Federation Service Malformed Requests

Applies To: Windows Server 2008

Federation Service Malformed Requests logs information about incorrectly configured or missing data values that reside in the trust policy, along with information about client cookie issues and sign-on issues.

Events

Event ID Source Message

604

Microsoft-Windows-ADFS

The account partner discovery page called the RedirectToAccountFederationPartner application programming interface (API) with a Uniform Resource Identifier (URI) that does not identify any known account partner.
URI: %1

User Action
Examine the account partner discovery page for errors.

608

Microsoft-Windows-ADFS

A token request was received for an application with the Uniform Resource Locator (URL) '%1', but the request could not be fulfilled because the URL does not identify any known application.
URL: %1

This request will be failed.

User Action
If this URL should be handled, verify that it matches the URL for the application in the Federation Service trust policy. Hypertext Transfer Protocol (HTTP) URLs are matched according to a set of rules in the HTTP specification. Host names are case insensitive, but the path portion of the URL is matched in a case-sensitive manner.

Additional Data
Refer to Request for Comments (RFC) 2616 for HTTP URL matching rules.

609

Microsoft-Windows-ADFS

A token request was received for a resource partner with the Uniform Resource Identifier (URI) '%1', but the request could not be fulfilled because the URI does not identify any known resource partner.
URI: %1

This request will be failed.

User Action
If this URI should be handled, verify that it matches the URI for the resource partner in the Federation Service trust policy. URI matching rules differ according to the URI scheme, but in general URIs are case sensitive.

Additional Data
Refer to Request for Comments (RFC) 2396 for more information about URIs.
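
The matching rules described for events 608 and 609, as an added example that is not part of the original page or of AD FS itself. It compares the URL or URI from the event with the one in the trust policy and names the first component that differs. The helper names and sample values are constructed for illustration; the HTTP rules follow RFC 2616 section 3.2.3, except that percent-encoding equivalence is not handled.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _http_parts(url):
    """Normalize only what RFC 2616 section 3.2.3 says is equivalent."""
    u = urlsplit(url)
    scheme = u.scheme.lower()                    # scheme: case-insensitive
    host = (u.hostname or "").lower()            # host: case-insensitive
    port = u.port or DEFAULT_PORTS.get(scheme)   # missing port == default port
    path = u.path or "/"                         # empty path == "/"
    return scheme, host, port, path              # path case is left untouched

def explain_mismatch(policy_value, requested_value):
    """Return 'match' or a short reason the request would not match the policy."""
    scheme = urlsplit(policy_value).scheme.lower()
    if scheme not in DEFAULT_PORTS:
        # Non-HTTP identifiers (for example urn: partner URIs, event 609):
        # treated as case-sensitive, so compare the strings exactly.
        if policy_value == requested_value:
            return "match"
        if policy_value.lower() == requested_value.lower():
            return "URI differs only by case"
        return "URI differs"
    policy = _http_parts(policy_value)
    requested = _http_parts(requested_value)
    for name, a, b in zip(("scheme", "host", "port", "path"), policy, requested):
        if a != b:
            if name == "path" and a.lower() == b.lower():
                return "path differs only by case"
            return f"{name} differs"
    return "match"

if __name__ == "__main__":
    # Constructed sample values, not taken from a real trust policy.
    policy_url = "https://adfsweb.example.com/claimapp/"
    for requested in ("https://ADFSWEB.example.com:443/claimapp/",
                      "https://adfsweb.example.com/ClaimApp/",
                      "https://adfsweb.example.com:8443/claimapp/"):
        print(requested, "->", explain_mismatch(policy_url, requested))
    print(explain_mismatch("urn:federation:partner", "urn:federation:Partner"))
```
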

678

Microsoft-Windows-ADFS

The Federation Service rejected a token request because it appeared to duplicate a successful request that was granted to the same client browser session within the last %2 seconds.
Target: %1
Duplication period (seconds): %2

This failure generally indicates that the target is not receiving cookies that it writes. If this condition is caused by a server-side configuration error, it may indicate that all requests to the target are failing.

User Action
Ensure that the client browser is configured to accept cookies from the target site.

Ensure that the cookie path and cookie domain are correctly configured at the target Federation Service or web agent.

Ensure that the return URL that is specified in the Web Agent matches the application URL that is specified in the Federation Service.

688

Microsoft-Windows-ADFS

Cookies that are needed to complete a passive client request were not present in the request.

When cookies that hold the state for passive client requests cannot be found, requests that are made by the passive client will be received by the Federation Service (or Federation Service Proxy), but they will not be processed.

User Action
Reconfigure the cookie path. The current cookie path is set to '%1', and the request-Uniform Resource Identifier (URI) is set to '%2'. Unless other client-side configuration or user action causes the cookie to be rejected, client browsers should send the cookie if the cookie path matches the prefix for the request-URI.
Cookie path: %1
Request-URI: %2

Modify the Domain Name System (DNS) name for this site so that it is Request for Comments (RFC)-compliant. Compliant DNS host names contain only letters (A through Z), numerals (0 through 9), minus sign (-), and period (.) characters.

Reconfigure the client browser to not reject cookies from this site.

Undo any action that might have been taken by a user to reject or delete the cookies that are needed by this transaction.

Additional Data
For more information about the cookie and request-URI paths, review the following RFCs:

RFC 2616 - This RFC describes the appropriate way to compare Hypertext Transfer Protocol (HTTP) URIs, and it mandates case-sensitive comparisons for the request-URI path.
RFC 2109 - This RFC describes how the cookie path must match a prefix of the request-URI. It is important to note that some browsers treat "/path" or "/path1/samp" as a prefix match of "/path1/sample" while others do not allow matches that consume only parts of the individual words. These strict implementations accept only a subset of those matches that are allowed by the first implementation, for example, "/path1" or "/path1/sample".
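
A check for the two event 688 causes that can be read from configuration, as an added example that is not part of the original page or of AD FS. Given the cookie path and request-URI reported in the event, it says whether every browser, only browsers with lenient prefix matching, or no browser would return the cookie, and it flags host names with characters outside the set listed above. Function names and sample values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

def cookie_path_verdict(cookie_path, request_uri):
    """Classify a cookie path against a request-URI (case-sensitive prefix match)."""
    path = urlsplit(request_uri).path or "/"    # accepts a full URI or a bare path
    if not path.startswith(cookie_path):
        return "not sent"
    rest = path[len(cookie_path):]
    # Strict browsers require the prefix to end on a path-segment boundary.
    on_boundary = rest == "" or cookie_path.endswith("/") or rest.startswith("/")
    if on_boundary:
        return "sent by all browsers"
    return "sent only by lenient browsers"

def host_is_compliant(host):
    """True if the host name uses only letters, numerals, '-' and '.'."""
    return re.fullmatch(r"[A-Za-z0-9.-]+", host) is not None

def diagnose_688(cookie_path, request_uri, host):
    """Return a list of configuration findings; an empty list means none found."""
    findings = []
    verdict = cookie_path_verdict(cookie_path, request_uri)
    if verdict != "sent by all browsers":
        findings.append(f"cookie path '{cookie_path}': {verdict}")
    if not host_is_compliant(host):
        findings.append(f"host name '{host}' has characters outside A-Z, 0-9, '-', '.'")
    return findings

if __name__ == "__main__":
    # Constructed sample values using the paths from the RFC 2109 note above.
    for cookie_path in ("/path1", "/path1/sample", "/path", "/path1/samp", "/Path1"):
        print(cookie_path, "->", cookie_path_verdict(cookie_path, "/path1/sample"))
    print(diagnose_688("/path", "https://adfs_web.example.com/path1/sample",
                       "adfs_web.example.com"))
```
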

705

Microsoft-Windows-ADFS

A client is attempting to continue a pending sign-in request, but the target of the continuing request differs from the target of the pending request. Each browser session may only maintain one pending request at a time.
Continuing request target: %1
Pending request target: %2

This situation may occur if two Microsoft Office applications attempt to perform AD FS authentication simultaneously because session cookies are shared across all Office applications.

User Action
There is typically no action to be taken at the server to correct this situation. A user will see a failure in one of the Office applications. Reopening the failing Office file after the second file finishes loading resolves this issue.

706

Microsoft-Windows-ADFS

A portion of a multipart response was received out of sequence.
Response index: %1
Expected index: %2

This situation is an unrecoverable protocol error. The authentication has failed, and the client request will be denied.

707

Microsoft-Windows-ADFS

A portion of a multipart response was received, but the part contains too much data.
Characters received: %1
Characters expected: %2

This situation is an unrecoverable protocol error. The authentication has failed, and the client request will be denied.

708

Microsoft-Windows-ADFS

One of the session cookies that stores state for pending sign-in requests contains incorrectly formatted data.
Cookie: %1
Formatting error: %2

This cookie is written by AD FS for AD FS use. This error indicates that the cookie has been tampered with. The authentication has failed, and the client request will be denied.

709

Microsoft-Windows-ADFS

The pending sign-in request state specifies an unknown account partner.
Partner URI: %1

This condition can occur if an account partner is deleted during a multipart sign-in request.

710

Microsoft-Windows-ADFS

A request was received that identified itself as a WS-Federation Passive Requestor Profile (WS-F PRP) sign-in message, but the message does not fit the profile of any supported message.

This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering.

User Action
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.

711

Microsoft-Windows-ADFS

A sign-in message was received that contains incorrectly formatted data.
Format error: %1

This situation can be due to rogue clients; interoperability failure with non-Microsoft, single-sign-on software; or message tampering.

User Action
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.

712

Microsoft-Windows-ADFS

A request was received that is the continuation of a multipart sign-in request, but more data has been requested than exists.
Requested data index: %1
Actual data size: %2

This situation is an unrecoverable protocol error. The authentication has failed, and the client request will be denied.

715

Microsoft-Windows-ADFS

The Federation Service encountered an error while parsing a security token. The token contained an unrecognized claim namespace.
Token issuer: %1
Claim namespace: %2

This request will be denied.

This error might occur as a result of incompatibilities between AD FS and third-party software.

User Action
If this error occurs on the Federation Service and the token issuer is an account partner, it may indicate that custom namespaces should be configured for the partner.

If this error occurs on the AD FS Web Agent, it may indicate that the token issuer is not properly configured. Contact the token issuer's administrator.

723

Microsoft-Windows-ADFS

The cookies that were presented by the client could not be decoded.

This may cause a user request to fail.

User Action
The exception details may give an indication of the precise problem.

Additional Data
HRESULT error code: %1
Exception information:
%2
