The signing certificate for one of the claims provider trusts is not valid. This will cause the Federation Service to fail to accept the incoming signed token. In the sign-out scenario, this will cause the Federation Service to fail to accept signed sign-out requests.
If the same problem does not occur again within 15 minutes, the health state of this monitor will change back to a Green state. A corresponding alert is generated by the alert rule, and it must be resolved manually.
The following are possible causes for this event:
The certificate has been revoked.
The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this claims provider trust.
The certificate is not within its validity period.
Note:
You can use Windows PowerShell cmdlets for AD FS to configure the revocation settings for the claims provider trust's signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSClaimsProviderTrust cmdlet.
The following are possible resolutions for this event:
Ensure that the claims provider trust's signing certificate is valid and has not been revoked.
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see "Things to Check Before Troubleshooting AD FS" section in the AD FS troubleshooting guide.
Target | Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptance | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | ConfigurationHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | MatchMonitorHealth | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.Windows.SingleEventLogTimer2StateMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptanceClaimsProviderSigningCertificateCrlCheckFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptance" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogTimer2StateMonitorType" ConfirmDelivery="true">
<Category>ConfigurationHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices.2016.TokenAcceptanceClaimsProviderSigningCertificateCrlCheckFailureMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>MatchMonitorHealth</AlertSeverity>
<AlertParameters>
<AlertParameter1>$Data/Context/EventDescription$</AlertParameter1>
</AlertParameters>
</AlertSettings>
<OperationalStates>
<OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Warning"/>
<OperationalState ID="TimerEventRaised" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/>
</OperationalStates>
<Configuration>
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices.2016.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">315</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
<TimerWaitInSeconds>900</TimerWaitInSeconds>
</Configuration>
</UnitMonitor>