Share via


Windows NT Token-Based Application Configuration

Applies To: Windows Server 2008

Web Agent for Windows NT token-based application configuration contains information about the AD FS Web Agent Authentication Service, creation of Windows NT tokens, and Windows token-based agent authentication requests.

Events

Event ID Source Message

100

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications could not contact the Federation Service during startup.
Federation Service URL: %1

The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service.

User Action
Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server.

Ensure that this Web server is joined to an Active Directory Domain Services domain.

Ensure that the ADFS Web Agent Authentication Service is started.

101

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.

106

Microsoft-Windows-ADFS

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension encountered a serious error. The AD FS configuration information could not be retrieved from the Internet Information Services (IIS) configuration.

The Web agent will not be able to authenticate users until it can retrieve configuration information from the IIS metabase.

This condition can occur if the IIS metabase schema extension fails during AD FS setup.

107

Microsoft-Windows-ADFS

The AD FS Web Agent Internet Server Application Programming Interface (ISAPI) Extension was unable to obtain a Windows NT token from the authentication service.

An anonymous token will be generated for this request.

User Action
Ensure that this application is configured as a Windows NT token-based application in the Federation Service trust policy.

If the user comes from an account partner where Windows Trust may be applicable, ensure that Windows Trust is enabled for the account partner and that the account partner has enabled Windows Trust for this resource partner.

If you are using shadow accounts:
- Ensure that a shadow account exists for this user.
- Ensure that user principal name (UPN) claims or e-mail claims are enabled for this application.
- Ensure that UPN claims or e-mail claims are being produced for this user by the account store or the account partner.

Additional Data
Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.

121

Microsoft-Windows-ADFS

The ADFS Web Agent Authentication Service encountered a serious error. The ADFS configuration information could not be retrieved from the Internet Information Services (IIS) metabase. The metabase could not be opened.

The Web agent will not be able to authenticate users until it can retrieve configuration information from the IIS metabase.

User Action
Ensure that IIS is installed and enabled on this server.
Ensure that the IIS Admin Service is started.

122

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the Federation Service in the Internet Information Services (IIS) configuration.

The Web agent will not be able to generate Windows NT tokens for users until it can find the Federation Service URL. Claims-aware applications are not affected by this condition.

User Action
Ensure that the Federation Service URL is configured in the IIS Manager Web Sites property page.

123

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications did not find the Uniform Resource Locator (URL) for the application return in the Internet Information Services (IIS) configuration.

The Web agent will not be able to generate Windows NT tokens for users until it can find the application return URL. Claims-aware applications are not affected by this condition.

User Action
Ensure that the return URL is configured in the IIS Manager Virtual Directory property page.

124

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications encountered a serious error. Registration for change notification in the Internet Information Services (IIS) configuration failed.

This condition prevents the Web agent authentication service from starting. Users will not be able to access protected resources until the authentication service can be restarted.

Additional Data
The data field contains an HRESULT error code.

127

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the "Act as part of the operating system" privilege (SeTcbPrivilege).

Users will not be able to access protected resources until the authentication service can be restarted.

User Action
Either grant the AD FS authentication service principal the "Act as part of the operating system" privilege or configure the service to run as a principal that has already been granted the "Act as part of the operating system" privilege. (For example, configure the authentication service to run as LocalSystem.)

128

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the "Impersonate a client after authentication" privilege (SeImpersonatePrivilege).

Users will not be able to access protected resources until the authentication service can be restarted.

User Action
Either grant the AD FS authentication service principal the "Impersonate a client after authentication" privilege or configure the service to run as a principal that has already been granted the "Impersonate a client after authentication" privilege. (For example, configure the authentication service to run as LocalSystem.) This privilege is granted by default to the SERVICE group, but on a hardened server it may be necessary to grant the privilege explicitly.

129

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service received a remote procedure call (RPC) from a user who is not in the IIS_IUSRS group.

This request will be denied.

User Action
If this error results in failed AD FS authentications, ensure that the failing Internet Information Services (IIS) application pool's identity is a member of the IIS_IUSRS group.

130

Microsoft-Windows-ADFS

The AD FS Web Agent Authentication Service encountered an invalid configuration value for a parameter in the registry.
Registry value: %1

The authentication service will default to the minimum allowed value for this parameter until the parameter is changed to a valid value.

User Action
Increase the parameter value to a value that is within the valid range.

Additional Data
The data field contains the current (too-small) value of the parameter.

131

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows token-based applications could not contact the Federation Service during startup.
Federation Service URL: could not be obtained

The Web agent will not be able to authenticate users until it can retrieve trust information from the Federation Service.

User Action
Ensure that the Uniform Resource Locator (URL) for the Federation Service is properly configured and that the Federation Service can be contacted from this Web server.

Ensure that this Web server is joined to an Active Directory Domain Services domain.

622

Microsoft-Windows-ADFS

The AD FS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.
GUID: %1
Version: %2
Federation Service Uniform Resource Locator (URL): %3
Federation Service Uniform Resource Identifier (URI): %4
Federation Service Endpoint URL: %5
Federation Service Domain Account: %6

Web Agent for Windows NT Token-Based Applications

Active Directory Federation Services