Share via


ACS Error Codes

Updated: June 19, 2015

Applies To: Azure

This topic includes the most common error messages that might be encountered when using Microsoft Azure Active Directory Access Control (also known as Access Control Service or ACS) and the actions required to fix the error, when applicable. For information about how to provide custom error handling based on the error codes, see How to: Use an Error URL for Custom Error Handling.

Important

ACS namespaces can migrate their Google identity provider configurations from OpenID 2.0 to OpenID Connect. Migration must be completed before June 1, 2015. For detailed guidance, see Migrating ACS Namespaces to Google OpenID Connect.

Important

Do not use ACS error codes or descriptions in application logic. When writing error-handling code, use the values of HTTP status and error codes. ACS error codes and error descriptions can change at any time without warning. For more information, see ACS Retry Guidelines and ACS Service Limitations.

Active Federation Protocol Errors, Including SOAP and WS-Trust

ACS Error HTTP Status Code Message Remedy

ACS10000

400

An error occurred while processing the SOAP message

Details are in the message.

ACS10001

400

An error occurred while processing the SOAP header

Details are in the message.

ACS10002

400

An error occurred while processing the SOAP body

Details are in the message.

ACS10003

400

An error occurred while processing the security header

Details are in the message.

WS-Federation Protocol Errors, Including Federation Metadata

The errors in this section are related to WS-Federation protocol and WS-Federation metadata.

To generate a valid WS-FederationMetadata.xml file, use FedUtil or the Identity and Access tool in Visual Studio 2012. The ACS Management Portal also generates a WS-Federation metadata document for each Access Control namespace. To view it, in the ACS Management Portal, click Application integration.

To customize WS-Federation metadata, use the classes in the Microsoft.IdentityModel.Protocols.WSFederation.Metadata namespace.

For the OASIS standard WS-Federation metadata XML schema specification, see Section 3 of the Web Services Federation Language (WS-Federation) Version 1.2 standard at http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html#_Toc223174942.

For more information about particular errors and their resolution, see the entries in this table.

Error HTTP Status Code Message Remedy

ACS20000

400

An error occurred while processing a WS-Federation sign-in request

Details are in the message.

ACS20001

400

An error occurred while processing a WS-Federation sign-in response

Details are in the message.

ACS20002

400

An error occurred while attempting to generate federation metadata

More details might be found in the message. Verify that there is a primary token signing certificate in your Access Control namespace.

ACS20003

400

An error occurred while attempting to import federation metadata

More details might be found in the message. Make sure that the metadata URL or the metadata file is valid.

ACS20004

Cannot retrieve the entity from the metadata

Make sure that the metadata file contains an entity ID.

ACS20005

Multiple metadata entities are not supported

Ensure that the federation metadata contains exactly one entity.

ACS20006

No security token service descriptors were found

Ensure that the federation metadata contains exactly one security token service descriptor.

ACS20007

Multiple security token service descriptors are not supported

Ensure that the federation metadata contains exactly one security token service descriptor.

ACS20008

400

Only identity providers that support WS-Federation can be imported.
or
Only relying parties that support WS-Federation can be imported.

Ensure that the federation metadata contains a RoleDescriptor of type "fed:SecurityTokenServiceType".

ACS20009

400

An error occurred reading the WS-Federation metadata document

ACS was unable to parse the provided metadata document, so it may be invalid. You can validate your document by running it through Microsoft.IdentityModel.Protocols.WSFederation.Metadata.MetadataSerializer.ReadMetadata().

ACS20010

No application service descriptors were found

Make sure that the metadata file contains an application service descriptor.

ACS20011

Multiple application service descriptors are not supported

Make sure that the metadata file contains only one application service descriptor.

ACS20012

400

Incoming request is not a valid WS-Federation request

Ensure that the request is a valid WS-Federation sign-in request or sign-in response and that it contains all of the required parameters.

ACS20014

400

The WS-Federation metadata document is not well-formed XML

This error occurs when the XML in the WS-Federation metadata document is not syntactically correct, such as when the document has extra or missing brackets or tags. It occurs most often when you attempt to create or edit a WS-FederationMetadata.xml document manually. This error is not related to compliance with the metadata XML schema.

To resolve this error, use an XML validator tool, such as the tools in Visual Studio or XML Notepad 2007.

OpenID Protocol Errors

Error HTTP Status Code Message Remedy

ACS30000

400

There was an error processing an OpenID sign-in response.

Details are in the message.

ACS30001

400

Unable to verify the OpenID response signature.

The OpenID signature was invalid or rejected by the identity provider. Ensure that the message was not tampered with.

Facebook Graph Protocol Errors

Error HTTP Status Code Message Remedy

ACS40000

400

An error occurred while processing a Facebook sign-in response. This may be caused by invalid configuration of the Facebook application.

