Symptoms

  • An AD FS 2.0 Proxy server fails to authenticate users
  • The following is displayed on the web page:

There was a problem accessing the site. Try to browse to the site again.

If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.

  • When the AD FS 2.0 Windows Service starts on the AD FS 2.0 Proxy server, the following event is generated in the AD FS 2.0/Admin log:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          10/1/2010 7:57:50 PM
Event ID:      248
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      M35W2K8R2
Description:
The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at adfsaccountv2.adatum.com. The error message is 'An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.'.

User Action
Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.

 

  • When AD FS 2.0 debug tracing is enabled on the AD FS 2.0 Proxy server, including WCF and WIF messages, the following event is generated on the AD FS 2.0 Proxy server in the AD FS 2.0 Tracing/Debug log:

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          10/1/2010 7:57:50 PM
Event ID:      996
Task Category: None
Level:         Error
Keywords:      ADFSDiagnostics
User:          NETWORK SERVICE
Computer:      M35W2K8R2
Description:
Data in the original trace event 'WcfErrorTraceEvent' is logged individually in this event to prevent potential loss of data.
Original Event : WcfErrorTraceEvent
 Original data index: 0
 Original data page index: 0
 See details for data value
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>996</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000020000</Keywords>
    <TimeCreated SystemTime="2010-10-02T00:57:50.277500000Z" />
    <EventRecordID>39</EventRecordID>
    <Correlation />
    <Execution ProcessID="696" ThreadID="2668" ProcessorID="0" KernelTime="9" UserTime="32" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>M35W2K8R2</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
        <DataIndex>0</DataIndex>
        <DataPageIndex>0</DataPageIndex>
        <Data>Source : System.ServiceModel
EventId : 131075
Data :
&lt;TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"&gt;&lt;TraceIdentifier&gt;http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx&lt;/TraceIdentifier&gt;&lt;Description&gt;Throwing an exception.&lt;/Description&gt;&lt;AppDomain&gt;Microsoft.IdentityServer.ServiceHost.exe&lt;/AppDomain&gt;&lt;Exception&gt;&lt;ExceptionType&gt;System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089&lt;/ExceptionType&gt;&lt;Message&gt;Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties.   This can occur if the service is configured for security and the client is not using security.&lt;/Message&gt;&lt;StackTrace&gt;   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;amp;amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;amp;amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;amp;amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime ope</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

  • When AD FS 2.0 debug tracing is enabled on the AD FS 2.0 Federation Server, including WCF and WIF messages, the following event is generated on the AD FS 2.0 Federation Server in the AD FS 2.0 Tracing/Debug log:

Log Name:      AD FS 2.0 Tracing/Debug
Source:        AD FS 2.0 Tracing
Date:          10/1/2010 7:57:49 PM
Event ID:      996
Task Category: None
Level:         Error
Keywords:      ADFSDiagnostics
User:          NETWORK SERVICE
Computer:      DC32.root.w2k8
Description:
Data in the original trace event 'WcfErrorTraceEvent' is logged individually in this event to prevent potential loss of data.
Original Event : WcfErrorTraceEvent
 Original data index: 0
 Original data page index: 0
 See details for data value
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="AD FS 2.0 Tracing" Guid="{f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd}" />
    <EventID>996</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000020000</Keywords>
    <TimeCreated SystemTime="2010-10-02T00:57:49.116194600Z" />
    <EventRecordID>11</EventRecordID>
    <Correlation />
    <Execution ProcessID="3188" ThreadID="4004" ProcessorID="0" KernelTime="0" UserTime="1" />
    <Channel>AD FS 2.0 Tracing/Debug</Channel>
    <Computer>DC32.root.w2k8</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <Event xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
      <EventData>
        <OriginalEvent>WcfErrorTraceEvent</OriginalEvent>
        <DataIndex>0</DataIndex>
        <DataPageIndex>0</DataPageIndex>
        <Data>Source : System.ServiceModel
EventId : 131075
Data :
&lt;TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"&gt;&lt;TraceIdentifier&gt;http://msdn.microsoft.com/en-US/library/System.ServiceModel.Diagnostics.ThrowingException.aspx&lt;/TraceIdentifier&gt;&lt;Description&gt;Throwing an exception.&lt;/Description&gt;&lt;AppDomain&gt;Microsoft.IdentityServer.ServiceHost.exe&lt;/AppDomain&gt;&lt;Exception&gt;&lt;ExceptionType&gt;System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089&lt;/ExceptionType&gt;&lt;Message&gt;Cannot find a token authenticator for the 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.&lt;/Message&gt;&lt;StackTrace&gt;   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver, IList`1 allowedTokenAuthenticators, SecurityTokenAuthenticator&amp;amp;amp; usedTokenAuthenticator)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ReadToken(XmlDictionaryReader reader, Int32 position, Byte[] decryptedBuffer, SecurityToken encryptionToken, String idInEncryptedForm, TimeSpan timeout)
   at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;amp;amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;amp;amp; message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;amp;amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMess</Data>
      </EventData>
    </Event>
  </UserData>
</Event>

Cause

The Federation Service Identifier is set to https://{federation_service_name}/adfs/services/trust

This manifests a bug in AD FS 2.0 where the Federation Server incorrectly sees the requests from the proxy as login requests rather than proxy requests

Having a Federation Service Identifier which begins with https:// is fine, but the combination of having https:// and /adfs/services/trust causes the issue to manifest.

The default Federation Service Identifier is: http://{federation_service_name}/adfs/services/trust

 

Resolution

  1. Change the Federation Service Identifier to begin with http:// or change the /adfs/services/trust portion of the URI to something else
  2. Revoke all proxies - In the AD FS 2.0 management console, select the Service node, right-click the Service node, and select the option to revoke the proxies
  3. On the AD FS 2.0 Proxy servers, execute the AD FS 2.0 Federation Server Proxy Configuration Wizard to re-establish trust between the AD FS 2.0 Proxy servers and the AD FS 2.0 Federation Servers


                Note: After changing your Federation Service Identifier, all Claims Provider and Relying Party trust partners will need to be notified of the update either by Federation Metadata monitoring or manual update.

 

More Information

To enable AD FS 2.0 debug tracing:

Configuring Computers for Troubleshooting AD FS 2.0
 
See section "Configure debug tracing for AD FS 2.0"