Event ID 661 — AD FS Access Over Windows Trusts
Applies To: Windows Server 2008
When a Windows trust exists between two Active Directory forests, the user accounts in one forest can access a Windows NT token-based application in another forest, which eliminates the need for resource accounts. Windows trusts enable service administrators to create or extend collaborative relationships between two or more domains or forests.
Event Details
Product: | Windows Operating System |
ID: | 661 |
Source: | Microsoft-Windows-ADFS |
Version: | 6.0 |
Symbolic Name: | SidFilteringCacheUpdateFailure |
Message: | The Federation Service encountered an error while attempting to update the Windows trust cache. The Federation Service will continue to use previously cached Windows trust data until the update completes successfully. The next attempt at a cache update will occur in %1 minutes. Retry period: %1 User Action If this error persists, verify that your Windows trust relationships are functional. Additional Data Domain last processed: %2 Native error code: %3 |
Resolve
Test Windows trust relationships
If this error persists, verify that the Windows trust relationships are functional. To verify that the Windows trust is working as designed or that communications over the trust are working, you can use either the Windows interface or the command line.
To complete these procedures, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory Domain Services (AD DS).
To check that the Windows trust relationships are functional using the Windows interface:
- Open Active Directory Domains and Trusts.
- In the console tree, right-click the domain that contains the trust that you want to validate, and then click Properties.
- On the Trusts tab, under either Domains trusted by this domain (outgoing trusts) or Domains that trust this domain (incoming trusts), click the trust to be validated, and then click Properties.
- Click Validate.
- Do one of the following, and then click OK:
- Click No, do not validate the incoming trust. If you click this option, we recommend that you repeat this procedure for the reciprocal domain.
- Click Yes, validate the incoming trust. If you click this option, you must type a user account and password with administrative credentials for the reciprocal domain.
To check that the Windows trust relationships are functional using the command line:
Open a command prompt.
Type the following command, and then press ENTER:
netdom trustTrustingDomainName**/d:TrustedDomainName/verify**
Where
- TrustingDomainName is the Domain Name System (DNS) name (or NetBIOS name) of the trusting domain in the trust that is being created.
- TrustedDomainName is the DNS name (or NetBIOS name) of the domain that will be trusted in the trust that is being created.
Verify
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To verify that Active Directory Federation Services (AD FS) can communicate successfully over a Windows trust, do the following:
Make sure that the federation server can access a domain controller. To test this, at a command prompt on the federation server, type the following command:
nltest /dsgetdc:
If this command completes successfully, you see the message The command completed successfully, and you see the name of the domain controller, its IP address, and other related information.
Use the Active Directory Domains and Trusts snap-in to validate that the Windows trust is operational:
- Open Active Directory Domains and Trusts.
- Right-click the domain name, and then click Properties.
- Click the Trusts tab, highlight the trust that you want to validate, and then click Properties.
- Click Validate.
Use the Active Directory Federation Services snap-in to check that both the federation servers that are involved in the federation trust relationship have been configured to use the Windows trust:
- Open Active Directory Federation Services on both the account federation server and the resource federation server.
- Under Partner Organizations, find the account or resource partner, right-click the partner name, and then click Properties.
- If you selected a resource partner, on the General tab, select the Use Windows trust relationship for this partner check box.
- If you selected an account partner, on the Windows Trust tab, select the Use Windows trust relationship check box, and then verify that the appropriate trusted domains are specified.