I'm having trouble importing some claim providers and relying parties that specify unsupported values for the xml:lang attribute somewhere in their metadata.

The error message I get is:

ID3202: An error occurred while reading the metadata document. Parameter 'lang' has a value 'ua' that is not valid.

If I understood correctly, "ua" should instead be "uk" for Ukrainian, but I get the same for "la", which is Latin and should be totally accepted :)

What I would like to know is which are the language codes accepted by ADFS.

Thanks,
Paolo

Paolo Tedesco - http://cern.ch/idm

I am trying to troubleshoot an issue with SSO using ADFS for O365. 

We are have ADFD 3.0 and WAP configured.  Basically internal user that access https://login.microsoftonline.com/ should not be prompted for their password as we have Federated Identity and Directory Synchronization.  External user that access https://login.microsoftonline.com/ will get prompted credentials.  I used this great technet blog for the entire setup.  

http://blogs.technet.com/b/rmilne/archive/2014/04/28/how-to-install-adfs-2012-r2-for-office-365.aspx

Recently it was uncovered that when we try to access https://login.microsoftonline.com/ internally we are directed to the ADFS server as suspected but left to enter in our password as if we are trying to access https://login.microsoftonline.com/ externally. This is an example of where internal users get directed to.

https://sts.mycompany.com/adfs/ls/idpinitiatedsignon  

First thing was to rule out federation property between the ADFS server and Office 365.  There are no certificate issues.  This left me to perhaps something wrong with the ADFS server.  Event logs didn't provide anything with substance to look into other than a warning for The SAML artifact resolution endpoint is not configured or it is disabled.  I haven't gotten a good resolution for that in place but don't believe that is the issue.  What I did was remove the Claim Rule for Microsoft Office 365 Identity Platform and recreate using a KB I found without success.  Enable additional ADFS Verbose logging but nothing seem to stick out.

At this point I am not convince the issue is with ADFS, but I need to rule it out completely.

Thanks,

Bij

Hi all,

Playing with ADFS 3.0 and wanted to clarify a few things.

In our lab setup the connection runs via [ADFS client -> firewall appliance -> inspection appliance -> wap server -> firewall appliance -> adfs server]. The connection is secured with https, but at the inspection appliance we terminate the inbound https connection then reestablish the https connection inward.

At the inspection appliance, during the period where the traffic is decrypted, for the following POST,

POST /adfs/ls/?.......

We could see the information in the body showing the clear text username/domain/password,

BODY
UserName=cleartext_user@domain&Password=cleartext_password&AuthMethod=FormsAuthentication

What we'd like to know is, can this be encrypted or obfuscated within the post so that administrators of the device (internal staff + vendors) cannot access the information easily?

From what we can see so far it appears to be down to the implementation of each application,

• Microsoft ADFS = clear text inside https
• Microsoft OWA = clear text inside https
• 3rd party mapping application = encrypted inside https
• etc

MD

Hello MS team

I need some clarification in regards the design and deployment of ADFS server farm in the internal network and Proxy servers in the DMZ network. This client has already Hardware load balancer between the internal network and DMZ, and also between DMZ and external world

My client is looking to implement a SSO solution called Service now [see link below for systems requirements, and is planning on setting up a federated server farm (2 servers) behind a hardware load balance
http://wiki.servicenow.com

I would like propose the following design

Primary Site
2 ADFS 2008 R2 or 2012 R2 deployed on the internal network where the DCD/DNS/Exchange servers are hosted. These servers will be dedicated ADFS boxes

2 Proxy or WAP servers deployed in a DMZ network

A Big IP F5 HLB between internal network and DMZ
A Big IP F5 HLB between DMZ and Internet

Secondary site or DR location

Same as above

Here are my queries, and the confusion:

Is an ADFS proxy or WAP necessary if we put the federated server farm behind the hardware load balancer? I need the solution to be redundant however it would seem unnecessary for us to build out 4 servers (2 for ADFS, 2 for proxy and/or WAP[Windows 2012 R2 or 2008 R2 for proxies).

