. Note that the audience identifier is used to verify whether the token was sent to this Federation Service. If you think that the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list may open a security vulnerability in your system. Additional Data Token Type: %1 Exception details: %2
368 SamlLogoutNameIdentifierNotFoundError The SAML Single Logout request does not correspond to the logged-in session participant. Requestor: %1 Request name identifier: %2 Logged-in session participants: %3 This request failed. User Action Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
369 WSFederationPassiveTtpRequestError Processing TTP request failed with the following exception. Additional Data Exception details: %1 User Action Ensure that user has enabled cookies in browser settings.
370 WSFederationPassiveTtpResponseError Incoming TTP response is not valid. Processing response failed with following exception. Additional Data Exception details: %1 User Action Ensure that partner federation provider is configured properly to send valid TTP response.
371 AuthorityCertificateResolveError Cannot find certificate to validate message/token signature obtained from claims provider. Claims provider: %1 This request failed. User Action Check that Claim Provider Trust configuration is up to date.
372 WeakSignatureAlgorithmError Authentication Failed. The token used to authenticate the user is signed using a weaker signature algorithm than expected. Additional Data Token Type: %1 Issuer: %2 Actual token signature algorithm: %3 Expected token signature algorithm: %4 User Action Check that Claim Provider is configured to accept tokens with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
373 ArtifactResolutionServiceWeakSignatureAlgorithmError The artifact request from the replying party is signed with a weaker signature algorithm. Additional Data Relying party identity: %1 Actual message signature algorithm: %2 Expected message signature algorithm: %3 User action: Check that relying party is configured to accept artifact resolution request with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
374 AuthorityEncryptionCertificateCrlCheckFailure An error occurred while building the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. The certificate chain could not be built, the certificate has been revoked, or the certificate chain could not be verified as specified by the claims provider trust's encryption certificate revocation settings. AD FS powershell commands can be used to configure the claims provider trust encryption certificate revocation settings. Claims Provider Trust Encryption Certificate Revocation Settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
375 PolicyStoreSynchronizationInitiated Policy store synchronization initiated.
376 SqlAttributeStoreQueryExecutionError An Error occurred while executing a query in SQL attribute store. Additional Data Connection information: %1 Query: %2 Parameters: %3 User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the connection string to the SQL attribute store is valid. Make sure that the SQL attribute store can be reached by the connection string and the SQL attribute store exists. Verify that the SQL query and parameters are valid. Exception details: %4
377 AttributeStoreError A processing error occurred in an attribute store. User Action Exception details: %1
378 SAMLRequestUnsupportedSignatureAlgorithm SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm %1 . Expected signature algorithm is %2 User Action: Verify that signature algorithm for the partner is configured as expected.
379 InvalidIssuanceInstantError A security token was rejected as the specified IssueInstant was before the allowed time frame. Token Type: %1 User Action: To allow tokens for a larger timeframe, use the AD FS PowerShell commands to adjust the value of the ReplayCacheExpirationInterval.
380 BadConfigurationIdentityCertificateNotValid During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was configured could not be used. The certificate has been revoked, the certificate chain could not be verified or certificate is not within its validity period. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Verify whether the certificate chain for the certificate configured has been revoked by its certificate authority. If the certificate has been revoked or expired, the AD FS service must be issued a new certificate.
381 AdditionalCertificateValidationFailure An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '%1'. Possible causes are that the certificate has been revoked or certificate is not within its validity period. The following errors occurred while building the certificate chain: %2 User Action: Ensure that the certificate is valid and has not been revoked or expired.
382 SynchronizationThresholdViolation AD FS detected that the Federation Service has more than %1 %2 trusts configured and that the data in the AD FS configuration database for this Federation Service is stored and synchronized using Windows Internal Database technology. The overall performance of data synchronization between configuration databases that are stored locally on federation servers across the farm will degrade as you add more than %1 trusts when you use the Windows Internal Database to store the AD FS configuration database. User Action: To improve synchronization performance across your federation server farm, we recommend that you migrate the data in the AD FS configuration database to SQL server. For more information about how to do this, see AD FS Operations Guide (http://go.microsoft.com/fwlink/?LinkId=181189).
383 WSFederationPassiveWebConfigMalformedError The Web request failed because the web.config file is malformed. User Action: Fix the malformed data in the web.config file. Exception details: %1
384 WSFederationPassiveInvalidValueInWebConfigError The request to the Federation Service failed because the web.config file has an invalid configuration for '%1' that the Federation Service does not support. User Action: Ensure that the configuration of the property '%1' is supported by the Federation Service.
385 ConfigurationHasExpiredCertsWarning AD FS detected that one or more certificates in AD FS configuration database need to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
386 ConfigurationHealthyCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are due to expire.
387 CertPrivateKeyInaccessibleError AD FS detected that one or more of the certificates specified in the Federation Service were not accessible to the service account used by the AD FS Windows Service. User Action: Ensure that the AD FS service account has read permissions on the certificate private keys. Additional Details: %1
388 CertPrivateKeyAccessibleInfo AD FS detected that all the service certificates have appropriate access given to the AD FS service account.
389 TrustsHaveExpiredCertsWarning AD FS detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
390 TrustsHaveHealthyCertsInfo AD FS detected that none of the partner certificates that are configured to be managed by the administrator are due to expire.
391 FsProxyTrustTokenRetrievalSuccess The federation server proxy was able to successfully establish a trust with the Federation Service.
392 FsProxyTrustTokenRenewalSuccess The federation server proxy was able to renew its trust with the Federation Service.
393 FsProxyTrustTokenRetrievalError The federation server proxy could not establish a trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached.
394 FsProxyTrustTokenRenewalError The federation server proxy could not renew its trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer.
395 ProxyTrustTokenIssuanceSuccess The trust between the federation server proxy and the Federation Service was established successfully using the account '%1'. Proxy trust id: %2.
396 ProxyTrustTokenRenewalSuccess The trust between the federation server proxy and the Federation Service was renewed successfully.
397 HttpProxyConfigurationInfo The federation server loaded the HTTP proxy configuration from WinHTTP settings. HTTP Proxy: %1 HTTPS Proxy: %2 Bypass proxy for local addresses: %3 Bypass proxy for addresses: %4 To learn more about how to set the HTTP proxy settings for the federation server, see http://go.microsoft.com/fwlink/?LinkId=182180.
398 ConfigurationHasArchivedCertsWarning AD FS detected that one or more certificates in the AD FS configuration database need to be updated manually because they are archived. Additional Details: %1
399 ConfigurationHealthyUnarchivedCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are archived.
400 GiveUserVSSAccess VSS writer permissions have been granted to user %1.
401 RevokeUserVSSAccess VSS writer permissions have been revoked from user %1.
402 CertificateClaimUnknownError Failed to add some of the certificate claims.
403 RequestReceivedSuccessAudit An HTTP request was received. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 HTTP Method: %4 Url Absolute Path: %5 Query string: %6 Local Port: %7 Local IP: %8 User Agent: %9 Content Length: %10 Caller Identity: %11 Certificate Identity (if any): %12 Targeted relying party: %13 Through proxy: %14 Proxy DNS name: %15
404 ResponseSentSuccessAudit An HTTP response was dispatched with: Activity ID: %1 Response Details: Date And Time: %2 Status Code: %3 Status Description: %4
405 PasswordChangeSuccessAudit Password change succeeded for following user: Activity ID: %1 User: %2 Device Certificate: %3 Device ID: %4 Device Name: %5 Server on which password change was attempted: %6
406 PasswordChangeFailureAudit Password change failed for following user: Additional Data Activity ID: %1 User: %2 Device Certificate: %3 Server on which password change was attempted: %4 Client IP: %6 Error details: %5
407 PasswordChangeError Password change failed for following user: Additional Data User: %1 Device Certificate: %2 Server on which password change was attempted: %3 Error details: %4
408 DeviceAuthenticationFailureAudit Device authentication failed for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Error Message: %8
409 DeviceAuthenticationSuccessAudit Device authentication successful for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Registered owner's sid: %8 Is current User registered: %9
410 RequestContextHeadersSuccessAudit Following request context headers present : Activity ID: %1 %2: %3 %4: %5 %6: %7 %8: %9 %10: %11 %12: %13
411 SecurityTokenValidationFailureAudit Token validation failed. See inner exception for more details. Additional Data Activity ID: %1 Token Type: %2 Client IP: %5 Error message: %3 Exception details: %4
412 AuthenticationSuccessAudit A token of type '%3' for relying party '%4' was successfully authenticated. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2
413 CallerIdFailureAudit An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Caller: %2 OnBehalfOf user: %3 ActAs user: %4 Target Relying Party: %5 Device identity: %6 Client IP: %7 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
414 InvalidMsisHttpRequestAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Target Relying Party: %2 Is Application Proxy Configured: %3 Is Request From the Extranet: %4 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
415 UnregisteredDrsUpnSuffixes %1
416 WebConfigurationError Web configuration error: %1
417 CertificateClaimError Unable to add the certificate claim %1.
420 StsProxyTrustTokenEstablishmentAuditSuccess The trust between the federation server proxy and the Federation Service was successfully established. Additional Data User: %1 Server from which request was made: %2 Certificate Thumbprint: %3
421 StsProxyTrustTokenEstablishmentAuditFailure The trust between the federation server proxy and the Federation Service could not be established. Additional Data User: %1 Server from which request was made: %2
422 FsProxyConfigurationRetrievalFailure Unable to retrieve proxy configuration data from the Federation Service. Additional Data Trust Certificate Thumbprint: %1 Status Code: %2 Exception details: %3
423 FsProxyConfigurationRetrievalSuccess Successfully retrieved proxy configuration data from the Federation Service
424 ClientCertNotTrustedOnStsAuditFailure The federation server proxy was not able to authenticate the client certificate presented in the request. Activity ID: %1 Client certificate thumbprint: %2 Client certificate subject name: %3 Inner exception: %4 User Action Ensure that the request is using the certificate used to establish the trust between the Federation Server Proxy and the Federation Service.
425 ApplicationProxyConfigurationStoreChangeAuditSuccess The following update was successful to the application proxy store on the federation server. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6
426 ApplicationProxyConfigurationStoreChangeAuditFailure The following update attempt to the application proxy store on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6 Error information: %7
427 ApplicationProxyTrustUpdateAuditSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4
428 ApplicationProxyTrustUpdateAuditFailure The following update attempt to the application proxy relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4 Error information: %5
429 RelyingPartyTrustUpdateAuditSuccess The following update attempt to the relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal Url: %5 External Url: %6 Published identifier: %7
430 RelyingPartyTrustUpdateAuditFailure The following update attempt to the relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal url: %5 External url: %6 Published identifier: %7 Error information: %8
431 ActiveRequestRSTSuccessAudit An active request was received at STS with RST containing: Activity ID: %1 RST Details: KeySize: %2 KeyType: %3 RequestType: %4 TokenType: %5 SignatureAlgorithm: %6
432 ProxyConfigurationEndpointError Error handling request from proxy at %1 Additional Data Exception details: %2
500 IssuedIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Issued identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
501 CallerIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Caller identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
502 OnBehalfOfUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 OnBehalfOf identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
503 ActAsUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 ActAs identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
504 ApplicationProxyConfigurationStoreChangeSuccess The following update was successful to the application proxy store on the federation server. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5
505 ApplicationProxyConfigurationStoreChangeFailure The following update attempt to the application proxy store on the federation server failed. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5 Error information: %6
506 ApplicationProxyTrustUpdateSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Identifier: %3
507 ApplicationProxyTrustUpdateFailure The following update attempt to the application proxy relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Identifier: %3 Error information: %4
508 RelyingPartyTrustUpdateSuccess The following update attempt to the relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal Url: %4 External Url: %5 Published identifier: %6
509 RelyingPartyTrustUpdateFailure The following update attempt to the relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal url: %4 External url: %5 Published identifier: %6 Error information: %7
510 LongText More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Details: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
511 InvalidMsisHttpSigninRequestFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Examine the Federation Service configuration and take the following actions: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
512 ExtranetLockoutAccountThrottledAudit The account for the following user is locked out. A login attempt is being allowed due to the system configuration. Additional Data Activity ID: %1 User: %2 Client IP: %3 Bad Password Count: %4 nLast Bad Password Attempt: %5
513 ArtifactRestEndpointRequestFailureAudit The Artifact REST service failed to return an artifact as a result of an error during processing. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3 Exception details: %4
514 ArtifactRestEndpointRequestSuccessAudit The Artifact REST service successfully returned an artifact. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3
515 ExtranetLockoutUserThrottleTransitionAudit The following user account was in a locked out state and the correct password was just provided. This account may be compromised. Additional Data Activity ID: %1 User: %2 Device Certificate: %3 Client IP: %4
516 ExtranetLockoutAccountRestrictedAudit The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: %1 User: %2 Client IP: %3 nBad Password Count: %4 nLast Bad Password Attempt: %5
517 TargetRelyingPartyPublishedButAppProxyDisabledFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Verify that either an enabled web application proxy relying party trust exists in your Federation Service configuration or that the target relying party trust object is not published through a web application proxy.
518 TargetRelyingPartyPublishedButAppProxyDisabledFailureAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
519 PrimayServerRequestHandlerResponseSuccessAudit A successful response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to the events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 IP address from which the request originated: %5
520 PrimayServerRequestHandlerResponseFailureAudit An error response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to error or warning events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 WebException response code: %5 IP address from which the request originated: %6
1000 CallerId An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Caller: %1 OnBehalfOf user: %2 ActAs user: %3 Target Relying Party: %4 Device identity: %5 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
1020 OAuthAuthorizationRequestFailedError Encountered error during OAuth authorization request. Additional Data Exception details: %1
1021 OAuthTokenRequestFailedError Encountered error during OAuth token request. Additional Data Exception details: %1
1022 OAuthAuthorizationCodeIssuanceSuccessAudit An OAuth authorization code was successfully issued to client '%5'. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7 User Identity: %8 Device Identity: %9
1023 OAuthAccessTokenIssuanceSuccessAudit An OAuth access token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1024 OAuthRefreshTokenIssuanceSuccessAudit An OAuth refresh token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1025 OAuthAuthorizationCodeIssuanceFailureAudit The Federation Service failed to issue an OAuth authorization code as a result of an error during processing of the OAuth authorization code request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1026 OAuthAccessTokenIssuanceFailureAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth access token request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1027 OAuthAccessTokenResponseIssuanceSuccessAudit An OAuth access token response was successfully issued to client '%5' for the relying party '%7'. See audit 1023 with the same authorization code ID for issued access token. In an AD FS farm setup, this audit may be found on another farm node. See audit 1024 with the same authorization code ID for the refresh token if it is issued. In an AD FS farm setup, this audit may be found on another farm node. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7
1100 RestEndpointAuthorizationFailureError The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Exception details: %1
1101 RestEndpointAuthorizationFailureAudit The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Exception details: %4
1102 RestEndpointAuthorizationSuccessAudit The Federation Service authorized a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Additional details: %4
ID Event Name Event Description
100 FsServiceStart The Federation Service started successfully. The following service hosts have been added: %1
102 StartupException There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Additional Data Exception details: %1
103 FsServiceStop The Federation Service stopped successfully.
104 ArtifactServiceNotRunningForReplayDetectionCheck The artifact resolution service is not running. The service must be running to perform token replay detection. User Action Make sure that the artifact resolution service is configured properly. Or disable token replay detection by using the Set-ADFSProperties cmdlet with the PreventTokenReplays parameter in Windows PowerShell for AD FS.
105 AuthMethodLoadError An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Identifier: %1 Context: %2 Additional Data Exception details: %3
106 AuthMethodLoadSuccess An authentication provider was successfully loaded: Identifier: '%1', Context: '%2'
111 WsTrustRequestProcessingError The Federation Service encountered an error while processing the WS-Trust request. Request type: %1 Additional Data Exception details: %2
131 BadConfigurationFormatError During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The configured value '%2' could not be parsed as type '%3'. Element: %1 Value: %2 Type: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Correct the specified configuration element to conform to the given type.
132 BadConfigurationValueMissing During processing of the Federation Service configuration, the required element '%1' was missing. Element: %1 The Federation Service will not be able to start until this configuration element is configured. User Action Configure the specified configuration element using the AD FS Management snap-in.
133 BadConfigurationIdentityCertificateHasNoPrivateKey During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 storeName: %4 storeLocation: %5 Federation Service identity: %6 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following: (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file. (2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above. (3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option. (4) The Federation Service identity '%6' has not been granted read access to the certificate's private key. User Action If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file). If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into. If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option. If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.
134 BadConfigurationCertificateNotFound During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' could not be found. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition occurs when the findValue that is specified does not match any certificate in the specified store. Common causes for this condition include the following: (1) The certificate with the specified findValue is from a store that is different from the configured store. (2) The certificate was deleted from the store after configuration. User Action If the certificate exists in a different store, find the location using the certificates snap-in and correct the configuration appropriately. If the certificate has been deleted, configure a different certificate.
135 BadConfigurationMultipleCertificatesMatch During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' was not unique. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is more than one certificate that matches the findValue. User Action If the certificate was identified by name and there are multiple certificates of the same name, configure the certificate using the certificate thumbprint.
136 ConfigurationErrorsException During processing of the Federation Service configuration, the Federation Service encountered a configuration error. %1 Additional Data %2 The Federation Service will not be able to start until this error has been corrected. User Action Correct the specified configuration error using the AD FS Management snap-in.
143 UnableToCreateFederationMetadataDocument The Federation Service was unable to create the federation metadata document as a result of an error. Document Path: %1 Additional Data Exception details: %2
144 RequestBlocked The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy. This could point to a DNS misconfiguration, a partially configured application published through the proxy, or a malicious request. Url Path: %1
147 InvalidClaimsProviderError A token was received from a claims provider identified by the key '%1', but the token could not be validated because the key does not identify any known claims provider trust. Key: %1 This request failed. User Action If this key represents the certificate thumbprint of a claims provider trust, verify that it matches the signing certificate of the claims provider trust in the AD FS configuration database.
