Event ID 687 — Claims-Aware Application Malformed Requests

Applies To: Windows Server 2008

Web Agent for Claims-Aware Applications Malformed Requests logs token requests, session cookies, and sign-in requests that are associated with the claims-aware agent. Malformed Requests also provides information about protocol requests that are made to the AD FS Web Agent and client cookies, and it records any sign-on issues.

Event Details

Product: Windows Operating System
ID: 687
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: SamlTokenNotFound
Message: A malformed protocol request was received by the AD FS Web Agent. The response contained no Security Assertion Markup Language (SAML) token.

This request will fail.

This situation can occur because of data corruption, data tampering, malfunctioning software, or interoperability failure.

User Action
If you are using non-Microsoft federation software in your environment, verify that the federation software is compatible with AD FS.

If this condition persists, consider enabling the AD FS troubleshooting log.


Use compatible federation software with AD FS

If you are using non-Microsoft federation software in your environment, check that the federation software is compatible with Active Directory Federation Services (AD FS). For software to be compatible with AD FS, it must comply with the WS-Federation Passive Requestor Profile (http://go.microsoft.com/fwlink/?LinkID=89387).

If this condition persists, enable the AD FS troubleshooting log. For more information about logging, see ADFS troubleshooting (http://go.microsoft.com/fwlink/?LinkId=64644).


Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If a failure occurs, verify that the web.config file is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the web.config file is configured with the correct Return URL value:

  1. On a resource federation server, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
  2. Double-click Federation Service, double-click Trust Policy, double-click My Organization, click Applications, right-click the application in the list that represents this claims-aware application, and then click Properties.
  3. Verify that the https value specified in Application URL (for example, https://www.treyresearch.net/ApplicationName/) is identical to the value specified between the returnurl tags within the web.config file.
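The comparison in step 3 can also be scripted. The following is an added example, not part of the original Microsoft documentation: it reads every returnurl element from a web.config and reports how each value differs from the Application URL copied from the snap-in. The function names and the sample file are constructed for illustration, and the element layout around returnurl is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample web.config. Only the <returnurl> element name comes from
# the page; the surrounding element layout is an assumption.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <websso>
      <urls>
        <returnurl>https://www.treyresearch.net/applicationname</returnurl>
      </urls>
    </websso>
  </system.web>
</configuration>"""

def find_return_urls(web_config_xml):
    """Return the text of every <returnurl> element, wherever it is nested."""
    root = ET.fromstring(web_config_xml)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.lower() == "returnurl"]

def explain_mismatch(application_url, return_url):
    """List why return_url is not identical to application_url ([] = identical)."""
    if application_url == return_url:
        return []
    app, ret = urlsplit(application_url), urlsplit(return_url)
    reasons = []
    if ret.scheme.lower() != "https":
        reasons.append("returnurl is not an https URL")
    if app.netloc.lower() != ret.netloc.lower():
        reasons.append("host or port differs")
    app_path, ret_path = app.path.rstrip("/"), ret.path.rstrip("/")
    if app_path.lower() != ret_path.lower():
        reasons.append("path differs")
    elif app_path != ret_path:
        reasons.append("path letter case differs")
    if app.path.endswith("/") != ret.path.endswith("/"):
        reasons.append("trailing slash differs")
    return reasons or ["values differ in some other way"]

def check_web_config(application_url, web_config_xml):
    """Map each returnurl found to its list of mismatch reasons."""
    urls = find_return_urls(web_config_xml)
    if not urls:
        return {"": ["no returnurl element found"]}
    return {u: explain_mismatch(application_url, u) for u in urls}

if __name__ == "__main__":
    app_url = "https://www.treyresearch.net/ApplicationName/"  # value from the snap-in
    for url, reasons in check_web_config(app_url, SAMPLE_WEB_CONFIG).items():
        print(url or "(none)", "->", reasons or "identical")
```

An empty reason list means the two values are identical, which is the condition step 3 asks for.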