My understanding is the WAP/or proxy will be used to present ADFS to the internet, so that we can allow external users to access the SSO internal application, and also we can use any kind of reverse proxy to do this, such as TMG or F5. Is that correct?

Should I follow the same Microsoft procedure to setup a farm of ADFS servers with NLB, even if we use a Hardware load balancer [F5]?

Is network load balancing required to setup a farm of ADFS servers and proxies or WAPs?

I found some documentation about the third party HLB that states how we should setup ADFS for F5. Your thoughts?

 let's assume that I install Proxy servers [Windows 2008] or WAP servers[2012 R2] on a DMZ network, and there is a F5 Hardware load balancer between DMZ and internet,  is this still a good design? Are the proxy and WAP servers required even if I have a Hardware load balancer?

My understanding is that to setup a farm of ADFS servers you have to deploy Windows Network load balancing, same for Proxy servers or WAP servers. Should I install NLB for the internal farm of ADFS servers and also proxy or WAP servers or the load balancing stuff must be configured at the Hardware load balancer?

From F5

https://devcentral.f5.com/articles/big-ip-and-adfs-part-1-ndash-ldquoload-balancing-the-adfs-farm-rdquo

The proposed solution will look as per below image

Franki

Hello MS team

I need some clarification in regards the design and deployment of ADFS server farm in the internal network and Proxy servers in the DMZ network. This client has already Hardware load balancer between the internal network and DMZ, and also between DMZ and external world

My client is looking to implement a SSO solution called Service now [see link below for systems requirements, and is planning on setting up a federated server farm (2 servers) behind a hardware load balance
http://wiki.servicenow.com

I would like propose the following design

Primary Site
2 ADFS 2008 R2 or 2012 R2 deployed on the internal network where the DCD/DNS/Exchange servers are hosted. These servers will be dedicated ADFS boxes

2 Proxy or WAP servers deployed in a DMZ network

A Big IP F5 HLB between internal network and DMZ
A Big IP F5 HLB between DMZ and Internet

Secondary site or DR location

Same as above

Here are my queries, and the confusion:

Is an ADFS proxy or WAP necessary if we put the federated server farm behind the hardware load balancer? I need the solution to be redundant however it would seem unnecessary for us to build out 4 servers (2 for ADFS, 2 for proxy and/or WAP[Windows 2012 R2 or 2008 R2 for proxies).

My understanding is the WAP/or proxy will be used to present ADFS to the internet, so that we can allow external users to access the SSO internal application, and also we can use any kind of reverse proxy to do this, such as TMG or F5. Is that correct?

Should I follow the same Microsoft procedure to setup a farm of ADFS servers with NLB, even if we use a Hardware load balancer [F5]?

Is network load balancing required to setup a farm of ADFS servers and proxies or WAPs?

I found some documentation about the third party HLB that states how we should setup ADFS for F5. Your thoughts?

 let's assume that I install Proxy servers [Windows 2008] or WAP servers[2012 R2] on a DMZ network, and there is a F5 Hardware load balancer between DMZ and internet,  is this still a good design? Are the proxy and WAP servers required even if I have a Hardware load balancer?

My understanding is that to setup a farm of ADFS servers you have to deploy Windows Network load balancing, same for Proxy servers or WAP servers. Should I install NLB for the internal farm of ADFS servers and also proxy or WAP servers or the load balancing stuff must be configured at the Hardware load balancer?

From F5

https://devcentral.f5.com/articles/big-ip-and-adfs-part-1-ndash-ldquoload-balancing-the-adfs-farm-rdquo

The proposed solution will look as per below image

Franki

We have a SSO infrastructure setup whereby we are using the whr query string implementation (via the usual handshaking authentication process between the  user and the ADFS farm)  to access our Relay party app  which all  works just fine.

However, when a user close down their app/ browser session (ideally they should logon out) and then click on the UI link to re-launch the application (to fire up a second instance of the app), then the left hand side of the application is missing from view. There are no error msg.

We are currently on ADFS 2.0 while our ADFS hosting partner is on ADFS 2.0 rollup 1.0. I have two questions namely;

Would the new rollup 2.0 rollup 2.0 of ADFS address our above issue?

