Event ID 721 — Trust Policy and Configuration
Applies To: Windows Server 2008 R2
The Active Directory Federation Services (AD FS) trust policy file defines the set of parameters that a Federation Service requires to identify partners, certificates, account stores, claims, and the various properties of these entities that are associated with the Federation Service.
|Product:||Windows Operating System|
|Message:||The Federation Service has encountered an error while loading the trust policy. An application has enhanced identity privacy enabled.
Application URL: %1
If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully.
This error should only occur if the trust policy file has been modified without use of the AD FS administrative tools. Disable enhanced identity privacy from the application in question.
Disable enhanced identity privacy for the application in question
This error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in. You can enable the enhanced identity privacy setting only on the federation resource partner. This is not a setting for applications. Disable enhanced identity privacy for the application in question.
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To disable enhanced identity privacy on a resource partner:
- In Notepad or another text editor, open the trustpolicy.xml file, which by default is in %systemdrive%\windows\systemdata\adfs.
- Change the value of the UseEnhancedIdentityPrivacy element from false to true.
- Save and close Notepad.
For more information about enhanced identity privacy, see Partner organizations (http://go.microsoft.com/fwlink/?LinkId=62227).
Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.