ACS Error Codes
Updated: June 19, 2015
Applies To: Azure
This topic includes the most common error messages that might be encountered when using Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) and the actions required to fix the error, when applicable. For information about how to provide custom error handling based on the error codes, see How to: Use an Error URL for Custom Error Handling.
Important
ACS namespaces can migrate their Google identity provider configurations from OpenID 2.0 to OpenID Connect. Migration must be completed before June 1, 2015. For detailed guidance, see Migrating ACS Namespaces to Google OpenID Connect.
Important
Do not use ACS error codes or descriptions in application logic. When writing error-handling code, branch on the HTTP status code of the response instead. ACS error codes and error descriptions can change at any time without warning. For more information, see ACS Retry Guidelines and ACS Service Limitations.
Active Federation Protocol Errors, Including SOAP and WS-Trust
ACS Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS10000 | 400 | An error occurred while processing the SOAP message | Details are in the message. |
ACS10001 | 400 | An error occurred while processing the SOAP header | Details are in the message. |
ACS10002 | 400 | An error occurred while processing the SOAP body | Details are in the message. |
ACS10003 | 400 | An error occurred while processing the security header | Details are in the message. |
WS-Federation Protocol Errors, Including Federation Metadata
The errors in this section are related to the WS-Federation protocol and to WS-Federation metadata.
To generate a valid WS-FederationMetadata.xml file, use FedUtil or the Identity and Access tool in Visual Studio 2012. The ACS Management Portal also generates a WS-Federation metadata document for each Access Control namespace. To view it, in the ACS Management Portal, click Application integration.
To customize WS-Federation metadata, use the classes in the Microsoft.IdentityModel.Protocols.WSFederation.Metadata namespace.
For the OASIS standard WS-Federation metadata XML schema specification, see Section 3 of the Web Services Federation Language (WS-Federation) Version 1.2 standard at http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174942.
For more information about particular errors and their resolution, see the entries in this table.
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS20000 | 400 | An error occurred while processing a WS-Federation sign-in request | Details are in the message. |
ACS20001 | 400 | An error occurred while processing a WS-Federation sign-in response | Details are in the message. |
ACS20002 | 400 | An error occurred while attempting to generate federation metadata | More details might be found in the message. Verify that there is a primary token signing certificate in your Access Control namespace. |
ACS20003 | 400 | An error occurred while attempting to import federation metadata | More details might be found in the message. Make sure that the metadata URL or the metadata file is valid. |
ACS20004 | | Cannot retrieve the entity from the metadata | Make sure that the metadata file contains an entity ID. |
ACS20005 | | Multiple metadata entities are not supported | Ensure that the federation metadata contains exactly one entity. |
ACS20006 | | No security token service descriptors were found | Ensure that the federation metadata contains exactly one security token service descriptor. |
ACS20007 | | Multiple security token service descriptors are not supported | Ensure that the federation metadata contains exactly one security token service descriptor. |
ACS20008 | 400 | Only identity providers that support WS-Federation can be imported. | Ensure that the federation metadata contains a RoleDescriptor of type "fed:SecurityTokenServiceType". |
ACS20009 | 400 | An error occurred reading the WS-Federation metadata document | ACS was unable to parse the provided metadata document, so it may be invalid. You can validate your document by running it through Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata(). |
ACS20010 | | No application service descriptors were found | Make sure that the metadata file contains an application service descriptor. |
ACS20011 | | Multiple application service descriptors are not supported | Make sure that the metadata file contains only one application service descriptor. |
ACS20012 | 400 | Incoming request is not a valid WS-Federation request | Ensure that the request is a valid WS-Federation sign-in request or sign-in response and that it contains all of the required parameters. |
ACS20014 | 400 | The WS-Federation metadata document is not well-formed XML | This error occurs when the XML in the WS-Federation metadata document is not syntactically correct, such as when the document has extra or missing brackets or tags. It occurs most often when you attempt to create or edit a WS-FederationMetadata.xml document manually. This error is not related to compliance with the metadata XML schema. To resolve this error, use an XML validator tool, such as the tools in Visual Studio or XML Notepad 2007. |
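The remedies in this table amount to a short list of preconditions on the metadata document: it must be well-formed XML (ACS20014), carry exactly one entity with an entityID (ACS20004, ACS20005), and describe exactly one security token service, expressed as a RoleDescriptor whose xsi:type is fed:SecurityTokenServiceType (ACS20006 to ACS20008). The Python below is an added example, not code from this page or from Microsoft, that runs those checks locally before you hand a document to ACS. The sample document, the host sts.example.test and the function names are constructed for the example. It compares only the local part of the xsi:type value because ElementTree does not resolve namespace prefixes inside attribute values, and it is not a replacement for MetadataSerializer.ReadMetadata() or schema validation.

```python
"""Pre-import checks for WS-Federation identity provider metadata (added example)."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"           # EntityDescriptor, RoleDescriptor
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"     # xsi:type
STS_TYPE = "SecurityTokenServiceType"   # local name of an identity provider's RoleDescriptor type


def _xsi_type_local(role):
    """Local part of the RoleDescriptor's xsi:type, e.g. 'SecurityTokenServiceType'.

    ElementTree leaves attribute values as raw text, so 'fed:SecurityTokenServiceType'
    is reduced to its local name rather than resolved against the xmlns:fed declaration."""
    qname = role.get("{%s}type" % XSI_NS, "")
    return qname.split(":", 1)[-1]


def check_idp_metadata(xml_text):
    """Return the list of problems that would stop ACS importing this document as an
    identity provider. An empty list means every check implied by the table passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Syntax, not schema: the same distinction the ACS20014 remedy draws.
        return ["document is not well-formed XML: %s" % exc]

    # Accept a bare EntityDescriptor or an EntitiesDescriptor wrapper.
    if root.tag == "{%s}EntityDescriptor" % MD_NS:
        entities = [root]
    else:
        entities = root.findall(".//{%s}EntityDescriptor" % MD_NS)

    problems = []
    if not entities:
        return ["no EntityDescriptor found"]
    if len(entities) > 1:
        problems.append("multiple metadata entities are not supported (%d found)" % len(entities))
    entity = entities[0]
    if not entity.get("entityID"):
        problems.append("EntityDescriptor has no entityID")

    roles = entity.findall("{%s}RoleDescriptor" % MD_NS)
    sts_roles = [r for r in roles if _xsi_type_local(r) == STS_TYPE]
    if not sts_roles:
        if roles:
            found = ", ".join(_xsi_type_local(r) or "untyped" for r in roles)
            problems.append("no RoleDescriptor of type fed:SecurityTokenServiceType (found: %s)" % found)
        else:
            problems.append("no security token service descriptor found")
    elif len(sts_roles) > 1:
        problems.append("multiple security token service descriptors are not supported")
    return problems


# Constructed sample in the shape ADFS-style federation metadata takes; not a real endpoint.
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    entityID="http://sts.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:PassiveRequestorEndpoint>
      <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
        <Address>https://sts.example.test/adfs/ls/</Address>
      </EndpointReference>
    </fed:PassiveRequestorEndpoint>
  </RoleDescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    variants = {
        "good": GOOD_METADATA,
        "no entityID": GOOD_METADATA.replace('entityID="http://sts.example.test/adfs/services/trust"', ""),
        "relying party, not IdP": GOOD_METADATA.replace("SecurityTokenServiceType", "ApplicationServiceType"),
        "truncated": GOOD_METADATA[:200],
    }
    for name, doc in variants.items():
        print("%-24s %s" % (name, check_idp_metadata(doc) or "OK"))
```

Running it on the constructed variants separates the one syntax failure (truncated document) from the content failures, which is the triage the ACS20014 remedy asks for: an XML validator fixes the first kind, editing the descriptors fixes the second.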
OpenID Protocol Errors
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS30000 | 400 | There was an error processing an OpenID sign-in response. | Details are in the message. |
ACS30001 | 400 | Unable to verify the OpenID response signature. | The OpenID signature was invalid or rejected by the identity provider. Ensure that the message was not tampered with. |
Facebook Graph Protocol Errors
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS40000 | 400 | An error occurred while processing a Facebook sign-in response. This may be caused by invalid configuration of the Facebook application. | Verify that the Application ID and Secret configured on ACS match the same values in the Facebook developer portal. |
ACS40001 | 400 | An error occurred while attempting to get an access token from Facebook. | Make sure that the application ID and the application secret that were configured via ACS are valid. |
General Security Token Service Errors, Including Identity Provider Metadata
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS50000 | | There was an error issuing a token. | Details are in the message. |
ACS50001 | 400 | Requested relying party realm '<Realm URL>' is unknown. | There was a mismatch between the AppliesTo given in the token request and the realms you have configured in ACS. Check that: (1) your relying party has its realm configured correctly; you can do this through the Management Portal or using the Management Service, by looking at your RelyingParty.RelyingPartyAddresses entries; (2) your relying party has been associated with the identity provider; you can also do this from the Management Portal or using the Management Service, by looking at your RelyingPartyIdentityProviders entries. |
ACS50002 | 400 | Invalid service configuration. (Details are in the message.) | Details are in the message. |
ACS50003 | 400 | No primary symmetric signing key is configured. A symmetric signing key is required for SWT. | If the chosen relying party uses SWT as its token type, verify that a symmetric key is configured for the relying party or the Access Control namespace, and that the key is set to primary and within its validity period. |
ACS50004 | 400 | No primary X.509 signing certificate is configured. A signing certificate is required for SAML. | If the chosen relying party uses SAML as its token type, ensure that a valid X.509 certificate is configured for the relying party or the Access Control namespace. The certificate must be set to primary and must be within its validity period. |
ACS50005 | 400 | Token encryption is required but no encrypting certificate is configured for the relying party. | Either disable token encryption for the chosen relying party or upload an X.509 certificate to be used for token encryption. |
ACS50006 | 403 | Signature verification failed. (There may be more details in the message.) | Ensure that the verification keys that were configured via ACS are valid. |
ACS50007 | 400 | Signature not found. | Make sure that the incoming token is signed and valid. |
ACS50008 | 401 | SAML token is invalid. (There may be more details in the message.) | For more information, see How to Fix Error ACS50008. |
ACS50009 | 401 | SWT token is invalid. (There may be more details in the message.) | Details are in the message. |
ACS50010 | 403 | Audience URI validation failed. (There may be more details in the message.) | Make sure that the Audience of the incoming token is set to https://yournamespace.accesscontrol.windows.net. |
ACS50011 | 400 | The ReplyTo address is missing or does not match the realm. | In order to work with WS-Federation, a relying party must have at least one ReplyTo address configured. |
ACS50012 | 401 | Authentication failed. (There may be more details in the message.) | When a multi-tenant application tries to acquire a token to access the Graph API for an Azure AD tenant that has recently consented to the application, the token request might fail temporarily with error ACS50012. To resolve the problem, wait a few minutes and try again. Or, have the tenant administrator who provided consent log on to the application after consenting. |
ACS50013 | 400 | The number of segments in the URI value is more than the maximum acceptable number of path segments. | Make sure that the number of segments in the URI value is equal to or less than 32. |
ACS50014 | 400 | Self-asserted claims are not allowed for service and management identities. | Ensure that your service identity authentication token contains either no claims or only the name identifier claim. |
ACS50015 | 400 | An error occurred while attempting to get identity provider metadata. | More details might be found in the message. Make sure that the metadata URL or file is valid. |
ACS50016 | 400 | X509Certificate with subject '<Certificate subject name>' and thumbprint '<Certificate thumbprint>' does not match any configured certificate. | Ensure that the requested certificate has been uploaded to ACS. |
ACS50017 | 401 | The certificate with subject '<Certificate subject name>' and issuer '<Issuer name>' failed validation. | Ensure that the certificate is either self-signed or that it chains to a trusted root certification authority. The certificate must also not be revoked and must be within its validity period. For more information, see How to Fix Error ACS50017. |
ACS50018 | 400 | Missing realm. The name of the relying party was not specified. | Ensure that the request contains a realm. |
ACS50019 | 401 | Sign-in was canceled by the user. | |
ACS50020 | 401 | User is unauthorized. | |
ACS50022 | 400 | Callback parameter value '<Function name>' is not a valid JavaScript function name. | Ensure that the specified callback parameter is a valid JavaScript function name. Valid JavaScript function names contain only letters, digits, and the ‘$’ and ‘_’ characters, and may not start with a digit. Unicode characters in function names are not supported. |
ACS50026 | | Principal with name 'name' is not a valid principal. | This error indicates that an attempt to find an entity by the specified name has failed because the entity is not known to ACS. This entity could be a service identity, a relying party application, or an identity provider, depending on the scenario. Verify that this entity exists in your Access Control namespace. |
ACS50042 | 401 | The salt required to generate a pairwise identifier is missing. If this application has been recently registered, wait for a few minutes before retrying. | If you try to log in to an application immediately after adding it to Azure AD, the log-in attempt might fail until the pairwise keys are synchronized. Wait a few minutes and try to log in again. For more information, see ACS Retry Guidelines. |
Rules Engine, Data, and Management Service Errors
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS60000 | 403 | Policy engine error | Details are in the message. |
ACS60001 | | No output claims were generated during rules processing. | The rule group(s) associated with the chosen relying party contain no rules that are applicable to the claims generated by your identity provider. Configure some rules in a rule group associated with your relying party or generate pass-through rules using the rule group editor. |
ACS60002 | 403 | The quota for the number of token requests has been reached and no more may be requested. | |
ACS60003 | 403 | Cannot modify a read-only property. | Certain built-in ACS objects cannot be modified or deleted. |
ACS60004 | 409 | Version conflict | A version conflict error can be received when trying to update the name of a relying party, identity provider, service identity, or issuer to be the same name as another relying party, identity provider, service identity, or issuer. To resolve the issue, choose a different unique name. |
ACS60005 | 400 | Attempted to add a child object with an invalid or missing parent. | For child objects, such as addresses, ensure that the parent object or object ID is valid and of the correct type. |
ACS60006 | 400 | Attempted to insert a new copy of an object that already exists in the database. | The object that you are attempting to insert violates a uniqueness constraint. Ensure that the object’s properties, such as name and address, are unique if required. |
ACS60007 | 400 | Invalid X.509 certificate | Ensure that the provided bytes are a valid X.509 certificate. |
ACS60008 | | Unable to find a unique name for this <object type>. | |
ACS60012 | | The number of input claims (#) exceeds the limit (80). | Your incoming token must have 80 claims or fewer in order for ACS to process them and then successfully issue an outgoing token. |
ACS60021 | 503 | Service unavailable | The token request is rejected because ACS data servers are busy responding to token requests from all namespaces. Wait a few seconds and retry the requests over increasing time intervals. For more information, see ACS Retry Guidelines. |
OAuth 2.0 Protocol Errors
Error | HTTP Status Code | Message | Action required to fix the error |
---|---|---|---|
ACS70000 | 401 | The provided access grant is invalid, expired or revoked. | Details are in the message. |
ACS70001 | 401 | The client is unauthorized. | |
ACS70002 | 401 | Invalid client. | |
ACS70003 | 401 | The access grant included is not supported by the authorization server. | |
ACS Management Portal Errors
Error | HTTP Status Code | Message | Action required to fix the error |
---|---|---|---|
ACS80001 | 404 | This rule is configured to use a Claim Issuer type that is not supported by the management portal. Please use the management service to view and edit this rule. | This error occurs if a rule is configured to use an Issuer that is not an identity provider or the Access Control Service “LOCAL AUTHORITY” issuer. For details on how to use the ACS Management Service, see ACS Management Service. |
Other Errors
Error | HTTP Status Code | Message | Remedy |
---|---|---|---|
ACS90002 | 404 | The service namespace name in the URL is invalid. | Verify that the requested Access Control namespace exists. |
ACS90004 | 400 | The request is not properly formatted. | |
ACS90005 | 502 | External server error. (More details may be found in the message.) | An error occurred during communication with an external server, such as an identity provider. |
ACS90006 | 504 | External server timeout. | Communication timed out while communicating with an external server, such as an identity provider. |
ACS90007 | 405 | Request method not allowed. | Ensure that the HTTP method (such as GET or POST) used is supported by that endpoint. |
ACS90008 | 403 | The tenant is disabled. | Make sure that your Access Control namespace is active. |
ACS90009 | 404 | No <object> was found for the given ID. | Details are in the message. |
ACS90010 | 400 | Not supported. (More details may be found in the message.) | Details are in the message. |
ACS90011 | 400 | Invalid request. (More details may be found in the message.) | Details are in the message. |
ACS90012 | 408 | The request to the server timed out. | Details are in the message. |
ACS90013 | 400 | Invalid user input. (More details may be found in the message.) | Details are in the message. |
ACS90014 | 400 | The required field '<Field>' is missing. | Make sure that your request to ACS contains all parameters that are required by the protocol that you are using. |
ACS90015 | 403 | Not authorized: Service keys are restricted for this Tenant. | ACS will not display keys belonging to the ServiceBus and Cache namespaces. To view these keys, use the ServiceBus or Cache portal. |
ACS90016 | 400 | '<Key size>' bits is an invalid key size. Key size must be greater than 0 and a multiple of 8. | |
ACS90046 | 503 | Service unavailable | The token request is rejected because ACS is busy responding to token requests from all namespaces. Wait a few seconds and retry the requests over increasing time intervals. For more information, see ACS Retry Guidelines. |
ACS90055 | 429 | Too many requests | The token request is rejected because this namespace exceeded the maximum token request rate of 30 tokens per second for a prolonged period. Wait a few seconds and retry the requests over increasing time intervals. If the error recurs, consider redistributing the workload over multiple namespaces. For more information, see ACS Service Limitations. |
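The Important note at the top of this topic and the 503 (ACS60021, ACS90046) and 429 (ACS90055) rows together describe one client behaviour: decide what to do from the HTTP status, retry only the transient statuses with increasing intervals, and treat the ACSnnnnn code as something to log rather than branch on. The Python below is an added example of that handler; it is not code from this page or from an ACS client library. The `send()` callable, the `scripted()` replay helper and the sample response bodies are constructed for the example (the real body format is not shown on this page), and treating 408, 502 and 504 as transient alongside 503 and 429 is a design choice of the example rather than a rule stated here.

```python
"""Handle ACS token-endpoint failures by HTTP status, never by ACS error code (added example)."""
import random
import re
import time

# The ACS code is extracted for diagnostics only; nothing below branches on it.
ACS_CODE_RE = re.compile(r"\bACS ?\d{5}\b")

# 503 and 429 are the throttling responses the tables describe. Adding 408, 502 and 504
# (request timeout, external server error/timeout) is this example's own choice.
RETRYABLE = frozenset({408, 429, 502, 503, 504})


def diagnostic_code(body):
    """Return the ACSnnnnn code found in a response body for logging, or None if absent."""
    m = ACS_CODE_RE.search(body or "")
    return m.group(0).replace(" ", "") if m else None


def classify(status):
    """Map an HTTP status to 'ok', 'retry' or 'fail'.

    400/401/403 mean a configuration or credential problem (realm, key, certificate,
    client), so retrying them only adds load to a throttled namespace."""
    if 200 <= status < 300:
        return "ok"
    if status in RETRYABLE:
        return "retry"
    return "fail"


def backoff_seconds(attempt, retry_after=None, base=1.0, cap=30.0, rng=random):
    """Delay before retry number `attempt` (1-based): honour a Retry-After header when
    present, otherwise capped exponential backoff with full jitter."""
    if retry_after is not None:
        return float(retry_after)
    return rng.uniform(0.0, min(cap, base * 2 ** (attempt - 1)))


def request_token(send, max_attempts=5, sleep=time.sleep, log=print, rng=random):
    """Call send() -> (status, headers, body) until a 2xx arrives.

    Transient statuses are retried over increasing intervals; any other failure raises at
    once. `sleep`, `log` and `rng` are injectable so the logic can run without waiting."""
    status = body = None
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        verdict = classify(status)
        if verdict == "ok":
            return body
        log("ACS request failed: HTTP %d, code %s, attempt %d/%d"
            % (status, diagnostic_code(body), attempt, max_attempts))
        if verdict == "fail":
            raise RuntimeError("non-retryable ACS response HTTP %d: %s" % (status, body))
        if attempt < max_attempts:
            sleep(backoff_seconds(attempt, headers.get("Retry-After"), rng=rng))
    raise RuntimeError("gave up after %d attempts; last response HTTP %d: %s"
                       % (max_attempts, status, body))


def scripted(responses):
    """Return a fake send() that replays constructed (status, headers, body) tuples in order."""
    it = iter(responses)
    return lambda: next(it)


# Constructed responses modelled on the message column above; the real ACS body format
# is not documented on this page, so only the status and the ACS code are relied upon.
SAMPLE_RESPONSES = [
    (503, {}, "ACS90046: Service unavailable."),
    (429, {"Retry-After": "2"}, "ACS90055: Too many requests."),
    (200, {}, '{"access_token": "<token>", "token_type": "bearer"}'),
]

if __name__ == "__main__":
    body = request_token(scripted(SAMPLE_RESPONSES), sleep=lambda s: print("sleeping %.2fs" % s))
    print("issued:", body)
```

On the scripted sample the handler sleeps twice (a jittered first delay, then the two seconds the constructed Retry-After header asked for) and returns the token on the third attempt; a 401 such as ACS50012 raises immediately, with the code in the log line for the operator and nowhere in the control flow.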