149 AttributeStoreLoadFailure During processing of the Federation Service configuration, the attribute store '%1' could not be loaded. Attribute store type: %2 User Action If you are using a custom attribute store, verify that the custom attribute store is configured using AD FS Management snap-in. Additional Data %3
155 MetadataListenerError The Federation Service was unable to listen at '%1' for metadata document requests due to an unexpected error. Additional Data %Exception details: %2
156 TrustMonitoringInitiated Trust monitoring cycle initiated.
157 TrustMonitoringComplete Trust monitoring cycle completed.
159 TrustMonitoringConfigurationDatabaseWriteError The Federation Service encountered an error while writing to the following object in the configuration database. Object Type: %1 Name: %2 Metadata document URL: %3 Additional Data Exception details: %4 Additional details: %5
163 TrustMonitoringInitiationError An error occurred during initialization of trust monitoring. Trust monitoring against the published partner configuration will be disabled for the lifetime of this service. Additional Data Exception details: %1 User Action If you want to try to start the trust monitoring service again, restart the Federation Service.
164 TrustMonitoringConfigurationDatabaseError An error occurred during a read operation from the configuration database. Trust monitoring was shut down and will be tried again after an amount of time that corresponds to the trust monitoring interval. Additional Data Exception details: %1 Additional details: %2
165 TrustMonitoringGenericError An error occurred during trust monitoring. The trust monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
166 TrustMonitoringMetadataFormatError Trust monitoring service encountered an error while parsing the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
167 TrustMonitoringMetadataProcessingError Trust monitoring service encountered an error while applying the data in the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
168 TrustManagementMetadataRequestError The Federation Service encountered an error while retrieving the federation metadata document from '%1'. The monitoring for the following trusts failed: Claims providers: %2 Relying parties: %3 Additional Data Exception details: %4 Additional details: %5 User Action Make sure federation metadata URL is accessible. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
171 SuccessfulAutoUpdate The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes.
173 SuccessfulAutoUpdateWithWarning The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes. Additional Data Warnings: %2
174 AutoUpdateSkippedWithWarning Trust monitoring service detected changes in policy of '%1', but did not automatically apply the changes on the trust partner. Additional Data Warnings: %2
180 MinorVersionUpgradeError An error occurred while upgrading FarmBehaviorLevel '%1' from Minor Version '%2' to Minor Version '%3'. Additional Data Exception details: %4
184 InvalidRelyingPartyError A token request was received for a relying party identified by the key '%1', but the request could not be fulfilled because the key does not identify any known relying party trust. Key: %1 This request failed. User Action If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
186 PolicyDuplicateNameIdentifier The Federation Service could not fulfill the token-issuance request. More than one claim based on SamlNameIdentifierClaimResource was produced after the issuance See event 500 with the same Instance ID for claims after application of issuance transform rules. Additional Data Instance ID: %1 User Action Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.
193 PolicyUnknownAuthenticationTypeError The Federation Service could not satisfy a token request because the relying party requested an unknown authentication type. Comparison type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed. User Action Use the AD FS PowerShell commands to configure the authentication context order property. Ensure that the relying party is configured to request the correct authentication type.
197 ConfigurationInvalidAuthenticationTypeError The Federation Service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of '%2' for the relying party '%3'. Authentication type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed.
198 FsProxyServiceStart The federation server proxy started successfully.
199 ProxyStartupException The federation server proxy could not be started. Reason: %1 Additional Data Exception details: %2
200 FsProxyServiceStop The federation server proxy stopped successfully.
201 ServiceHostOpenAddressAccessDeniedError The Federation Service %1 encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL. The %1 could not be opened. User Action Ensure that a valid ACL for each of the URLs has been configured on this computer. Additional Data Exception details: %2
202 ServiceHostOpenError The Federation Service %1 could not be opened. Additional Data Exception details: %2
203 ServiceHostAbortError The Federation Service %1 could not be shut down properly. Additional Data Exception details: %2
204 ServiceHostCloseError The Federation Service %1 could not be closed. Additional Data Exception details: %2
206 EmptyOrMissingWSFederationPassiveEndpoint The Federation Service could not fulfill the token-issuance request because the relying party '%1' is missing a WS-Federation Passive endpoint address. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure a WS-Federation Passive endpoint on this relying party.
207 FailureWritingToAuditLog An attempt to write to the Security event log failed. Additional Data Windows error code: %1 Exception details: %2
208 InsufficientPrivilegesWritingToAuditLogError An error occurred during an attempt to register the event source for the Security log. User Action Ensure that the Federation Service has the correct permissions to write to the Security log.
209 AuditLogEventSourceCouldNotBeRegisteredError The Security log event source for the Federation Service could not be registered. Additional Data Windows error code: %1 Exception details: %2
215 FsProxyNoEndpointsConfigured The Federation Service at '%1' did not return any WS-Trust endpoints to be published by the federation server proxy. User Action If you want to publish WS-Trust endpoints to the federation server proxy, make sure that the endpoints are enabled for proxy use on the federation server.
217 BindingConfigurationError A WS-Trust endpoint that was configured could not be opened. Additional Data Address: %1 Mode: %2 Error: %3
218 FsProxyServiceConnectionFailedServiceUnavailable The federation server proxy received error code '%2' while making a request to the Federation Service at '%1'. This could mean that the Federation Service is not started on the remote host. User Action Verify that the Federation Service is running on the remote host.
220 ServiceConfigurationInitializationError The Federation Service configuration could not be loaded correctly from the AD FS configuration database. Additional Data Error: %1
221 ServiceConfigurationReloadError A change to the token service configuration was detected, but there was an error reloading the changes to configuration. Additional Data Error: %1
222 FsProxyServiceConnectionFailedTimeout The federation server proxy was unable to complete a request to the Federation Service at address '%1' because of a time-out. This might mean that the Federation Service is currently unavailable. User Action Verify that the Federation Service is running.
223 ClaimDescriptionReloadError Claim description could not be loaded correctly from the database. Additional Data Error: %1
224 ProxyConfigurationRefreshError The federation server proxy configuration could not be updated with the latest configuration on the federation service. Additional Data Error: %1
230 ProxyCongestionWindowMinimumSize The federation server proxy has detected congestion, caused by high latency response times, on the Federation Service. The load might be above the Federation Service operating capacity, or there might be network connectivity issues. Request throttling has been enforced to limit the number of concurrent requests to the following size: %1. User Action Verify that the Federation Service is operating within its operating capacity. Verify that the Federation Service is not experiencing network outages.
238 AttributeStoreFindDCFailedError The Federation Service failed to find a domain controller for the domain %1. Additional Data Domain Name: %1 Error: %2 User Action Use Nltest to determine why DC locator is failing. Nltest is part of the Windows Support Tools.
244 MetadataExchangeListenerError The Federation Service was unable to listen at '%1' for WS-MetadataExchange requests due to an unexpected error. Additional Data %Exception details: %2
245 ProxyConfigurationRefreshSuccess The federation server proxy successfully retrieved and updated its configuration from the Federation Service '%1'.
246 LdapDCConnectionError The Federation Service encountered an error during an attempt to connect to a LDAP server at %1. Additional Data Domain Name: %1 LDAP server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from LDAP server (if available): %7 Exception Details: %8 User Action Check the network connectivity to the LDAP server. Also, check whether the LDAP server is configured properly.
247 LdapGCConnectionError The Federation Service encountered an error while connecting to a global catalog server at %1. Additional Data Domain Name: %1 Global Catalog hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from server (if available): %7 Exception Details: %8 User Action Troubleshoot the network connectivity to the global catalog server. Also, verify that the global catalog server is configured properly.
248 ProxyEndpointsRetrievalError The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at %1. The error message is '%2'. User Action Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.
249 AdditionalCertificateLoadWarning The certificate identified by thumbprint '%1' could not be found in the certificate store. In certificate rollover scenarios, this can potentially cause a failure when the Federation Service is signing or decrypting using this certificate. User Action Ensure that the certificate that is identified by thumbprint '%1' has been added to the Localmachine "My" store and that it is accessible by the service account of the Federation Service.
250 ArtifactExpirationError Expiration of the artifact failed. Additional Data Exception message: %1 User Action Ensure that the artifact storage server is configured properly. Troubleshoot network connectivity to the artifact storage server.
251 AttributeStoreLoadSuccess Attribute store '%1' is loaded successfully.
252 ProxyHttpListenerStartupInfo The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service. Endpoints added: %1 Endpoints removed: %2
253 ProxyHttpListenerStartupError AD FS proxy service failed to start a listener for the endpoint '%1' Exceptiondetails: %2 User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.
258 ConfigurationMissingAssertionConsumerServicesError The relying party '%1' is not configured with SAML Assertion Consumer Services. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure one or more Assertion Consumer Services for this relying party.
259 ConfigurationAssertionConsumerServiceIndexDoesNotMatchError The request specified an Assertion Consumer Service index '%1' that is not configured on the relying party '%2'. Assertion Consumer Service index: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified index for this relying party.
260 ConfigurationAssertionConsumerServiceProtocolBindingDoesNotMatchError The request specified an Assertion Consumer Service protocol binding '%1' that is not configured on the relying party '%2'. Assertion Consumer Service protocol binding: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified protocol binding for this relying party.
261 ConfigurationAssertionConsumerServiceUrlDoesNotMatchError The request specified an Assertion Consumer Service URL '%1' that is not configured on the relying party '%2'. Assertion Consumer Service URL: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.
262 ArtifactResolutionFailed The artifact resolution request failed. Additional Data Exception message: %1
273 ConfigurationAssertionConsumerServiceNotFoundError The request specified an assertion consumer service that is not configured or not supported on the relying party '%4'. Request parameters: '%1', '%2', '%3' Relying party: %4 This request failed. User Action Use the AD FS Management snap-in to configure an assertion consumer service with the specified parameters for this relying party. Also, check whether the artifact resolution service is enabled if the SAML artifact is requested.
274 FsProxyEndpointListenerAccessDeniedError The federation server proxy encountered an error while trying to listen on one of the proxy endpoints. The federation server proxy will not be able to start until it can listen on all required proxy endpoints. Proxy Endpoints: %1 User Action Ensure that the permissions on the URLs of the proxy endpoints allow the federation server proxy security account (the default is Network Service) to listen on them.
275 FsProxySslTrustError The federation server proxy could not establish a trust relationship for the SSL secure channel with the Federation Service %1. Error Message: %2 User Action Ensure that the SSL certificate for Federation Service '%1' is valid and trusted by the federation server proxy.
276 FsProxyServiceNotTrustedOnStsError The federation server proxy was not able to authenticate to the Federation Service. User Action Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet. Additional Data Certificate details: Subject Name: %1 Thumbprint: %2 NotBefore Time: %3 NotAfter Time: %4 Client endpoint: %5
277 UnhandledExceptionError The Federation Service encountered an unexpected exception and has shut down. Additional Data Exception details: %1
278 ArtifactResolutionEndpointNotConfiguredError The SAML artifact resolution endpoint is not configured or it is disabled. User Action If SAML artifact resolution is required, use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
279 SamlArtifactResolutionClaimsProviderNotFoundError Unable to find a claims provider trust for SAML artifact resolution in the AD FS configuration database. SAML artifact: %1 This request failed. User Action Verify that a claims provider trust exists in the AD FS configuration database. Make sure that the data for the claims provider trust is up to date.
280 ClaimsProviderMissingArtifactServiceError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the artifact resolution service configured. Claims provider trust: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Add the artifact resolution service endpoint to the claims provider trust.
281 SamlArtifactResolutionEndpointNotFoundError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the required artifact resolution endpoint with the specified index configured. Claims provider trust: %1 Required endpoint index: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Use the AD FS Management snap-in to configure the artifact resolution endpoint with the specified index.
282 SamlArtifactResolutionSignatureVerificationFailureAudit Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date using AD FS Management snap-in. Verify that the claims provider trust's certificate is up to date.
283 SamlArtifactResolutionRequestError Unable to resolve the SAML artifact. The artifact resolution request to the claims provider failed. See inner exception for more details. SAML Artifact: %1 Claims provider: %2 Inner exception: %3 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify network connectivity. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
284 SamlArtifactResolutionResponseVerificationError Unable to resolve the SAML artifact. A malformed response was received from the claims provider. See inner exception for more details. SAML artifact: %1 Claims provider: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date.
285 SamlArtifactResolutionBadResponseError The SAML artifact was resolved, but the response is empty or does not contain expected assertions. SAML artifact: %1 Claims provider: %2 This request failed. User Action For more information, contact the claims provider.
286 ArtifactStorageConnectionOpenError Cannot connect to the artifact database. Connection string: %1 Error message: %2 User Action Ensure that the artifact database is configured properly. Use the Set-ADFSProperties cmdlet with the ArtifactDbConnection parameter in the Windows PowerShell for AD FS to modify the connection string, if necessary. Troubleshoot the connectivity to the artifact storage .
287 ArtifactStorageAddError Cannot add the artifact to the artifact database. See exception message for more details. Artifact ID: %1 Inner exception details: %2 User Action Ensure that the artifact database is configured properly. Troubleshoot the connectivity to the artifact database.
288 ArtifactStorageGetError Cannot get the artifact from storage. See exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
289 ArtifactStorageRemoveError Cannot remove the artifact from storage. See inner exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
290 ArtifactStorageExpireError Cannot set expiration for the artifacts in storage. See inner exception message for more details. Inner exception details: %1 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
291 ArtifactServiceStartupException The artifact resolution service could not be started. Additional Data Exception details: %1 User Action Make sure artifact resolution service is properly configured.
292 ArtifactResolutionServiceSignatureVerificationFailureAudit The Artifact Resolution Service could not verify request signature. Additional Data Exception details: %1
293 ArtifactRequestedButDisabledError A SAML request for the required artifact was rejected because the artifact resolution service is not enabled. Relying party: %1 This request failed. User Action Enable the artifact resolution service. Use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
294 ArtifactResolutionServiceIdentityNotFoundError The SAML artifact resolution request specified an issuer that is not configured for the relying party. Relying party: %1 Artifact resolution request issuer: %2 This artifact resolution request failed. User Action Ensure that the relying party is configured properly using the AD FS Management snap-in.
296 ArtifactResolutionServiceNoSignatureFailureAudit A SAML artifact resolution request was received without a signature. Request issuer: %1 This artifact resolution request failed.
297 ArtifactResolutionServiceBadEndpointIndexError The SAML artifact resolution request required an artifact resolution service endpoint with an index that is not configured. Endpoint index: %1 Configured endpoint index: %2 This artifact resolution request failed.
299 TokenIssuanceSuccessAudit A token was successfully issued for the relying party '%3'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any. Instance ID: %1 Activity ID: %2 Relying party: %3
300 WSTrustRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request. Activity ID: %1 Request type: %2 Additional Data Exception details: %3
301 ActAsAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' as the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
302 ActAsAuthorizationError The Federation Service could not authorize token issuance for caller '%2' as subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Relying party: %4 Exception details: %5 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to act as the subject to the relying party.
303 SamlRequestProcessingError The Federation Service encountered an error while processing the SAML authentication request. Additional Data Exception details: %1
304 SamlRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the SAML authentication request. Additional Data Activity ID: %1 Exception details: %2
305 LdapDCServerError The Federation Service encountered an error while querying a LDAP server at %1. Additional Data Domain name: %1 LDAP server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from LDAP server (if available): %7 Exception Details: %8
306 LdapGCServerError The Federation Service encountered an error while querying a global catalog server at %1. Additional Data Domain name: %1 Global catalog server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from server (if available): %7 Exception Details: %8
307 ConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %2 Account: %3 See audit 510 with the same Instance ID for change details. Additional Data Instance ID: %1 Security ID: %2 Account: %3
308 ConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error: %1 Subject: Security ID: %2 Account: %3
309 WmiConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %1 Account: %2 Old Value: %3 New Value: %4
310 WmiConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error : %1 Subject: Security ID: %2 Account: %3 Current Value: %4 Attempted Change: %5
311 PerformanceCounterFailure An attempt to update AD FS performance counters failed. Additional Data Exception details: %1
315 ClaimsProviderSigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate. Claims provider trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
316 RelyingPartySigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party signing certificate. Relying party trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
317 RelyingPartyEncryptionCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party encryption certificate. Relying party trust's encryption certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
319 ClientCertificateCrlCheckFailure An error occurred while the certificate chain for the client certificate identified by thumbprint '%1' was being built. The certificate chain could not be built. The certificate has been revoked, the certificate chain could not be verified as specified by the encryption certificate revocation settings or certificate is not within its validity period. You can use the Set-ADFSProperties cmdlet with the ProxyCertRevocationCheck parameter in Windows PowerShell for AD FS to configure the client certificate revocation settings. Client Certificate Revocation Settings: %2 The following errors occurred while building the certificate chain: %3 User Action: Ensure that the client certificate is valid and has not been revoked. Ensure that the Federation Service can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
320 SamlProtocolSignatureVerificationError The verification of the SAML message signature failed. Message issuer: %1 Exception details: %2 This request failed. User Action Verify that the message issuer configuration in the AD FS configuration database is up to date. Configure the signing certificate for the specified issuer. Verify that the issuer's certificate is up to date. Verify the issuer and server message signing requirements.
321 InvalidNameIdPolicyError The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: %1 Name identifier format: %2 SPNameQualifier: %3 Exception details: %4 This request failed. User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
322 OnBehalfOfAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' on behalf of the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
323 OnBehalfOfAuthorizationError The Federation Service could not authorize token issuance for the caller '%2' on behalf of the subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Exception details: %5 User Action Use the Windows PowerShell Get-ADFSClaimsProviderTrust or Get-ADFSRelyingPartyTrust cmdlet to ensure the caller is authorized on behalf of the subject to the relying party.
324 CallerAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for caller '%3' to relying party '%4'. See audit 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %4
325 CallerAuthorizationError The Federation Service could not authorize token issuance for caller '%2'. The caller is not authorized to request a token for the relying party '%3'. See event 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Relying party: %3 Exception details: %4 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
326 ClaimsPolicyInvalidPolicyTypeError Failed to load the AD FS claims policy engine using policy type '%1' User Action Make sure AD FS is installed correctly.
327 SamlSingleLogoutError An error occurred during processing of the SAML logout request. Additional Data Caller identity: %1 Logout initiator identity: %2 Error message: %3 Exception details: %4 User Action Ensure that the single logout service is configured properly for this relying party trust or claims provider trust in the AD FS configuration database.
328 SamlArtifactResolutionNoAssertion The SAML artifact resolution request was resolved, but the response does not contain the expected assertions. Additional Data: SAML artifact: %1 Status code: %2 SubStatus code: %3 Status message: %4 This request failed. User Action Contact the claims provider for more information.
329 AdditionalBlobCertificateLoadWarning The certificate that is identified by thumbprint '%1' could not be decrypted using the keys for X.509 certificate private key sharing. Additional Data: X.509 certificate private key sharing diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the specified distinguished name in the diagnostic information above for X.509 certificate private key sharing.
331 CertificateManagementDecryptionError The certificate management service encountered an error during decryption of the keys. storeName: %2 storeLocation: %1 x509FindType: %4 findValue: %3 Additional Data: X.509 certificate private key sharing diagnosis: %5 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis for X.509 certificate private key sharing above.
332 CertificateManagementEncryptionError The certificate management service encountered an error during encryption of the keys. Subject: %1 Diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis above for X.509 certificate private key sharing.
333 CertificateManagementConfigurationError The certificate management service encountered an error during database access. Additional Data: Diagnosis: %1 User Action Confirm that the SQL store is online.
334 CertificateManagementWarning Certificate rollover service needs to rollover %1 certificates urgently. Partners will not be able to apply the update in time.
335 CertificateManagementInfo %1
336 CertificateManagementInitiated The certificate management cycle was initiated.
337 CertificateManagementComplete The certificate management cycle was completed.
338 CertificateManagementGenericError An error was encountered during certificate rollover. The monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
339 CertificateManagementInitiationError An error occurred during initialization of certificate rollover. Certificates will not be rolled over. Additional Data Exception details: %1
340 ArtifactResolutionSuccessAudit An SAML artifact resolution request was successfully resolved for the relying party '%1'. Relying party: %1 SAML artifact: %2
341 SecurityTokenNotYetValidError The NotBefore attribute for the token has a value that is set to a future time. See inner exception for more details. Additional Data Token Type: %1 Exception details: %2 This request failed. User Action Verify that system clock is synchronized.
342 SecurityTokenValidationError Token validation failed. Additional Data Token Type: %1 %Error message: %2 Exception details: %3
343 ConfigurationDatabaseSynchronizationInitiationError There was an error during initialization of synchronization. Synchronization of data from the primary federation server to the secondary federation server will not occur. Additional Data Exception details: %1
344 ConfigurationDatabaseSynchronizationSyncError There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional data Exception details: %1 User Action Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.
345 ConfigurationDatabaseSynchronizationCommunicationError There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional Data Master Name : %1 Endpoint Uri : %2 Exception details: %3
346 ConfigurationDatabaseReadOnlyTransferError There was an error during retrieving the configuration data for the secondary federation server. Additional Data Exception details: %1
348 ConfigurationDatabaseSynchronizationCompleted Synchronization of configuration data from the primary federation server '%1' is completed. %2 objects were added. %3 objects were deleted.
349 FsAdministrationServiceStart The administration service for the Federation Service started successfully. You can now use the Windows Powershell commands for AD FS to modify the Federation Service configuration. The following service hosts have been added: %1
351 PolicyStoreSynchronizationPropertiesGetError There was an error getting synchronization properties. Additional Data Exception details: %1
352 ConfigurationDatabaseSqlError A SQL operation in the AD FS configuration database with connection string %1 failed. Additional Data Exception details: %2
353 SamlArtifactResolutionSignatureVerificationError Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 Exception details: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify that the claims provider trust's signing certificate is up to date.
354 ArtifactResolutionServiceSignatureVerificationError The artifact resolution service could not verify the request signature. Additional Data Exception details: %1 User action: Verify that the relying party trust in the AD FS configuration database is up to date. Configure the relying party certificate for request signing. Verify that relying party certificate is up to date.
356 SqlNotificationRegistrationError Failed to register notification to the SQL database with the connection string %1 for cache type '%2'. Changes to settings may not take effect until the Federation Service restarts. Additional Data Exception details: %3
357 SqlNotificationRegistrationResumption Successfully registered notification to the SQL database with the connection string %1.
358 ServiceHostRestart Restarting %1. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.
359 ServiceHostRestartError An error occurred during an attempt to restart %1. Additional Data Exception details: %2 User Action Restart the Federation Service to recover from the error.
360 ClientCertificateNotPresentOnProxyEndpointError A request was made to a certificate transport endpoint, but the request did not include a client certificate. This could be because the root CA certificate that issued the client certificate is not in the Trust CA certificate store or because the client certificate is expired. User Action: Ensure that the CA that issued the client certificate in this request has its certificate in the Trusted Root Certificate Authority store on the Local Computer. Ensure that the client certificate is not expired.
362 WSFederationPassiveSignOutError Encountered error during federation passive sign-out. Additional Data Exception details: %1
363 WSFederationPassiveServiceCommunicationError A communication error occurred during an attempt to get a token from the Federation Service. Make sure that the Federation Service is running. Additional Data Exception details: %1
364 WSFederationPassiveRequestFailedError Encountered error during federation passive request. Additional Data Protocol Name: %1 Relying Party: %2 Exception details: %3
365 RelyingPartyNotEnabled A token request was received for the relying party '%1', but the request could not be fulfilled because the relying party trust is not enabled. Relying party: %1 This request failed. User Action If this relying party trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
366 ClaimsProviderNotEnabled A token was received from claims provider '%1', but the token could not be validated because the claims provider trust is not enabled. Claims provider: %1 This request failed. User Action If this claims provider trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
367 AudienceUriValidationFailed The audience restriction was not valid because the specified audience identifier is not present in the acceptable identifiers list of this Federation Service. User Action See the exception details for the audience identifier that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell for AD FS. Note that the audience identifier is used to verify whether the token was sent to this Federation Service. If you think that the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list may open a security vulnerability in your system. Additional Data Token Type: %1 Exception details: %2
368 SamlLogoutNameIdentifierNotFoundError The SAML Single Logout request does not correspond to the logged-in session participant. Requestor: %1 Request name identifier: %2 Logged-in session participants: %3 This request failed. User Action Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
369 WSFederationPassiveTtpRequestError Processing TTP request failed with the following exception. Additional Data Exception details: %1 User Action Ensure that user has enabled cookies in browser settings.
370 WSFederationPassiveTtpResponseError Incoming TTP response is not valid. Processing response failed with following exception. Additional Data Exception details: %1 User Action Ensure that partner federation provider is configured properly to send valid TTP response.
371 AuthorityCertificateResolveError Cannot find certificate to validate message/token signature obtained from claims provider. Claims provider: %1 This request failed. User Action Check that Claim Provider Trust configuration is up to date.
372 WeakSignatureAlgorithmError Authentication Failed. The token used to authenticate the user is signed using a weaker signature algorithm than expected. Additional Data Token Type: %1 Issuer: %2 Actual token signature algorithm: %3 Expected token signature algorithm: %4 User Action Check that Claim Provider is configured to accept tokens with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
373 ArtifactResolutionServiceWeakSignatureAlgorithmError The artifact request from the replying party is signed with a weaker signature algorithm. Additional Data Relying party identity: %1 Actual message signature algorithm: %2 Expected message signature algorithm: %3 User action: Check that relying party is configured to accept artifact resolution request with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
374 AuthorityEncryptionCertificateCrlCheckFailure An error occurred while building the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. The certificate chain could not be built, the certificate has been revoked, or the certificate chain could not be verified as specified by the claims provider trust's encryption certificate revocation settings. AD FS powershell commands can be used to configure the claims provider trust encryption certificate revocation settings. Claims Provider Trust Encryption Certificate Revocation Settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
375 PolicyStoreSynchronizationInitiated Policy store synchronization initiated.
376 SqlAttributeStoreQueryExecutionError An Error occurred while executing a query in SQL attribute store. Additional Data Connection information: %1 Query: %2 Parameters: %3 User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the connection string to the SQL attribute store is valid. Make sure that the SQL attribute store can be reached by the connection string and the SQL attribute store exists. Verify that the SQL query and parameters are valid. Exception details: %4
377 AttributeStoreError A processing error occurred in an attribute store. User Action Exception details: %1
378 SAMLRequestUnsupportedSignatureAlgorithm SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm %1 . Expected signature algorithm is %2 User Action: Verify that signature algorithm for the partner is configured as expected.
379 InvalidIssuanceInstantError A security token was rejected as the specified IssueInstant was before the allowed time frame. Token Type: %1 User Action: To allow tokens for a larger timeframe, use the AD FS PowerShell commands to adjust the value of the ReplayCacheExpirationInterval.
380 BadConfigurationIdentityCertificateNotValid During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was configured could not be used. The certificate has been revoked, the certificate chain could not be verified or certificate is not within its validity period. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Verify whether the certificate chain for the certificate configured has been revoked by its certificate authority. If the certificate has been revoked or expired, the AD FS service must be issued a new certificate.
381 AdditionalCertificateValidationFailure An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '%1'. Possible causes are that the certificate has been revoked or certificate is not within its validity period. The following errors occurred while building the certificate chain: %2 User Action: Ensure that the certificate is valid and has not been revoked or expired.
382 SynchronizationThresholdViolation AD FS detected that the Federation Service has more than %1 %2 trusts configured and that the data in the AD FS configuration database for this Federation Service is stored and synchronized using Windows Internal Database technology. The overall performance of data synchronization between configuration databases that are stored locally on federation servers across the farm will degrade as you add more than %1 trusts when you use the Windows Internal Database to store the AD FS configuration database. User Action: To improve synchronization performance across your federation server farm, we recommend that you migrate the data in the AD FS configuration database to SQL server. For more information about how to do this, see AD FS Operations Guide (http://go.microsoft.com/fwlink/?LinkId=181189).
383 WSFederationPassiveWebConfigMalformedError The Web request failed because the web.config file is malformed. User Action: Fix the malformed data in the web.config file. Exception details: %1
384 WSFederationPassiveInvalidValueInWebConfigError The request to the Federation Service failed because the web.config file has an invalid configuration for '%1' that the Federation Service does not support. User Action: Ensure that the configuration of the property '%1' is supported by the Federation Service.
385 ConfigurationHasExpiredCertsWarning AD FS detected that one or more certificates in AD FS configuration database need to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
386 ConfigurationHealthyCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are due to expire.
387 CertPrivateKeyInaccessibleError AD FS detected that one or more of the certificates specified in the Federation Service were not accessible to the service account used by the AD FS Windows Service. User Action: Ensure that the AD FS service account has read permissions on the certificate private keys. Additional Details: %1
388 CertPrivateKeyAccessibleInfo AD FS detected that all the service certificates have appropriate access given to the AD FS service account.
389 TrustsHaveExpiredCertsWarning AD FS detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
390 TrustsHaveHealthyCertsInfo AD FS detected that none of the partner certificates that are configured to be managed by the administrator are due to expire.
392 FsProxyTrustTokenRenewalSuccess The federation server proxy was able to successfully renew its trust with the Federation Service. Proxy trust certificate subject: %1. Proxy trust certificate old thumbprint: %2. Proxy trust certificate new thumbprint: %3.
393 ProxyTrustTokenIssuanceFailure The federation server proxy could not establish a trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached.
394 FsProxyTrustTokenRenewalError The federation server proxy could not renew its trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer.
395 ProxyTrustTokenIssuanceSuccess The trust between the federation server proxy and the Federation Service was established successfully using the account '%1'. Proxy trust certificate subject: %2. Proxy trust certificate thumbprint: %3.
396 ProxyTrustTokenRenewalSuccess The trust between the federation server proxy and the Federation Service was renewed successfully. Proxy trust certificate subject: %1. Proxy trust certificate old thumbprint: %2. Proxy trust certificate new thumbprint: %3.
397 HttpProxyConfigurationInfo The federation server loaded the HTTP proxy configuration from WinHTTP settings. HTTP Proxy: %1 HTTPS Proxy: %2 Bypass proxy for local addresses: %3 Bypass proxy for addresses: %4 To learn more about how to set the HTTP proxy settings for the federation server, see http://go.microsoft.com/fwlink/?LinkId=182180.
398 ConfigurationHasArchivedCertsWarning AD FS detected that one or more certificates in the AD FS configuration database need to be updated manually because they are archived. Additional Details: %1
399 ConfigurationHealthyUnarchivedCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are archived.
400 GiveUserVSSAccess VSS writer permissions have been granted to user %1.
401 RevokeUserVSSAccess VSS writer permissions have been revoked from user %1.
402 CertificateClaimUnknownError Failed to add some of the certificate claims.
403 RequestReceivedSuccessAudit An HTTP request was received. See audit 510 with the same Instance ID for headers. Instance ID: %1 Activity ID: %2 Request Details: Date And Time: %3 Client IP: %4 HTTP Method: %5 Url Absolute Path: %6 Query string: %7 Local Port: %8 Local IP: %9 User Agent: %10 Content Length: %11 Caller Identity: %12 Certificate Identity (if any): %13 Targeted relying party: %14 Through proxy: %15 Proxy DNS name: %16
404 ResponseSentSuccessAudit An HTTP response was dispatched. See audit 510 with the same Instance ID for headers. Instance ID: %1 Activity ID: %2 Response Details: Date And Time: %3 Status Code: %4 Status Description: %5
405 PasswordChangeSuccessAudit Password change succeeded for following user: Activity ID: %1 User: %2 Server on which password change was attempted: %3
406 PasswordChangeFailureAudit Password change failed for following user: Additional Data Activity ID: %1 User: %2 Server on which password change was attempted: %3 Error details: %4
407 PasswordChangeError Password change failed for following user: Additional Data User: %1 Server on which password change was attempted: %2 Error details: %3
408 DeviceAuthenticationFailureAudit Device authentication failed for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Error Message: %8
409 DeviceAuthenticationSuccessAudit Device authentication successful for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Registered owner's sid: %8 Is current User registered: %9
410 RequestContextHeadersSuccessAudit Following request context headers present : Activity ID: %1 %2: %3 %4: %5 %6: %7 %8: %9 %10: %11 %12: %13 %14: %15
411 SecurityTokenValidationFailureAudit Token validation failed. See inner exception for more details. Additional Data Activity ID: %1 Token Type: %2 Error message: %3 Exception details: %4
412 AuthenticationSuccessAudit A token of type '%3' for relying party '%4' was successfully authenticated. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2
413 CallerIdFailureAudit An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Caller: %2 OnBehalfOf user: %3 ActAs user: %4 Target Relying Party: %5 Device identity: %6 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
414 InvalidMsisHttpRequestAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Target Relying Party: %2 Is Application Proxy Configured: %3 Is Request From the Extranet: %4 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
415 UnregisteredDrsUpnSuffixes %1
416 WebConfigurationError Web configuration error: %1
417 CertificateClaimError Unable to add the certificate claim %1.
418 StsProxyTrustRenewalAuditSuccess The trust between the federation server proxy and the Federation Service was successfully renewed. Additional Data Server from which request was made: %1 Certificate Subject: %2 Old Certificate Thumbprint: %3 New Certificate Thumbprint: %4
419 StsProxyTrustRenewalAuditFailure Unable to renew the trust between the federation server proxy and the Federation Service. Additional Data Server from which request was made: %1 Exception details: %2
420 StsProxyTrustTokenEstablishmentAuditSuccess The trust between the federation server proxy and the Federation Service was successfully established. Additional Data User: %1 Server from which request was made: %2 Certificate Subject: %3 Certificate Thumbprint: %4
421 StsProxyTrustTokenEstablishmentAuditFailure The trust between the federation server proxy and the Federation Service could not be established. Additional Data User: %1 Server from which request was made: %2
424 ClientCertNotTrustedOnStsAuditFailure The federation server proxy was not able to authenticate the client certificate presented in the request. Activity ID: %1 Client certificate thumbprint: %2 Client certificate subject name: %3 Client endpoint: %4 Inner exception: %5 User Action Ensure that the request is using the certificate used to establish the trust between the Federation Server Proxy and the Federation Service.
425 ApplicationProxyConfigurationStoreChangeAuditSuccess The following update was successful to the application proxy store on the federation server. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6
426 ApplicationProxyConfigurationStoreChangeAuditFailure The following update attempt to the application proxy store on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6 Error information: %7
427 ApplicationProxyTrustUpdateAuditSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4
428 ApplicationProxyTrustUpdateAuditFailure The following update attempt to the application proxy relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4 Error information: %5
429 RelyingPartyTrustUpdateAuditSuccess The following update attempt to the relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal Url: %5 External Url: %6 Published identifier: %7
430 RelyingPartyTrustUpdateAuditFailure The following update attempt to the relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal url: %5 External url: %6 Published identifier: %7 Error information: %8
431 ActiveRequestRSTSuccessAudit An active request was received at STS with RST containing: Activity ID: %1 RST Details: KeySize: %2 KeyType: %3 RequestType: %4 TokenType: %5 SignatureAlgorithm: %6
432 ProxyConfigurationEndpointError Error handling request from proxy at %1 Additional Data Exception details: %2
433 ProxyTrustTokenRenewalError Error encountered while renewing trust with the federation server proxy. Additional Data Exception details: %1
434 CertificateAuthorityExpirationCheckWarning The primary AD FS certificate authority issuer certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. To avoid certificate issuance service interruption, ensure that the current secondary certificate ( thumbprint %3 ) is installed in Active Directory before the rollover occurs at %4 UTC.
435 PrimarySigningCertificateRolloverCheckWarning The primary AD FS token signing certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. Relying parties that rely on federation metadata will be notified automatically; any relying parties that do not rely on federation metadata must be informed of the new certificate before the rollover at %4 UTC.
