Event ID - 645

Event Id645
SourceMicrosoft-Windows-ADFS
DescriptionThe Federation Service encountered an error while loading the trust policy. An account partner that does not have Windows trust enabled is configured to allow all e-mail suffixes. If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Account partners that do not have Windows trust enabled must provide an explicit list of e-mail suffixes for validation. Add at least one e-mail suffix for this account partner.
Event Information According to Microsoft :

Cause :

This event is logged when the Federation Service encountered an error while loading the trust policy.

Resolution :

Provide an explicit list of UPN suffixes for validation

This error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in and the modification causes another relying parameter to fall outside the scope of acceptable values. In this case, the manual change that was made to the trustpolicy.xml file affected the Windows trust settings for a specific account partner. The change resulted in a mismatch of acceptable user principal name (UPN) suffix values that are defined in the claim mapping settings for that account partner.

You can correct this problem by configuring the account partner to use Windows trust.

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To configure an account partner to use Windows trust:
  1. Click Start , point to Administrative Tools , and then click Active Directory Federation Services .
  2. Double-click Federation Service , double-click Trust Policy , double-click Partner Organizations , and then double-click Account Partners .
  3. Right-click the account partner that you want to configure to use Windows trust, and then click Properties .
  4. On the Windows Trust tab, select the Use Windows trust relationship check box.
  5. In Trusted Active Directory Domain Services (AD DS) domains and forests , do one of the following, and then click OK :
  • If you want to allow federated access to users in all trusted domains in the account partner forest and in any forest that is trusted by the account partner forest, click All AD DS domains and forests , and then click OK .
  • If you want to name only the domains where you want to allow federated access, click Specified AD DS domains and forests (press Enter to separate entries) . Type a domain name, and then press ENTER. Repeat this action to add each domain in the account partner forest and in any other trusted forests for the users that you want to grant access to resources.
You can also correct this problem by adding at least one UPN suffix to the properties of the incoming UPN claim mapping for this account partner.

To add a UPN suffix to an incoming UPN claim mapping:
  1. Click Start , point to Administrative Tools , and then click Active Directory Federation Services .
  2. Double-click Federation Service , double-click Trust Policy , double-click Partner Organizations , and then double-click Account Partners .
  3. In the console tree, click the account partner that you want to add the E-mail suffix to.
  4. In the details pane, double-click E-mail .
  5. In the Incoming E-mail Claim Mapping dialog box, click Accept some domain suffixes , type at least one valid E-mail domain suffix in the text box, and then click OK .
Verify :

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.
Reference LinksEvent ID 645 from Source Microsoft-Windows-ADFS

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh