Event ID 602 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 602
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: BadConfigurationCertificateNotFound
Message: During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The certificate that was identified by the thumbprint '%3' could not be found.
Section: %1
Parameter: %2
Thumbprint: %3

The Federation Service or the Federation Service Proxy will not be able to start until this configuration parameter is corrected.

This condition occurs when the thumbprint that is specified does not match the thumbprint of any certificate in the Local Computer Personal store. Common causes for this condition include the following:
(1) The web.config was edited by hand and the thumbprint string contains a typographical error.
(2) The certificate with the specified thumbprint is from a user store instead of the Local Computer store.

User Action
If the web.config contains a typographical error, correct the thumbprint string. To correct the thumbprint string, open the Certificates snap-in. On the Details tab in the certificate property page, select the Thumbprint field. The thumbprint in the web.config should match the string - with the spaces removed - that appears in the property page.

If a certificate with a matching thumbprint exists in a user store and a .pfx file for the certificate is available, import the .pfx file directly into the Local Computer Personal store. If no .pfx file is available and the key is exportable, you can create a .pfx file by exporting the certificate with private key. If the key is not exportable and no .pfx file is available, request a new certificate and ensure that the request is for a machine certificate instead of a user certificate.

Resolve

Correct the thumbprint string in the web.config file

If the web.config file contains a typographical error, you can either correct the thumbprint string or select another certificate from the Local Computer Personal store.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To check whether the certificate thumbprint string matches the same value as the web.config file:

  1. On a federation server, click Start, click Run, type mmc, and then click OK.
  2. Click File, and then click Add/Remove Snap-in.
  3. Select Certificates, click Add, click Computer account, and then click Next.
  4. Click Local computer (the computer this console is running on), click Finish, and then click OK.
  5. Double-click the Certificates (Local Computer) folder, double-click the Personal folder, click the Certificates folder, and then double-click the token-signing certificate.
  6. On the Details tab in the Certificate dialog box, record the value in the Thumbprint field. The thumbprint value that is specified in the web.config file (in %systemdrive%/windows/adfs/sts) should match the string (with the spaces removed) that appears in the Certificate dialog box.

If a certificate with a matching thumbprint exists in a user store and a .pfx file for the certificate is available, import the .pfx file directly into the Local Computer Personal store.

If no .pfx file is available and the key is exportable, you can create a .pfx file by exporting the certificate with a private key. If the key is not exportable and no .pfx file is available, request a new certificate and ensure that the request is for a machine certificate instead of a user certificate.

To select another token-signing certificate:

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.

  2. Right-click Federation Service, and then click Properties.

  3. Click the General tab, click the Select button for Token-signing certificate, and then select a certificate.

    If there is no certificate to select, install a certificate, import it into the Local Computer Personal store, and then select it.

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.

Trust Policy and Configuration

Active Directory Federation Services