Event ID - 652

Event Id652
SourceMicrosoft-Windows-ADFS
DescriptionThe Federation Service encountered an error while loading the trust policy. An Active Directory Lightweight Directory Services (AD LDS) account store was configured with an identity claim extraction. AD LDS store: %1 If this error occurs during startup of the Federation Service, the Federation Service will not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Configure at least one identity claim extraction for this account store: user principal name (UPN), e-mail, or common name.
Event Information According to Microsoft :

Cause :

This event is logged when the federation service encountered an error while loading the trust policy.

Resolution :

Configure identity claim extractions for the account store

This error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in and the modification causes another relying parameter to fall outside the scope of acceptable values. In this case, the manual change that was made to the trustpolicy.xml file removed or disabled all identity claim extractions that were associated with this account store.

To correct this problem, add at least one Lightweight Directory Access Protocol (LDAP) attribute for an identity claim to the account store settings in the trustpolicy.xml file: user principal name (UPN), e-mail, or common name.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To manually add the LDAP attribute for a claim to the trustpolicy.xml file:
  1. In Notepad or another text editor, open the trustpolicy.xml file, which by default is in %systemdrive%\windows\systemdata\adfs.
  2. In the AccountStore section, add the value of the LDAP attribute for the claim by adding the following tags (and value) under the LdapDirectoryAccountStore tag
  3. Save and close Notepad.
Verify :

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.
Reference LinksEvent ID 652 from Source Microsoft-Windows-ADFS

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.