Event ID 697 — Federation Service Authentication Web Pages

Applies To: Windows Server 2008 R2

The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.

Event Details

Product: Windows Operating System
ID: 697
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: AnonymousLogonNotSupported
Message: The LSAuthenticationObject method LogonClient was called with the anonymous WindowsIdentity. This condition occurs when LogonClient(WindowsIdentity) is called in a context where anonymous access has been enabled in Internet Information Services (IIS).

User Action
Ensure that only integrated authentication is enabled for the ls/auth/integrated directory.

Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory.

Resolve

Enable only integrated authentication

Ensure that only Windows Authentication is enabled for the Internet Information Services (IIS) virtual directory ls/auth/integrated. If Anonymous Authentication is also enabled there, IIS hands the page an anonymous WindowsIdentity, which is the condition that raises this event. To check this:

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

  1. On the federation server, open the Internet Information Services (IIS) Manager snap-in.
  2. Click ComputerName\Sites\Default Web Site\adfs\ls\auth\integrated, and, in the center pane, double-click Authentication.
  3. Ensure that all statuses in the center pane are set to Disabled except for Windows Authentication, which should be set to Enabled.

Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory. Windows Integrated authentication is not supported on the Federation Service Proxy, so perform this check on the federation server itself. To ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory:

  1. Using Notepad on the federation server, open the file clientlogon.aspx, which is located under %systemdrive%\Windows\SystemData\ADFS\sts\ls\auth\integrated.

  2. Ensure that the following line of code is present in the file:

    WindowsIdentity wi = (WindowsIdentity)HttpContext.Current.User.Identity;
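The following PowerShell script is an added example, not code from the original article or from AD FS itself. It performs both checks of this procedure on a federation server: it reads the effective IIS authentication settings for the ls/auth/integrated location and, when run with -Fix, disables every method except Windows Authentication; it then confirms that clientlogon.aspx still obtains the WindowsIdentity from HttpContext.Current.User.Identity. It assumes IIS 7.5 with the WebAdministration module (standard on Windows Server 2008 R2), the site name Default Web Site, and the file path given in step 1; the -Fix switch and the list of authentication sections are the script's own.

```powershell
<#
  Added check script; not part of the original article or of AD FS.
  Assumptions: IIS 7.5 with the WebAdministration module, the AD FS pages
  hosted under "Default Web Site", and the clientlogon.aspx path named in
  the procedure. Run it on the federation server, not on the Federation
  Service Proxy (Windows Integrated authentication is not supported there).
#>
param(
    [switch]$Fix   # when set, correct any authentication section that is wrong
)

Import-Module WebAdministration -ErrorAction Stop

$location = 'Default Web Site/adfs/ls/auth/integrated'   # assumed site name
$authBase = 'system.webServer/security/authentication'
$pageFile = Join-Path $env:SystemDrive 'Windows\SystemData\ADFS\sts\ls\auth\integrated\clientlogon.aspx'

# Expected state per IIS authentication section: only Windows Authentication may be on.
# Anonymous enabled on this location is exactly the condition that produces event 697.
$expected = @{
    anonymousAuthentication                   = $false
    basicAuthentication                       = $false
    digestAuthentication                      = $false
    windowsAuthentication                     = $true
    clientCertificateMappingAuthentication    = $false
    iisClientCertificateMappingAuthentication = $false
}

$problems = @()
foreach ($section in $expected.Keys) {
    $filter = "$authBase/$section"
    try {
        # Read the effective setting stored in applicationHost.config for this
        # location; that is where IIS Manager writes it, since these sections
        # are locked against web.config by default.
        $current = [bool](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                       -Location $location -Filter $filter -Name enabled).Value
    } catch {
        $problems += "${section}: could not read setting ($($_.Exception.Message))"
        continue
    }
    if ($current -ne $expected[$section]) {
        $problems += "${section}: enabled=$current, expected $($expected[$section])"
        if ($Fix) {
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $location `
                -Filter $filter -Name enabled -Value $expected[$section]
        }
    }
}

# Second check: the integrated logon page must take the caller's WindowsIdentity
# from the request context before it calls LogonClient(WindowsIdentity).
if (Test-Path -LiteralPath $pageFile) {
    $pattern = '(WindowsIdentity)HttpContext.Current.User.Identity'
    if (-not (Select-String -LiteralPath $pageFile -SimpleMatch -Pattern $pattern -Quiet)) {
        $problems += "clientlogon.aspx does not cast HttpContext.Current.User.Identity to WindowsIdentity"
    }
} else {
    $problems += "clientlogon.aspx not found at $pageFile"
}

if ($problems.Count -eq 0) {
    Write-Output "OK: only Windows Authentication is enabled for $location and clientlogon.aspx is as expected."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
    if (-not $Fix) { Write-Output "Re-run with -Fix to disable the extra authentication methods." }
    exit 1
}
```

Run it from an elevated PowerShell prompt (the configuration reads and writes need local Administrators rights, as the procedure notes). Run it without -Fix first to see what is enabled; the report tells you whether the event is explained by Anonymous Authentication on the location or by an edited logon page.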

Verify

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.
