The Federation Service failed to process the signed SAML sign-in or sign-out request because the certificate that the partner used to sign the request failed a certificate revocation check or it has expired.
The following are possible causes for this event:
The certificate has been revoked.
The certificate chain could not be verified as specified by the revocation settings of the signing certificate for this relying party trust.
The certificate is not within its validity period.
Note:
You can use Windows PowerShell cmdlets for AD FS to configure the revocation settings for the relying party trust's signing certificate. For the specific setting, use the SigningCertificateRevocationCheck parameter of the Set-ADFSRelyingPartyTrust cmdlet.
The following are possible resolutions for this event:
Ensure that the relying party trust's signing certificate is valid and has not been revoked.
Ensure that AD FS can access the certificate revocation list if the revocation setting does not specify "none" or a "cache only" setting.
Verify your HTTP proxy server settings. For more information about how to verify your HTTP proxy server settings, see "Things to Check Before Troubleshooting AD FS" section in the AD FS troubleshooting guide.
Target | Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance | ||
Category | ConfigurationHealth | ||
Enabled | True | ||
Event_ID | 316 | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Remotable | True | ||
Alert Message |
| ||
Event Log | $Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$ |
ID | Module Type | TypeId | RunAs |
---|---|---|---|
DS | DataSource | Microsoft.Windows.EventProvider | Default |
Alert | WriteAction | System.Health.GenerateAlert | Default |
<Rule ID="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartySigningCertificateCrlCheckFailureRule" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuance" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
<Category>ConfigurationHealth</Category>
<DataSources>
<DataSource ID="DS" TypeID="Windows!Microsoft.Windows.EventProvider">
<ComputerName>$Target/Host/Host/Host/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
<LogName>$Target/Host/Host/Property[Type="Microsoft.ActiveDirectoryFederationServices2012R2.FederationServer"]/ADFSEventLog$</LogName>
<Expression>
<And>
<Expression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="UnsignedInteger">316</Value>
</ValueExpression>
</SimpleExpression>
</Expression>
<Expression>
<RegExExpression>
<ValueExpression>
<XPathQuery Type="String">PublisherName</XPathQuery>
</ValueExpression>
<Operator>MatchesMOM2005RegularExpression</Operator>
<Pattern>(^AD FS$)</Pattern>
</RegExExpression>
</Expression>
</And>
</Expression>
</DataSource>
</DataSources>
<WriteActions>
<WriteAction ID="Alert" TypeID="Health!System.Health.GenerateAlert">
<Priority>1</Priority>
<Severity>1</Severity>
<AlertOwner/>
<AlertMessageId>$MPElement[Name="Microsoft.ActiveDirectoryFederationServices2012R2.TokenIssuanceRelyingPartySigningCertificateCrlCheckFailureRule.AlertMessage"]$</AlertMessageId>
<AlertParameters>
<AlertParameter1>$Data/Params/Param[1]$</AlertParameter1>
</AlertParameters>
<Suppression>
<SuppressionValue>$Data/Params/Param[1]$</SuppressionValue>
<SuppressionValue>$Data/Params/Param[2]$</SuppressionValue>
</Suppression>
<Custom1/>
<Custom2/>
<Custom3/>
<Custom4/>
<Custom5/>
<Custom6/>
<Custom7/>
<Custom8/>
<Custom9/>
<Custom10/>
</WriteAction>
</WriteActions>
</Rule>