436 PrimaryDecryptionCertificateRolloverCheckWarning The primary AD FS token decryption certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. Identity providers that rely on federation metadata will be notified automatically; any identity providers that send encrypted tokens to AD FS and do not rely on federation metadata must be informed of the new certificate before the expiration at %2 UTC.
437 CertificateRolloverCheckExceptionWarning Error encountered while checking for pending certificate rollovers. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. If this issue persists, AD FS will not be able to advise of pending certificate rollover events. Additional Data Exception details: %3 Additional details: %4
438 CertificateAuthorityRolloverExceptionWarning Error encountered while checking rollover status of the AD FS certificate authority issuer certificate. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. Future runs may occur on other farm nodes if AD FS is running in a farm configuration. If this issue persists, the AD FS certificate authority issuer certificate cannot be rolled over successfully when it nears expiry. Additional Data Exception details: %3 Additional details: %4
439 EnrollmentCertificateReadFromTemplateError Error encountered while attempting to read an enrollment certificate from a template. Additional Data Exception details: %1 Additional details: %2
440 EnrollmentCertificateSetInfo A Certificate Authority Enrollment Certificate was found. Additional Data Certificate Thumbprint: %1
441 TokenBindingKeyInvalid A token with a bad token binding key was found. Additional Data User: %1 Target RP: %2 Client IP: %3 Token Binding ID: %4 Request Provided ID: %5 Request Referred ID: %6
442 ExternalCAEnrollmentCertificateManagementInitiated The CA enrollment certificate management cycle was initiated.
443 ExternalCAEnrollmentCertificateManagementComplete The CA enrollment certificate management cycle was completed.
444 ExternalCAEnrollmentCertificateExceptionError Error encountered while checking status of the AD FS enrollment certificate. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. If this issue persists, the AD FS will not be able to enroll certificate. Additional Data Exception details: %3 Additional details: %4
500 IssuedIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Issued identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
501 CallerIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Caller identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
502 OnBehalfOfUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 OnBehalfOf identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
503 ActAsUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 ActAs identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
504 ApplicationProxyConfigurationStoreChangeSuccess The following update was successful to the application proxy store on the federation server. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5
505 ApplicationProxyConfigurationStoreChangeFailure The following update attempt to the application proxy store on the federation server failed. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5 Error information: %6
506 ApplicationProxyTrustUpdateSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Identifier: %3
507 ApplicationProxyTrustUpdateFailure The following update attempt to the application proxy relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Identifier: %3 Error information: %4
508 RelyingPartyTrustUpdateSuccess The following update attempt to the relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal Url: %4 External Url: %5 Published identifier: %6
509 RelyingPartyTrustUpdateFailure The following update attempt to the relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal url: %4 External url: %5 Published identifier: %6 Error information: %7
510 LongText More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Details: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
511 InvalidMsisHttpSigninRequestFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Examine the Federation Service configuration and take the following actions: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
512 ExtranetLockoutAccountThrottledAudit The account for the following user is locked out. A login attempt is being allowed due to the system configuration. Additional Data Activity ID: %1 User: %2 Client IP: %3 Bad Password Count: %4 nLast Bad Password Attempt: %5
513 ArtifactRestEndpointRequestFailureAudit The Artifact REST service failed to return an artifact as a result of an error during processing. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3 Exception details: %4
514 ArtifactRestEndpointRequestSuccessAudit The Artifact REST service successfully returned an artifact. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3
515 ExtranetLockoutUserThrottleTransitionAudit The following user account was in a locked out state and the correct password was just provided. This account may be compromised. Additional Data Activity ID: %1 User: %2 Client IP: %3
516 ExtranetLockoutAccountRestrictedAudit The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: %1 User: %2 Client IP: %3 nBad Password Count: %4 nLast Bad Password Attempt: %5
517 TargetRelyingPartyPublishedButAppProxyDisabledFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Verify that either an enabled web application proxy relying party trust exists in your Federation Service configuration or that the target relying party trust object is not published through a web application proxy.
518 TargetRelyingPartyPublishedButAppProxyDisabledFailureAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
519 PrimayServerRequestHandlerResponseSuccessAudit A successful response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to the events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 IP address from which the request originated: %5
520 PrimayServerRequestHandlerResponseFailureAudit An error response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to error or warning events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 WebException response code: %5 IP address from which the request originated: %6
521 RelyingPartyTokenRequestFailure The request for the relying party token resulted in a failure. Authentication information: %1 HTTP method: %2 Username: %3 Password presented: %4 Realm: %5 Application realm: %6 Device registration certificate thumbprint: %7 User certificate thumbprint: %8 Error information: %9 User action: Examine the request and verify that at least one of the following parameter sets are present. Username and password Username, password, and device registration certificate User certificate
522 RelyingPartyTokenRequestAuditFailure The request for the relying party token resulted in a failure. The data includes an Activity ID that you can cross-reference to error or warning events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 HTTP method: %3 Username: %4 Password presented: %5 Realm: %6 Application realm: %7 Device registration certificate thumbprint: %8 User certificate thumbprint: %9 Error information: %10 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer.
523 RelyingPartyTokenRequestAuditSuccess The request for the relying party token succeeded. The data includes an Activity ID that you can cross-reference to the events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 HTTP method: %3 Username: %4 Password presented: %5 Realm: %6 Application realm: %7 Device registration certificate thumbprint: %8 User certificate thumbprint: %9
530 LocalCPTrustReadWarning AD FS could not read the local claims provider trusts from the AD FS configuration. AD FS will continue to operating from cached configuration. Exception details: %1
531 LocalCPTrustFirstReadError AD FS could not read the local claims provider trusts from the AD FS configuration. AD FS will not function until this configuration can be read for the first time. Exception details: %1
540 UnableToCreateOAuthDiscoveryDocument The Federation Service was was unable to return the OAuth discovery document as a result of an error. Document Path: %1 Additional Data Exception details: %2
541 ProxyConfigDataFarmBehaviorMalformedError An invalid value was found during processing of the proxy configuration data from the AD FS server. The value will be ignored, and the rest of the proxy configuration data will be processed. Additional Data FarmBehavior: '%1' User action: This may point to an interoperability issue between the proxy and the AD FS server. Contact the vendor for your AD FS server.
542 HeartbeatError There was an error during heartbeat. Additional data Exception details: %1
543 HeartbeatCommunicationError There was an error during heartbeat communicating to primary federation server. Primary server: '%1' Endpoint: '%2' Additional data Exception details: %3 User Action Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.
544 HeartbeatWarning Heartbeat is not performed because primary server does not support heartbeat. Primary server: '%1'
545 HeartbeatInformation Heartbeat is performed at primary server. Primary server: '%1'
546 AzureMfaCertificateNotFound A current tenant certificate for Azure MFA was not found. TenantId: %1.
547 AzureMfaCertificateRenewed The tenant certificate for Azure MFA has been renewed. TenantId: %1. Old thumbprint: %2. Old expiration date: %3. New thumbprint: %4. New expiration date: %5.
548 AzureMfaCertificateExpirationWarning The tenant certificate for Azure MFA will expire soon. TenantId: %1. Thumbprint: %2. Expiration date: %3.
549 AzureMfaCertificateExpired The tenant certificate for Azure MFA has expired. TenantId: %1. Thumbprint: %2. Expiration date: %3.
550 CertKeySpecMissing The %1 primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1). User Action: This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command "certutil -importpfx filename.pfx AT_KEYEXCHANGE". For more information, see http://go.microsoft.com/fwlink/?LinkId=798501
1000 CallerId An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Caller: %1 OnBehalfOf user: %2 ActAs user: %3 Target Relying Party: %4 Device identity: %5 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
1020 OAuthAuthorizationRequestFailedError Encountered error during OAuth authorization request. Additional Data Exception details: %1
1021 OAuthTokenRequestFailedError Encountered error during OAuth token request. Additional Data Exception details: %1
1022 OAuthAuthorizationCodeIssuanceSuccessAudit An OAuth authorization code was successfully issued to client '%5'. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7 User Identity: %8 Device Identity: %9
1023 OAuthAccessTokenIssuanceSuccessAudit An OAuth access token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1024 OAuthRefreshTokenIssuanceSuccessAudit An OAuth refresh token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1025 OAuthAuthorizationCodeIssuanceFailureAudit The Federation Service failed to issue an OAuth authorization code as a result of an error during processing of the OAuth authorization code request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1026 OAuthAccessTokenIssuanceFailureAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth access token request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1027 OAuthAccessTokenResponseIssuanceSuccessAudit An OAuth access token response was successfully issued to client '%5' for the relying party '%7'. See audit 1023 with the same authorization code ID for issued access token. In an AD FS farm setup, this audit may be found on another farm node. See audit 1024 with the same authorization code ID for the refresh token if it is issued. In an AD FS farm setup, this audit may be found on another farm node. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7
1028 OAuthClientAuthenticationSuccessAudit OAuth Confidential Client '%6' was successfully authenticated using tokentype '%3'. See audit 501 with the same Instance ID for claims generated during client authentication. Instance ID: %1 Activity ID: %2 Request Details: TokenType: %3 Date And Time: %4 Client IP: %5 Client Identifier: %6
1029 OAuthClientAuthenticationFaultAudit OAuth Client Authentication failed for client '%4' with tokentype '%2'. Activity ID: %1 Request Details: TokenType: %2 Client IP: %3 Client Identifier: %4 Exception details: %5
1030 OAuthClientCredentialsFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Client Credentials token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 Exception details: %5
1031 OAuthClientCredentialsIssuanceSuccessAudit An OAuth access token response using Client Credentials flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5
1032 OAuthIdTokenIssuanceFailureAudit The Federation Service failed to issue an ID token as a result of an error during processing of request. Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Exception details: %4
1033 OAuthIdTokenIssuanceSuccessAudit An ID token was successfully issued to client '%4'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Id Token Subject: %5
1034 OAuthOnBehalfOfFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth On Behalf Of token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1035 OAuthOnBehalfOfIssuanceSuccessAudit An OAuth access token response using On Behalf Of flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1036 OAuthLogonCertificateFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Logon Certificate token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1037 OAuthLogonCertificateIssuanceSuccessAudit An OAuth access token response using the Logon Certificate flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1038 OAuthVPNCertificateFaultAudit The Federation Service failed to issue an OAuth VPN Certificate as a result of an error during processing of the OAuth VPN Certificate token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1039 OAuthAuthCodeVPNCertificateIssuanceSuccessAudit An OAuth VPN Certificate response was successfully issued to client '%5' for the relying party '%7'. See audit 1023 with the same authorization code ID for issued access token. In an AD FS farm setup, this audit may be found on another farm node. See audit 1024 with the same authorization code ID for the refresh token if it is issued. In an AD FS farm setup, this audit may be found on another farm node. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7
1040 OAuthRefreshTokenVPNCertificateIssuanceSuccessAudit An OAuth access token response using the VPN Certificate flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1041 OAuthPrimaryRefreshTokenIssuanceSuccessAudit An OAuth primary refresh token was successfully issued to client '%6'. See audit 500 with the same Instance ID for issued claims. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 User Identity: %8 Device Identity: %9
1042 OAuthNextGenCredsIssuanceSuccessAudit An OAuth access token response using Next Generation Credentials flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5
1043 OAuthNextGenCredsIssuanceFailureAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Next Generation Credentials token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 Exception details: %5
1044 OAuthWinHelloCertIssuanceSuccessAudit An OAuth Win Hello Certificate response was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6 Certificate Thumbprint: %7 Certificate Expiry: %8
1045 OAuthWinHelloCertIssuanceFailureAudit The Federation Service failed to issue an OAuth Win Hello Certificate as a result of an error during processing of the request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User Identifier: %5 Exception details: %6
1080 WebFingerRequestError An error occurred while processing WebFinger request. Additional Data Request url: %1 User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the resource query parameter exists and is valid representing an authorization server's URL. Verify that all federation partners (RP-STSs) that this ADFS issues tokens to (including any chains) have been configured using powershell cmdlet Add-ADFSTrustedFederationPartner. Exception details: %2
1090 UserInfoEndpointRequestFailureAudit The UserInfo endpoint failed to return a success response as a result of an error during processing. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3 Exception details: %4
1091 UserInfoEndpointRequestSuccessAudit The UserInfo endpoint successfully returned a JSON response. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3
1100 RestEndpointAuthorizationFailureError The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Exception details: %1
1101 RestEndpointAuthorizationFailureAudit The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Exception details: %4
1102 RestEndpointAuthorizationSuccessAudit The Federation Service authorized a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Additional details: %4
1103 LdapStoreQueryUserDnFailureAudit The Federation Service failed to query the LDAP account store for the DN of user %2. Activity ID: %1 Request Details: User name: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7 Exception details: %8
1104 LdapStoreQueryUserDnSuccessAudit The Federation Service queried the LDAP account store for the DN of user %2. Activity ID: %1 Request Details: User name: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7
1105 LdapStoreBindFailureAudit The Federation Service failed to bind to the LDAP server with user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1106 LdapStoreBindSuccessAudit The Federation Service bound to the LDAP account store with user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6
1107 LdapStoreQueryUserAttrFailureAudit The Federation Service failed to query the LDAP account store for the attributes of user %2. Activity ID: %1 Request Details: User DN: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7 Exception details: %8
1108 LdapStoreQueryUserAttrSuccessAudit The Federation Service queried the LDAP account store for the attributes of user %2. Activity ID: %1 Request Details: User DN: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7
1109 LdapAccountStoreConnectionFailure The Federation Service failed to connect to the LDAP account store to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 LDAP server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1110 LdapAttributeStorePrimaryConnectionFailure The Federation Service failed to connect to the primary LDAP account store to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1111 LdapAttributeStoreCompleteConnectionFailure The Federation Service failed to connect to all LDAP account stores to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1112 LdapAttributeStoreConnectionFailure The Federation Service failed to connect to the Ldap server. Activity ID: %1 Request Details: Local CP trust identifier: %2 Ldap ErrorCode: %3 Exception details: %4
1113 ClientJWKSyncingInitiated Client Json Web Key Set (JWKS) synchronization initiated.
1114 ClientJWKSyncingComplete Client Json Web Key Set (JWKS) synchronization completed.
1115 ClientJWKSyncingError The Federation Service encountered an error while retrieving the Json Web Key Set (JWKS) document from '%1'. The key synchronization for the following client failed: Client: %2 Additional Data Exception details: %3 Additional details: %4 User Action Make sure the JWKS URI '%1' is accessible.
1116 ClientJWKSyncingDatabaseError An error occurred during a read operation from the configuration database. Monitoring of clients' Json Web Key Set (JWKS) was shut down and will be tried again after an amount of time that corresponds to the monitoring interval. Additional Data Exception details: %1 Additional details: %2
1117 ClientJWKSyncingClientError An error occurred during monitoring of the following client's Json Web Key Set (JWKS). Client: %1 Additional Data Exception details: %2 Additional details: %3
1118 ClientJWKSyncingGenericError An error occurred during monitoring of clients'Json Web Key Set (JWKS). The monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
1119 JWTSigningKeysDownloadedSuccessAudit The Json Web Token (JWT) signing keys configuration was successfully downloaded. Client: %1 Subject: Security ID: %2 Account: %3 Additional Data Keys imported: %6 JWKS uri: %4 JWKS uri content: %5
1120 JWTSigningKeysDownloadFailureAudit An attempt to change the Json Web Token (JWT) signing keys failed. Client: %1 Subject: Security ID: %2 Account: %3 Additional Data JWKS uri: %4 Exception details: %5
1121 TokenBindingKeyFailureAudit An attempt to use a token with an invalid token binding key was made. Activity ID: %1 Additional Data User: %2 %Target RP: %3 Client IP: %4 Token Binding ID: %5 Request Provided ID: %6 Request Referred ID: %7
1200 AppTokenSuccessAudit The Federation Service issued a valid token. See XML for details. Activity ID: %1 Additional Data XML: %2
1201 AppTokenFailureAudit The Federation Service failed to issue a valid token. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1202 FreshCredentialSuccessAudit The Federation Service validated a new credential. See XML for details. Activity ID: %1 Additional Data XML: %2
1203 FreshCredentialFailureAudit The Federation Service failed to validate a new credential. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1204 PasswordChangeBasicSuccessAudit A password was changed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1205 PasswordChangeBasicFailureAudit A password change was attempted, but failed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1206 SignOutSuccessAudit A SignOut request was successfully processed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1207 SignOutFailureAudit A SignOut request was attempted, but failed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1210 ExtranetLockoutAudit An extranet lockout event has occurred. See XML for failure details. Activity ID: %1 Additional Data XML: %2
ID Event Name Event Description
100 FsServiceStart The Federation Service started successfully. The following service hosts have been added: %1
102 StartupException There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Additional Data Exception details: %1
103 FsServiceStop The Federation Service stopped successfully.
104 ArtifactServiceNotRunningForReplayDetectionCheck The artifact resolution service is not running. The service must be running to perform token replay detection. User Action Make sure that the artifact resolution service is configured properly. Or disable token replay detection by using the Set-ADFSProperties cmdlet with the PreventTokenReplays parameter in Windows PowerShell for AD FS.
105 AuthMethodLoadError An error occurred loading an authentication provider. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. Identifier: %1 Context: %2 Additional Data Exception details: %3
106 AuthMethodLoadSuccess An authentication provider was successfully loaded: Identifier: '%1', Context: '%2'
111 WsTrustRequestProcessingError The Federation Service encountered an error while processing the WS-Trust request. Request type: %1 Additional Data Exception details: %2
131 BadConfigurationFormatError During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The configured value '%2' could not be parsed as type '%3'. Element: %1 Value: %2 Type: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Correct the specified configuration element to conform to the given type.
132 BadConfigurationValueMissing During processing of the Federation Service configuration, the required element '%1' was missing. Element: %1 The Federation Service will not be able to start until this configuration element is configured. User Action Configure the specified configuration element using the AD FS Management snap-in.
133 BadConfigurationIdentityCertificateHasNoPrivateKey During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 storeName: %4 storeLocation: %5 Federation Service identity: %6 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following: (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file. (2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above. (3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option. (4) The Federation Service identity '%6' has not been granted read access to the certificate's private key. User Action If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file). If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into. If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option. If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.
