Event ID 680 — Client Certificate Authentication
Applies To: Windows Server 2008 R2
Clients can authenticate to a federation server by presenting a TLS/SSL client authentication certificate. Authentication succeeds when the federation server accepts a client authentication certificate that is presented through a federation server proxy. This event is logged when the Federation Service cannot load the AD FS authentication package that performs that certificate-based authentication.
Product: Windows Operating System
Message: The Federation Service was not able to communicate with the AD FS Authentication Package.
Until this situation is resolved, the Federation Service will not be able to authenticate Active Directory Domain Services users by using Transport Layer Security / Secure Sockets Layer (TLS/SSL) client certificates.
Check for the presence of the authentication package binary (ifsap.dll) in %systemroot%\system32. If it is not present, reinstall AD FS.
Check for the value "ifsap" in the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, value "Security Packages". If this value is absent, add it to the list, and then restart the computer.
The data field contains the NTSTATUS error code returned by LsaLookupAuthenticationPackage.
Check the authentication package binary
Check for the presence of the authentication package binary (ifsap.dll) in %systemroot%\system32. If the authentication package binary is not present, reinstall Active Directory Federation Services (AD FS).
Check for the entry ifsap in the Security Packages multi-string value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa. LSA lists security packages by module name without the .dll extension. If the entry is absent, add it to the list, and then restart the computer so that LSA loads the package.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To check the Lsa registry key:
Caution: Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data.
- On the federation server, click Start.
- In the Start Search text box, type regedit, and then press ENTER.
- Click the following key in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa, double-click Security Packages, and check that the entry ifsap is present in the Edit Multi-String dialog box. If it is not, add it on its own line.
- Click OK, and then close Registry Editor.
- Restart the computer.
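The same checks can be scripted instead of performed in Registry Editor. The following PowerShell script is an added example, not part of the original page or of AD FS itself. It assumes AD FS on Windows Server 2008 R2 with the authentication package at %systemroot%\system32\ifsap.dll and the LSA package name ifsap, and it must be run from an elevated session on the federation server. It refuses to register the package when the binary is missing (reinstall AD FS in that case), exports the Lsa key before touching it, and appends the package name to the existing multi-string rather than replacing it.

```powershell
# Added example (not from the original page). Assumes AD FS 1.x on Windows Server 2008 R2:
# binary %systemroot%\system32\ifsap.dll, LSA package name "ifsap" (Security Packages holds
# module names without the .dll extension). Run in an elevated PowerShell session.
$dll     = Join-Path $env:SystemRoot 'system32\ifsap.dll'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pkgName = 'ifsap'

# 1. Is the authentication package binary present? Registering a package whose
#    DLL is missing leaves LSA with a dangling entry, so stop here if it is absent.
if (-not (Test-Path -LiteralPath $dll)) {
    Write-Warning "$dll is missing. Reinstall AD FS; do not add '$pkgName' to Security Packages without the binary."
    return
}

# Show the Authenticode status so an unsigned or tampered copy is noticed before LSA loads it.
$sig = Get-AuthenticodeSignature -FilePath $dll
"Binary: $dll  Signature: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"

# 2. Is the package already registered with LSA?
$packages = (Get-ItemProperty -Path $lsaKey -Name 'Security Packages').'Security Packages'
"Current Security Packages: $($packages -join ', ')"

if ($packages -contains $pkgName) {
    "'$pkgName' is already registered. Decode the NTSTATUS in the event's data field instead."
    return
}

# 3. Back up the Lsa key, then append the package to the REG_MULTI_SZ value.
$backup = Join-Path $env:TEMP ('Lsa-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' $backup /y | Out-Null
"Registry backup written to $backup"

Set-ItemProperty -Path $lsaKey -Name 'Security Packages' -Value ($packages + $pkgName) -Type MultiString
"Added '$pkgName' to Security Packages. Restart the computer so LSA loads the package, then test TLS client-certificate sign-in."
```

Because LSA reads Security Packages only at startup, the change takes effect after a restart. If Event ID 680 is logged again after the restart with the binary and registry entry both in place, the NTSTATUS value in the event's data field is the next thing to examine.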
Verify that you can sign in to an Active Directory Federation Services (AD FS)-enabled application from a client browser using a TLS/SSL client certificate and that the protected resource is returned.