Additional Certificate Load Error - Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagementAdditionalCertificateLoadErrorRule (Rule)

Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagementAdditionalCertificateLoadErrorRule (Rule)

Knowledge Base article:

Summary

The Federation Service failed to load its token-signing, token-decrypting, and SSL certificates. If the failing certificate is the primary certificate, the AD FS Windows service will fail to start up.

Causes

The following are possible causes for this event:

Active Directory objects are missing under the specified distinguished name in the diagnostic information regarding X.509 certificate private key sharing that is provided in this event.
The access control list (ACL) permissions of the Active Directory objects that are specified in the diagnostic information have changed, and the service identity of AD FS no longer has rights to read or modify those objects.

Resolutions

The following are possible resolutions for this event:

You may have to restore all Active Directory objects under the distinguished name that was specified in the event-included diagnostic information.
Work with your domain administrator to help restore read/write ACL permissions.

Element properties:

Target

Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagement

Category

ConfigurationHealth

Enabled

True

Event_ID

329

Alert Generate

True

Alert Severity

Warning

Alert Priority

Normal

Remotable

True

Alert Message

Additional Certificate Load Error

The Federation Service Failed to load additional certificates.

Event Log

$Target/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Windows.EventProvider	Default
Alert	WriteAction	System.Health.GenerateAlert	Default

Module Type

TypeId

RunAs

DataSource

Microsoft.Windows.EventProvider

Default

Alert

WriteAction

System.Health.GenerateAlert

Default

Source Code:

<Rule ID="Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagementAdditionalCertificateLoadErrorRule" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagement" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100"> <Category>ConfigurationHealth</Category> <DataSources> <DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider"> <ComputerName>$Target/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>$Target/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">329</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <RegExExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>MatchesMOM2005RegularExpression</Operator> <Pattern>(^AD FS$)</Pattern> </RegExExpression> </Expression> </And> </Expression> </DataSource> </DataSources> <WriteActions> <WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert"> <Priority>1</Priority> <Severity>1</Severity> <AlertName/> <AlertDescription/> <AlertOwner/> <AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices.2016.CertificateManagementAdditionalCertificateLoadErrorRule.AlertMessage"]$</AlertMessageId> <AlertParameters/> <Suppression> <SuppressionValue>$Data/Params/Param[1]$</SuppressionValue> </Suppression> <Custom1/> <Custom2/> <Custom3/> <Custom4/> <Custom5/> <Custom6/> <Custom7/> <Custom8/> <Custom9/> <Custom10/> </WriteAction> </WriteActions> </Rule>