| Event Id | 601 |
| Source | Microsoft-Windows-ADFS |
| Description | During processing of web.config section '%1', the parameter '%2' was found to have invalid data. The private key for the certificate that was identified by the thumbprint '%3' could not be accessed. Section: %1 Parameter: %2 Thumbprint: %3 The Federation Service or Federation Service Proxy will not be able to start until this configuration parameter is corrected. This condition can occur when the certificate that is identified by the thumbprint is found in the Local Computer Personal store but there is a problem accessing the certificate's private key. Common causes for this condition include the following: (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file. (2) The certificate's private key was imported (for example, from a .pfx file) into a user's certificate store instead of the Local Computer Personal store. (3) The certificate was generated as part of a certificate request that did not specify the ""Machine Key"" option. (4) The Federation Service identity has not been granted read access to the certificate's private key. User Action If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file). If the certificate was imported in a user context, import the certificate again directly into the Local Computer Personal store. If the certificate was generated by a certificate request that did not specify the ""Machine Key"" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the Local Computer Personal store. If the key is not marked as exportable, request a new certificate using the ""Machine Key"" option. If the FS Identity has not been granted read access to the certificate's private key, open the AD FS snap-in. In the console tree, right-click Federation Service, and then click Properties. Under Token Signing Certificate, click View. If the private key has incorrect access control configured, an option to reconfigure the key's access control will appear. |
| Event Information | According to Microsoft : Cause : This event is logged when the processing of web.config section, the parameter was found to have invalid data. Resolution : Reimport a certificate that has a private key If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate into the Local Computer Personal store of the federation server or federation server proxy again from a source that includes the private key, for example, a .pfx file. To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. To import a certificate to the Local Computer Personal store:
If the certificate was generated by a certificate request that did not specify the Machine Key option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file, and import it again directly into the Local Computer Personal store. If the key is not marked as exportable, request a new certificate using the Machine Key option. Check whether the Federation Service identity has been granted Read access to the certificate's private key. To check whether the certificate's private key is configured for Read access:
Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed. |
| Reference Links | Event ID 601 from Source Microsoft-Windows-ADFS |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.