Should we be on the same version /rollup of ADFS as our ADFS partner (compatibility issues)?

Thanks in advance

According to this: http://blogs.technet.com/b/askds/archive/2012/09/27/ad-fs-2-0-relaystate.aspx

The RelayState parameter was supported as of ADFS 2.0 Update 2 with an edit to web.config. There is no information on RelayState support with ADFS 3.0 in WS 2012 R2, so I assume that RelayState is supported without any additional configuration. Is this correct?

We are having trouble passing a RelayState URL created with the URL generator to a third party STS. We are trying to figure out if the issue is with ADFS passing the URL or on the 3rd party STS. Can someone confirm if there is any additional configuration required on ADFS 3.0 to pass RelayState (like it was in ADFS 2.0)? Or is this supported right out of the box?

thanks,

Dustin

Hi All - We have configured the ADFS SSO for few of the applications so once I logged in SSO I can see that all the applications under "<label for="idp_OtherRpRadioButton">Sign in to one of the following sites:</label>"

When I select and signing in the application it is opening in the same window in all the browsers so  if I need to login other application again I have to enter the ADFS URL in another one tab and signing in for the other applications. It is not asking the credentials but that should open in new tab, not in the same window.

how to open the application in new tab when we are signing in. Do we have the way to change that.

All the application should open in the new tab from the SSO home page.

Please suggest how to achieve this.

Thanks in advance!!

Regards,

Suthakar

I have a rule like this:

=> issue(type = "http://foo.bar/someclaim", value = "a "quotes-containing" claim value");

How am I supposed to escape the quotes in the claim rules language?

I have tried using \" and "" but it didn't work.

Paolo Tedesco - http://cern.ch/idm

Hello Experts

I am trying to configure ADFS 3.0 with Sharepoint 2013 and facing an issue with ADFS 3.0 url

When I try to access url https://<ADFS.domain.com>/adfs/ls - I face following error 

----------------------------------------------------------

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 

Relying Party: 

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/ to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

----------------------------------------------------------

But When I try to access ADFS url - https://<ADFS.domain.com>/adfs/ls/idpinitiatedsignon 

It works.. 

Is it normal behavior or something wrong here.

Please suggest.

Thanks

in ADFS event viewer I am getting the below :

I am trying to get ADFS and SAML authentication working and the resolution I was told was in this post: https://social.msdn.microsoft.com/Forums/en-US/7f3bd35f-b86d-4a31-98f9-9fcdd571c05d/sessionindex-attribute-missing-in-authnstatement-element?forum=Geneva

However, I am not sure how to do what it mentions. Anyone have any insight? Thanks

Hi All,<o:p></o:p>

I have on ADFS server and one ADFS proxy .<o:p></o:p>

I was using the key  <useRelayStateForIdpInitiatedSignOn enabled="true" />in my ADFS/ls configuration file.<o:p></o:p>

To use this key we have installed the HOT fix roll up 2. (Microsoft windows kb2681584)<o:p></o:p>

This hot fix was recommended to make ADFS 2.0 consume the RelayState for SAML application integrations.<o:p></o:p>

But now suddenly my application is not able to use this key in ADFS/ls configuration file.<o:p></o:p>

Is this hot fix setup got corrupt ? Should I reinstall this hot fix again and will  re installing  impact my ADFS 2.0 environment.<o:p></o:p>

Can anybody tell me how I can fix this issue.

Thanks in advance<o:p></o:p>

i'm trying to install ADFS on a new installation of a Win Server 2012R2 and I get an error in the post-deployment configuration. The Domain Controller is a Win Server 2008R2. Please someone help me, i've been trying to solve this for 3 days.

The error says:

Schema verification failed for database 'AdfsConfiguration'. ALTER DATABASE statement failed. Failed to restart the current database. The current database is switched to master.

