Event ID 655 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 655
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: NoIdentityClaimForTrustingApp
Message: The Federation Service encountered an error while loading the trust policy. An application has no identity claim enabled.
Application: %1

If this error occurs during startup of the Federation Service, the Federation Service will not be able to start and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last policy that was loaded successfully.

User Action
This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Enable an identity claim for this application.

Resolve

Enable at least one identity claim for the application

This error occurs only if the trust policy file (trustpolicy.xml) has been modified without the use of the Active Directory Federation Services snap-in and the modification causes another relying parameter to fall outside the scope of acceptable values. In this case, the manual change that was made to the trustpolicy.xml file disabled all identity claims that are associated with this application. Enable at least one identity claim for this application.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To manually enable an identity claim for an application in the trustpolicy.xml file:

  1. In Notepad or another text editor, open the TrustPolicy.xml file, which by default is in %systemdrive%\windows\systemdata\adfs.
  2. In the **TrustingApplication **section, change the value of the AllowUPNClaim, AllowEmailClaim, or AllowCommonNameClaim element (depending on which one should be enabled) from false to true.
  3. Save and close Notepad.

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.

Trust Policy and Configuration

Active Directory Federation Services