Relying Party Encryption Certificate Error - Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartyEncryptionCertificateCrlCheckFailureMonitor (UnitMonitor)

Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartyEncryptionCertificateCrlCheckFailureMonitor (UnitMonitor)

Knowledge Base article:

Summary

An error occurred during an attempt to build the certificate chain for the relying party trust's encryption certificate. This will cause token issuance for this relying party trust to fail or it will cause the Federation Service to fail the sign-out request process from this relying party.

If the same problem does not happen again within 15 minutes, the health state of this monitor will change back to a Green state. A corresponding alert is generated by the alert rule, and it must be resolved manually.

Causes

The following are possible causes for this event:

The certificate has been revoked.
The certificate chain could not be verified as specified by the revocation settings of the encryption certificate for this relying party trust.
The certificate is not within its validity period.

Note

You can use Windows PowerShell cmdlets for AD FS to configure the revocation settings for the relying party trust's encryption certificate. For the specific setting, use the EncryptionCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.

Resolutions

The following are possible resolutions to this event:

Ensure that the relying party trust's encryption certificate is valid and has not been revoked.
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see "Things to Check Before Troubleshooting AD FS" section in the AD FS troubleshooting guide.

Element properties:

Source Code:

Target	Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance
Parent Monitor	System.Health.ConfigurationState
Category	ConfigurationHealth
Enabled	True
Alert Generate	False
Alert Auto Resolve	True
Monitor Type	Microsoft.Windows.SingleEventLogTimer2StateMonitorType
Remotable	True
Accessibility	Public
RunAs	Default

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartyEncryptionCertificateCrlCheckFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Windows!Microsoft.Windows.SingleEventLogTimer2StateMonitorType" ConfirmDelivery="true"> <Category>ConfigurationHealth</Category> <OperationalStates> <OperationalState ID="EventRaised" MonitorTypeStateID="EventRaised" HealthState="Warning"/> <OperationalState ID="TimerEventRaised" MonitorTypeStateID="TimerEventRaised" HealthState="Success"/> </OperationalStates> <Configuration> <ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$</LogName> <Expression> <And> <Expression> <SimpleExpression> <ValueExpression> <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery> </ValueExpression> <Operator>Equal</Operator> <ValueExpression> <Value Type="UnsignedInteger">317</Value> </ValueExpression> </SimpleExpression> </Expression> <Expression> <RegExExpression> <ValueExpression> <XPathQuery Type="String">PublisherName</XPathQuery> </ValueExpression> <Operator>MatchesMOM2005RegularExpression</Operator> <Pattern>(^AD FS$)</Pattern> </RegExExpression> </Expression> </And> </Expression> <TimerWaitInSeconds>900</TimerWaitInSeconds> </Configuration> </UnitMonitor>