This is the error log after the installation:

2015-04-29 12:46:55.93 Server Microsoft SQL Server 2012 - 11.0.2100.60 (X64) Feb 10 2012 19:39:15 Copyright (c) Microsoft Corporation Windows Internal Database (64-bit) on Windows NT 6.2 (Build 9200: ) (Hypervisor)

2015-04-29 12:46:55.97 Server (c) Microsoft Corporation.

2015-04-29 12:46:55.97 Server All rights reserved.

2015-04-29 12:46:55.97 Server Server process ID is 1532.

2015-04-29 12:46:55.97 Server System Manufacturer: 'VMware, Inc.', System Model: 'VMware Virtual Platform'.

2015-04-29 12:46:55.98 Server Authentication mode is WINDOWS-ONLY.

2015-04-29 12:46:55.98 Server Logging SQL Server messages in file 'C:\Windows\WID\Log\error.log'.

2015-04-29 12:46:55.98 Server The service account is 'NT SERVICE\MSSQL$MICROSOFT##WID'. This is an informational message; no user action is required.

2015-04-29 12:46:56.00 Server Registry startup parameters: -w 65535 -T 1617 -K -e C:\Windows\WID\Log\error.log -l C:\Windows\WID\Data\mastlog.ldf -d C:\Windows\WID\Data\master.mdf

2015-04-29 12:46:56.00 Server Command Line Startup Parameters: -S "MSWIN8.SQLWID" -s "MICROSOFT##WID"

2015-04-29 12:46:56.54 Server SQL Server detected 1 sockets with 1 cores per socket and 1 logical processors per socket, 1 total logical processors; using 1 logical processors based on SQL Server licensing. This is an informational message; no user action is required.

2015-04-29 12:46:56.54 Server SQL Server is starting at normal priority base (=7). This is an informational message only. No user action is required.

2015-04-29 12:46:56.54 Server Detected 4095 MB of RAM. This is an informational message; no user action is required.

2015-04-29 12:46:56.54 Server Using conventional memory in the memory manager.

2015-04-29 12:46:59.38 Server Node configuration: node 0: CPU mask: 0x0000000000000001:0 Active CPU mask: 0x0000000000000001:0. This message provides a description of the NUMA configuration for this computer. This is an informational message only. No user action is required.

2015-04-29 12:46:59.41 Server Using dynamic lock allocation. Initial allocation of 2500 Lock blocks and 5000 Lock Owner blocks per node. This is an informational message only. No user action is required.

2015-04-29 12:46:59.42 Server Software Usage Metrics is disabled.

2015-04-29 12:46:59.57 spid7s Starting up database 'master'.

2015-04-29 12:47:00.20 spid7s The password regeneration attempt for SA was successful.

2015-04-29 12:47:00.25 spid7s Resource governor reconfiguration succeeded.

2015-04-29 12:47:00.25 spid7s SQL Server Audit is starting the audits. This is an informational message. No user action is required.

2015-04-29 12:47:00.26 spid7s SQL Server Audit has started the audits. This is an informational message. No user action is required.

2015-04-29 12:47:00.48 spid7s SQL Trace ID 1 was started by login "sa".

2015-04-29 12:47:00.50 spid7s Server name is 'GARWEB01\MICROSOFT##WID'. This is an informational message only. No user action is required.

2015-04-29 12:47:01.00 Server CLR version v4.0.30319 loaded.

2015-04-29 12:47:01.16 spid9s Starting up database 'mssqlsystemresource'.

2015-04-29 12:47:01.21 spid7s Starting up database 'msdb'.

2015-04-29 12:47:01.24 spid13s The service master key regeneration was successful.

2015-04-29 12:47:01.24 spid13s Server local connection provider is ready to accept connection on [ \.\pipe\MICROSOFT##WID\tsql\query ].

2015-04-29 12:47:01.25 spid9s The resource database build version is 11.00.2100. This is an informational message only. No user action is required.

2015-04-29 12:47:01.26 spid13s Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag 7806. This is an informational message only. No user action is required.

2015-04-29 12:47:01.43 spid9s Starting up database 'model'.

2015-04-29 12:47:01.87 spid9s Clearing tempdb database.

