Directory Programming .NET

Active Directory and ADAM programming support for .NET developers

ADFS Step-by-Step Error

Last post 07-01-2008, 10:59 PM by joe. 17 replies.
Page 1 of 2 (18 items)   1 2 Next >
  •  04-14-2008, 11:52 AM 3146

    ADFS Step-by-Step Error

    Hello,

    I'm setting up the ADFS Step-by-Step guide, but I get an error. I read here (http://directoryprogramming.net/forums/thread/979.aspx) about the same problem, but I don't have the chance of getting real certs.
    How can I fix this error with my self-signed certs?

    Thank you!

    Server Error in '/claimapp' Application.

    The web server has been unable to contact the Federation Server.

    Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

    Exception Details: System.InvalidOperationException: The web server has been unable to contact the Federation Server.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [InvalidOperationException: The web server has been unable to contact the Federation Server.]
    System.Web.Security.SingleSignOn.WSPersistentState.GetPersistentInfo(TrustedRealm& trustedRealm, String& fsAccountName) +137
    System.Web.Security.SingleSignOn.WebSsoAuthenticationModule.OnEnter(Object o, EventArgs args) +449
    System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
    System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +64


    Version Information: Microsoft .NET Framework Version:2.0.50727.42; ASP.NET Version:2.0.50727.210
  •  04-14-2008, 12:34 PM 3147 in reply to 3146

    Re: ADFS Step-by-Step Error

    Browse to the asmx service file from the Federation servers via IIS. Check to see if you get the cert errors.  We had this last week and it was just a cert issue that needed to be corrected. If so you'll need to try installing the certs again.

    We used SelfSSL and it worked fine for us last week.

  •  04-14-2008, 1:41 PM 3149 in reply to 3147

    Re: ADFS Step-by-Step Error

    jrmcdona:

    Browse to the asmx service file from the Federation servers via IIS.



    Where can I find the asmx service file? I only have the 3 claimapp files (default.aspx, web.config, default.aspx.cs).
  •  04-14-2008, 1:45 PM 3150 in reply to 3149

    Re: ADFS Step-by-Step Error

    It is on the federation server that you are trying to connect to.

    Look in IIS under the virtual directories where your federation service lives. I think it is called "adfs" or something like that.


  •  04-14-2008, 3:12 PM 3151 in reply to 3146

    Re: ADFS Step-by-Step Error

    Hi,

    This error is telling you that the web server is unable to contact the Federation Server.  To test this, you should launch a browser on the web server and see if you can browse to this page:

    https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx   <--This is the actual link if you used the computer names outlined in the guide.  If you used different server names, then replace the servername with what you used.

    Most likely, this test will fail.  The application event logs on the Web Server and the Federation Server may tell you more information as to the reason for the failure.

    Also, the ADFS Diagnostic tool may help diagnose the problem further if the event logs don't help with the problem.

    Thanks,

    Jim

  •  04-15-2008, 3:47 AM 3161 in reply to 3151

    Re: ADFS Step-by-Step Error

    Problem fixed.
  •  04-15-2008, 7:56 PM 3175 in reply to 3151

    Re: ADFS Step-by-Step Error

    jimsim:

    Hi,

    This error is telling you that the web server is unable to contact the Federation Server.  To test this, you should launch a browser on the web server and see if you can browse to this page:

    https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx   <--This is the actual link if you used the computer names outlined in the guide.  If you used different server names, then replace the servername with what you used.

    Most likely, this test will fail.  The application event logs on the Web Server and the Federation Server may tell you more information as to the reason for the failure.

    Also, the ADFS Diagnostic tool may help diagnose the problem further if the event logs don't help with the problem.

    Thanks,

    Jim


    We are getting the same error on our web server.

    I can hit the Federation server address no problem, ADFS tool comes back 100% passed... Can't seem to figure this one out.


    Edit:

    Screenshot: http://img442.imageshack.us/img442/1872/adfserror3sm3.jpg

    Log File output:

    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 4/15/2008 9:05:20 PM
    Event time (UTC): 4/16/2008 1:05:20 AM
    Event ID: 6e5375f90775421a866230cf4293a204
    Event sequence: 8
    Event occurrence: 7
    Event detail code: 0
     
    Application information:
        Application domain: /LM/W3SVC/827010264/Root/lp-1-128527803859305715
        Trust level: Full
        Application Virtual Path: /lp
        Application Path: C:\Inetpub\LandingPage\lp\
        Machine name: GOLDERWEB
     
    Process information:
        Process ID: 3528
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
     
    Exception information:
        Exception type: InvalidOperationException
        Exception message: The web server has been unable to contact the Federation Server.
     
    Request information:
        Request URL: https://golderweb.golderdev.net:8081/lp/Default.aspx
        Request path: /lp/Default.aspx
        User host address: 192.168.1.3
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
     
    Thread information:
        Thread ID: 1
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.Security.SingleSignOn.WSPersistentState.GetPersistentInfo(TrustedRealm& trustedRealm, String& fsAccountName)
       at System.Web.Security.SingleSignOn.WebSsoAuthenticationModule.OnEnter(Object o, EventArgs args)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     
     
    Custom event details:

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


  •  04-16-2008, 1:42 AM 3177 in reply to 3175

    Re: ADFS Step-by-Step Error

    Put all self-created certs in trusted root.
  •  04-16-2008, 1:48 PM 3185 in reply to 3177

    Re: ADFS Step-by-Step Error

    Trusted Root Certificate Authorities?


    It's sitting in there...

    I used selfssl /t /n:cn=golderweb.golderdev.net /v:365


  •  04-16-2008, 2:15 PM 3186 in reply to 3185

    Re: ADFS Step-by-Step Error

    I'm not exactly sure what is going on here either...

    1.  Do you get any certificate prompts/errors when manually going to the federationserverservice.asmx page?

    2. Is the event you posted the only thing logging in the application log?

    3.  Are there any application log events on the FS-R?

    4.  Do you have a proxy server specified in IE on the web server?

    Can you send me the complete diagnostic file so I can look at it off-line?


  •  04-16-2008, 3:50 PM 3187 in reply to 3186

    Re: ADFS Step-by-Step Error

    1. Yes, IE asks me to "Choose a digital certificate" with an empty box.

    http://img182.imageshack.us/img182/8888/adfserror6uk1.jpg

    2. Yes, and in all logs on the FS Web Server

    3. No.

    4. No, should I? This is all an internal lab.

  •  04-16-2008, 6:48 PM 3189 in reply to 3187

    Re: ADFS Step-by-Step Error

    Here is an additional error that just seems to be popping up every now and then on the Web Server:

    Event Type: Error
    Event Source: ADFS
    Event Category: None
    Event ID: 684
    Date:  4/16/2008
    Time:  6:52:45 PM
    User:  N/A
    Computer: GOLDERWEB
    Description:
    The ADFS Web Agent was unable to update trust information from the Federation Service. The Federation Service Secure Sockets Layer (SSL) server certificate could not be validated.
    Federation Service URL:
    https://golderdevdc.golderdev.net/adfs/fs/federationserverservice.asmx

    User Action
    Verify that the Federation Service SSL server certificate chains to a root certificate that is in the Local Computer Trusted Root Certification Authorities certificate store on the web server.

    Verify that the SSL certificate is neither expired nor revoked.

    Verify that the SSL certificate subject matches the host name portion of the Federation Service Uniform Resource Locator (URL).

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Edit: The cert from the FS is sitting in the trusted root, it's not expired... and it has the same name "golderdevdc.golderdev.net" as the FQDN of the machine it's from...


    I am not sure what else to look for here.


  •  04-17-2008, 1:38 PM 3209 in reply to 3189

    Re: ADFS Step-by-Step Error

    Make sure you use a browser from the agent box to the FS URL https://golderdevdc.golderdev.net/adfs/fs/federationserverservice.asmx and see if there are any cert warnings.

    Also, if you had to modify the trusted roots to get the cert to chain, make sure you modified the right cert store!  You want the root CA cert for this cert (perhaps the cert itself if self-signed) in the trusted roots container for the LOCAL MACHINE store.  If you accidentally put this in the MY store, that will apply to the logged on user but not to other users on the machine.

  •  04-17-2008, 1:47 PM 3210 in reply to 3209

    Re: ADFS Step-by-Step Error

    Yah, the web server can hit that URL just fine. The only cert warning I get is the one that is shown in that screenshot: http://img182.imageshack.us/img182/8888/adfserror6uk1.jpg

    Modify the trusted roots? I am not quite sure what this means... But on my web agent, I have a self-signed SSL cert, and I have installed the cert from the FS while browsing to the *.asmx file.

    That cert is sitting in the trusted root.

    Are you saying that I need the base cert from the Certificate Authority Server?

  •  04-17-2008, 3:55 PM 3214 in reply to 3210

    Re: ADFS Step-by-Step Error

    The client cert auth prompt you show in the screen shot there is normal for browsing the FS endpoint.  The /adfs/fs/ path is configured to accept client cert auth (but not require it) because the FS-P uses client cert auth to authenticate with the FS.  This is how the FS authorizes access to the "privileged" methods exposed by the FS web service.  Two of the methods are used by the agent and are called anonymously, but the rest are used by the proxy and are only intended to be called by the proxy.

    When you accepted the certificate using the browser, that adds the cert to the trusted roots container for the "current user" store, not the local machine store.  You should do this manually using the certificates MMC snap-in instead.

    Self-signed certs are a pain to deal with because nothing trusts them by default.  They are initially easy to get going with since you can create them yourself, but trade off that initial ease fairly quickly.
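The three checks from the event 684 "User Action" list earlier in the thread, together with the LocalMachine versus CurrentUser store distinction joe describes, as an added PowerShell example that is not from this thread or from the ADFS product: it is run on the web agent box, and the only assumption is the Federation Service URL, which defaults to the one quoted in the event text.

```powershell
# Added example, not from the thread: run on the ADFS web agent box to check the Federation
# Service SSL certificate against the three conditions listed in ADFS event 684, and to show
# which Trusted Root store (LocalMachine or CurrentUser) actually holds the root it chains to.
# The default URL is the one quoted in the event; replace it with your own Federation Service URL.
param([string]$FsUrl = 'https://golderdevdc.golderdev.net/adfs/fs/federationserverservice.asmx')

$uri = [Uri]$FsUrl

# Complete a TLS handshake and keep the server certificate. The callback accepts anything
# so that an untrusted cert can still be captured and examined; it is never used for trust.
$tcp = New-Object Net.Sockets.TcpClient($uri.Host, $uri.Port)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($uri.Host)
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

# Condition 1: chains to a trusted root (revocation checked online, as the agent does).
$chain = New-Object Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chainBuilds = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# X509Chain consults the CurrentUser stores of whoever runs this script as well as
# LocalMachine, so $chainBuilds can be $true for the logged-on admin while the agent,
# running as NETWORK SERVICE, still fails. The two store lookups below tell them apart.
$inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                        Where-Object { $_.Thumbprint -eq $root.Thumbprint })
$inUserRoot    = [bool](Get-ChildItem Cert:\CurrentUser\Root |
                        Where-Object { $_.Thumbprint -eq $root.Thumbprint })

# Condition 2: validity period.
$expired = ((Get-Date) -lt $cert.NotBefore) -or ((Get-Date) -gt $cert.NotAfter)

# Condition 3: subject (SAN DNS name, falling back to CN) matches the URL host name.
$dnsName = $cert.GetNameInfo('DnsName', $false)
$nameMatches = ($dnsName -ieq $uri.Host)

New-Object PSObject -Property @{
    Host              = $uri.Host
    Subject           = $cert.Subject
    ChainBuilds       = $chainBuilds
    ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    RootInMachineRoot = $inMachineRoot   # must be $true for the Web Agent
    RootInUserRoot    = $inUserRoot      # where "accepting" the cert in IE puts it
    Expired           = $expired
    NameMatchesHost   = $nameMatches
} | Format-List
```

A result of RootInMachineRoot false with RootInUserRoot true is exactly the situation described in this thread: the cert validates in the admin's browser but not for the agent's service account.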
