Troubleshooting: Windows NT Events

This topic provides descriptions of Microsoft® Windows NT® events specific to Microsoft® .NET Passport that can be generated on your server. It also provides troubleshooting tips, where applicable.

To go directly to the description of a particular event, click its MessageId number in the following list.

5000 | 5001 | 5002 | 5003 | 5004 | 5005 | 5006 | 5007 | 5008 | 5010 | 5011 | 5012 | 5013 | 5014 | 5015 | 5021 | 5023 | 5024 | 5100 | 5101 | 5102 | 5103 | 5104 | 5105 | 5108 | 5109

Note The symbol "$" in the following descriptions represents information specific to the message returned by the event.

5000

Passport Manager process started successfully.

5001

Passport Manager process was stopped.

5002

CCD Doc was successfully loaded.

This event fires each time the Partner.xml Component Configuration Document (CCD) is successfully loaded into memory.

5003

CCD Doc failed to load (Error $).

This event fires if Passport Manager is loaded by Microsoft® Internet Information Services (IIS) through an Active Server Pages (ASP) page, but the CCD failed to load. The "$" in the error message may be filled by a more specific code-based error number.

Check the version of Microsoft® Internet Explorer present on the server. The version of Msxml.dll may be incompatible with Passport Manager. You must do one of the following:

  • Uninstall Internet Explorer 5 and reinstall Internet Explorer 4.
  • Get the Msxml.dll file from the original Internet Explorer 4 installation, copy it over the Internet Explorer 5 version, and then register it (using Regsvr32.exe).
  • Get Internet Explorer version 5.01 or later.

If XML parsing is the problem, no other aspect of Passport Manager will work until this problem is corrected on the server.

Typically this event is accompanied by either event 5101 or event 5104.

5004

Invalid ticket presented on request.

5005

Invalid profile data was presented.

This event fires if the decrypted Profile or Ticket cookie or query string is not valid in its format.

It is not very likely that this is an indication of someone hacking Tickets or Profiles, because the cookie or query string could be properly decrypted, and it would be difficult to hack the encrypted text in such a way that the decryption was successful. This event may indicate problems with cookie-write operations on a client browser.

5006

Encryption key requested is invalid.

This event fires if Passport Manager receives Tickets or Profiles that are encrypted in a key that does not exist on the server at all. This might indicate a hacking attempt in which someone is attempting to use a Ticket or Profile written into another .NET Passport site (which uses a different key) and is sending it to your site on the query string.

Alternatively, this could come from a very old Ticket or Profile that is already two steps removed from the current encryption key. If the encryption key were only one step removed, but expired, event 5012 would fire instead.

5007

Passport Manager is misconfigured: $.

Misconfiguration could be a result of providing invalid method default values, either by direct registry editing or by using the Passport Manager Administration utility. Using the utility, try reentering existing or similar values for various fields and check the warnings and error messages issued for indications that you may have entered bad values.

Another event (5006, regarding an invalid encryption key) may accompany this one. If this is an isolated instance, you may have received a stray old Ticket or Profile and no action is required. If this occurs continuously, you may need to reinstall keys from the provided key installation program or contact your .NET Passport sales representative, as this may indicate a problem with key installation.

If this event is accompanied by event 5003, see specific steps for that error.

5008

Passport Manager configuration ok.

5010

LCID in domain map was invalid.

The locale ID (LCID) must be one that is recognized by Passport Manager. You may get this event from the Lang_ID parameter of a method call or if you are attempting to circumvent the Passport Manager Administration utility and set the default language/locale value in the registry incorrectly by hand.

5011

A new key has been installed.

Passport Manager has successfully written a new encryption key. Profiles and Tickets written with the old key can still be decrypted until that key's expiration date.

5012

Requested encryption key has expired.

A Ticket or Profile was received that was encrypted with the last previously installed key. This event is usually accompanied by events 5021 and 5023.

After the user signs out and signs in again manually, this problem will correct itself, because the new cookies will be written using the current key. This error is more likely to occur for users who are saving passwords and thus have older cookies.

5013

TimeWindow must be between 100 and 1000000. (Got #)

The "#" will be replaced by the rejected TimeWindow value. This event is generated any time a TimeWindow value used by Passport Manager methods LoginUser, AuthURL2, IsAuthenticated, or LogoTag2 falls out of bounds. Change the supplied TimeWindow values to be zero, or greater than one hundred and less than one million.

5014

The time stamp in the Ticket is in the future. Possible security attack.

Passport Manager compares the time stamps between itself and the Login server using a time stamp that is exchanged on the query string and also written to the MSPAuth cookie. If the MSPAuth cookie time stamp is more than five minutes different from the query string time, then this event is generated. The assumption is that someone has discovered the meaning of the ct parameter in the query string and is attempting to hack around a participating site's time stamp requirements. This is hacking pre-encryption, because the ct parameter is not encrypted on the query string.

It is also possible that the time-skew mechanism at the Login server is not responding correctly or that your system clock on the server is drastically wrong. Try signing in to your site using a client, or check the system time using scripting. On the query string, ct is the number of seconds since a particular date in 1970.

If your site uses Kids Passport, there is some possibility of time-skew problems on your site's Account Data URL and Account Removal URL pages, because the authentication mechanism for these operations requires that Passport "bounce" the user off the Login server before necessarily knowing the time skew at your server. Silently redirecting the user back to the Login server will provide a correct time skew the second time and correct the problem. For more information, see Linking Parent and Child.
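
The following Python example is added here and is not part of the original documentation; it separates the two explanations given above for event 5014 by comparing ct with the server clock over several requests: a skew shared by most requests points at the clock or the time-skew mechanism, while an isolated skewed request points at an altered ct value. It assumes that ct counts seconds from January 1, 1970 (the page says only "a particular date in 1970") and that the server clock readings come from your web log; the URLs and times are constructed samples.

```python
from statistics import median
from urllib.parse import urlsplit, parse_qs

TOLERANCE = 5 * 60  # seconds; the five-minute window described for event 5014


def ct_of(url):
    """Return the ct query-string value as an int, or None if absent or malformed."""
    values = parse_qs(urlsplit(url).query).get("ct", [])
    if len(values) == 1 and values[0].isascii() and values[0].isdigit():
        return int(values[0])
    return None


def classify(requests):
    """requests: list of (server_clock_seconds, url) taken from the web log.

    Returns (verdict, outliers), where each outlier is (url, skew_seconds)
    and skew is ct minus the server clock reading for that request.
    """
    skews = []
    for t, url in requests:
        ct = ct_of(url)
        if ct is not None:
            skews.append((url, ct - t))
    if not skews:
        return ("no-ct-values", [])
    typical = median(s for _, s in skews)
    if abs(typical) > TOLERANCE:
        # Most requests are skewed the same way: suspect the clock, not the client.
        return ("clock-or-skew-problem", [])
    outliers = [(url, s) for url, s in skews if abs(s - typical) > TOLERANCE]
    return ("isolated-ct-anomalies" if outliers else "ok", outliers)


# Constructed sample data (assumed epoch seconds and a placeholder host name).
NOW = 1_000_000_000
NORMAL = [(NOW + i, f"https://partner.example/default.asp?ct={NOW + i - 2}")
          for i in range(5)]
ONE_ALTERED = NORMAL + [
    (NOW + 9, f"https://partner.example/default.asp?ct={NOW + 9 + 86400}")]
CLOCK_OFF = [(t + 3600, url) for t, url in NORMAL]  # server clock one hour fast
```
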

5015

HasProfile called with nonexistent profile type.

If no attribute of the given name appears in the core profile, or that attribute has a value (version) of zero or less, this event is generated when you call the HasProfile method of Passport Manager.

This event is generated instead of having an error returned by the actual HasProfile call. The method still would have returned the correct False result.

5021

Improperly encrypted ticket presented in cookie.

5023

Improperly encrypted profile presented in cookie.

A Ticket or Profile was received but was encrypted using a key that is no longer valid. When you run the supplied key installation program upon initial site registration or after requesting a new encryption key, you can set the /makecurrent command-line option to specify a length of time during which the old key is still valid. In this case, the old key has expired and Passport Manager received a Ticket or Profile encrypted using this old key.

It is also possible that the decryption of the Ticket or Profile failed because of improper installation of the encryption key, subsequent change of network cards in the server, or a hacking attempt. In each of these cases, these events will be accompanied by another warning or error event that will help identify the problem.

Check the kv parameter on the URL going to the Login server to make sure it agrees with the key version of the last key you were issued. If not, rerun the key installation program. If you have recently reinstalled Passport Manager, the installation can occasionally overwrite the previously existing site-specific key with the "default" key that is used for Site ID=1. If so, rerun the key installation program to add your site-specific key again and make it current.

These events may also indicate some sort of failure with the .NET Passport network encryption operations.

Are your site's pages using t or p as a private query string variable, or are you perpetuating part (but not all) of the t and p query string parameters as sent by the .NET Passport Login servers? These query string parameters must be kept reserved for .NET Passport use, as must f.
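
The following Python example is added here and is not part of the original documentation; it applies the guidance above that events 5021 and 5023 are read together with the warning or error event that accompanies them (5012, 5006, or 5024), and flags a 5006 that keeps recurring. The 60-second correlation window, the repeat threshold of five, and the event tuples are assumptions and constructed sample data, not values from .NET Passport.

```python
from collections import Counter

WINDOW = 60           # assumed: seconds within which events count as "accompanying"
REPEAT_THRESHOLD = 5  # assumed: number of 5006 events treated as "continuous"

COMPANION_CAUSE = {   # companion event -> cause, as described on this page
    5012: "old key expired; clears when the user signs in again",
    5006: "Ticket or Profile encrypted with a key not present on this server",
    5024: "configuration data could not be decrypted (network card change?)",
}


def triage(events):
    """events: list of (epoch_seconds, event_id) exported from the event log.

    Returns a list of (time, event_id, causes) findings.
    """
    findings = []
    for t, eid in events:
        if eid not in (5021, 5023):
            continue
        # Event IDs logged within WINDOW seconds of this decryption failure.
        nearby = {e for u, e in events if abs(u - t) <= WINDOW}
        causes = [COMPANION_CAUSE[c] for c in sorted(nearby & COMPANION_CAUSE.keys())]
        if not causes:
            causes = ["no companion event: check kv and the reserved t, p, f parameters"]
        findings.append((t, eid, causes))
    if Counter(e for _, e in events)[5006] >= REPEAT_THRESHOLD:
        findings.append((None, 5006, ["recurring invalid key: rerun the key installation program"]))
    return findings


# Constructed sample log: an expired-key cluster, a lone failure, a 5024 cluster.
SAMPLE = [
    (1000, 5012), (1001, 5021), (1002, 5023),
    (5000, 5021),
    (9000, 5024), (9010, 5023),
]
```
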

5024

Unable to decrypt configuration data. This may occur if you have changed network cards on this computer. If so, you must reinstall Passport Manager, reapply configuration settings, and reinstall keys.

It may be possible that one of the network cards on the server failed on startup. As long as this is a transitory failure of the network card, rebooting the server may solve the problem.

If the network card is permanently down, you may need to replace the network card and reinstall Passport Manager along with keys and settings as detailed here:

  1. Before reinstalling, make sure to save old configuration settings to a text file by using the Save menu option in the Passport Manager Administration utility.
  2. Reinstall Passport Manager by re-running the Setup.exe file contained in the initial SDK .cab file.
  3. Run the Passport Manager Administration utility. From the File menu, choose Open to open the previously saved configuration settings file and then commit these changes to the current installation.
  4. Rerun the key installation program given to you upon initial registration. Follow the directions supplied with the program.

This event may be generated twice: once upon attempted encryption and again on attempted decryption.

5100

Fetch of document $ from Nexus failed with status $.

This indicates that the failure to fetch a document was with either the HTTP content or the HTTP status of the response.

This event is generated if the Partner.xml CCD could not be updated at the scheduled interval and an update was required. The "$" symbols in the error message are replaced by the name of the file in question and a specific HTTP status code (in hexadecimal notation).

Check if sign-in and sign-out operations at the Login page are still working. If not, consider switching to stand-alone mode. For more information, see Stand-Alone Mode.

5101

Fetch of document $ from Nexus failed with error = $.

Unlike 5100, this indicates that the error was generated by a Microsoft® Win32® application or library on the client side—for example, WinInet.

This event is generated if the Partner.xml CCD could not be updated at the scheduled interval and an update was required. The "$" symbols in the error message are replaced by the name of the file in question and a specific error. As long as informational event 5002 was received, Passport Manager can continue to function using any previous CCD from disk, and eventually Passport Manager should be able to get a new CCD from the Nexus.

Check to see if there is a local condition that is preventing your server from reaching the Nexus. Check file permissions for the file Partner2.xml.

Check the registry key HKEY_Local_Machine\Software\Microsoft\Passport\Nexus\Partner\CCDRemoteFile and determine whether the URL contained in this key resolves. (You will not actually be able to view this file directly in a browser, because the CCD source itself is password-protected.)

To check the specific WinInet error code, go to MSDN Online.

If this event continues to appear over a long period of time, you may need to contact your .NET Passport sales representative to verify that the installation was performed correctly. You may be asked to edit the value of the registry key HKEY_Local_Machine\Software\Microsoft\Passport\Nexus\Partner\CCDRemoteFile.

5102

The document returned for $ did not contain valid XML. It is possible that the response contains information about a failure contacting the Nexus. The data of this event contains the response.

This event is thrown if the Partner.xml CCD could not be parsed by the local XML parsing code. The "$" symbol in the error message above is replaced by the name of the file in question.

Check that your XML-parsing dynamic-link library (DLL) is operational and compatible. Passport Manager uses the XML parsing DLL that ships with Internet Explorer version 4 (Service Pack 2) or 5.01. You may need to get a more recent version of Internet Explorer on your server.

It is also possible that the request that expected to receive XML instead returned an HTTP response such as 401 for missing content. Try viewing the actual returned content in a browser.

5103

Nexus document $ contained NoPersist attribute, not saving to disk.

This event is generated if the Partner.xml CCD is marked so that it is not saved to your local disk. This event is generated only if Passport Manager is configured always to check for a fresh CCD from the network on each operation; this configuration is not generally recommended (and thus is not documented), and should be used only in extreme troubleshooting situations.

5104

Failed to load Nexus document $.

This event is generated if a CCD could not be loaded from disk. The "$" symbol in the error message above is replaced by the name of the file in question (Partner.xml).

If accompanied by event 5101, the automatic CCD retrieval mechanism is not working and the Passport Manager installation does not have a current CCD loaded. The local CCD may still be valid, however.

You may be able to place a local CCD file on the server computer manually by reinstalling Passport Manager, or by copying a saved version of Partner.xml. This file should be placed in the same directory as the Msppmgr.dll file.

Check file permissions on the CCD file.

5105

Local file $ is valid, Nexus fetch not performed.

This event fires at any interval when the CCD should be checked, but at this time no update is required.

5106

Fetch of document $ from Nexus succeeded.

Fires when a network CCD is fetched and replaced on disk.

5107

Save of document $ failed with error = $.

Fired when a network CCD is fetched but could not be saved locally. The problem may be a file-system error (for example, the process did not have permissions, or the file was locked or marked read-only). Verify that the file named in the event is writable by a service.

5108

Found empty CCDRemoteFile entry in registry $.

This event will fire in conjunction with other errors relating to either reading or writing a CCD file such as Partner.xml. The string returned by this event gives the remote URL where Passport Manager expected to find a file. This URL is stored as a registry entry when Passport Manager is installed.

Do not change this URL path unless directed to by .NET Passport support or sales representatives.

5109

Found empty CCDLocalFile entry in registry $.

This event fires in conjunction with other errors relating to either reading or writing a CCD file such as Partner.xml. The string returned by this event gives the local file path where Passport Manager expected to find a file.

Check the path given in the event text to see whether it exists. Check the server's directory structure to see whether the file in question was written to some other location. If so, copy the file to the path specified in the event. If the next attempt to refresh gives another error or if no file exists, contact .NET Passport support.

See Also

Passport Manager Administration Utility | Passport Manager Windows NT Events | Passport Manager Error Codes | Manager.HasProfile | Manager.Profile | Manager.GetDomainAttribute | Support Contact Information and Hours