134 BadConfigurationCertificateNotFound During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' could not be found. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition occurs when the findValue that is specified does not match any certificate in the specified store. Common causes for this condition include the following: (1) The certificate with the specified findValue is from a store that is different from the configured store. (2) The certificate was deleted from the store after configuration. User Action If the certificate exists in a different store, find the location using the certificates snap-in and correct the configuration appropriately. If the certificate has been deleted, configure a different certificate.
135 BadConfigurationMultipleCertificatesMatch During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was identified by the findValue '%2' was not unique. Element: %1 storeName: %3 storeLocation: %4 x509FindType: %5 findValue: %2 The Federation Service will not be able to start until this configuration element is corrected. This condition can occur when the certificate is found in the specified store but there is more than one certificate that matches the findValue. User Action If the certificate was identified by name and there are multiple certificates of the same name, configure the certificate using the certificate thumbprint.
136 ConfigurationErrorsException During processing of the Federation Service configuration, the Federation Service encountered a configuration error. %1 Additional Data %2 The Federation Service will not be able to start until this error has been corrected. User Action Correct the specified configuration error using the AD FS Management snap-in.
143 UnableToCreateFederationMetadataDocument The Federation Service was unable to create the federation metadata document as a result of an error. Document Path: %1 Additional Data Exception details: %2
144 RequestBlocked The Federation Service Proxy blocked an illegitimate request made by a client, as there was no matching endpoint registered at the proxy. This could point to a DNS misconfiguration, a partially configured application published through the proxy, or a malicious request. Url Path: %1
147 InvalidClaimsProviderError A token was received from a claims provider identified by the key '%1', but the token could not be validated because the key does not identify any known claims provider trust. Key: %1 This request failed. User Action If this key represents the certificate thumbprint of a claims provider trust, verify that it matches the signing certificate of the claims provider trust in the AD FS configuration database.
149 AttributeStoreLoadFailure During processing of the Federation Service configuration, the attribute store '%1' could not be loaded. Attribute store type: %2 User Action If you are using a custom attribute store, verify that the custom attribute store is configured using AD FS Management snap-in. Additional Data %3
155 MetadataListenerError The Federation Service was unable to listen at '%1' for metadata document requests due to an unexpected error. Additional Data Exception details: %2
156 TrustMonitoringInitiated Trust monitoring cycle initiated.
157 TrustMonitoringComplete Trust monitoring cycle completed.
159 TrustMonitoringConfigurationDatabaseWriteError The Federation Service encountered an error while writing to the following object in the configuration database. Object Type: %1 Name: %2 Metadata document URL: %3 Additional Data Exception details: %4 Additional details: %5
163 TrustMonitoringInitiationError An error occurred during initialization of trust monitoring. Trust monitoring against the published partner configuration will be disabled for the lifetime of this service. Additional Data Exception details: %1 User Action If you want to try to start the trust monitoring service again, restart the Federation Service.
164 TrustMonitoringConfigurationDatabaseError An error occurred during a read operation from the configuration database. Trust monitoring was shut down and will be tried again after an amount of time that corresponds to the trust monitoring interval. Additional Data Exception details: %1 Additional details: %2
165 TrustMonitoringGenericError An error occurred during trust monitoring. The trust monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
166 TrustMonitoringMetadataFormatError Trust monitoring service encountered an error while parsing the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
167 TrustMonitoringMetadataProcessingError Trust monitoring service encountered an error while applying the data in the metadata document from '%1'. Trust monitoring failed for: Object Type: %2 Name: %3 Additional Data Exception details: %4 Additional details: %5
168 TrustManagementMetadataRequestError The Federation Service encountered an error while retrieving the federation metadata document from '%1'. The monitoring for the following trusts failed: Claims providers: %2 Relying parties: %3 Additional Data Exception details: %4 Additional details: %5 User Action Make sure federation metadata URL is accessible. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
171 SuccessfulAutoUpdate The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes.
173 SuccessfulAutoUpdateWithWarning The trust monitoring service automatically updated the trust of '%1' successfully with the partner's published changes. Additional Data Warnings: %2
174 AutoUpdateSkippedWithWarning Trust monitoring service detected changes in policy of '%1', but did not automatically apply the changes on the trust partner. Additional Data Warnings: %2
180 MinorVersionUpgradeError An error occurred while upgrading FarmBehaviorLevel '%1' from Minor Version '%2' to Minor Version '%3'. Additional Data Exception details: %4
184 InvalidRelyingPartyError A token request was received for a relying party identified by the key '%1', but the request could not be fulfilled because the key does not identify any known relying party trust. Key: %1 This request failed. User Action If this key represents a URI for which a token should be issued, verify that its prefix matches the relying party trust that is configured in the AD FS configuration database.
186 PolicyDuplicateNameIdentifier The Federation Service could not fulfill the token-issuance request. More than one claim based on SamlNameIdentifierClaimResource was produced after the issuance See event 500 with the same Instance ID for claims after application of issuance transform rules. Additional Data Instance ID: %1 User Action Ensure that the issuance transform rules that are configured for the relying party do not result in multiple claims based on SamlNameIdentifierClaimResource.
193 PolicyUnknownAuthenticationTypeError The Federation Service could not satisfy a token request because the relying party requested an unknown authentication type. Comparison type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed. User Action Use the AD FS PowerShell commands to configure the authentication context order property. Ensure that the relying party is configured to request the correct authentication type.
197 ConfigurationInvalidAuthenticationTypeError The Federation Service could not satisfy a token request because the accompanying credentials do not meet the authentication type requirement of '%2' for the relying party '%3'. Authentication type: %1 Desired authentication type(s): %2 Relying party: %3 This request failed.
198 FsProxyServiceStart The federation server proxy started successfully.
199 ProxyStartupException The federation server proxy could not be started. Reason: %1 Additional Data Exception details: %2
200 FsProxyServiceStop The federation server proxy stopped successfully.
201 ServiceHostOpenAddressAccessDeniedError The Federation Service %1 encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL. The %1 could not be opened. User Action Ensure that a valid ACL for each of the URLs has been configured on this computer. Additional Data Exception details: %2
202 ServiceHostOpenError The Federation Service %1 could not be opened. Additional Data Exception details: %2
203 ServiceHostAbortError The Federation Service %1 could not be shut down properly. Additional Data Exception details: %2
204 ServiceHostCloseError The Federation Service %1 could not be closed. Additional Data Exception details: %2
206 EmptyOrMissingWSFederationPassiveEndpoint The Federation Service could not fulfill the token-issuance request because the relying party '%1' is missing a WS-Federation Passive endpoint address. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure a WS-Federation Passive endpoint on this relying party.
207 FailureWritingToAuditLog An attempt to write to the Security event log failed. Additional Data Windows error code: %1 Exception details: %2
208 InsufficientPrivilegesWritingToAuditLogError An error occurred during an attempt to register the event source for the Security log. User Action Ensure that the Federation Service has the correct permissions to write to the Security log.
209 AuditLogEventSourceCouldNotBeRegisteredError The Security log event source for the Federation Service could not be registered. Additional Data Windows error code: %1 Exception details: %2
215 FsProxyNoEndpointsConfigured The Federation Service at '%1' did not return any WS-Trust endpoints to be published by the federation server proxy. User Action If you want to publish WS-Trust endpoints to the federation server proxy, make sure that the endpoints are enabled for proxy use on the federation server.
217 BindingConfigurationError A WS-Trust endpoint that was configured could not be opened. Additional Data Address: %1 Mode: %2 Error: %3
218 FsProxyServiceConnectionFailedServiceUnavailable The federation server proxy received error code '%2' while making a request to the Federation Service at '%1'. This could mean that the Federation Service is not started on the remote host. User Action Verify that the Federation Service is running on the remote host.
220 ServiceConfigurationInitializationError The Federation Service configuration could not be loaded correctly from the AD FS configuration database. Additional Data Error: %1
221 ServiceConfigurationReloadError A change to the token service configuration was detected, but there was an error reloading the changes to configuration. Additional Data Error: %1
222 FsProxyServiceConnectionFailedTimeout The federation server proxy was unable to complete a request to the Federation Service at address '%1' because of a time-out. This might mean that the Federation Service is currently unavailable. User Action Verify that the Federation Service is running.
223 ClaimDescriptionReloadError Claim description could not be loaded correctly from the database. Additional Data Error: %1
224 ProxyConfigurationRefreshError The federation server proxy configuration could not be updated with the latest configuration on the federation service. Additional Data Error: %1
230 ProxyCongestionWindowMinimumSize The federation server proxy has detected congestion, caused by high latency response times, on the Federation Service. The load might be above the Federation Service operating capacity, or there might be network connectivity issues. Request throttling has been enforced to limit the number of concurrent requests to the following size: %1. User Action Verify that the Federation Service is operating within its operating capacity. Verify that the Federation Service is not experiencing network outages.
238 AttributeStoreFindDCFailedError The Federation Service failed to find a domain controller for the domain %1. Additional Data Domain Name: %1 Error: %2 User Action Use Nltest to determine why DC locator is failing. Nltest is part of the Windows Support Tools.
244 MetadataExchangeListenerError The Federation Service was unable to listen at '%1' for WS-MetadataExchange requests due to an unexpected error. Additional Data Exception details: %2
245 ProxyConfigurationRefreshSuccess The federation server proxy successfully retrieved and updated its configuration from the Federation Service '%1'.
246 LdapDCConnectionError The Federation Service encountered an error during an attempt to connect to a LDAP server at %1. Additional Data Domain Name: %1 LDAP server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from LDAP server (if available): %7 Exception Details: %8 User Action Check the network connectivity to the LDAP server. Also, check whether the LDAP server is configured properly.
247 LdapGCConnectionError The Federation Service encountered an error while connecting to a global catalog server at %1. Additional Data Domain Name: %1 Global Catalog hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from server (if available): %7 Exception Details: %8 User Action Troubleshoot the network connectivity to the global catalog server. Also, verify that the global catalog server is configured properly.
248 ProxyEndpointsRetrievalError The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at %1. The error message is '%2'. User Action Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.
249 AdditionalCertificateLoadWarning The certificate identified by thumbprint '%1' could not be found in the certificate store. In certificate rollover scenarios, this can potentially cause a failure when the Federation Service is signing or decrypting using this certificate. User Action Ensure that the certificate that is identified by thumbprint '%1' has been added to the Localmachine "My" store and that it is accessible by the service account of the Federation Service.
250 ArtifactExpirationError Expiration of the artifact failed. Additional Data Exception message: %1 User Action Ensure that the artifact storage server is configured properly. Troubleshoot network connectivity to the artifact storage server.
251 AttributeStoreLoadSuccess Attribute store '%1' is loaded successfully.
252 ProxyHttpListenerStartupInfo The AD FS proxy service made changes to the endpoints it is listening on based on the configuration it retrieved from the Federation Service. Endpoints added: %1 Endpoints removed: %2
253 ProxyHttpListenerStartupError AD FS proxy service failed to start a listener for the endpoint '%1' Exceptiondetails: %2 User action: Ensure that no conflicting SSL bindings are configured for the specified endpoint.
258 ConfigurationMissingAssertionConsumerServicesError The relying party '%1' is not configured with SAML Assertion Consumer Services. Relying party: %1 This request failed. User Action Use the AD FS Management snap-in to configure one or more Assertion Consumer Services for this relying party.
259 ConfigurationAssertionConsumerServiceIndexDoesNotMatchError The request specified an Assertion Consumer Service index '%1' that is not configured on the relying party '%2'. Assertion Consumer Service index: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified index for this relying party.
260 ConfigurationAssertionConsumerServiceProtocolBindingDoesNotMatchError The request specified an Assertion Consumer Service protocol binding '%1' that is not configured on the relying party '%2'. Assertion Consumer Service protocol binding: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified protocol binding for this relying party.
261 ConfigurationAssertionConsumerServiceUrlDoesNotMatchError The request specified an Assertion Consumer Service URL '%1' that is not configured on the relying party '%2'. Assertion Consumer Service URL: %1 Relying party: %2 This request failed. User Action Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party.
262 ArtifactResolutionFailed The artifact resolution request failed. Additional Data Exception message: %1
273 ConfigurationAssertionConsumerServiceNotFoundError The request specified an assertion consumer service that is not configured or not supported on the relying party '%4'. Request parameters: '%1', '%2', '%3' Relying party: %4 This request failed. User Action Use the AD FS Management snap-in to configure an assertion consumer service with the specified parameters for this relying party. Also, check whether the artifact resolution service is enabled if the SAML artifact is requested.
274 FsProxyEndpointListenerAccessDeniedError The federation server proxy encountered an error while trying to listen on one of the proxy endpoints. The federation server proxy will not be able to start until it can listen on all required proxy endpoints. Proxy Endpoints: %1 User Action Ensure that the permissions on the URLs of the proxy endpoints allow the federation server proxy security account (the default is Network Service) to listen on them.
275 FsProxySslTrustError The federation server proxy could not establish a trust relationship for the SSL secure channel with the Federation Service %1. Error Message: %2 User Action Ensure that the SSL certificate for Federation Service '%1' is valid and trusted by the federation server proxy.
276 FsProxyServiceNotTrustedOnStsError The federation server proxy was not able to authenticate to the Federation Service. User Action Ensure that the proxy is trusted by the Federation Service. To do this, log on to the proxy computer with the host name that is identified in the certificate subject name and re-establish trust between the proxy and the Federation Service using the Install-WebApplicationProxy cmdlet. Additional Data Certificate details: Subject Name: %1 Thumbprint: %2 NotBefore Time: %3 NotAfter Time: %4 Client endpoint: %5
277 UnhandledExceptionError The Federation Service encountered an unexpected exception and has shut down. Additional Data Exception details: %1
278 ArtifactResolutionEndpointNotConfiguredError The SAML artifact resolution endpoint is not configured or it is disabled. User Action If SAML artifact resolution is required, use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
279 SamlArtifactResolutionClaimsProviderNotFoundError Unable to find a claims provider trust for SAML artifact resolution in the AD FS configuration database. SAML artifact: %1 This request failed. User Action Verify that a claims provider trust exists in the AD FS configuration database. Make sure that the data for the claims provider trust is up to date.
280 ClaimsProviderMissingArtifactServiceError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the artifact resolution service configured. Claims provider trust: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Add the artifact resolution service endpoint to the claims provider trust.
281 SamlArtifactResolutionEndpointNotFoundError Unable to resolve the SAML artifact from the claims provider because the claims provider trust does not have the required artifact resolution endpoint with the specified index configured. Claims provider trust: %1 Required endpoint index: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Use the AD FS Management snap-in to configure the artifact resolution endpoint with the specified index.
282 SamlArtifactResolutionSignatureVerificationFailureAudit Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date using AD FS Management snap-in. Verify that the claims provider trust's certificate is up to date.
283 SamlArtifactResolutionRequestError Unable to resolve the SAML artifact. The artifact resolution request to the claims provider failed. See inner exception for more details. SAML Artifact: %1 Claims provider: %2 Inner exception: %3 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify network connectivity. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
284 SamlArtifactResolutionResponseVerificationError Unable to resolve the SAML artifact. A malformed response was received from the claims provider. See inner exception for more details. SAML artifact: %1 Claims provider: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date.
285 SamlArtifactResolutionBadResponseError The SAML artifact was resolved, but the response is empty or does not contain expected assertions. SAML artifact: %1 Claims provider: %2 This request failed. User Action For more information, contact the claims provider.
286 ArtifactStorageConnectionOpenError Cannot connect to the artifact database. Connection string: %1 Error message: %2 User Action Ensure that the artifact database is configured properly. Use the Set-ADFSProperties cmdlet with the ArtifactDbConnection parameter in the Windows PowerShell for AD FS to modify the connection string, if necessary. Troubleshoot the connectivity to the artifact storage .
287 ArtifactStorageAddError Cannot add the artifact to the artifact database. See exception message for more details. Artifact ID: %1 Inner exception details: %2 User Action Ensure that the artifact database is configured properly. Troubleshoot the connectivity to the artifact database.
288 ArtifactStorageGetError Cannot get the artifact from storage. See exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
289 ArtifactStorageRemoveError Cannot remove the artifact from storage. See inner exception message for more details. ArtifactId: %1 Inner exception details: %2 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
290 ArtifactStorageExpireError Cannot set expiration for the artifacts in storage. See inner exception message for more details. Inner exception details: %1 User Action Ensure that the artifact storage in the AD FS configuration database is configured properly. Troubleshoot connectivity to the artifact storage in the AD FS configuration database.
291 ArtifactServiceStartupException The artifact resolution service could not be started. Additional Data Exception details: %1 User Action Make sure artifact resolution service is properly configured.
292 ArtifactResolutionServiceSignatureVerificationFailureAudit The Artifact Resolution Service could not verify request signature. Additional Data Exception details: %1
293 ArtifactRequestedButDisabledError A SAML request for the required artifact was rejected because the artifact resolution service is not enabled. Relying party: %1 This request failed. User Action Enable the artifact resolution service. Use the AD FS Management snap-in to configure or enable the SAML artifact resolution endpoint.
294 ArtifactResolutionServiceIdentityNotFoundError The SAML artifact resolution request specified an issuer that is not configured for the relying party. Relying party: %1 Artifact resolution request issuer: %2 This artifact resolution request failed. User Action Ensure that the relying party is configured properly using the AD FS Management snap-in.
296 ArtifactResolutionServiceNoSignatureFailureAudit A SAML artifact resolution request was received without a signature. Request issuer: %1 This artifact resolution request failed.
297 ArtifactResolutionServiceBadEndpointIndexError The SAML artifact resolution request required an artifact resolution service endpoint with an index that is not configured. Endpoint index: %1 Configured endpoint index: %2 This artifact resolution request failed.
