ADFS 2016: "An error occurred while upgrading FarmBehaviorLevel 'Max' from Minor Version '0' to Minor Version '3'. "

  • Question

  • Recently I had to upgrade my client's ADFS 3.0 to 4.0.

    They have 2 environments, one for Production and a Development env. When I upgraded the production environment everything went as expected, however, after trying to raise the FBL in the DEV environment I'm getting a lot of Event ID 180 in Event Viewer: "An error occurred while upgrading FarmBehaviorLevel 'Max' from Minor Version '0' to Minor Version '3'. " and the description is:

    Additional Data 
    Exception details: 
    AD FS requires a built-in relying party trust with name Windows Hello - Certificate Provisioning Service and access control policy with identifier PermitEveryone for all features to work correctly, but the access control policy cannot be found.  Add an access control policy with identifier PermitEveryone and restart the service to try creating again.

    I have read other people's suggestions on the internet but none of them seem to work:

    • Wait some time (already waited more than 2 weeks, the error does not go away)
    • Go back to the previous FBL and then upgrade the FBL to v3 using the "-Force" parameter (didn't work either and broke the trust with my WAP servers)

    When I check the FBL it shows that it is already on version 3, and if I try to run the FBL raise command I get a warning telling me that the FBL is already on version 3.

    I tried manually creating an Access Control Policy with "Permit Everyone" permissions, named the policy "Everyone" and restarted the ADFS service, but it did not help. Before creating this access policy the policies list was empty and I do not have any built-in trust named "Windows Hello - Certificate Provisioning Service" either. However, in my Production environment this relying party trust does not exist either, but I'm not getting the event 180 error there, so I'm not sure what I can try next.

    Any help will be appreciated, I already checked the following threads:

    • https://social.technet.microsoft.com/Forums/windows/en-US/3ee51c0f-c372-495d-b0b2-5701f6f61720/error-upgrading-farm-behavior-level-for-server-2016?forum=ADFS
    • http://rajkatk.blogspot.com/2018/04/windows-2016-adfs-fbl-challenges.html

    If I execute "Get-AdfsFarmInformation" in both of my ADFS environments, they both return CurrentFarmBehavior=3

    Thursday, May 31, 2018 8:30 PM

All replies

  • I'm having the exact same issue.  Tried many of the same steps.  Can't lower the level because I don't have a database to go down to (doesn't exist).  Can't go up because it already says I'm at 3.  

    Andrew Schwalbe

    Wednesday, June 20, 2018 7:22 PM
  • I have the same issue after installing the latest Windows updates to my Server 2016 farm. Functionality does not seem to be affected.
    Sunday, June 24, 2018 12:53 PM
  • Indeed, functionality has not been affected (so far), however, my client is planning to implement Windows Hello for Business in a few weeks, and I fear this unresolved issue might bite me in the rear in the middle of the Windows Hello deployment.
    Wednesday, July 4, 2018 4:32 PM
  • Same problem here for the first time. This is upgrading to ADFS 4.0 as well. Even with the FBL at version 3.0 I'm seeing this error every 5 minutes.

    When I do upgrade with the -force option it'll upgrade but then none of the endpoints function anymore.

    Restore-ADFSFarmBehaviorLevel gets everything running again but that error appears.

    There's one thread that mentions WinRM connectivity but that doesn't seem to be an issue. The error only appears on the primary. We even swapped out the servers and it continues. I wonder if something is corrupted in the WID.

    Hopefully we can get a surefire way to fix this.

    Saturday, February 23, 2019 9:53 PM
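
The checks the posts above describe, collected into one read-only PowerShell script that can be run on each farm (for example Production and DEV) and the output compared. This is an added example, not code from any poster in the thread; it assumes the ADFS module is available on the node, that AD FS admin events are in the `AD FS/Admin` log, and uses an arbitrary 24-hour window for counting Event ID 180.

```powershell
# Read-only checks; run in an elevated PowerShell session on the primary AD FS node.
Import-Module ADFS

# Names taken from the Event ID 180 text quoted in the thread.
$policyId = 'PermitEveryone'
$rpName   = 'Windows Hello - Certificate Provisioning Service'

# 1. Farm behavior level as the farm itself reports it.
$farm = Get-AdfsFarmInformation
"CurrentFarmBehavior: $($farm.CurrentFarmBehavior)"

# 2. Access control policies. The event text asks for a policy whose
#    Identifier is PermitEveryone; Name is a separate property on the object.
$policies = @(Get-AdfsAccessControlPolicy)
"Access control policies found: $($policies.Count)"
$policies | Select-Object Name, Identifier, IsBuiltIn |
    Format-Table -AutoSize | Out-String

if ($policies | Where-Object { $_.Identifier -eq $policyId }) {
    "Policy with identifier '$policyId': present"
} else {
    "Policy with identifier '$policyId': MISSING"
}

# 3. The built-in relying party trust named in the event text.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp) {
    "Relying party trust '$rpName': present (Enabled=$($rp.Enabled))"
} else {
    "Relying party trust '$rpName': MISSING"
}

# 4. How often Event ID 180 is being logged (assumed window: last 24 hours).
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'AD FS/Admin'; Id = 180; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
"Event ID 180 entries since ${since}: $($events.Count)"
if ($events.Count -gt 0) {
    "Most recent: $($events[0].TimeCreated)"
}
```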