ADFS Setup - A Constraint Violation occurred

  • Question

  • Hello,

I've spent days on this.  I'm trying to install ADFS on an internal Windows 2016 server (tried on a Windows 2012R2 server too).  After this I need to create the WAP server on the DMZ (Proxy).  However when I install the ADFS server I get an error - A Constraint Violation occurred.

    This is what I have tried.

    Got the new public certificate for sts.externaldomain.com and it failed again.

    1. Used IIS on a Windows 2016 server and followed this https://www.digicert.com/csr-creation-ssl-installation-ad-fs-windows-server-2012-iis8.htm the domain name (common name) is sts.externaldomain.com
    2. On our internal ADFS server (Windows 2016) I selected the ADFS install role.
    3. I followed this https://www.youtube.com/watch?v=tAQ2n-bJ6Vs to install
    4. It's not until we get to the database section that it fails.  We have tried the internal WID method and SQL.  When using SQL the 2 databases are successfully created, so I think it might be a certificate issue.  For the certificate creation and install I used this https://www.digicert.com/csr-creation-ssl-installation-ad-fs-windows-server-2012-iis8.htm
    5. This is the GUI error:


    6. If I do the same as above, but use Powershell:


    # Windows PowerShell script for AD FS Deployment
    Import-Module ADFS

    # Get the credential used for performing installation/configuration of ADFS
    $installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."

    # Get the credential used for the federation service account
    $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

    # Configure the first node of the farm against a SQL configuration database
    Install-AdfsFarm `
        -CertificateThumbprint:"036BE04EFC4187CA0909704056153BF9942BB1E3" `
        -Credential:$installationCredential `
        -FederationServiceDisplayName:"EMG ADFS" `
        -FederationServiceName:"sts.externaldomain.com" `
        -ServiceAccountCredential:$serviceAccountCredential `
        -SQLConnectionString:"Data Source=emg-db01;Initial Catalog=ADFSConfiguration;Integrated Security=True;Min Pool Size=20"

    I get this error:

    Unable to configure private key store

    8. I then turned on ADFS verbose logging and see this:

    Event ID 44

    Could not bind to DN:'CN=be06e716-b096-4291-b3e8-f3ac036a0d7e,CN=ADFS,CN=Microsoft,CN=Program Data,DC=us,DC=vo,DC=local'. Got exception:'System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.

       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.RefreshCache()
       at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
       at System.DirectoryServices.DirectoryEntry.get_NativeGuid()
       at System.DirectoryServices.DirectoryEntry.get_Guid()
       at Microsoft.IdentityServer.CertificateManagement.DkmFactory.CheckExistence(String distinguishedName, String& dcName)'. Concluding that the said DN does not exist.

    Event ID 12

    Error: Exception: A constraint violation occurred.

    StackTrace:    at System.DirectoryServices.DirectoryEntry.CommitChanges()
       at Microsoft.IdentityServer.Dkm.ADRepository.SetGroupContainerSecurity(Guid keyGuid)
       at Microsoft.IdentityServer.Dkm.ADRepository.CreateGroupContainer()
       at Microsoft.IdentityServer.Dkm.DKMBase.InitializeGroup(IdentityReference identity)
       at Microsoft.IdentityServer.Configuration.Providers.DkmProvider.CreateDkmGroup(DkmConfiguration dkmSettings)
       at Microsoft.IdentityServer.Configuration.Tasks.DKMSetup.DKMSetupTask.DoSetupDKM(IDKMSetupContext context)
       at Microsoft.IdentityServer.Configuration.UserAccountImpersonator.ImpersonatedExecute(ImpersonatedAction action)
       at Microsoft.IdentityServer.Deployment.Core.Tasks.ConfigurationTaskBase.Execute(IDeploymentContext context, IProgressReporter progressReporter)

    Any ideas on how I fix this?


    Tuesday, July 18, 2017 7:42 AM

All replies

  • First of all thank you! If all posts could be as detailed, it would certainly improve the response rate!

    So it fails at creating the DKM object in AD. This is the object where the farm is storing the encryption keys for the private keys in its DB. I have seen this fail under 3 conditions, so let's check if one of them is a match:

    1. You modified the permissions of the containers under CN=Program Data,DC=us,DC=vo,DC=local. We need to be a member of Domain Admins just for the install of the first node because we are creating objects under there. Let's say you changed the default permissions on the containers and the Domain Admins don't have the necessary permission any more.
    2. The DKM object is using "contact" class objects to store its information. It might sound odd, but it avoids a schema extension and the contact class is a pretty lightweight class too. So if you have quotas that prevent you from creating more than x objects, maybe you have reached that quota?
    3. The encryption key is stored in the thumbnailPhoto attribute of these objects. So let's say you modified the schema to make sure users are not storing their pictures in AD. Well, by doing that you also prevent ADFS from storing its keys... Can you check the thumbnailPhoto attribute in the schema if it has been changed?

    Let us know!

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Tuesday, July 18, 2017 1:30 PM
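The three conditions in the reply above can be checked from PowerShell before re-running Install-AdfsFarm. The script below is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module, the current user's domain, and the DKM container path quoted in the Event ID 44 message (CN=ADFS,CN=Microsoft,CN=Program Data,<domain DN>). The stack trace shows the failure inside SetGroupContainerSecurity, i.e. while writing the DACL of the new container, so the ACL check looks for CreateChild and WriteDacl on CN=Program Data in particular.

```powershell
# Added example (not from the original thread): pre-checks for the three DKM
# failure conditions. Run on a domain-joined machine, as the account you will
# hand to Install-AdfsFarm. Assumes the RSAT ActiveDirectory module and the
# container path seen in the Event ID 44 message.
Import-Module ActiveDirectory

$domainDN    = (Get-ADDomain).DistinguishedName
$programData = "CN=Program Data,$domainDN"
$adfsDkm     = "CN=ADFS,CN=Microsoft,$programData"

# --- 1. Installing account vs. the ACL on CN=Program Data ---------------------
$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$daSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | ForEach-Object { $_.SID.Value }
"Running as $($me.Name); Domain Admins member: $($daSids -contains $me.User.Value)"

# The install creates child objects and then sets their DACL, so Domain Admins
# (or SYSTEM) must still hold CreateChild and WriteDacl here.
(Get-Acl -Path "AD:\$programData").Access |
    Where-Object { $_.IdentityReference -match 'Domain Admins|Enterprise Admins|SYSTEM' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# --- 2. Contact objects and directory object quotas --------------------------
$quotas = Get-ADObject -Identity "CN=NTDS Quotas,$domainDN" -Properties msDS-DefaultQuota
"Default object quota: $($quotas.'msDS-DefaultQuota') (-1 means unlimited)"
Get-ADObject -SearchBase "CN=NTDS Quotas,$domainDN" -LDAPFilter '(objectClass=msDS-QuotaControl)' `
    -Properties msDS-QuotaTrustee, msDS-QuotaAmount |
    Select-Object Name, msDS-QuotaTrustee, msDS-QuotaAmount | Format-Table -AutoSize

try {
    $contacts = Get-ADObject -SearchBase $adfsDkm -SearchScope Subtree `
        -LDAPFilter '(objectClass=contact)' -ErrorAction Stop
    "DKM container exists with $(@($contacts).Count) contact object(s)"
} catch {
    "DKM container $adfsDkm not found (normal before the first node is configured)"
}

# --- 3. thumbnailPhoto must still be a usable binary attribute ---------------
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=thumbnailPhoto)' `
    -Properties attributeSyntax, rangeUpper, isDefunct, searchFlags
if (-not $attr) {
    "thumbnailPhoto is missing from the schema"
} else {
    # Stock schema: attributeSyntax 2.5.5.10 (octet string), rangeUpper 102400,
    # isDefunct not set. A lowered rangeUpper or isDefunct=TRUE is what a
    # "no photos in AD" schema change usually looks like.
    $attr | Select-Object Name, attributeSyntax, rangeUpper, isDefunct, searchFlags | Format-List
}
```

Run it once as the account that failed and once as a freshly created domain admin; a difference in the first section (group membership or the effective rights listed) narrows the problem to the account, while sections 2 and 3 are domain-wide and would fail for any account.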
  • Hello,

    I went through all your conditions and all appeared to be ok, however I simply (by chance) created a fresh domain account and tried it and to my disbelief it worked!

    I now have ADFS running and the WAP server too, I just need to link it to Azure.

    The main issue I have right now is testing the single sign on from IE.  I've added sts.ourdomain.com to our IE trusted sites (via GPO) and then go to https://sts.ourdomain.com/adfs/ls/IdpInitiatedSignon.aspx and from my workstation on the internal domain it displays a webpage and I click on sign in and it auto signs me in, so single sign on worked!  However for 2 of my colleagues it doesn't and they have the site added to the IE trusted sites too.

    In our AD DNS I've added an A host record for sts to the ourdomain.com zone to point to our internal ADFS IP.

    How can I troubleshoot this?  I've also got to get it to work in Citrix and get the same issue where you have to manually sign in.  I'm not sure where to look for any clues?


    Wednesday, July 19, 2017 7:14 PM
  • TB303,

    Trusted sites will not assume SSO unless the browser is configured to automatically logon with username and password via the browser setting. In other words, you'll get an NTLM challenge as the browser degrades the "negotiate" request from Kerberos to NTLM.

    What is the behavior if you configure the same FQDN setting in the Intranet zone? Does it work then or do you still get the prompt for creds?


    Wednesday, July 19, 2017 10:18 PM
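The zone assignment and the "Logon" URL action the reply above refers to are both per-user registry state, so they can be read from the affected user's own session. The script below is an added example, not code from the thread or from Microsoft; it assumes the federation service name sts.ourdomain.com used in the thread, the documented WinINet locations for zone mapping (ZoneMap\Domains for manual entries, Policies\...\ZoneMapKey for the GPO "Site to Zone Assignment List") and the Logon action value 1A00 under Zones\1 (Local intranet, whose default 0x20000 is "automatic logon only in Intranet zone").

```powershell
# Added example (not from the original thread): client-side checks for the
# Windows Integrated Authentication path. Run in the affected user's session.
# Assumes sts.ourdomain.com as the federation service name and the RSAT
# ActiveDirectory module for the SPN lookup.
$fqdn = 'sts.ourdomain.com'
$label, $domain = $fqdn -split '\.', 2          # 'sts', 'ourdomain.com'
$zoneNames = @{ 0='My Computer'; 1='Local intranet'; 2='Trusted sites'; 3='Internet'; 4='Restricted sites' }

# --- 1. Which zone does this FQDN land in, and who put it there? -------------
$results = @()
foreach ($hive in 'HKCU', 'HKLM') {
    # Manual entries (Internet Options > Security > Sites)
    $manual = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$label"
    if (Test-Path $manual) {
        $p = Get-ItemProperty -Path $manual
        foreach ($scheme in 'https', 'http', '*') {
            if ($null -ne $p.$scheme) { $results += "$hive manual ${scheme}://$fqdn -> $($zoneNames[[int]$p.$scheme])" }
        }
    }
    # GPO "Site to Zone Assignment List" (value name = site, data = zone number)
    $policy = "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (Test-Path $policy) {
        $names = (Get-Item -Path $policy).Property | Where-Object { $_ -like "*$fqdn*" -or $_ -like "*$domain*" }
        foreach ($n in $names) {
            $z = (Get-ItemProperty -Path $policy -Name $n).$n
            $results += "$hive policy $n -> $($zoneNames[[int]$z])"
        }
    }
}
if ($results) { $results } else { "$fqdn is not mapped in any zone list; IE will treat it as Internet" }

# --- 2. "Logon" URL action (1A00) for the Local intranet zone ----------------
$logonMeaning = @{ 0       = 'Automatic logon with current user name and password'
                   0x10000 = 'Prompt for user name and password'
                   0x20000 = 'Automatic logon only in Intranet zone'
                   0x30000 = 'Anonymous logon' }
foreach ($base in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1',
                  'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1') {
    if (Test-Path $base) {
        $v = (Get-ItemProperty -Path $base -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { "$base 1A00 = 0x{0:X} ({1})" -f $v, $logonMeaning[[int]$v] }
    }
}

# --- 3. Kerberos side: SPN registration and a ticket after the browser test --
Import-Module ActiveDirectory
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=HOST/$fqdn)")
switch ($owners.Count) {
    0       { "No account holds HOST/$fqdn; Negotiate cannot use Kerberos for it" }
    1       { "HOST/$fqdn is registered on $($owners[0].DistinguishedName)" }
    default { "HOST/$fqdn is registered on $($owners.Count) accounts (duplicate SPN)" }
}
$tickets = klist.exe tickets 2>$null
if ($tickets -match "HOST/$fqdn") { "Kerberos ticket for HOST/$fqdn present in this session" }
else { "No Kerberos ticket for HOST/$fqdn in this session (browser has not done Kerberos to it yet)" }

# Server side, on the AD FS node: a browser is only offered WIA when its
# User-Agent matches an entry in (Get-AdfsProperties).WIASupportedUserAgents.
```

Compare the output between a user for whom SSO works and one who gets the prompt: sections 1 and 2 differ only if the per-user zone or Logon setting differs, and section 3 tells you whether Kerberos was even possible for the name the browser is using.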
  • Yeah it never works on Chrome, 80% of IE, but the ones that fail I don't get the NTLM challenge.  If they manually log in it's ok.

    Is there a better way to test ADFS single sign on is working for users?

    Thursday, July 20, 2017 8:51 AM
    Sorry, the FQDN was added to the Local intranet zone, not the Trusted zone.

    I asked 6 users to try it, only 2 get the prompt to sign in.  We are in the same OU too and on the same laptop image.

    Thursday, July 20, 2017 9:00 AM