2015-04-29 12:47:03.65 spid9s Starting up database 'tempdb'.

2015-04-29 12:47:07.48 spid16s The Service Broker endpoint is in disabled or stopped state.

2015-04-29 12:47:07.52 spid16s The Database Mirroring endpoint is in disabled or stopped state.

2015-04-29 12:47:07.72 spid16s Service Broker manager has started.

2015-04-29 12:47:08.13 Server Common language runtime (CLR) functionality initialized using CLR version v4.0.30319 from C:\Windows\Microsoft.NET\Framework64\v4.0.30319.

2015-04-29 12:47:09.13 spid7s SQL Server is now ready for client connections. This is an informational message; no user action is required.

2015-04-29 12:47:09.28 spid7s Recovery is complete. This is an informational message only. No user action is required.

2015-04-29 12:47:09.59 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 0 seconds. Working set (KB): 5648, committed (KB): 119708, memory utilization: 4%.

2015-04-29 12:49:03.32 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 331 seconds. Working set (KB): 24060, committed (KB): 98188, memory utilization: 24%.

2015-04-29 12:52:52.70 spid51 Attempting to load library 'xpsqlbot.dll' into memory. This is an informational message only. No user action is required.

2015-04-29 12:52:52.74 spid51 Using 'xpsqlbot.dll' version '2011.110.2100' to execute extended stored procedure 'xp_qv'. This is an informational message only; no user action is required.

2015-04-29 12:53:05.74 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 601 seconds. Working set (KB): 38888, committed (KB): 98548, memory utilization: 39%.

2015-04-29 12:58:19.65 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 928 seconds. Working set (KB): 39020, committed (KB): 98548, memory utilization: 39%.

2015-04-29 13:03:46.67 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 1258 seconds. Working set (KB): 39580, committed (KB): 98892, memory utilization: 40%.

2015-04-29 13:09:17.59 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 1523 seconds. Working set (KB): 39568, committed (KB): 98940, memory utilization: 39%.

2015-04-29 13:15:34.11 spid3s A significant part of sql server process memory has been paged out. This may result in a performance degradation. Duration: 1853 seconds. Working set (KB): 39776, committed (KB): 99044, memory utilization: 40%.

2015-04-29 13:16:33.02 Logon Error: 18456, Severity: 14, State: 38.

2015-04-29 13:16:33.02 Logon Login failed for user 'GARANTIZAR\BackupUSR'. Reason: Failed to open the explicitly specified database 'AdfsConfiguration'. [CLIENT: ]

2015-04-29 13:16:48.56 Logon Error: 18456, Severity: 14, State: 38.

2015-04-29 13:16:48.56 Logon Login failed for user 'GARANTIZAR\BackupUSR'. Reason: Failed to open the explicitly specified database 'AdfsConfiguration'. [CLIENT: ]

2015-04-29 13:16:50.57 spid51 Starting up database 'AdfsConfiguration'.

2015-04-29 13:16:51.38 spid51 Setting database option SINGLE_USER to ON for database 'AdfsConfiguration'.

2015-04-29 13:16:51.88 spid34s Could not start Service Broker for database id: 5. A problem is preventing SQL Server from starting Service Broker. Check the SQL Server error log for additional messages.

2015-04-29 13:16:51.97 spid34s Error: 9645, Severity: 16, State: 3.

2015-04-29 13:16:51.97 spid34s An error occurred in the service broker manager, Error: 3602, State: 124.

2015-04-29 13:16:59.89 spid51 Setting database option MULTI_USER to ON for database 'AdfsConfiguration'.

2015-04-29 13:17:00.23 spid51 Starting up database 'AdfsConfiguration'.

2015-04-29 13:17:00.34 spid51 Failed to verify Authenticode signature on DLL 'C:\Windows\WID\Binn\DBVerify\adfsconfigDbVerify.dll'.

2015-04-29 13:17:58.86 spid51 Starting up database 'AdfsConfiguration'.

2015-04-29 13:18:20.94 spid54 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.

2015-04-29 13:18:21.11 spid54 Using 'xpstar.dll' version '2011.110.2100' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.

