AD FS Event ID 315

  • Question

  • I am receiving the following error on my internal AD FS server. The adfs.exterior.local cert in this case is valid, and when I open the certificate from within the Claims Provider Trusts it shows as being valid. I generated the exterior.local cert with a CA in the exterior.local domain. I have imported the root cert for that domain into the internal AD FS server. The certificate revocation check is set to "CheckChainExcludeRoot". There is only the root cert and the adfs.exterior.local certificate.

    My thinking is that the ADFS server is trying to reach out to the other CA to perform a revocation check and can't, and is generating this error, but I'm not sure if that's how it works or not.

    An error occurred during an attempt to build the certificate chain for the claims provider trust 'http://adfs.exterior.local/adfs/services/trust' certificate identified by thumbprint '2BE4042F6D3589BB5431DC86BE9F2FAB513F05DD'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the claims provider trust's signing certificate revocation settings or certificate is not within its validity period. 

    You can use Windows PowerShell commands for AD FS to configure the revocation settings for the claims provider trust's signing certificate. 
    Claims provider trust's signing certificate revocation settings: CheckChainExcludeRoot 
    The following errors occurred while building the certificate chain:  
    The revocation function was unable to check revocation for the certificate.

    The revocation function was unable to check revocation because the revocation server was offline.

    User Action: 
    Ensure that the claims provider trust's signing certificate is valid and has not been revoked. 
    Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting. 
    Verify your proxy server setting. For more information about how to verify your proxy server setting, see the AD FS Troubleshooting Guide (http://go.microsoft.com/fwlink/?LinkId=182180).


    Vincent Sprague

    Thursday, July 20, 2017 7:16 PM

Answers

  • I ended up turning off Certificate Revocation Checking using these commands.

    Set-AdfsClaimsProviderTrust -TargetName "adfs.exterior.local" -SigningCertificateRevocationCheck "None" -EncryptionCertificateRevocationCheck "None"

    Set-AdfsRelyingPartyTrust -TargetName "gateway.internal.local" -SigningCertificateRevocationCheck "None" -EncryptionCertificateRevocationCheck "None"


    Vincent Sprague

    • Marked as answer by Baron164 Tuesday, July 25, 2017 2:08 PM
    Tuesday, July 25, 2017 2:08 PM

All replies

  • Copy the cert on the ADFS server and run the following command

    certutil -urlfetch -verify cert.cer

    Saturday, July 22, 2017 10:59 AM
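The following PowerShell script is an added example, not code from the thread or from Microsoft. It does in script form what the `certutil -urlfetch -verify` suggestion above does by hand, and it tests the poster's hypothesis that the internal server cannot reach the exterior.local CA's revocation server: it reads the CRL Distribution Point URLs out of the exported signing certificate, tries to download each CRL, and then builds the chain with online revocation checking that excludes the root, which is the policy the event names as "CheckChainExcludeRoot". The certificate path is an assumption; export the claims provider trust's signing certificate to that location first. Run it on the internal AD FS server, ideally in the AD FS service account's context, because the event's "verify your proxy server setting" hint refers to that account's proxy configuration. A `RevocationStatusUnknown` / `OfflineRevocation` status with an unreachable CDP URL confirms a reachability problem rather than an actually revoked certificate, which is the distinction worth making before setting the trust's revocation check to `None` as the accepted answer does.

```powershell
# Added example (not from the thread): reproduce the chain build AD FS performs for a
# claims provider trust signing certificate under the ExcludeRoot revocation policy,
# and list each CRL Distribution Point so a "revocation server offline" condition can
# be isolated from a real revocation. $CertPath is an assumed location.
param(
    [string]$CertPath = 'C:\temp\adfs.exterior.local.cer'   # assumed: exported signing cert
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"

# 1. Where does the issuing CA publish its CRL? (OID 2.5.29.31 = CRL Distribution Points)
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdpExt) {
    # Format($true) gives the multi-line human-readable text; extract the URLs from it.
    $text = $cdpExt.Format($true)
    $urls = [regex]::Matches($text, '(https?|ldap)://[^\s,]+') | ForEach-Object { $_.Value }
}
if (-not $urls) { Write-Warning 'Certificate carries no CRL Distribution Point extension.' }

# 2. Can this host actually download each CRL? Only HTTP(S) is fetched here; an LDAP
#    CDP needs directory access to the issuing domain and is just reported.
foreach ($u in $urls) {
    if ($u -like 'http*') {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            "CRL reachable     : $u ($($r.RawContentLength) bytes)"
        } catch {
            "CRL NOT reachable : $u -> $($_.Exception.Message)"
        }
    } else {
        "LDAP CDP (not fetched here): $u"
    }
}

# 3. Build the chain the way CheckChainExcludeRoot does: online revocation checking for
#    every certificate in the chain except the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$ok = $chain.Build($cert)
"Chain build succeeded: $ok"
foreach ($s in $chain.ChainStatus) {
    # RevocationStatusUnknown / OfflineRevocation here matches the Event ID 315 wording
    "  status : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
}
foreach ($e in $chain.ChainElements) {
    "  element: {0}" -f $e.Certificate.Subject
}
```

If the CRL download fails but the chain builds once the script is rerun with `RevocationMode` set to `NoCheck`, the certificate itself is fine and the fix belongs on the network or proxy path to the exterior.local CDP, not on the trust's revocation setting.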