AD FS 2.0 Event id 143 and 248

  • Question

  • Hi All,

    For a few weeks we have been getting the following event on our AD FS 2.0 Federation server:

    Source: AD FS 2.0
    Event ID: 143

    The Federation Service was unable to create the federation metadata document as a result of an error.
    Document Path: /FederationMetadata/2007-06/FederationMetadata.xml

    Additional Data

    Exception details:
    System.Net.HttpListenerException: The specified network name is no longer available
    at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size)
    at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result)

    On our Federation Proxy we get the following event:

    Source: AD FS 2.0
    Event ID: 248

    The federation server proxy was not able to retrieve the list of endpoints from the Federation Service at adfs.domain.com. The error message is 'An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.'.

    User Action
    Make sure that the Federation Service is running. Troubleshoot network connectivity. If the trust between the federation server proxy and the Federation Service is lost, run the Federation Server Proxy Configuration Wizard again.

    We did the following to troubleshoot the issue:

    1. Checked the certificates. All are still valid.
    2. Restarted the federation service.
    3. On the Federation Proxy, I ran the Federation Server Proxy Configuration Wizard with success, but still got the "not able to retrieve the list of endpoints" error.

    Any help to solve these two events is greatly appreciated.

    Regards,

    Liendley

    Monday, May 9, 2011 11:50 AM

Answers

  • Hi Liendley

    I haven't encountered those event ID problems myself but have been doing a lot of ADFS troubleshooting over the last few weeks.

    Here are some suggestions on what to check, even if they are possibly not relevant:

    1. Make sure that the ADFS service account is in the Local Administrators group.

    2. In the ADFS 2.0 Snap In, right click the ADFS 2.0 node and select Edit Federation Server Properties. Make sure the federation service identifier is correct and that it starts with http, not https. It should be something like http://adfshostname.yourdomainname.com/adfs/services/trust

    Piley

     


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    • Marked as answer by Liendley Tuesday, May 10, 2011 6:49 AM
    Monday, May 9, 2011 12:10 PM
  • I logged a case with Microsoft Support. After some troubleshooting we concluded that it is safe to ignore this warning. Quote from the Microsoft engineer:

    The ADFS 143 error message you are seeing is an informative event and related to failure to download the metadata, in your case most likely caused by a user manually trying to download it with IE ESC enabled. Users should not need to download the metadata.

    I.e. it's a non-issue.

    Thank you to all who contributed to the solution of the issues.

    Regards,

    Liendley


    • Marked as answer by Liendley Wednesday, July 6, 2011 9:48 AM
    Wednesday, July 6, 2011 9:48 AM

All replies

  • and when you got it working - remove the account again from the admins group because it is not necessary - and dangerous as well.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, May 9, 2011 1:26 PM
  • Hi Piley,

     

    Thank you for replying on my post.

    1. I added the service account to the local admin group, restarted the "AD FS 2.0 Windows Service". I still get event id 143.

    2. Do you have any official links about this? AD FS 2.0 has been set up for a few months now. The events started to appear a few weeks ago.

    Regards

    Liendley

     

    Monday, May 9, 2011 1:27 PM
  • and when you got it working - remove the account again from the admins group because it is not necessary - and dangerous as well.
    Dominick Baier | thinktecture | http://www.leastprivilege.com


    Hi Dom

    Can you clarify why it's dangerous?

    We have a service account for ADFS and it has to be in the local admin group of the ADFS server or we hit problems.

    Piley

     


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, May 9, 2011 1:28 PM
  • Hi Liendley

    I can only speak from experience so far.

    I have found this guide very helpful too:

    http://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check(WS.10).aspx

     

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, May 9, 2011 1:31 PM
  • For the same reason you would not run a web app as admin (if you don't have to) - to reduce the attack surface of the service.

    My ADFS runs as Network Service - and that's working fine.


    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, May 9, 2011 1:59 PM
  • Thanks Dom, that makes sense.

    The Network Service account does not have enough privs to access information from AD across domains. I'll find out how we can give the service account enough privs without having it in the local admin group - but for now I have no choice.


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, May 9, 2011 2:02 PM
  • Hi Piley,

     

    I did the checks. I don't have the 'card' node from the following check:

    In the Internet Information Services (IIS) Manager dialog box, in the Connections pane, expand your computer name, expand Sites, and then expand Default Web Site.

    Verify that the adfs node exists, and then expand it to verify that the card and ls nodes appear as well.

    Only the 'ls' node is present.

     

    Liendley

     

    Monday, May 9, 2011 2:07 PM
  • Hi Piley,

     

    I did the checks. I don't have the 'card' node from the following check:

    In the Internet Information Services (IIS) Manager dialog box, in the Connections pane, expand your computer name, expand Sites, and then expand Default Web Site.

    Verify that the adfs node exists, and then expand it to verify that the card and ls nodes appear as well.

    Only the 'ls' node is present.

     

    Liendley

     


    I don't have the card node either - never found out if it's important.
    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, May 9, 2011 2:08 PM
  • Does anyone know what this means?

     

    Exception details:
    System.Net.HttpListenerException: The specified network name is no longer available

    at System.Net.HttpResponseStream.Write(Byte[] buffer, Int32 offset, Int32 size)
    at Microsoft.IdentityServer.Service.FederationMetadata.SamlMetadataListener.OnGetContext(IAsyncResult result)

    Monday, May 9, 2011 2:08 PM
  • card has been removed in the RTM version of ADFS2 - so don't worry about it.
    Dominick Baier | thinktecture | http://www.leastprivilege.com
    Monday, May 9, 2011 2:09 PM
  • Did you change your ADFS server name?

    Is the federation service name correct?


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, May 9, 2011 2:11 PM
  • card has been removed in the RTM version of ADFS2 - so don't worry about it.
    Dominick Baier | thinktecture | http://www.leastprivilege.com

    Thank you for the reply Dominick. One less thing to worry about :)
    Monday, May 9, 2011 2:12 PM
  • Did you change your ADFS server name?

    Is the federation service name correct?


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.

    No I did not change any ADFS settings.
    Monday, May 9, 2011 2:15 PM
  • I found a Microsoft wiki article about the Federation proxy error.

     

    http://social.technet.microsoft.com/wiki/contents/articles/ad-fs-2-0-federation-server-proxy-servers-fail-to-authenticate-users-events-248-and-996-logged.aspx

     

    I changed the Federation Service Identifier to begin with http:// and the error is gone.

     

    Thank you Piley for your help.

     

    I am still on the issue with the federation server. I will post my findings as soon as possible.

    Tuesday, May 10, 2011 6:51 AM
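    Added example, not from the thread: a PowerShell check for the Federation Service Identifier scheme that the event 248 fix above depends on, plus a comparison with the entityID published in FederationMetadata.xml. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) and the Get-ADFSProperties/Set-ADFSProperties cmdlets; the metadata sample is constructed.

```powershell
# Added example, not from the thread: check that the Federation Service Identifier
# uses the http:// scheme (the event 248 fix above) and compare it with the entityID
# published in FederationMetadata.xml. Assumes the AD FS 2.0 PowerShell snap-in
# (Microsoft.Adfs.PowerShell); the metadata sample below is constructed.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Test-FederationIdentifier {
    param([string]$Identifier, [string]$MetadataXml)
    $uri      = New-Object System.Uri($Identifier)
    $entityId = ([xml]$MetadataXml).EntityDescriptor.entityID
    New-Object PSObject -Property @{
        Identifier        = $Identifier
        SchemeIsHttp      = ($uri.Scheme -eq 'http')    # AD FS 2.0 expects http://, not https://
        PublishedEntityId = $entityId
        EntityIdMatches   = ($entityId -eq $Identifier) # relying parties key on this value
    }
}

# Constructed sample: a copy of the metadata a partner downloaded earlier
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.domain.com/adfs/services/trust" />
'@

# Identifier set with https://: SchemeIsHttp and EntityIdMatches both come back False
Test-FederationIdentifier -Identifier 'https://adfs.domain.com/adfs/services/trust' -MetadataXml $sampleMetadata
# Identifier with the http:// scheme the thread settled on: both True
Test-FederationIdentifier -Identifier 'http://adfs.domain.com/adfs/services/trust' -MetadataXml $sampleMetadata

# Live check on a federation server, then the same correction the thread applied, via the snap-in
$props = Get-ADFSProperties
$url   = "https://$($props.HostName)/FederationMetadata/2007-06/FederationMetadata.xml"
$live  = (New-Object System.Net.WebClient).DownloadString($url)
$check = Test-FederationIdentifier -Identifier ([string]$props.Identifier) -MetadataXml $live
if (-not $check.SchemeIsHttp) {
    # The identifier is the entityID every relying party trust references; update those trusts as well
    Set-ADFSProperties -Identifier "http://$($props.HostName)/adfs/services/trust"
}
```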
  • Glad that fixed the one error.

    Let us know if you sort the other one or if any other errors appear.

    I'll post some more ideas if anything comes up.


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Tuesday, May 10, 2011 7:08 AM
  • Hi,

     

    I checked all possible solutions mentioned here but I'm still getting this strange warning.

    This warning only occurs when I configure the ADFS Proxies.

    Without any proxies configured, this warning does not occur.

     

    Did anyone get rid of this nasty warning ?

     

    Thanks  :)

    Tuesday, July 5, 2011 1:49 PM
  • For anyone still interested; I started to get this same error after Load Balancing / Proxying my ADFS 3.0 farm with Citrix NetScaler. I have a Service Monitor in my Load Balancer which tries to GET the HTTPS header of /FederationMetadata/2007-06/FederationMetadata.xml.

    There is probably another way of creating a monitor but this was the problem in my case. On the other hand it is an irrelevant Warning message but quite annoying because it fills the log.

    Tuesday, May 3, 2016 6:10 PM
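    Added example, not from the thread: PowerShell that separates the two causes discussed here (a periodic load-balancer probe versus a one-off manual download) by the cadence of event 143, and a probe that reads the whole metadata document so the server's write completes. It assumes the AD FS 2.0 admin log is named 'AD FS 2.0/Admin'; the 5-second jitter threshold is a constructed choice.

```powershell
# Added example, not from the thread: look at the cadence of event 143 to tell a
# periodic monitor (the NetScaler case above) from a one-off manual download, and
# probe the metadata endpoint as a real client would (full GET, body read to the end).
# Assumes the AD FS 2.0 admin log 'AD FS 2.0/Admin'; the 5-second threshold is constructed.

function Get-MetadataFailureCadence {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 143; StartTime = $since } -ErrorAction SilentlyContinue | Sort-Object TimeCreated)
    if ($events.Count -lt 2) { return "Fewer than two event 143 entries since $since" }
    # Seconds between consecutive events; a load-balancer probe yields an almost constant gap
    $gaps  = 1..($events.Count - 1) | ForEach-Object {
        ($events[$_].TimeCreated - $events[$_ - 1].TimeCreated).TotalSeconds
    }
    $stats = $gaps | Measure-Object -Average -Minimum -Maximum
    New-Object PSObject -Property @{
        Count         = $events.Count
        AvgGapSec     = [math]::Round($stats.Average, 1)
        MinGapSec     = [math]::Round($stats.Minimum, 1)
        MaxGapSec     = [math]::Round($stats.Maximum, 1)
        LooksPeriodic = (($stats.Maximum - $stats.Minimum) -lt 5)   # regular cadence: a monitor, not a user
    }
}

# A probe that drops the connection before the body is read (the header-only monitor above)
# is what leaves the server with the HttpListenerException logged as event 143.
# This one reads the whole document and validates it, so it doubles as a real health check.
function Test-FederationMetadata {
    param([string]$FederationServiceName)
    $url  = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
    $req  = [System.Net.HttpWebRequest]::Create($url)
    $req.Method  = 'GET'
    $req.Timeout = 15000
    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()      # read to the end; do not close early
        $xml    = [xml]$body
        New-Object PSObject -Property @{
            StatusCode = [int]$resp.StatusCode
            EntityId   = $xml.EntityDescriptor.entityID
            Bytes      = $body.Length
        }
    } finally { $resp.Close() }
}

Get-MetadataFailureCadence -Hours 24
Test-FederationMetadata -FederationServiceName 'adfs.domain.com'   # hostname from the thread
```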