Event ID 608 — Federation Service Malformed Requests
Applies To: Windows Server 2008
Federation Service Malformed Requests logs information about incorrectly configured or missing data values that reside in the trust policy, along with information about client cookie issues and sign-on issues.
|Product:||Windows Operating System|
|Message:||A token request was received for an application with the Uniform Resource Locator (URL) '%1', but the request could not be fulfilled because the URL does not identify any known application.
This request will be failed.
If this URL should be handled, verify that it matches the URL for the application in the Federation Service trust policy. Hypertext Transfer Protocol (HTTP) URLs are matched according to a set of rules in the HTTP specification. Host names are case insensitive, but the path portion of the URL is matched in a case-sensitive manner.
Refer to Request for Comments (RFC) 2616 for HTTP URL matching rules.
Examine the URL of the application
If this Uniform Resource Locator (URL) should be handled, check that the return URL in the web.config file or on the ADFS Windows Token-Based Agent tab in Internet Information Services (IIS) for the application on the Web server matches exactly the URL for the application in the trust policy.
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check the return URL using IIS or the web.config file for a claims aware application:
- In Notepad or another text editor, open the web.config file that is in the Web application directory (typically \Inetpub\wwwroot\ApplicationName) on the Web server.
- Search for returnurl.
- Record the URL value, and compare it with the value in the Active Directory Federation Services snap-in.
To check the return URL for a Windows NT token-based application:
- Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
- Double-click ComputerName.
- Double-click Sites.
- Find the Virtual Directory where your Windows NT token-based application is created.
- Double-click the Authentication icon under the IIS settings.
- Click AD FS Windows Token-Based Agent.
- In the details pane, click Edit.
- Check the value of Return URL in the dialog box, and compare it with the value in the Active Directory Federation Services snap-in.
To check the URL for an application using the Active Directory Federation Services snap-in:
- Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
- Double-click Federation Service, double-click Trust Policy, double-click My Organization, and then double-click Applications.
- Right-click the application, and then click Properties.
- On the General tab, locate the Application URL value, and check that it is configured the same as the value previously discovered in the web.config file or on the ADFS Windows Token-Based Agent tab.
Hypertext Transfer Protocol (HTTP) URLs are matched according to a set of rules in the HTTP specification. Host names are case insensitive, but the path portion of the URL is matched in a case-sensitive manner. For HTTP URL matching rules, see Request for Comments (RFC) 2616 (http://go.microsoft.com/fwlink/?LinkId=29138).
Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.