Verify that the Application ID and Secret configured on ACS match the same values in the Facebook developer portal.

ACS40001

400

An error occurred while attempting to get an access token from Facebook.

Make sure that the application ID and the application secret that were configured via ACS are valid.

General Security Token Service Errors, Including Identity Provider Metadata

Error HTP Status Code Message Remedy

ACS50000

There was an error issuing a token.

Details are in the message.

ACS50001

400

Requested relying party realm '<Realm URL>' is unknown.

There was a mismatch between the AppliesTo given in the token request and the realms you have configured in ACS. Check that: 1. Your relying party has its realm configured correctly. You can do this through the Management Portal or using the Management Service, by looking at your RelyingParty.RelyingPartyAddresses entries.2. Your relying party has been associated with the identity provider. You can also do this from the Management Portal or using the Management Service, by looking at your RelyingPartyIdentityProviders entries.

ACS50002

400

Invalid service configuration. (Details are in the message.)

Details are in the message.

ACS50003

400

No primary symmetric signing key is configured. A symmetric signing key is required for SWT.

If the chosen relying party uses SWT as its token type, verify that a symmetric key is configured for the relying party or the Access Control namespace, and that the key is set to primary and within its validity period.

ACS50004

400

No primary X.509 signing certificate is configured. A signing certificate is required for SAML.

If the chosen relying party uses SAML as its token type, ensure that a valid X.509 certificate is configured for the relying party or the Access Control namespace. The certificate must be set to primary and must be within its validity period.

ACS50005

400

Token encryption is required but no encrypting certificate is configured for the relying party.

Either disable token encryption for the chosen relying party or upload an X.509 certificate to be used for token encryption.

ACS50006

403

Signature verification failed. (There may be more details in the message.)

Ensure that the verification keys that were configured via ACS are valid.

ACS50007

400

Signature not found.

Make sure that the incoming token is signed and valid.

ACS50008

401

SAML token is invalid. (There may be more details in the message.)

For more information, see How to Fix Error ACS50008.

ACS50009

401

SWT token is invalid. (There may be more details in the message.)

Details are in the message.

ACS50010

403

Audience URI validation failed. (There may be more details in the message.)

Make sure that the Audience of the incoming token is set to https://yournamespace.accesscontrol.windows.net

ACS50011

400

The ReplyTo address is missing or does not match the realm.

In order to work with WS-Federation, a relying party must have at least one ReplyTo address configured.
This is configurable in the ACS Management Portal using the Return URL field.
If the incoming message specifies a ReplyTo address, ensure that it matches a configured ReplyTo, or is a suffix of one (for example, for configured ReplyTo http://example.com/path1/, http://example.com/path1/index.aspx would be a valid requested ReplyTo, but http://example.com/path2/index.aspx would not).

ACS50012

401

Authentication failed. (There may be more details in the message.)

When a multi-tenant application tries to acquire a token to access the Graph API for an Azure AD tenant that has recently consented to the application, the token request might fail temporarily with error ACS50012. To resolve the problem, wait a few minutes and try again. Or, have the tenant administrator who provided consent log on to the application after consenting.

ACS50013

400

The number of segments in the URI value is more than the maximum acceptable number of path segments.

Make sure that the number of segments in the URI value is equal to or less than 32.

ACS50014

400

Self-asserted claims are not allowed for service and management identities.

Ensure that your service identity authentication token contains either no claims or only the name identifier claim.

ACS50015

400

An error occurred while attempting to get identity provider metadata.

More details might be found in the message. Make sure that the metadata URL or file is valid.

ACS50016

400

X509Certificate with subject '<Certificate subject name>' and thumbprint '<Certificate thumbprint>' does not match any configured certificate.

Ensure that the requested certificate has been uploaded to ACS.

ACS50017

401

The certificate with subject '<Certificate subject name>' and issuer '<Issuer name>' failed validation.

Ensure that the certificate is either self-signed or that it chains to a trusted root certification authority. The certificate must also not be revoked and must be within its validity period. For more information, see How to Fix Error ACS50017.

ACS50018

400

Missing realm. The name of the relying party was not specified.

Ensure that the request contains a realm.

ACS50019

401

Sign-in was canceled by the user.

ACS50020

401

User is unauthorized.

ACS50022

400

Callback parameter value '<Function name>' is not a valid JavaScript function name.

Ensure that the specified callback parameter is the name of a valid JavaScript function name. Valid JavaScript function names contain only letters, digits, and the ‘$’ and ‘_’ characters, and may not start with a digit. Unicode characters in function names are not supported.

ACS50026

Principal with name 'name' is not a valid principal.

This error indicates that an attempt to find an entity by the specified name has failed because the entity is not known to ACS. This entity could be a service identity, a relying party application, or an identity provider, depending on the scenario.

