Event ID 696 — AD FS Claim Transform Module
Applies To: Windows Server 2008 R2
You can use a claim transform module when existing claim rules are not sufficient to generate claims that meet user requirements. You configure a claim transform module in the custom module settings in the trust policy.
|Product:||Windows Operating System|
|Message:||An exception occurred during an attempt to connect to a remote custom transform module.
Remote config file: %4
This error may be caused by a non-Microsoft module that is not part of AD FS.
Configure the claim transform module
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
Make sure that you have performed the following steps for the claim transform module:
- Add the appropriate claim transform functionality to the CustomClaimMapper class in customclaimmapper\customclaimmapper.cs.
- Build the CustomClaimMapper and ListenerService projects. Note that, for this release, these projects should be built using the .NET Framework Version 2.0.
- Put the ListenerService.exe, CustomClaimMapper.dll, and listener.exe.config files (in the listenerservice directory) in a single folder on the Active Directory Federation Services (AD FS) computer. Do not put them in the same directory as FederationServerService.asmx. Do not install CustomClaimMapper.dll into the Global Assembly Cache (GAC).
- Put the customtransform.remoting.config file (in the customclaimmapper directory) in the same directory as the trust policy file.
- Install ListenerService.exe as a Windows service. Make sure that the service is running under the Network Service or Local System account.
- Start the service.
- Specify a custom claim mapper assembly. To do this, start the Active Directory Federation Services snap-in, right-click the Trust Policy folder, and then click Properties.
- Click the Transform Module tab, and then type the path of CustomClaimMapper.dll for the assembly and CustomClaimMapper as the name of the class. In other words, specify the claim mapper exactly as you would for an inproc assembly, for example:
- assembly: c:\adfs\customtransform\CustomClaimMapper.dll
- class: ClaimMapper.CustomClaimMapper
Contact the vendor or provider of the module for more information.
You use Active Directory Federation Services (AD FS) claim transform modules to modify claim names and values as they pass through the federation server. If you experience problems running a claim transform module, verify that the settings in the trust policy are configured appropriately.
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
To verify trust policy settings for a claim transform module:
- On the federation server whose transform module you want to change, click Start, point to Administrative Tools, and then click Active Directory Federation Services.
- Double-click Federation Service, right-click Trust Policy, and then click Properties.
- In the Trust Policy Properties dialog box, click the right arrow to scroll to the Transform Module tab, and then click the Transform Module tab.
- In DLL file, verify that the path to the dynamic-link library (DLL) file is correct.
- In Class name, verify that the namespace-qualified class name that the transform module will use is correct.
Also, in your AD FS scenario, click the Uniform Resource Locator (URL) of the configured Web server from the client computer, and the use the following procedure to check certain particular events.
To verify event details for a claim transform module:
On the account federation server, click Start, point to Administrative Tools, and then click Event Viewer.
Click Security, and in the details pane of the Success Audit events, locate Event ID 10550.
This event provides the details of the claims that have been sent by the account partner. Look for claims that are supposed to be modified by the custom claim transform module. If the modified claims are listed in the event, the claim transform module should work properly.