Claims Provider Encryption Certificate Is Not Valid - Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptanceAuthorityEncryptionCertificateCrlCheckFailureMonitor (UnitMonitor)

Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptanceAuthorityEncryptionCertificateCrlCheckFailureMonitor (UnitMonitor)

Knowledge Base article:

Summary

This monitor indicates that the SAML sign-out request failed because the encryption certificate for the claims provider trust is not valid.

If the same problem does not happen again within 15 minutes, the health state of this monitor will change back to a Green state. A corresponding alert is generated by the alert rule, and it must be resolved manually.

Causes

The following are possible causes for this event:

The certificate has been revoked.
The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this claims provider trust.
The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS to configure the revocation settings for the claims provider trust's encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.

Resolutions

The following are possible resolutions to this event:

Ensure that the claims provider trust's encryption certificate is valid and has not been revoked.
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see Things to Check Before Troubleshooting AD FS.

Element properties:

Source Code:

Target	Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptance
Parent Monitor	System.Health.ConfigurationState
Category	ConfigurationHealth
Enabled	True
Alert Generate	False
Alert Auto Resolve	True
Monitor Type	Microsoft.Windows.SingleEventLogTimer2StateMonitorType
Remotable	True
Accessibility	Public
RunAs	Default

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptanceAuthorityEncryptionCertificateCrlCheckFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptance" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogTimer2StateMonitorType" ConfirmDelivery="true"> <Category>ConfigurationHealth</Category> <OperationalStates> <OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Warning"/> <OperationalState ID="TimerEventRaised" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/> </OperationalStates> <Configuration> <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">374</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <RegExExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>MatchesMOM2005RegularExpression</Operator> <Pattern>(^AD FS$)</Pattern> </RegExExpression> </Expression> </And> </Expression> <TimerWaitInSeconds>900</TimerWaitInSeconds> </Configuration> </UnitMonitor>