Event ID 697 — Federation Service Authentication Web Pages
Applies To: Windows Server 2008 R2
The Federation Service provides Web pages that prompt the user to select an appropriate account partner to which the user can authenticate. The Federation Service also provides Web pages that prompt for the user’s credentials, such as a user name and password, for forms-based authentication. A Web page is also provided that supports Windows Integrated authentication and Secure Sockets Layer (SSL) client certificate authentication.
Event Details
| Field | Value |
| --- | --- |
| Product | Windows Operating System |
| ID | 697 |
| Source | Microsoft-Windows-ADFS |
| Version | 6.1 |
| Symbolic Name | AnonymousLogonNotSupported |
| Message | The LSAuthenticationObject method LogonClient was called with the anonymous WindowsIdentity. This condition occurs when LogonClient(WindowsIdentity) is called in a context where anonymous access has been enabled in Internet Information Services (IIS). User Action: Ensure that only integrated authentication is enabled for the ls/auth/integrated directory. Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory. |
Resolve
Enable only integrated authentication
Ensure that only Windows Authentication is enabled for the Internet Information Services (IIS) virtual directory ls/auth/integrated. To do this, check the following:
To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
- On the federation server, open the Internet Information Services (IIS) Manager snap-in.
- Click ComputerName\Sites\Default Web site\adfs\ls\auth\integrated, and, in the center pane, double-click Authentication.
- Ensure that all statuses in the center pane are set to Disabled except for Windows Authentication, which should be set to Enabled.
Ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory. Windows Integrated authentication is not supported on the Federation Service Proxy. To ensure that LogonClient(WindowsIdentity) is called only from the authentication Web form in the ls/auth/integrated directory:
- Using Notepad on the federation server, open the file clientlogon.aspx, which is located under %systemdrive%\Windows\SystemData\ADFS\sts\ls\auth\integrated.
- Ensure that the following line of code is present in the file (it obtains the caller's identity from the request that IIS has already authenticated, which is why anonymous access must be disabled for this directory):

```csharp
WindowsIdentity wi = (WindowsIdentity)HttpContext.Current.User.Identity;
```
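The two checks above (only Windows Authentication enabled on the ls/auth/integrated virtual directory, and clientlogon.aspx containing the WindowsIdentity line) can be audited from a PowerShell prompt on the federation server. This is an added example, not part of the original page or of AD FS itself; it assumes the IIS WebAdministration module available with IIS 7.5 on Windows Server 2008 R2, the default site and file paths named above, and that the four authentication sections listed are the ones installed.

```powershell
# Added audit script (not from the original page). Read-only: it reports the
# authentication state of the integrated directory and whether clientlogon.aspx
# still contains the expected line. Paths below are assumptions taken from the page.
Import-Module WebAdministration

$sitePath = 'IIS:\Sites\Default Web Site\adfs\ls\auth\integrated'
$aspxPath = Join-Path $env:SystemDrive 'Windows\SystemData\ADFS\sts\ls\auth\integrated\clientlogon.aspx'
$expected = 'WindowsIdentity wi = (WindowsIdentity)HttpContext.Current.User.Identity'

# Authentication sections under system.webServer/security/authentication that the
# IIS Manager "Authentication" pane shows for this directory (assumed installed set).
$authModes = 'anonymousAuthentication', 'basicAuthentication',
             'digestAuthentication', 'windowsAuthentication'
$problems = @()

foreach ($mode in $authModes) {
    $filter = "system.webServer/security/authentication/$mode"
    $attr = Get-WebConfigurationProperty -PSPath $sitePath -Filter $filter -Name enabled -ErrorAction SilentlyContinue
    if ($null -eq $attr) { Write-Host ("{0,-28} not installed" -f $mode); continue }

    $enabled  = [bool]$attr.Value
    $shouldBe = ($mode -eq 'windowsAuthentication')   # only Windows Authentication may be on
    $state    = if ($enabled) { 'Enabled' } else { 'Disabled' }
    Write-Host ("{0,-28} {1}" -f $mode, $state)
    if ($enabled -ne $shouldBe) {
        $want = if ($shouldBe) { 'Enabled' } else { 'Disabled' }
        $problems += "$mode is $state on $sitePath; expected $want (event 697 condition)"
    }
}

# The form must take the identity from the already-authenticated request context.
if (Test-Path $aspxPath) {
    if (-not (Select-String -Path $aspxPath -SimpleMatch -Pattern $expected -Quiet)) {
        $problems += "clientlogon.aspx does not contain the expected WindowsIdentity line"
    }
} else {
    $problems += "clientlogon.aspx not found at $aspxPath"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'OK: only Windows Authentication is enabled and clientlogon.aspx matches.'
}
```

Run it from an elevated prompt on the federation server; a warning for anonymousAuthentication being Enabled is the misconfiguration that produces this event.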
Verify
Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.