Event ID - 650

Event Id650
SourceMicrosoft-Windows-ADFS
DescriptionThe Federation Service encountered an error while loading the trust policy. An application or resource partner is configured to use Kerberos-based token verification, but the Service Principal Name (SPN) for the application is not valid. SPN: %1 If this error occurs during startup of the Federation Service, the Federation Service will be not be able to start, and all requests to the Federation Service will fail until the configuration is corrected. If this error occurs while the Federation Service is running, the Federation Service will continue to use the last trust policy that was loaded successfully. User Action This error should occur only if the trust policy file has been modified without use of the AD FS administrative tools. Correct the SPN to a valid value.
Event Information According to Microsoft :

Cause :

This event is logged when the Federation Service encountered an error while loading the trust policy.

Resolution :

Change the SPN to a valid value

This error occurs only if the trust policy (trustpolicy.xml) file has been modified without the use of the Active Directory Federation Services snap-in and the modification causes another relying parameter to fall outside the scope of acceptable values. In this case, the manual change that was made to the trustpolicy.xml file specifies that a value for a Service Principal Name (SPN), which is located in a trusting application, is in a format that is not valid. Change the SPN to a valid value.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To configure the SPN for an application:
  1. Click Start , point to Administrative Tools , and then click Active Directory Federation Services .
  2. Double-click Trust Policy , double-click My Organization , and then double-click Applications .
  3. Right-click the application whose SPN you want to change, and then click Properties .
  4. On the General tab, under Security token protection method , change the value in Service principal name (SPN) of service account to a valid value, and then click OK .
Verify :

Verify that you can access the Active Directory Federation Services (AD FS)-enabled application from a client browser and that the resource can be accessed.
Reference LinksEvent ID 650 from Source Microsoft-Windows-ADFS

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh