0
votes

I am getting a strange error in the ADFS 2.0 event log as follows:


"The Federation Service could not fulfill the token-issuance request because the relying party 'https://my-relying-party' is missing a WS-Federation Passive endpoint address.

Relying party: https://my-relying-party

This request failed.

User Action

Use the AD FS 2.0 Management snap-in to configure a WS-Federation Passive endpoint on this relying party."


This happens after the SAML response is verified successfully by ADFS 2.0, but it apparently fails to issue a token for the relying party application.

I configured both the IdP and the SP in ADFS 2.0 as SAML 2.0, so I don't understand why a WS-Federation endpoint is expected.

Any help will be appreciated.


4 Answers

3
votes

Is your web application talking the WS-Federation protocol or the SAML protocol (SAML-P)? If your web application is based on WIF, then you are using WS-Federation. Note that both protocols use SAML tokens.

If your application talks the WS-Federation protocol, then in your AD FS Relying Party Trust you need to set the WS-Federation endpoint(s). If it talks the SAML protocol, you need to set the SAML protocol endpoint(s).

Based on your error message, your application probably talks WS-Federation, therefore you need to set the WS-Federation endpoint.
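As an added example (not part of this answer or the original page), here is how to check which endpoints a relying party trust has and set the right one with the AD FS 2.0 PowerShell snap-in. The identifier https://my-relying-party comes from the error message in the question; the application sign-in URL https://my-relying-party/ and the SAML ACS path /saml/acs are assumed placeholders for your own values.

```powershell
# Added example, not code from the original question or answers.
# Assumptions: relying party identifier https://my-relying-party (from the error text);
# https://my-relying-party/ and /saml/acs are placeholders for the real application URLs.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # AD FS 2.0 cmdlets

$rpId = 'https://my-relying-party'

# 1. Inspect the trust. The error in the question means WSFedEndpoint is empty
#    while the application is asking AD FS for a WS-Federation token.
$rp = Get-ADFSRelyingPartyTrust -Identifier $rpId
if (-not $rp) { throw "No relying party trust with identifier $rpId" }
"WS-Federation passive endpoint : $($rp.WSFedEndpoint)"
"SAML endpoints                 : $($rp.SamlEndpoints | ForEach-Object { "$($_.Protocol)/$($_.Binding) $($_.Location)" })"

# 2a. Application talks WS-Federation (e.g. a WIF web app): set the passive endpoint.
#     AD FS POSTs the WS-Fed response carrying the SAML token to this URL, so it must be
#     the exact HTTPS URL the application's federation module listens on.
Set-ADFSRelyingPartyTrust -TargetIdentifier $rpId -WSFedEndpoint 'https://my-relying-party/'

# 2b. Application talks SAML 2.0 (SAML-P): configure an Assertion Consumer Service
#     endpoint instead of (or in addition to) the WS-Federation one.
# $acs = New-ADFSSamlEndpoint -Protocol SAMLAssertionConsumer -Binding POST `
#            -Uri 'https://my-relying-party/saml/acs' -Index 0 -IsDefault $true
# Set-ADFSRelyingPartyTrust -TargetIdentifier $rpId -SamlEndpoint $acs

# 3. Verify the change took effect.
Get-ADFSRelyingPartyTrust -Identifier $rpId |
    Select-Object Name, Identifier, WSFedEndpoint, SamlEndpoints
```

Run this in an elevated PowerShell session on the AD FS server. The endpoints configured on the trust are the only places AD FS will deliver a token for that relying party, so keep the list to the exact HTTPS URLs the application actually owns rather than a broad or HTTP address.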

2
votes

The integration between your SAML 2.0 SP (ADFSv2) and your RP application is done via the WS-Federation Passive Requester Profile. So you'll need to set up your application to receive the WS-Fed response and parse it appropriately. You'll also have to configure ADFSv2 to generate this message as well (per the error message you received).

Hope this helps - Ian

2
votes

You need to add the web application URL to the endpoints in the properties of your relying party.


1
votes

Adding the WS-Federation passive reference manually, or in the federation file, will solve the problem.

Please let me know if you need detail guidance.