Event ID 104 — Windows NT Token-Based Application Malformed Requests

Applies To: Windows Server 2008

Web Agent for Windows NT Token-Based Applications Malformed Requests logs token requests, session cookies, and sign-in requests that are associated with the Windows token-based agent. Malformed Requests also provides information about protocol requests that are made to the AD FS Web Agent and client cookies, and it records any sign-on issues.

Event Details

Product: Windows Operating System
ID: 104
Source: Microsoft-Windows-ADFS
Version: 6.0
Message: The AD FS Web Agent for Windows NT token-based applications encountered a serious error. The cookies that were presented by the client could not be validated.

This condition occurs when a client presents well-formed cookies that are not valid. If the client is known to be a valid user, this error might be caused by a transient issue. For instance, trust properties (for example, certificates) may have changed recently or revocation status may not be available from the certification authority.

User Action
Look for additional events in the security log that may contain more details. Consider enabling failure auditing on this Web server if auditing is not already enabled.


Look for additional events in log files for more details

Consider enabling failure auditing for the Windows NT token-based application to obtain more information about the issue.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To enable failure auditing for a Windows NT token-based application:

  1. On the AD FS-enabled Web server, open Regedit. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ifssvc.
  3. Right-click Parameters, click New, and then click DWORD Value.
  4. In the new value file name box, type ADFSEvent, and then press Enter.
  5. Double-click the new entry, and then in Value data, type 8, and then click OK to enable failure auditing.


Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

Windows NT Token-Based Application Malformed Requests

Active Directory Federation Services