Event ID 722 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 722
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: PrivacyKeyNotRequiredLength
Message: The Federation Service has encountered an error while loading the trust policy. The trust policy contains a privacy key that is not the expected length.
Expected length: %1
Actual length: %2

If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.

User Action
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Configure a privacy key of the expected length.

Resolve

Configure a privacy key of the expected length

This error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in.

Configure a privacy key of the expected length (at least 128 bits). Disable enhanced identity privacy for the partner and re-enable enhanced identity privacy again so that the privacy key of appropriate length is generated.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To disable and re-enable the enhanced identity privacy setting on a resource partner:

  1. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, double-click Trust Policy, double-click Partner Organizations, and then double-click Resource Partners.
  3. Right-click the resource partner for which you want to disable enhanced identity privacy, and then click Properties.
  4. On the General tab, click Enable enhanced identity privacy so that it is not selected, and then click OK.
  5. Right-click the same resource partner, and then click Properties.
  6. On the General tab, click Enable enhanced identity privacy so that it is selected, and then click OK.

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.

Trust Policy and Configuration

Active Directory Federation Services