2015-04-29 13:18:23.04 spid54 Starting up database 'AdfsConfiguration'.

2015-04-29 13:18:42.36 spid54 Setting database option MULTI_USER to ON for database 'AdfsConfiguration'.

2015-04-29 13:18:42.41 spid54 Starting up database 'AdfsConfiguration'.

2015-04-29 13:18:42.44 spid54 Failed to verify Authenticode signature on DLL 'C:\Windows\WID\Binn\DBVerify\adfsconfigDbVerify.dll'.

Hi

Am trying to configure ADFS for customer application called Cornerstone , they have given inputs for configuring SSO in link 

https://support.symplified.com/entries/36837653-Application-Enablement-Cornerstone-SAML (refer SSO Guide)

1. Do i still need metadata file from the application vendor to import on ADFS 

Need help to configure same , step-by-step will be helpfull

I have been working through an issue with ADFS 3.0 and alternateloginid...I was wondering if anyone else has seen this?

I have some users that are set with UPN suffix default.co.uk, but the dns name and default UPN suffix is default.com. Everyone is logging in with their email address which might be one of several domains. Users will be able to logon via WIA (username and pass is correct), but...

• This only happens with forms auth...either non-wia browser or through the proxies
• I can see the user being found via mail=mail_addr in the ADFS trace logs
• The user has a successful security event log entry for explicit credential login. (event id: 4648)
• ADFS returns event id: 364 with "MSIS7066: Authentication failed for the request. ---> The user name or password is incorrect."
• UPN suffix is in the alternate UPN suffix list

When you change from "default.co.uk" to "default.com" user is able to login. One of the reason's we rolled out ADFS 3 was to keep from having to modify users UPN values. If the alternatelogonid is discoverable, the credentials validate, and the UPN suffix is in the list of alternate suffixes...why fail the authentication?

Does anyone know if this is configurable?

Hi,

I have a load balanced ADFS 3.0 farm with a load balanced WAP front end infrastructure using Windows NLB.  The ADFS farm uses the internal Windows database.  I am looking for some documentation on how to backup and restore ADFS 3.0 in this configuration. There are documents on ADFS 2.0 but ADFS 3.0 differs from this version so I am looking for updated information.

Regards,

B

Hello everyone!

I have deployed an environment in two locations.

The first one contains:

2 x Domain Controllers (let's name it DC1 and DC2)- both are connected through vpn to the 3rd domain controler( DC3) in second location

5 x ADFS Servers connected to the load balancer  - there is no connection between ADFS servers and 3rd domain controler(DC3) in second location

The second contains:

1 x Domain Controller (DC3)

2 x Clustered OBIEE servers connected to the DC3's AD LDAP. Also these servers are connected to the LB and are accessible from the internet

If I had test environment containing OBIEE servers in first location everything was ok. I could log into OBIEE weblogic servers through SSO (ADFS). 

Now there is a problem. I can't log in to OBIEE becouse I am getting on OBIEE site 403 - forbidden.

In ADFS logs all the time I am getting  when I am trying to connect OBIEE following error:

Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '2' seconds.

I read many articles in oracle support and microsoft sites wchich indicated on:

1. differences between network time servers - I synchronized the time between all servers.
2. permissions for users and groups who can access to the obiee - I did it

The main question is: Is it possible the problem persists becouse my DC3 is not connected to the ADFS servers?

Hi,

while sign-out from application. it is throwing error massage.

--------------------------------------------------------

An error occurred         

Error details

• Activity ID: 00000000-0000-0000-4f5a-008000000091
• Error time: Thu, 30 Apr 2015 13:22:53 GMT
• Cookie: enabled
• User agent string: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; Zune 4.7; InfoPath.3)

------------------------------------------------------------------

I have configured three RPs trusts like this.

https://tesdev.contoso.com/

https://testdev.contoso.com/app1

https://testdev.contoso.com/app2

 from home page https://tesdev.contoso.com/ , when I click signout ADFS throws the error.

How would I Correct this error ?

Regards,

Saswati