Verify that this entity exists in your Access Control namespace.

ACS50042

401

The salt required to generate a pairwise identifier is missing. If this application has been recently registered, wait for a few minutes before retrying.

If you try to log in to an application immediately after adding it to Azure AD, the log-in attempt might fail until the pairwise keys are synchronized. Wait a few minutes and try to log in again. For more information, see ACS Retry Guidelines.

Rules Engine, Data, and Management Service Errors

Error HTTP Status Code Message Remedy

ACS

60000

403

Policy engine error

Details are in the message.

ACS60001

No output claims were generated during rules processing.

The rule group(s) associated with the chosen relying party has no rules that are applicable to the claims generated by your identity provider. Configure some rules in a rule group associated with your relying party or generate pass-through rules using the rule group editor.

ACS60002

403

The quota for the number of token requests has been reached and no more may be requested.

ACS60003

403

Cannot modify a read-only property.

Certain built-in ACS objects cannot be modified or deleted.

ACS60004

409

Version conflict

A version conflict error can be received when trying to update the name of a relying party, identity provider, service identity, or issuer to be the same name as another relying party, identity provider, service identity, or issuer. To resolve the issue, choose a different unique name.

ACS60005

400

Attempted to add a child object with an invalid or missing parent.

For child objects, such as addresses, ensure that the parent object or object ID is valid and of the correct type.

ACS60006

400

Attempted to insert a new copy of an object that already exists in the database.

The object that you are attempting to insert violates a uniqueness constraint. Ensure that the object’s properties, such as name and address, are unique if required.

ACS60007

400

Invalid X.509 certificate

Ensure that the provided bytes are a valid X.509 certificate.

ACS60008

Unable to find a unique name for this <object type>.

ACS60012

The number of input claims (#) exceeds the limit (80).

Your incoming token must have 80 claims or less in order for ACS to process them and then successfully issue an outgoing token.

ACS60021

503

Service unavailable

The token request is rejected because ACS data servers are busy responding to token requests from all namespaces. Wait a few seconds and retry the requests over increasing time intervals. For more information, see ACS Retry Guidelines.

OAuth 2.0 Protocol Errors

Error HTTP Status Code Message Action required to fix the error

ACS70000

401

The provided access grant is invalid, expired or revoked.

Details are in the message.

ACS70001

401

The client is unauthorized.

ACS70002

401

Invalid client.

ACS70003

401

The access grant included is not supported by the authorization server.

ACS Management Portal Errors

Error HTTP Error Code Message Action required to fix the error

ACS80001

404

This rule is configured to use a Claim Issuer type that is not supported by the management portal. Please use the management service to view and edit this rule.

This error occurs if a rule is configured to use an Issuer that is not an identity provider or the Access Control Service “LOCAL AUTHORITY” issuer. For details on how to use the ACS Management Service, see ACS Management Service.

Other Errors

Error HTTP Error Code Message Remedy

ACS90002

404

The service namespace name in the URL is invalid.

Verify that the requested Access Control namespace exists.

ACS90004

400

The request is not properly formatted.

ACS90005

502

External server error. (More details may be found in the message.))

An error occurred during communication with an external server, such as an identity provider.

ACS90006

504

External server timeout.

Communication timed out while communicating with an external server, such as an identity provider.

ACS90007

405

Request method not allowed.

Ensure that the HTTP method (such as GET and POST) used is supported by that endpoint.

ACS90008

403

The tenant is disabled.

Make sure that your Access Control namespace is active.

ACS90009

404

No <object> was found for the given ID.

Details are in the message.

ACS90010

400

Not supported. (More details may be found in the message.)

Details are in the message.

ACS90011

400

Invalid request. (More details may be found in the message.)

Details are in the message.

ACS90012

408

The request to the server timed out.

Details are in the message.

ACS90013

400

Invalid user input. (More details may be found in the message.)

Details are in the message.

ACS90014

400

The required field '<Field>' is missing.

Make sure that your request to ACS contains all parameters that are required by the protocol that you are using.

ACS90015

403

Not authorized: Service keys are restricted for this Tenant.

ACS will not display keys belonging to the ServiceBus and Cache namespaces. To view these keys, use the ServiceBus or Cache portal.

ACS90016

400

'<Key size>' bits is an invalid key size. Key size must be greater than 0 and a multiple of 8.

ACS90046

503

Service unavailable

The token request is rejected because ACS is busy responding to token requests from all namespaces. Wait a few seconds and retry the requests over increasing time intervals. For more information, see ACS Retry Guidelines.

ACS90055

429

Too many requests

The token request is rejected, because this namespace exceeded the maximum token request rate of 30 tokens per second for a prolonged period. Wait a few seconds and retry the requests over increasing time intervals. If the error recurs, consider redistributing the workload over multiple namespaces. For more information, see ACS Service Limitations.