298 KeyReceiptBackgroundTaskNotEnabled The Windows Hello for Business key receipt certificate background task will not run. Additional Information: %1
299 TokenIssuanceSuccessAudit A token was successfully issued for the relying party '%3'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. See audit 503 with the same Instance ID for ActAs identity, if any. Instance ID: %1 Activity ID: %2 Relying party: %3
300 WSTrustRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request. Activity ID: %1 Request type: %2 Additional Data Exception details: %3
301 ActAsAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' as the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
302 ActAsAuthorizationError The Federation Service could not authorize token issuance for caller '%2' as subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 503 with the same Instance ID for ActAs identity, if any. Additional Data Instance ID: %1 Relying party: %4 Exception details: %5 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to act as the subject to the relying party.
303 SamlRequestProcessingError The Federation Service encountered an error while processing the SAML authentication request. Additional Data Exception details: %1
304 SamlRequestProcessingGeneralTokenIssuanceFailureAudit The Federation Service failed to issue a token as a result of an error during processing of the SAML authentication request. Additional Data Activity ID: %1 Exception details: %2
305 LdapDCServerError The Federation Service encountered an error while querying a LDAP server at %1. Additional Data Domain name: %1 LDAP server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from LDAP server (if available): %7 Exception Details: %8
306 LdapGCServerError The Federation Service encountered an error while querying a global catalog server at %1. Additional Data Domain name: %1 Global catalog server hostname (if available): %2 Authentication type: %3 SSL mode: %4 Username (if available): %5 Error code (if available): %6 Error from server (if available): %7 Exception Details: %8
307 ConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %2 Account: %3 See audit 510 with the same Instance ID for change details. Additional Data Instance ID: %1 Security ID: %2 Account: %3
308 ConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error: %1 Subject: Security ID: %2 Account: %3
309 WmiConfigurationChangeSuccessAudit The Federation Service configuration was changed. Subject: Security ID: %1 Account: %2 Old Value: %3 New Value: %4
310 WmiConfigurationChangeFailureAudit An attempt to change the Federation Service configuration failed. Error : %1 Subject: Security ID: %2 Account: %3 Current Value: %4 Attempted Change: %5
311 PerformanceCounterFailure An attempt to update AD FS performance counters failed. Additional Data Exception details: %1
315 ClaimsProviderSigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate. Claims provider trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
316 RelyingPartySigningCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's signing certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party signing certificate. Relying party trust's signing certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's signing certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
317 RelyingPartyEncryptionCertificateCrlCheckFailure An error occurred during an attempt to build the certificate chain for the relying party trust '%1' certificate identified by thumbprint '%2'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's encryption certificate revocation settings or certificate is not within its validity period. You can use Windows PowerShell commands for AD FS to configure the revocation settings for the relying party encryption certificate. Relying party trust's encryption certificate revocation settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the relying party trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
319 ClientCertificateCrlCheckFailure An error occurred while the certificate chain for the client certificate identified by thumbprint '%1' was being built. The certificate chain could not be built. The certificate has been revoked, the certificate chain could not be verified as specified by the encryption certificate revocation settings or certificate is not within its validity period. You can use the Set-ADFSProperties cmdlet with the ProxyCertRevocationCheck parameter in Windows PowerShell for AD FS to configure the client certificate revocation settings. Client Certificate Revocation Settings: %2 The following errors occurred while building the certificate chain: %3 User Action: Ensure that the client certificate is valid and has not been revoked. Ensure that the Federation Service can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
320 SamlProtocolSignatureVerificationError The verification of the SAML message signature failed. Message issuer: %1 Exception details: %2 This request failed. User Action Verify that the message issuer configuration in the AD FS configuration database is up to date. Configure the signing certificate for the specified issuer. Verify that the issuer's certificate is up to date. Verify the issuer and server message signing requirements.
321 InvalidNameIdPolicyError The SAML authentication request had a NameID Policy that could not be satisfied. Requestor: %1 Name identifier format: %2 SPNameQualifier: %3 Exception details: %4 This request failed. User Action Use the AD FS Management snap-in to configure the configuration that emits the required name identifier.
322 OnBehalfOfAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for the caller '%3' on behalf of the subject '%4' to the relying party '%5'. See audit 501 with the same Instance ID for caller identity. See audit 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %5
323 OnBehalfOfAuthorizationError The Federation Service could not authorize token issuance for the caller '%2' on behalf of the subject '%3' to the relying party '%4'. See event 501 with the same Instance ID for caller identity. See event 502 with the same Instance ID for OnBehalfOf identity, if any. Additional Data Instance ID: %1 Exception details: %5 User Action Use the Windows PowerShell Get-ADFSClaimsProviderTrust or Get-ADFSRelyingPartyTrust cmdlet to ensure the caller is authorized on behalf of the subject to the relying party.
324 CallerAuthorizationTokenIssuanceFailureAudit The Federation Service could not authorize token issuance for caller '%3' to relying party '%4'. See audit 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Activity ID: %2 Relying party: %4
325 CallerAuthorizationError The Federation Service could not authorize token issuance for caller '%2'. The caller is not authorized to request a token for the relying party '%3'. See event 501 with the same Instance ID for caller identity. Additional Data Instance ID: %1 Relying party: %3 Exception details: %4 User Action Use the AD FS Management snap-in to ensure that the caller is authorized to request a token for the relying party.
326 ClaimsPolicyInvalidPolicyTypeError Failed to load the AD FS claims policy engine using policy type '%1' User Action Make sure AD FS is installed correctly.
327 SamlSingleLogoutError An error occurred during processing of the SAML logout request. Additional Data Caller identity: %1 Logout initiator identity: %2 Error message: %3 Exception details: %4 User Action Ensure that the single logout service is configured properly for this relying party trust or claims provider trust in the AD FS configuration database.
328 SamlArtifactResolutionNoAssertion The SAML artifact resolution request was resolved, but the response does not contain the expected assertions. Additional Data: SAML artifact: %1 Status code: %2 SubStatus code: %3 Status message: %4 This request failed. User Action Contact the claims provider for more information.
329 AdditionalBlobCertificateLoadWarning The certificate that is identified by thumbprint '%1' could not be decrypted using the keys for X.509 certificate private key sharing. Additional Data: X.509 certificate private key sharing diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the specified distinguished name in the diagnostic information above for X.509 certificate private key sharing.
331 CertificateManagementDecryptionError The certificate management service encountered an error during decryption of the keys. storeName: %2 storeLocation: %1 x509FindType: %4 findValue: %3 Additional Data: X.509 certificate private key sharing diagnosis: %5 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis for X.509 certificate private key sharing above.
332 CertificateManagementEncryptionError The certificate management service encountered an error during encryption of the keys. Subject: %1 Diagnosis: %2 User Action You may have to restore all Active Directory objects underneath the distinguished name that is specified in the diagnosis above for X.509 certificate private key sharing.
333 CertificateManagementConfigurationError The certificate management service encountered an error during database access. Additional Data: Diagnosis: %1 User Action Confirm that the SQL store is online.
334 CertificateManagementWarning Certificate rollover service needs to rollover %1 certificates urgently. Partners will not be able to apply the update in time.
335 CertificateManagementInfo %1
336 CertificateManagementInitiated The certificate management cycle was initiated.
337 CertificateManagementComplete The certificate management cycle was completed.
338 CertificateManagementGenericError An error was encountered during certificate rollover. The monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
339 CertificateManagementInitiationError An error occurred during initialization of certificate rollover. Certificates will not be rolled over. Additional Data Exception details: %1
340 ArtifactResolutionSuccessAudit An SAML artifact resolution request was successfully resolved for the relying party '%1'. Relying party: %1 SAML artifact: %2
341 SecurityTokenNotYetValidError The NotBefore attribute for the token has a value that is set to a future time. See inner exception for more details. Additional Data Token Type: %1 Exception details: %2 This request failed. User Action Verify that system clock is synchronized.
342 SecurityTokenValidationError Token validation failed. Additional Data Token Type: %1 %Error message: %2 Exception details: %3
343 ConfigurationDatabaseSynchronizationInitiationError There was an error during initialization of synchronization. Synchronization of data from the primary federation server to the secondary federation server will not occur. Additional Data Exception details: %1
344 ConfigurationDatabaseSynchronizationSyncError There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional data Exception details: %1 User Action Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.
345 ConfigurationDatabaseSynchronizationCommunicationError There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur. Additional Data Master Name : %1 Endpoint Uri : %2 Exception details: %3
346 ConfigurationDatabaseReadOnlyTransferError There was an error during retrieving the configuration data for the secondary federation server. Additional Data Exception details: %1
348 ConfigurationDatabaseSynchronizationCompleted Synchronization of configuration data from the primary federation server '%1' is completed. %2 objects were added. %3 objects were deleted.
349 FsAdministrationServiceStart The administration service for the Federation Service started successfully. You can now use the Windows Powershell commands for AD FS to modify the Federation Service configuration. The following service hosts have been added: %1
351 PolicyStoreSynchronizationPropertiesGetError There was an error getting synchronization properties. Additional Data Exception details: %1
352 ConfigurationDatabaseSqlError A SQL operation in the AD FS configuration database with connection string %1 failed. Additional Data Exception details: %2
353 SamlArtifactResolutionSignatureVerificationError Unable to resolve the SAML artifact. Verification of the artifact response signature failed. Claims provider: %1 Exception details: %2 This request failed. User Action Verify that the claims provider trust in the AD FS configuration database is up to date. Verify that the claims provider trust's signing certificate is up to date.
354 ArtifactResolutionServiceSignatureVerificationError The artifact resolution service could not verify the request signature. Additional Data Exception details: %1 User action: Verify that the relying party trust in the AD FS configuration database is up to date. Configure the relying party certificate for request signing. Verify that relying party certificate is up to date.
356 SqlNotificationRegistrationError Failed to register notification to the SQL database with the connection string %1 for cache type '%2'. Changes to settings may not take effect until the Federation Service restarts. Additional Data Exception details: %3
357 SqlNotificationRegistrationResumption Successfully registered notification to the SQL database with the connection string %1.
358 ServiceHostRestart Restarting %1. This restart is necessary because a change was detected in the certificates that this service host uses. Requests that are served by endpoints of this service host may fail during restart.
359 ServiceHostRestartError An error occurred during an attempt to restart %1. Additional Data Exception details: %2 User Action Restart the Federation Service to recover from the error.
360 ClientCertificateNotPresentOnProxyEndpointError A request was made to a certificate transport endpoint, but the request did not include a client certificate. This could be because the root CA certificate that issued the client certificate is not in the Trust CA certificate store or because the client certificate is expired. User Action: Ensure that the CA that issued the client certificate in this request has its certificate in the Trusted Root Certificate Authority store on the Local Computer. Ensure that the client certificate is not expired.
362 WSFederationPassiveSignOutError Encountered error during federation passive sign-out. Additional Data Exception details: %1
363 WSFederationPassiveServiceCommunicationError A communication error occurred during an attempt to get a token from the Federation Service. Make sure that the Federation Service is running. Additional Data Exception details: %1
364 WSFederationPassiveRequestFailedError Encountered error during federation passive request. Additional Data Protocol Name: %1 Relying Party: %2 Exception details: %3
365 RelyingPartyNotEnabled A token request was received for the relying party '%1', but the request could not be fulfilled because the relying party trust is not enabled. Relying party: %1 This request failed. User Action If this relying party trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
366 ClaimsProviderNotEnabled A token was received from claims provider '%1', but the token could not be validated because the claims provider trust is not enabled. Claims provider: %1 This request failed. User Action If this claims provider trust should be enabled, enable it by using the AD FS Management snap-in or Windows PowerShell for AD FS.
367 AudienceUriValidationFailed The audience restriction was not valid because the specified audience identifier is not present in the acceptable identifiers list of this Federation Service. User Action See the exception details for the audience identifier that failed validation. If the audience identifier identifies this Federation Service, add the audience identifier to the acceptable identifiers list by using Windows PowerShell for AD FS. Note that the audience identifier is used to verify whether the token was sent to this Federation Service. If you think that the audience identifier does not identify your Federation Service, adding it to the acceptable identifiers list may open a security vulnerability in your system. Additional Data Token Type: %1 Exception details: %2
368 SamlLogoutNameIdentifierNotFoundError The SAML Single Logout request does not correspond to the logged-in session participant. Requestor: %1 Request name identifier: %2 Logged-in session participants: %3 This request failed. User Action Verify that the claim provider trust or the relying party trust configuration is up to date. If the name identifier in the request is different from the name identifier in the session only by NameQualifier or SPNameQualifier, check and correct the name identifier policy issuance rule using the AD FS Management snap-in.
369 WSFederationPassiveTtpRequestError Processing TTP request failed with the following exception. Additional Data Exception details: %1 User Action Ensure that user has enabled cookies in browser settings.
370 WSFederationPassiveTtpResponseError Incoming TTP response is not valid. Processing response failed with following exception. Additional Data Exception details: %1 User Action Ensure that partner federation provider is configured properly to send valid TTP response.
371 AuthorityCertificateResolveError Cannot find certificate to validate message/token signature obtained from claims provider. Claims provider: %1 This request failed. User Action Check that Claim Provider Trust configuration is up to date.
372 WeakSignatureAlgorithmError Authentication Failed. The token used to authenticate the user is signed using a weaker signature algorithm than expected. Additional Data Token Type: %1 Issuer: %2 Actual token signature algorithm: %3 Expected token signature algorithm: %4 User Action Check that Claim Provider is configured to accept tokens with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
373 ArtifactResolutionServiceWeakSignatureAlgorithmError The artifact request from the replying party is signed with a weaker signature algorithm. Additional Data Relying party identity: %1 Actual message signature algorithm: %2 Expected message signature algorithm: %3 User action: Check that relying party is configured to accept artifact resolution request with expected signature algorithm. Use the AD FS PowerShell commands to configure the signature algorithm property.
374 AuthorityEncryptionCertificateCrlCheckFailure An error occurred while building the certificate chain for the claims provider trust '%1' certificate identified by thumbprint '%2'. The certificate chain could not be built, the certificate has been revoked, or the certificate chain could not be verified as specified by the claims provider trust's encryption certificate revocation settings. AD FS powershell commands can be used to configure the claims provider trust encryption certificate revocation settings. Claims Provider Trust Encryption Certificate Revocation Settings: %3 The following errors occurred while building the certificate chain: %4 User Action: Ensure that the claims provider trust's encryption certificate is valid and has not been revoked. Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).
375 PolicyStoreSynchronizationInitiated Policy store synchronization initiated.
376 SqlAttributeStoreQueryExecutionError An Error occurred while executing a query in SQL attribute store. Additional Data Connection information: %1 Query: %2 Parameters: %3 User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the connection string to the SQL attribute store is valid. Make sure that the SQL attribute store can be reached by the connection string and the SQL attribute store exists. Verify that the SQL query and parameters are valid. Exception details: %4
377 AttributeStoreError A processing error occurred in an attribute store. User Action Exception details: %1
378 SAMLRequestUnsupportedSignatureAlgorithm SAML request is not signed with expected signature algorithm. SAML request is signed with signature algorithm %1 . Expected signature algorithm is %2 User Action: Verify that signature algorithm for the partner is configured as expected.
379 InvalidIssuanceInstantError A security token was rejected as the specified IssueInstant was before the allowed time frame. Token Type: %1 User Action: To allow tokens for a larger timeframe, use the AD FS PowerShell commands to adjust the value of the ReplayCacheExpirationInterval.
380 BadConfigurationIdentityCertificateNotValid During processing of the Federation Service configuration, the element '%1' was found to have invalid data. The certificate that was configured could not be used. The certificate has been revoked, the certificate chain could not be verified or certificate is not within its validity period. The following are the values of the certificate: Element: %1 Subject: %2 Thumbprint: %3 The Federation Service will not be able to start until this configuration element is corrected. User Action Verify whether the certificate chain for the certificate configured has been revoked by its certificate authority. If the certificate has been revoked or expired, the AD FS service must be issued a new certificate.
381 AdditionalCertificateValidationFailure An error occurred during an attempt to build the certificate chain for configuration certificate identified by thumbprint '%1'. Possible causes are that the certificate has been revoked or certificate is not within its validity period. The following errors occurred while building the certificate chain: %2 User Action: Ensure that the certificate is valid and has not been revoked or expired.
382 SynchronizationThresholdViolation AD FS detected that the Federation Service has more than %1 %2 trusts configured and that the data in the AD FS configuration database for this Federation Service is stored and synchronized using Windows Internal Database technology. The overall performance of data synchronization between configuration databases that are stored locally on federation servers across the farm will degrade as you add more than %1 trusts when you use the Windows Internal Database to store the AD FS configuration database. User Action: To improve synchronization performance across your federation server farm, we recommend that you migrate the data in the AD FS configuration database to SQL server. For more information about how to do this, see AD FS Operations Guide (http://go.microsoft.com/fwlink/?LinkId=181189).
383 WSFederationPassiveWebConfigMalformedError The Web request failed because the web.config file is malformed. User Action: Fix the malformed data in the web.config file. Exception details: %1
384 WSFederationPassiveInvalidValueInWebConfigError The request to the Federation Service failed because the web.config file has an invalid configuration for '%1' that the Federation Service does not support. User Action: Ensure that the configuration of the property '%1' is supported by the Federation Service.
385 ConfigurationHasExpiredCertsWarning AD FS detected that one or more certificates in AD FS configuration database need to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
386 ConfigurationHealthyCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are due to expire.
387 CertPrivateKeyInaccessibleError AD FS detected that one or more of the certificates specified in the Federation Service were not accessible to the service account used by the AD FS Windows Service. User Action: Ensure that the AD FS service account has read permissions on the certificate private keys. Additional Details: %1
388 CertPrivateKeyAccessibleInfo AD FS detected that all the service certificates have appropriate access given to the AD FS service account.
389 TrustsHaveExpiredCertsWarning AD FS detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon. See additional details for more information Additional Details: %1
390 TrustsHaveHealthyCertsInfo AD FS detected that none of the partner certificates that are configured to be managed by the administrator are due to expire.
392 FsProxyTrustTokenRenewalSuccess The federation server proxy was able to successfully renew its trust with the Federation Service. Proxy trust certificate subject: %1. Proxy trust certificate old thumbprint: %2. Proxy trust certificate new thumbprint: %3.
393 ProxyTrustTokenIssuanceFailure The federation server proxy could not establish a trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached.
394 FsProxyTrustTokenRenewalError The federation server proxy could not renew its trust with the Federation Service. Additional Data Exception details: %1 User Action Ensure that the federation server proxy is trusted by the Federation Service. If the trust does not exist or has been revoked, establish a trust between the proxy and the Federation Service using the Federation Service Proxy Configuration Wizard by logging on to the proxy computer.
395 ProxyTrustTokenIssuanceSuccess The trust between the federation server proxy and the Federation Service was established successfully using the account '%1'. Proxy trust certificate subject: %2. Proxy trust certificate thumbprint: %3.
396 ProxyTrustTokenRenewalSuccess The trust between the federation server proxy and the Federation Service was renewed successfully. Proxy trust certificate subject: %1. Proxy trust certificate old thumbprint: %2. Proxy trust certificate new thumbprint: %3.
397 HttpProxyConfigurationInfo The federation server loaded the HTTP proxy configuration from WinHTTP settings. HTTP Proxy: %1 HTTPS Proxy: %2 Bypass proxy for local addresses: %3 Bypass proxy for addresses: %4 To learn more about how to set the HTTP proxy settings for the federation server, see http://go.microsoft.com/fwlink/?LinkId=182180.
398 ConfigurationHasArchivedCertsWarning AD FS detected that one or more certificates in the AD FS configuration database need to be updated manually because they are archived. Additional Details: %1
399 ConfigurationHealthyUnarchivedCertsInfo AD FS detected that none of the service certificates that are configured to be managed by the administrator are archived.
400 GiveUserVSSAccess VSS writer permissions have been granted to user %1.
401 RevokeUserVSSAccess VSS writer permissions have been revoked from user %1.
402 CertificateClaimUnknownError Failed to add some of the certificate claims.
403 RequestReceivedSuccessAudit An HTTP request was received. See audit 510 with the same Instance ID for headers. Instance ID: %1 Activity ID: %2 Request Details: Date And Time: %3 Client IP: %4 HTTP Method: %5 Url Absolute Path: %6 Query string: %7 Local Port: %8 Local IP: %9 User Agent: %10 Content Length: %11 Caller Identity: %12 Certificate Identity (if any): %13 Targeted relying party: %14 Through proxy: %15 Proxy DNS name: %16
404 ResponseSentSuccessAudit An HTTP response was dispatched. See audit 510 with the same Instance ID for headers. Instance ID: %1 Activity ID: %2 Response Details: Date And Time: %3 Status Code: %4 Status Description: %5
405 PasswordChangeSuccessAudit Password change succeeded for following user: Activity ID: %1 User: %2 Server on which password change was attempted: %3
406 PasswordChangeFailureAudit Password change failed for following user: Additional Data Activity ID: %1 User: %2 Device Certificate: %3 Server on which password change was attempted: %4 Client IP: %6 Error details: %5
407 PasswordChangeError Password change failed for following user: Additional Data User: %1 Server on which password change was attempted: %2 Error details: %3
408 DeviceAuthenticationFailureAudit Device authentication failed for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Error Message: %8
409 DeviceAuthenticationSuccessAudit Device authentication successful for following device: Additional Data Activity ID: %1 User: %2 Client IP: %3 Target Application: %4 Device Certificate: %5 Device ID: %6 Device Name: %7 Registered owner's sid: %8 Is current User registered: %9
410 RequestContextHeadersSuccessAudit Following request context headers present : Activity ID: %1 %2: %3 %4: %5 %6: %7 %8: %9 %10: %11 %12: %13 %14: %15
411 SecurityTokenValidationFailureAudit Token validation failed. See inner exception for more details. Additional Data Activity ID: %1 Token Type: %2 Client IP: %5 Error message: %3 Exception details: %4
412 AuthenticationSuccessAudit A token of type '%3' for relying party '%4' was successfully authenticated. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2
413 CallerIdFailureAudit An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Caller: %2 OnBehalfOf user: %3 ActAs user: %4 Target Relying Party: %5 Device identity: %6 Client IP: %7 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
414 InvalidMsisHttpRequestAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 Target Relying Party: %2 Is Application Proxy Configured: %3 Is Request From the Extranet: %4 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
415 UnregisteredDrsUpnSuffixes %1
416 WebConfigurationError Web configuration error: %1
417 CertificateClaimError Unable to add the certificate claim %1.
418 StsProxyTrustRenewalAuditSuccess The trust between the federation server proxy and the Federation Service was successfully renewed. Additional Data Server from which request was made: %1 Certificate Subject: %2 Old Certificate Thumbprint: %3 New Certificate Thumbprint: %4
419 StsProxyTrustRenewalAuditFailure Unable to renew the trust between the federation server proxy and the Federation Service. Additional Data Server from which request was made: %1 Exception details: %2
420 StsProxyTrustTokenEstablishmentAuditSuccess The trust between the federation server proxy and the Federation Service was successfully established. Additional Data User: %1 Server from which request was made: %2 Certificate Subject: %3 Certificate Thumbprint: %4
421 StsProxyTrustTokenEstablishmentAuditFailure The trust between the federation server proxy and the Federation Service could not be established. Additional Data User: %1 Server from which request was made: %2
424 ClientCertNotTrustedOnStsAuditFailure The federation server proxy was not able to authenticate the client certificate presented in the request. Activity ID: %1 Client certificate thumbprint: %2 Client certificate subject name: %3 Client endpoint: %4 Inner exception: %5 User Action Ensure that the request is using the certificate used to establish the trust between the Federation Server Proxy and the Federation Service.
425 ApplicationProxyConfigurationStoreChangeAuditSuccess The following update was successful to the application proxy store on the federation server. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6
426 ApplicationProxyConfigurationStoreChangeAuditFailure The following update attempt to the application proxy store on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Key: %4 Value: %5 Version: %6 Error information: %7
427 ApplicationProxyTrustUpdateAuditSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4
428 ApplicationProxyTrustUpdateAuditFailure The following update attempt to the application proxy relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Identifier: %4 Error information: %5
429 RelyingPartyTrustUpdateAuditSuccess The following update attempt to the relying party trust on the federation server succeeded. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal Url: %5 External Url: %6 Published identifier: %7
430 RelyingPartyTrustUpdateAuditFailure The following update attempt to the relying party trust on the federation server failed. Activity ID: %1 Authentication information: %2 HTTP method: %3 Relying party trust identifier: %4 Internal url: %5 External url: %6 Published identifier: %7 Error information: %8
431 ActiveRequestRSTSuccessAudit An active request was received at STS with RST containing: Activity ID: %1 RST Details: KeySize: %2 KeyType: %3 RequestType: %4 TokenType: %5 SignatureAlgorithm: %6
432 ProxyConfigurationEndpointError Error handling request from proxy at %1 Additional Data Exception details: %2
433 ProxyTrustTokenRenewalError Error encountered while renewing trust with the federation server proxy. Additional Data Exception details: %1
434 CertificateAuthorityExpirationCheckWarning The primary AD FS certificate authority issuer certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. To avoid certificate issuance service interruption, ensure that the current secondary certificate ( thumbprint %3 ) is installed in Active Directory before the rollover occurs at %4 UTC.
435 PrimarySigningCertificateRolloverCheckWarning The primary AD FS token signing certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. Relying parties that rely on federation metadata will be notified automatically; any relying parties that do not rely on federation metadata must be informed of the new certificate before the rollover at %4 UTC.
436 PrimaryDecryptionCertificateRolloverCheckWarning The primary AD FS token decryption certificate ( thumbprint %1 ) will expire at %2 UTC. The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC. Identity providers that rely on federation metadata will be notified automatically; any identity providers that send encrypted tokens to AD FS and do not rely on federation metadata must be informed of the new certificate before the expiration at %2 UTC.
437 CertificateRolloverCheckExceptionWarning Error encountered while checking for pending certificate rollovers. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. If this issue persists, AD FS will not be able to advise of pending certificate rollover events. Additional Data Exception details: %3 Additional details: %4
438 CertificateAuthorityRolloverExceptionWarning Error encountered while checking rollover status of the AD FS certificate authority issuer certificate. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. Future runs may occur on other farm nodes if AD FS is running in a farm configuration. If this issue persists, the AD FS certificate authority issuer certificate cannot be rolled over successfully when it nears expiry. Additional Data Exception details: %3 Additional details: %4
439 EnrollmentCertificateReadFromTemplateError Error encountered while attempting to read an enrollment certificate from a template. Additional Data Exception details: %1 Additional details: %2
440 EnrollmentCertificateSetInfo A Certificate Authority Enrollment Certificate was found. Additional Data Certificate Thumbprint: %1
441 TokenBindingKeyInvalid A token with a bad token binding key was found. Additional Data User: %1 Target RP: %2 Client IP: %3 Token Binding ID: %4 Request Provided ID: %5 Request Referred ID: %6
442 ExternalCAEnrollmentCertificateManagementInitiated The CA enrollment certificate management cycle was initiated.
443 ExternalCAEnrollmentCertificateManagementComplete The CA enrollment certificate management cycle was completed.
444 ExternalCAEnrollmentCertificateExceptionError Error encountered while checking status of the AD FS enrollment certificate. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. If this issue persists, the AD FS will not be able to enroll certificate. Additional Data Exception details: %3 Additional details: %4
445 TokenBindingSuscpiciousRequest A token with no binding was received on a request which is token-binding-capable. This could be evidence of a possible downgrade attack, or it could mean the token originally came from a server that doesn't support token binding. Additional Data User: %1 Target RP: %2 Client IP: %3 Request Provided ID: %4 Request Referred ID: %5
446 TokenBindingSuscpiciousSsoRequest An SSO token with no binding was received on a request which is token-binding-capable. This is evidence of a possible downgrade attack. Additional Data User: %1 Target RP: %2 Client IP: %3 Request Provided ID: %4 Request Referred ID: %5
447 CertificateTemplatePolicyConfigurationFailure Error encountered while attempting to update the configuration policy for the template %1. If the template is published under machine policy, service might not be able to read it. See https://go.microsoft.com/fwlink/?linkid=852318 for more information. Exception details: UpdateMachinePolicyConfigurationForTemplate returned error: %2
448 AddLeasedTaskFailure Error encountered while attempting to add a leased task to the database. Additional Data: Task name: %1 Error: %2
449 AddFarmNodesIdentifierBackgroundTaskFailure Error encountered while executing the The AddFarmNodesIdentifierBackgroundTask task. Additional Data: Error: %1 Additional details: %2
450 UserCodeCacheRemovedExpiredItemsTimerTaskFailure Error encountered while removing the expired items from the usercode cache. Additional Data: Error: %1
451 AddFarmNodesIdentifierBackgroundTaskDeletingNodes Following nodes have the reported heartbeat older than %1 UTC and will be deleted. %2
452 FarmUpgradeRedirectUriMismatchWarning %1
500 IssuedIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Issued identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
501 CallerIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Caller identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
502 OnBehalfOfUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 OnBehalfOf identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
503 ActAsUserIdentityClaims More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 ActAs identity: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
504 ApplicationProxyConfigurationStoreChangeSuccess The following update was successful to the application proxy store on the federation server. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5
505 ApplicationProxyConfigurationStoreChangeFailure The following update attempt to the application proxy store on the federation server failed. Authentication information: %1 HTTP method: %2 Key: %3 Value: %4 Version: %5 Error information: %6
506 ApplicationProxyTrustUpdateSuccess The following update attempt to the application proxy relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Identifier: %3
507 ApplicationProxyTrustUpdateFailure The following update attempt to the application proxy relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Identifier: %3 Error information: %4
508 RelyingPartyTrustUpdateSuccess The following update attempt to the relying party trust on the federation server succeeded. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal Url: %4 External Url: %5 Published identifier: %6
509 RelyingPartyTrustUpdateFailure The following update attempt to the relying party trust on the federation server failed. Authentication information: %1 HTTP method: %2 Relying party trust identifier: %3 Internal url: %4 External url: %5 Published identifier: %6 Error information: %7
510 LongText More information for the event entry with Instance ID %1. There may be more events with the same Instance ID with more information. Instance ID: %1 Details: %2 %3 %4 %5 %6 %7 %8 %9 %10 %11 %12 %13 %14 %15 %16 %17 %18 %19 %20 %21
511 InvalidMsisHttpSigninRequestFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Examine the Federation Service configuration and take the following actions: Verify that the sign-in request has all the required parameters and is formatted correctly. Verify that a web application proxy relying party trust exists, is enabled, and has identifiers which match the sign-in request parameters. Verify that the target relying party trust object exists, is published through the web application proxy, and has identifiers which match the sign-in request parameters.
512 ExtranetLockoutAccountThrottledAudit The account for the following user is locked out. A login attempt is being allowed due to the system configuration. Additional Data Activity ID: %1 User: %2 Client IP: %3 Bad Password Count: %4 nLast Bad Password Attempt: %5
513 ArtifactRestEndpointRequestFailureAudit The Artifact REST service failed to return an artifact as a result of an error during processing. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3 Exception details: %4
514 ArtifactRestEndpointRequestSuccessAudit The Artifact REST service successfully returned an artifact. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3
515 ExtranetLockoutUserThrottleTransitionAudit The following user account was in a locked out state and the correct password was just provided. This account may be compromised. Additional Data Activity ID: %1 User: %2 Client IP: %3
516 ExtranetLockoutAccountRestrictedAudit The following user account has been locked out due to too many bad password attempts. Additional Data Activity ID: %1 User: %2 Client IP: %3 nBad Password Count: %4 nLast Bad Password Attempt: %5
517 TargetRelyingPartyPublishedButAppProxyDisabledFailure The incoming sign-in request is not allowed due to an invalid Federation Service configuration. Request url: %1 User Action: Verify that either an enabled web application proxy relying party trust exists in your Federation Service configuration or that the target relying party trust object is not published through a web application proxy.
518 TargetRelyingPartyPublishedButAppProxyDisabledFailureAudit An error occurred during processing of a token request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Activity ID: %1 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
519 PrimayServerRequestHandlerResponseSuccessAudit A successful response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to the events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 IP address from which the request originated: %5
520 PrimayServerRequestHandlerResponseFailureAudit An error response status code was received from the primary server. The data includes an Activity ID that you can cross-reference to error or warning events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 Raw URL of the incoming request: %3 Response status code: %4 WebException response code: %5 IP address from which the request originated: %6
521 RelyingPartyTokenRequestFailure The request for the relying party token resulted in a failure. Authentication information: %1 HTTP method: %2 Username: %3 Password presented: %4 Realm: %5 Application realm: %6 Device registration certificate thumbprint: %7 User certificate thumbprint: %8 Error information: %9 User action: Examine the request and verify that at least one of the following parameter sets are present. Username and password Username, password, and device registration certificate User certificate
522 RelyingPartyTokenRequestAuditFailure The request for the relying party token resulted in a failure. The data includes an Activity ID that you can cross-reference to error or warning events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 HTTP method: %3 Username: %4 Password presented: %5 Realm: %6 Application realm: %7 Device registration certificate thumbprint: %8 User certificate thumbprint: %9 Error information: %10 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer.
523 RelyingPartyTokenRequestAuditSuccess The request for the relying party token succeeded. The data includes an Activity ID that you can cross-reference to the events on the primary server to help diagnose the problem. Activity ID: %1 Authentication information: %2 HTTP method: %3 Username: %4 Password presented: %5 Realm: %6 Application realm: %7 Device registration certificate thumbprint: %8 User certificate thumbprint: %9
530 LocalCPTrustReadWarning AD FS could not read the local claims provider trusts from the AD FS configuration. AD FS will continue to operating from cached configuration. Exception details: %1
531 LocalCPTrustFirstReadError AD FS could not read the local claims provider trusts from the AD FS configuration. AD FS will not function until this configuration can be read for the first time. Exception details: %1
540 UnableToCreateOAuthDiscoveryDocument The Federation Service was was unable to return the OAuth discovery document as a result of an error. Document Path: %1 Additional Data Exception details: %2
541 ProxyConfigDataFarmBehaviorMalformedError An invalid value was found during processing of the proxy configuration data from the AD FS server. The value will be ignored, and the rest of the proxy configuration data will be processed. Additional Data FarmBehavior: '%1' User action: This may point to an interoperability issue between the proxy and the AD FS server. Contact the vendor for your AD FS server.
542 HeartbeatError There was an error during heartbeat. Additional data Exception details: %1
543 HeartbeatCommunicationError There was an error during heartbeat communicating to primary federation server. Primary server: '%1' Endpoint: '%2' Additional data Exception details: %3 User Action Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.
544 HeartbeatWarning Heartbeat is not performed because primary server does not support heartbeat. Primary server: '%1'
545 HeartbeatInformation Heartbeat is performed at primary server. Primary server: '%1'
546 AzureMfaCertificateNotFound A current tenant certificate for Azure MFA was not found. TenantId: %1.
547 AzureMfaCertificateRenewed The tenant certificate for Azure MFA has been renewed. TenantId: %1. Old thumbprint: %2. Old expiration date: %3. New thumbprint: %4. New expiration date: %5.
548 AzureMfaCertificateExpirationWarning The tenant certificate for Azure MFA will expire soon. TenantId: %1. Thumbprint: %2. Expiration date: %3.
549 AzureMfaCertificateExpired The tenant certificate for Azure MFA has expired. TenantId: %1. Thumbprint: %2. Expiration date: %3.
