Event ID - 128

Event Id: 128
Source: Microsoft-Windows-ADFS
Description: The AD FS Web Agent Authentication Service was not able to start. The authentication service has not been configured to run as a principal that has been granted the "Impersonate a client after authentication" privilege (SeImpersonatePrivilege). Users will not be able to access protected resources until the authentication service can be restarted.
User Action: Either grant the AD FS authentication service principal the "Impersonate a client after authentication" privilege or configure the service to run as a principal that has already been granted the "Impersonate a client after authentication" privilege. (For example, configure the authentication service to run as LocalSystem.) This privilege is granted by default to the SERVICE group, but on a hardened server it may be necessary to grant the privilege explicitly.
Event Information According to Microsoft :

Cause :

This event is logged when the AD FS Web Agent Authentication Service could not start because the account it runs as does not hold the Impersonate a client after authentication privilege (SeImpersonatePrivilege).

Resolution :

Configure the AD FS Web Agent Authentication Service with the Impersonate a client after authentication privilege

On the AD FS-enabled Web server, use the Local Security Policy snap-in to grant the account specified on the Log On tab of the AD FS Web Agent Authentication Service the Impersonate a client after authentication privilege, or configure the service to run as an account that has already been granted that privilege (for example, LocalSystem). This privilege is granted by default to the SERVICE group; on a hardened server, where that default has been removed, it may be necessary to grant the privilege explicitly.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To grant an account the "Impersonate a client after authentication" privilege:
  1. Click Start, point to Administrative Tools, click Local Security Policy, and then double-click Local Policies.
  2. Double-click User Rights Assignment.
  3. In the details pane, right-click the Impersonate a client after authentication setting, and then select Properties.
  4. Add the account that is specified on the Log On tab of the AD FS Web Agent Authentication Service to the setting, and then start the service.
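The same change done from an elevated PowerShell session instead of the snap-in, as an added example (this is not code from the original page or from Microsoft): it looks up the Log On account of the service by the display name quoted in the event, reads the current holders of SeImpersonatePrivilege from a secedit export, adds the account's SID if it is missing, and starts the service. Locating the service by display name, the temporary file names and the use of secedit.exe for the grant are assumptions of this example, not something the page states.

```powershell
# Added example, not code from the original page or from Microsoft.
# Grants SeImpersonatePrivilege to the account that runs the AD FS Web Agent
# Authentication Service, then starts the service. Run in an elevated PowerShell
# on the AD FS-enabled web server. Assumptions: the service is found by the display
# name quoted in the event, and secedit.exe (shipped with Windows) is used for the grant.

$ErrorActionPreference = 'Stop'
$displayName = 'AD FS Web Agent Authentication Service'

$svc = Get-CimInstance -ClassName Win32_Service |
       Where-Object { $_.DisplayName -eq $displayName }
if (-not $svc) { throw "Service '$displayName' is not installed on this host." }

# StartName is the 'Log On' account, e.g. 'LocalSystem', 'NT AUTHORITY\NetworkService'
# or 'CONTOSO\svc-adfsagent'. A leading '.\' denotes a local account.
$account = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
Write-Host "'$($svc.Name)' runs as '$account' (current state: $($svc.State))"

if ($account -eq 'LocalSystem') {
    Write-Host 'LocalSystem always holds SeImpersonatePrivilege; nothing to grant.'
    Start-Service -Name $svc.Name
    return
}

# Resolve the account to its SID; secedit lists user rights by '*SID'.
$ntAccount = New-Object System.Security.Principal.NTAccount($account)
$sid = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the current user-rights assignment (UTF-16 .inf written by secedit).
$exportPath = Join-Path $env:TEMP 'user-rights-export.inf'
& secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit /export failed with exit code $LASTEXITCODE" }

$line = Get-Content -Path $exportPath |
        Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' } |
        Select-Object -First 1
$holders = @()
if ($line) {
    $holders = (($line -split '=', 2)[1] -split ',') |
               ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
Write-Host "Current SeImpersonatePrivilege holders: $($holders -join ', ')"

if ($holders -contains "*$sid") {
    Write-Host "$account already holds SeImpersonatePrivilege."
} elseif ($holders -contains '*S-1-5-6') {
    # S-1-5-6 is the SERVICE group. Every service started by the Service Control
    # Manager carries it in its token, so the account already gets the privilege
    # at runtime and the start failure most likely has another cause.
    Write-Host 'SERVICE (S-1-5-6) holds the privilege; the service account inherits it.'
} else {
    # secedit /configure REPLACES the whole list for the right, so the existing
    # holders are carried over and only this account's SID is appended.
    $newList = ($holders + "*$sid") -join ','
    $infPath = Join-Path $env:TEMP 'grant-seimpersonate.inf'
    $dbPath  = Join-Path $env:TEMP 'grant-seimpersonate.sdb'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeImpersonatePrivilege = {0}
'@ -f $newList | Set-Content -Path $infPath -Encoding Unicode
    & secedit.exe /configure /db $dbPath /cfg $infPath /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed with exit code $LASTEXITCODE" }
    Write-Host "Granted SeImpersonatePrivilege to $account ($sid)."
}

# User rights are evaluated when the service's logon token is built, so the
# service must be (re)started for the grant to take effect.
Start-Service -Name $svc.Name
Get-Service -Name $svc.Name | Select-Object Name, Status
```

Two points worth keeping in mind when using this. First, secedit /configure overwrites the complete assignment for a right, which is why the script re-reads the current holders and appends to them rather than writing only the new SID; a template that lists just the service account would strip Administrators, LOCAL SERVICE and NETWORK SERVICE of the privilege. Second, SeImpersonatePrivilege is a well-known local privilege-escalation primitive (a process holding it can impersonate any client token it manages to obtain), so grant it to the dedicated service account only, and prefer that narrow grant over running the service as LocalSystem where the server's hardening baseline allows.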
Verify :

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed with the appropriate authorization.

If you cannot access the application successfully, verify that the Windows token-based agent is configured with correct URL values and that all configuration parameters contain valid values.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Windows token-based agent is configured with correct values:
  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
  2. In the console tree, click YourComputerName (local computer).
  3. In the console tree, double-click Sites, and then click YourWebSiteName.
  4. In the center pane, double-click Authentication, highlight AD FS Windows Token-Based Agent, and then in the Actions pane click Edit.
  5. In the AD FS Windows Token-Based Agent dialog box, confirm that the Enable AD FS Web Agent check box is selected.
  6. Make sure that the following values are valid, and then click OK.
  • Cookie path
  • Cookie domain
  • Return URL
Reference Links: Event ID 128 from Source Microsoft-Windows-ADFS
