Event ID 727 — Trust Policy and Configuration

Applies To: Windows Server 2008

The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.

Event Details

Product: Windows Operating System
ID: 727
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: LdapShouldBeOverSslForAdamStores
Message: The Federation Service has detected that Secure Sockets Layer (SSL) is not enabled for communication between this federation server and the server hosting the Active Directory Lightweight Directory Services (AD LDS) account store, identified by URI: %1, that you specified in the trust policy. Although communications between a federation server and an AD LDS server will be successful when a secure channel has not been established, we recommend that you configure the properties of your AD LDS account store using SSL unless this communication has already been secured by other means, such as Internet Protocol security (IPsec).

User Action
Ensure that communication between this federation server and the AD LDS server is secure. You can use the Active Directory Federation Services snap-in to edit the properties of your AD LDS account stores and configure them to use a secure channel. To enable this configuration, select the Enable Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols check box in the properties for each AD LDS account store in the trust policy.

Resolve

Enable TLS and SSL configuration in the trust policy

Ensure that communication between this federation server and the Active Directory Lightweight Directory Services (AD LDS) server is secure. You can use the Active Directory Federation Services snap-in to edit the properties of your AD LDS account stores and to configure them to use a secure channel. Before you enable the setting, confirm that the AD LDS instance is already serving LDAP over SSL: it needs a server authentication certificate that chains to a root trusted by the federation server and whose subject or subject alternative name matches the host name in the account store URI, and it must be listening on its SSL port. If either is missing, the federation server will be unable to bind to the account store once the secure channel is required.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To enable a secure-channel configuration:

  1. On the federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. In the console tree, under Federation Service\Trust Policy\My Organization\Account Stores, right-click the AD LDS account store, and then click Properties.
  3. Select the Enable TLS/SSL protocols check box, and then click OK.
  4. Repeat these steps for each AD LDS account store in the trust policy.

Verify

Verify that you can open the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the protected resource loads after authentication. Also check the event log on the federation server: once every AD LDS account store in the trust policy uses a secure channel, event ID 727 should no longer be logged for those stores.
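The steps above verify that the application works, not that the directory traffic is actually encrypted and authenticated. The following PowerShell script is added here as an example; it is not part of the original article or of AD FS. It opens an LDAP-over-SSL connection to the AD LDS instance exactly as the federation server would after the setting is enabled, and reports whether TLS negotiated, whether the server certificate chains to a trusted root, and whether its name matches the host you asked for. It assumes PowerShell 2.0 or later with the .NET System.DirectoryServices.Protocols assembly; the host name adlds01.corp.example.com and port 50001 are placeholders standing in for the host and port from the account store URI reported in event 727.

```powershell
# Added example (not from the original article): confirm that the AD LDS instance named
# in the trust policy accepts LDAP over SSL and presents a trustworthy certificate.
# Host name and port passed at the bottom are assumed values; replace them with the
# host and port from the account store URI in event 727.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdsSecureChannel {
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [Parameter(Mandatory = $true)][int]$Port
    )

    # One result object; the callback below fills it in by reference.
    $result = New-Object PSObject -Property @{
        Server = $Server; Port = $Port; SslNegotiated = $false; BindSucceeded = $false
        ChainTrusted = $false; NameMatches = $false; Subject = $null; Issuer = $null
        NotAfter = $null; Error = $null
    }

    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    $connection.SessionOptions.ProtocolVersion = 3
    $connection.SessionOptions.SecureSocketLayer = $true   # TLS on connect (LDAPS), the mode the trust policy setting enables
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous   # bind only drives the handshake
    $connection.Timeout = New-Object System.TimeSpan(0, 0, 10)

    # Inspect the server certificate during the handshake. Returning $false rejects it, so an
    # untrusted, expired or wrong-name certificate fails the check instead of being ignored.
    $connection.SessionOptions.VerifyServerCertificate = {
        param($conn, $rawCert)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rawCert)
        $result.SslNegotiated = $true
        $result.Subject  = $cert.Subject
        $result.Issuer   = $cert.Issuer
        $result.NotAfter = $cert.NotAfter

        # Chain validation against the local machine's trusted roots (also catches expiry).
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $result.ChainTrusted = $chain.Build($cert)

        # Host-name match: the requested server must appear in the subject CN/DNS name
        # or as a DNS entry of the subjectAltName extension (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += ($san.Format($false) -split ', ') | ForEach-Object { ($_ -split '=')[-1].Trim() }
        }
        $result.NameMatches = [bool]($names | Where-Object { $_ -ieq $Server })

        return ($result.ChainTrusted -and $result.NameMatches)
    }.GetNewClosure()

    try {
        $connection.Bind()
        $result.BindSucceeded = $true
    }
    catch [System.DirectoryServices.Protocols.LdapException] {
        # A rejected certificate, a plain LDAP port or a closed port all surface here.
        # If SslNegotiated is already $true, TLS itself worked and the failure is later.
        $result.Error = "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $connection.Dispose()
    }
    return $result
}

# Usage with assumed host and port; substitute the values from the account store URI.
$check = Test-AdLdsSecureChannel -Server 'adlds01.corp.example.com' -Port 50001
$check | Format-List Server, Port, SslNegotiated, ChainTrusted, NameMatches, BindSucceeded, Subject, Issuer, NotAfter, Error
if (-not ($check.SslNegotiated -and $check.ChainTrusted -and $check.NameMatches)) {
    Write-Warning "AD LDS account store $($check.Server):$($check.Port) is not ready for the TLS/SSL setting in the trust policy."
}
```

Run the script on the federation server itself, not on an administrator workstation, because the chain check uses the trusted roots of the machine it runs on and the federation server is the one that must trust the certificate. Revocation checking is disabled here so that the test does not fail on a lab server without reachable CRLs; switch RevocationMode to Online for a production check.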