550 CertKeySpecMissing The %1 primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1). User Action: This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command "certutil -importpfx filename.pfx AT_KEYEXCHANGE". For more information, see http://go.microsoft.com/fwlink/?LinkId=798501
551 UnableToOAuthLogout An error occurred during processing of an OAuth logout request. Path: %1 Additional Data Exception details: %2
552 OAuthDeletedSessionCookies The session cookies were successfully deleted using the OAuth logout path.
553 OAuthRedirectUrlValidationSuccess The specified redirect URL was validated successfully. URL: %1
554 OAuthRedirectUrlValidationFailure The specified redirect URL did not match any of the OAuth client's redirect URIs. The logout was successful but the client will not be redirected. URL: %1
555 KeyReceiptValidationFailed The Windows Hello for Business key receipt could not be verified. Additional Information: %1
556 UserStoreMasterBackgroundTaskExceptionWarning Error encountered while attempting to select a master node for the account store. This check will be attempted again every %1 minutes; the next run is expected at %2 UTC. Future runs may occur on other farm nodes if AD FS is running in a farm configuration. See https://go.microsoft.com/fwlink/?linkid=849965 for more information. Additional Data Exception details: %3 Additional details: %4
557 UserActivityClientServiceException An error occured while trying to communicate with the account store rest service on node %1. If this is a WID farm the primary node may be offline. If this is a SQL farm ADFS will automatically select a new node to host the User store master role. See https://go.microsoft.com/fwlink/?linkid=849965 for more information.
558 AccountActivityCacheError Syncronization of the Account Activity data failed. Additional Data Exception message: %1 User Action Ensure that the artifact storage server is configured properly. Troubleshoot network connectivity to the artifact storage server. See https://go.microsoft.com/fwlink/?linkid=849965 for more information.
559 PKeyAuthFailure Device authentication using PKeyAuth failed. Request might continue without device authentication. Additional Information: %1
560 UserActivityAccountNotFoundError User %1 could not be found in the account database.
561 UserActivityAuthorizationFailedError Authorization failed when connecting to the account store endpoint on server %1 Additional Data Exception Message: %2 See https://go.microsoft.com/fwlink/?linkid=849965 for more information.
562 UserActivityGenericClientError An error occurred when communcating with the account store endpoint on server %1. Additional Data Exception Message: %2 See https://go.microsoft.com/fwlink/?linkid=849965 for more information.
563 ExtranetSmartLockoutGenericFailure An error occurred while calculating extranet lockout status. Due to the value of the %1 setting authentication will be allowed for this user and token issuance will continue. If this is a WID farm the primary node may be offline. If this is a SQL farm ADFS will automatically select a new node to host the User store master role. See https://go.microsoft.com/fwlink/?linkid=849965 for more information. Additional Data Account store server name: %2 User Id: %3 Exception Message: %4
564 BannedIpConfigurationWarning The banned IP list found in Microsoft.IdentityServer.Servicehost.exe.config is being used instead of the banned IP list found in the ADFS configuration database. Verify that the configuration file contains the correct list. Clearing the banned IPs from the database using Set-ADFSProperties -RemoveBannedIPs will silence this warning.
565 AccountActivityFatalDatabaseError An error occurred while attemtping to update the database schema for Adfs smart lockout. See https://go.microsoft.com/fwlink/?linkid=864556 for more information. Additional Data Exception Message: %1
566 OAuthDeviceCodeEndpointFailure An error occurred during processing of an OAuth device code request. Error: %1 Additional Data Client identifier: %2 Full request: %3 Exception details: %4
568 OAuthDeviceAuthEndpointFailure An error occurred during processing of an OAuth device auth request with the provided usercode: %1. Error: %2 Additional Data User Code Data (if available): %3 Exception details: %4
570 ADEnterpriseTrustEnumerationFailure Active Directory trust enumeration was unable to enumerate one of more domains due to the following error. Enumeration will continue but the Active Directory identifier list may not be correct. Validate that all expected Active Directory identifiers are present by running Get-ADFSDirectoryProperties: Error string: %1 Exception Details: %2
571 ADEnterpriseTaskFailure Enumeration of the Active Directory domains failed. Exception Details: %1
572 ADSuffixNotTrustedWarning The Active Directory suffix from this username is not trusted by this ADFS server. If this identifier is expected it can be added to the trusted identier list by using Set-ADFSDirectoryProperties. Username: %1 Suffix: %2 Client IP: %3
573 ThreatDetectionModuleFailure The following error was generated by a threat detection module. Module Identifier: %1 Message: %2
574 ThreatDetectionModuleLoadFailure A threat detection module failed to load. Verify the module binary is correctly installed on this node. Module Name: %1 Module Identifier: %2 Type: %3 Failure Message: %4
575 ThreatDetectionModuleLoadSuccess The following threat detection module was successfully loaded Module Name: %1 Module Identifier: %2 Type: %3
576 ThreatDetectionModuleUnhandledFailure An unexpected error was returned from a threat detection module. Module Name: %1 Module Identifier: %2 Type: %3 Exception Type: %4 Error Message: %5
1000 CallerId An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error. Additional Data Caller: %1 OnBehalfOf user: %2 ActAs user: %3 Target Relying Party: %4 Device identity: %5 User action: Use the Activity ID data in this message to search and correlate the data to events in the Event log using Event Viewer. This Activity ID will also be shown as additional information in the error page when an error occurs in the federation passive Web application.
1020 OAuthAuthorizationRequestFailedError Encountered error during OAuth authorization request. Additional Data Exception details: %1
1021 OAuthTokenRequestFailedError Encountered error during OAuth token request. Additional Data Exception details: %1
1022 OAuthAuthorizationCodeIssuanceSuccessAudit An OAuth authorization code was successfully issued to client '%5'. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7 User Identity: %8 Device Identity: %9
1023 OAuthAccessTokenIssuanceSuccessAudit An OAuth access token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. See audit 501 with the same Instance ID for caller identity. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 User code (if device flow request): %11 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1024 OAuthRefreshTokenIssuanceSuccessAudit An OAuth refresh token was successfully issued to client '%6' for the relying party '%8'. See audit 500 with the same Instance ID for issued claims. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 User code (if device flow request): %11 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 Resource: %8 User Identity: %9 Device Identity: %10
1025 OAuthAuthorizationCodeIssuanceFailureAudit The Federation Service failed to issue an OAuth authorization code as a result of an error during processing of the OAuth authorization code request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1026 OAuthAccessTokenIssuanceFailureAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth access token request. Additional Data Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Client Redirect URI: %4 Resource: %5 User Identity: %6 Device Identity: %7 Exception details: %8
1027 OAuthAccessTokenResponseIssuanceSuccessAudit An OAuth access token response was successfully issued to client '%5' for the relying party '%7'. See audit 1023 with the same authorization code ID for issued access token. In an AD FS farm setup, this audit may be found on another farm node. See audit 1024 with the same authorization code ID for the refresh token if it is issued. In an AD FS farm setup, this audit may be found on another farm node. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7
1028 OAuthClientAuthenticationSuccessAudit OAuth Confidential Client '%6' was successfully authenticated using tokentype '%3'. See audit 501 with the same Instance ID for claims generated during client authentication. Instance ID: %1 Activity ID: %2 Request Details: TokenType: %3 Date And Time: %4 Client IP: %5 Client Identifier: %6
1029 OAuthClientAuthenticationFaultAudit OAuth Client Authentication failed for client '%4' with tokentype '%2'. Activity ID: %1 Request Details: TokenType: %2 Client IP: %3 Client Identifier: %4 Exception details: %5
1030 OAuthClientCredentialsFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Client Credentials token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 Exception details: %5
1031 OAuthClientCredentialsIssuanceSuccessAudit An OAuth access token response using Client Credentials flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5
1032 OAuthIdTokenIssuanceFailureAudit The Federation Service failed to issue an ID token as a result of an error during processing of request. Activity ID: %1 Request Details: Client IP: %2 Client Identifier: %3 Exception details: %4
1033 OAuthIdTokenIssuanceSuccessAudit An ID token was successfully issued to client '%4'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Id Token Subject: %5
1034 OAuthOnBehalfOfFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth On Behalf Of token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1035 OAuthOnBehalfOfIssuanceSuccessAudit An OAuth access token response using On Behalf Of flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1036 OAuthLogonCertificateFaultAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Logon Certificate token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1037 OAuthLogonCertificateIssuanceSuccessAudit An OAuth access token response using the Logon Certificate flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1038 OAuthVPNCertificateFaultAudit The Federation Service failed to issue an OAuth VPN Certificate as a result of an error during processing of the OAuth VPN Certificate token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User: %5 Exception details: %6
1039 OAuthAuthCodeVPNCertificateIssuanceSuccessAudit An OAuth VPN Certificate response was successfully issued to client '%5' for the relying party '%7'. See audit 1023 with the same authorization code ID for issued access token. In an AD FS farm setup, this audit may be found on another farm node. See audit 1024 with the same authorization code ID for the refresh token if it is issued. In an AD FS farm setup, this audit may be found on another farm node. Activity ID: %1 Authorization Code ID: %2 Request Details: Date And Time: %3 Client IP: %4 Client Identifier: %5 Client Redirect URI: %6 Resource: %7
1040 OAuthRefreshTokenVPNCertificateIssuanceSuccessAudit An OAuth access token response using the VPN Certificate flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6
1041 OAuthPrimaryRefreshTokenIssuanceSuccessAudit An OAuth primary refresh token was successfully issued to client '%6'. See audit 500 with the same Instance ID for issued claims. Instance ID: %1 Activity ID: %2 Authorization Code ID (if authorization code request): %3 Request Details: Date And Time: %4 Client IP: %5 Client Identifier: %6 Client Redirect URI: %7 User Identity: %8 Device Identity: %9
1042 OAuthNextGenCredsIssuanceSuccessAudit An OAuth access token response using Next Generation Credentials flow was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5
1043 OAuthNextGenCredsIssuanceFailureAudit The Federation Service failed to issue an OAuth access token as a result of an error during processing of the OAuth Next Generation Credentials token request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 Exception details: %5
1044 OAuthWinHelloCertIssuanceSuccessAudit An OAuth Win Hello Certificate response was successfully issued to client '%4' for the relying party '%5'. Activity ID: %1 Request Details: Date And Time: %2 Client IP: %3 Client Identifier: %4 Resource: %5 User: %6 Certificate Thumbprint: %7 Certificate Expiry: %8
1045 OAuthWinHelloCertIssuanceFailureAudit The Federation Service failed to issue an OAuth Win Hello Certificate as a result of an error during processing of the request. Activity ID: %1 Request Details: Client IP: %2 Resource: %3 Client Identifier: %4 User Identifier: %5 Exception details: %6
1080 WebFingerRequestError An error occurred while processing WebFinger request. Additional Data Request url: %1 User Action Examine the exception details to take one or more of the following actions if applicable. Verify that the resource query parameter exists and is valid representing an authorization server's URL. Verify that all federation partners (RP-STSs) that this ADFS issues tokens to (including any chains) have been configured using powershell cmdlet Add-ADFSTrustedFederationPartner. Exception details: %2
1090 UserInfoEndpointRequestFailureAudit The UserInfo endpoint failed to return a success response as a result of an error during processing. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3 Exception details: %4
1091 UserInfoEndpointRequestSuccessAudit The UserInfo endpoint successfully returned a JSON response. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested Uri: %3
1100 RestEndpointAuthorizationFailureError The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Exception details: %1
1101 RestEndpointAuthorizationFailureAudit The Federation Service could not authorize a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Exception details: %4
1102 RestEndpointAuthorizationSuccessAudit The Federation Service authorized a request to one of the REST endpoints. Additional Data Activity ID: %1 Request Details: Client IP: %2 Requested URI: %3 Additional details: %4
1103 LdapStoreQueryUserDnFailureAudit The Federation Service failed to query the LDAP account store for the DN of user %2. Activity ID: %1 Request Details: User name: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7 Exception details: %8
1104 LdapStoreQueryUserDnSuccessAudit The Federation Service queried the LDAP account store for the DN of user %2. Activity ID: %1 Request Details: User name: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7
1105 LdapStoreBindFailureAudit The Federation Service failed to bind to the LDAP server with user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1106 LdapStoreBindSuccessAudit The Federation Service bound to the LDAP account store with user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6
1107 LdapStoreQueryUserAttrFailureAudit The Federation Service failed to query the LDAP account store for the attributes of user %2. Activity ID: %1 Request Details: User DN: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7 Exception details: %8
1108 LdapStoreQueryUserAttrSuccessAudit The Federation Service queried the LDAP account store for the attributes of user %2. Activity ID: %1 Request Details: User DN: %2 LDAP query: %3 Local CP trust identifier: %4 Ldap server: %5 SSL: %6 Authentication method: %7
1109 LdapAccountStoreConnectionFailure The Federation Service failed to connect to the LDAP account store to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 LDAP server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1110 LdapAttributeStorePrimaryConnectionFailure The Federation Service failed to connect to the primary LDAP account store to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1111 LdapAttributeStoreCompleteConnectionFailure The Federation Service failed to connect to all LDAP account stores to authenticate user %2. Activity ID: %1 Request Details: User DN: %2 Local CP trust identifier: %3 Ldap server: %4 SSL: %5 Authentication method: %6 Exception details: %7
1112 LdapAttributeStoreConnectionFailure The Federation Service failed to connect to the Ldap server. Activity ID: %1 Request Details: Local CP trust identifier: %2 Ldap ErrorCode: %3 Exception details: %4
1113 ClientJWKSyncingInitiated Client Json Web Key Set (JWKS) synchronization initiated.
1114 ClientJWKSyncingComplete Client Json Web Key Set (JWKS) synchronization completed.
1115 ClientJWKSyncingError The Federation Service encountered an error while retrieving the Json Web Key Set (JWKS) document from '%1'. The key synchronization for the following client failed: Client: %2 Additional Data Exception details: %3 Additional details: %4 User Action Make sure the JWKS URI '%1' is accessible.
1116 ClientJWKSyncingDatabaseError An error occurred during a read operation from the configuration database. Monitoring of clients' Json Web Key Set (JWKS) was shut down and will be tried again after an amount of time that corresponds to the monitoring interval. Additional Data Exception details: %1 Additional details: %2
1117 ClientJWKSyncingClientError An error occurred during monitoring of the following client's Json Web Key Set (JWKS). Client: %1 Additional Data Exception details: %2 Additional details: %3
1118 ClientJWKSyncingGenericError An error occurred during monitoring of clients'Json Web Key Set (JWKS). The monitoring cycle was shut down. Additional Data Exception details: %1 Additional details: %2
1119 JWTSigningKeysDownloadedSuccessAudit The Json Web Token (JWT) signing keys configuration was successfully downloaded. Client: %1 Subject: Security ID: %2 Account: %3 Additional Data Keys imported: %6 JWKS uri: %4 JWKS uri content: %5
1120 JWTSigningKeysDownloadFailureAudit An attempt to change the Json Web Token (JWT) signing keys failed. Client: %1 Subject: Security ID: %2 Account: %3 Additional Data JWKS uri: %4 Exception details: %5
1121 TokenBindingKeyFailureAudit An attempt to use a token with an invalid token binding key was made. Activity ID: %1 Additional Data User: %2 %Target RP: %3 Client IP: %4 Token Binding ID: %5 Request Provided ID: %6 Request Referred ID: %7
1122 OAuthLogoutSuccessAudit The OAuth logout request was process successfully. Additional Data Activity ID: %1 Request Details: Client IP: %2 User Identity: %3 Device Identity: %4
1123 OAuthLogoutFailureAudit There was an error during processing of a OAuth logout request. Additional Data Activity ID: %1 Request Details: Client IP: %2 User Identity: %3 Device Identity: %4 Exception Details %5
1124 OAuthDeviceCodeSuccessAudit The OAuth device code request was process successfully. Additional Data Activity ID: %1 Request Details: Client IP: %2 User Identity: %3 Device Identity: %4 Usercode: %5 Full Request: %6
1125 OAuthDeviceCodeFailureAudit There was an error during processing of a OAuth device code request. Additional Data Activity ID: %1 Error: %2 Request Details: Client IP: %3 User Identity: %4 Device Identity: %5 Full Request: %6 Exception Details %7
1126 OAuthDeviceAuthSuccessAudit The user code request was processed successfully. Additional Data Activity ID: %1 Request Details: Client IP: %2 User Code Data: %3
1127 OAuthDeviceAuthFailureAudit There was an error during the processing of the user code request. Additional Data Activity ID: %1 Error: %2 Request Details: Client IP: %3 User Code: %4 Exception Details %5
1128 OAuthDeviceFlowRestResultSavedSuccessAudit The device flow authorization response was successfully saved to the artifact database via the REST service. Additional Data Activity ID: %1 Request Details: Client IP: %2 User Code: %3
1129 OAuthDeviceFlowRestResultSavedFailureAudit There was an error saving the device flow authorization to the artifact database via the REST service. Additional Data Activity ID: %1 Error: %2 Request Details: Client IP: %3 User Code: %4 Exception Details %5
1130 ProxyTrustTLSError There was an error establishing or renewing the proxy trust. Ensure the STS and proxy servers have the same TLS version enabled. Consult the following links for additional details: https://go.microsoft.com/fwlink/?linkid=875038 https://go.microsoft.com/fwlink/?linkid=875039 Additional Data Exception Details: %1
1131 ProxyTrustCryptoError There was an error establishing or renewing the trust between the proxy and STS. Ensure the Network Service Account has Read/Write permissions on C:\Program Data\Microsoft\Crypto\RSA\Machine Keys on the proxy server. Consult the following link for additional details: https://go.microsoft.com/fwlink/?linkid=875037 Additional Data Exception Details: %1
1200 AppTokenSuccessAudit The Federation Service issued a valid token. See XML for details. Activity ID: %1 Additional Data XML: %2
1201 AppTokenFailureAudit The Federation Service failed to issue a valid token. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1202 FreshCredentialSuccessAudit The Federation Service validated a new credential. See XML for details. Activity ID: %1 Additional Data XML: %2
1203 FreshCredentialFailureAudit The Federation Service failed to validate a new credential. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1204 PasswordChangeBasicSuccessAudit A password was changed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1205 PasswordChangeBasicFailureAudit A password change was attempted, but failed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1206 SignOutSuccessAudit A SignOut request was successfully processed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1207 SignOutFailureAudit A SignOut request was attempted, but failed. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1210 ExtranetLockoutAudit An extranet lockout event has occurred. See XML for failure details. Activity ID: %1 Additional Data XML: %2
1300 HostNameErrorAudit There was an error validating the host name in the incoming request. Activity ID: %1 Error: %2