ADFS 2.0 "Attribute Store Rule Processing Error"

  • Question

  • We are a multi-domain, multi-forest environment and are seeing a weird error at times. All our domain controllers are Global Catalogs; not sure why it keeps saying "Global Catalogue: false". Any suggestions would be appreciated.

    The error repeats for some time and then stops.

    It stops once a server reboot or ADFS reset is done.

    ADFS 2.0

    Event ID : 111

    The Federation Service encountered an error while processing the WS-Trust request. 
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue 

    Additional Data 
    Exception details: 
    Microsoft.IdentityServer.ClaimsPolicy.Language.PolicyEvaluationException: POLICY0018: Query 'samAccountName={0};userPrincipalName,employeeNumber;{1}' to attribute store 'Active Directory' failed: 'POLICY3813: LdapConnectionCache could not create a connection because the AD FS 2.0 is busy creating other connections. ( Server: <domain name, same where ADFS Environment is configured>. Global Catalogue: false).'. ---> Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreException: POLICY3813: LdapConnectionCache could not create a connection because the AD FS 2.0 is busy creating other connections. ( Server: <domain name>. Global Catalogue: false).
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.GetConnectionToServer()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.BeginGetAttributes(Collection`1 attributes, String filter, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Language.AttributeLookupIssuanceStatement.BeginEvaluate(IEnumerable`1 matchedClaims, PolicyContext policyContext, AsyncCallback callback, Object state)
       --- End of inner exception stack trace ---
       at Microsoft.IdentityModel.Threading.AsyncResult.End(IAsyncResult result)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult.End(IAsyncResult ar)
       at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.EndProcessCore(IAsyncResult ar, String requestAction, String responseAction, String trustNamespace)

    Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreException: POLICY3813: LdapConnectionCache could not create a connection because the AD FS 2.0 is busy creating other connections. ( Server: <domain name, same where ADFS Environment is configured>. Global Catalogue: false).
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.GetConnectionToServer()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.BeginGetAttributes(Collection`1 attributes, String filter, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Language.AttributeLookupIssuanceStatement.BeginEvaluate(IEnumerable`1 matchedClaims, PolicyContext policyContext, AsyncCallback callback, Object state)

    ADFS 2.0

    Event ID 377

    A processing error occurred in an attribute store. 

    User Action 

    Exception details: 
    Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreException: POLICY3813: LdapConnectionCache could not create a connection because the AD FS 2.0 is busy creating other connections. ( Server: <domain name>. Global Catalogue: false).
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.CacheEntry.CreateConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapConnectionCache.GetConnection(String server, Boolean isGC)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.GetConnectionToServer()
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStoreReader.BeginGetAttributes(Collection`1 attributes, String filter, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Engine.AttributeStore.Ldap.LdapAttributeStore.BeginExecuteQuery(String query, String[] parameters, AsyncCallback callback, Object state)
       at Microsoft.IdentityServer.ClaimsPolicy.Language.AttributeLookupIssuanceStatement.BeginEvaluate(IEnumerable`1 matchedClaims, PolicyContext policyContext, AsyncCallback callback, Object state)
    Wednesday, January 11, 2017 5:34 PM

All replies

  • Can you copy/paste the actual rule here?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, January 16, 2017 12:09 AM
  • What's the LDAP server you are using as an attribute store? Do you have LDAP pooling enabled?

    http://blog.auth360.net

    Tuesday, January 17, 2017 6:46 PM