locked
Unable to start ADFS service after export/import (ADFS 2.0 to 4.0 migration) RRS feed

  • Question

  • Hi,
    I've perfomed the export/import scripts to migrate ADFS from an ADFS 2.0 server to an ADFS 4.0 server. (from the ADFS sources folder of the Win2016 DVD)
    The export/import went without issues (claims provider trusts visible, certificates Ok, etc)

    I've used the same SVC account on the 4.0 server as we had on the 2.0 server.

    However, after restarting the ADFS service on the ADFS 4.0 server, it now fails to start :

    In eventvwr (ADFS admin log), I see the following events :

    102 :
    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. 

    Additional Data 
    Exception details: 
    System.Runtime.InteropServices.COMException (0x8007200A): The specified directory service attribute or value does not exist.

       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.RefreshCache()
       at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
       at System.DirectoryServices.DirectoryEntry.get_NativeGuid()
       at System.DirectoryServices.DirectoryEntry.get_Guid()
       at Microsoft.IdentityServer.CertificateManagement.DkmFactory.CheckExistence(String distinguishedName, String& dcName)
       at Microsoft.IdentityServer.CertificateManagement.DkmFactory.GetDkm(DkmConfiguration config)
       at Microsoft.IdentityServer.CertificateManagement.DkmDataProtector.GetInstance(IDkmFactory factory, DkmConfiguration config)
       at Microsoft.IdentityServer.CertificateManagement.DataProtectorFactory.CreateDataProtector(ServiceSettingsData settings)
       at Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.LoadDynamicConfiguration()
       at Microsoft.IdentityServer.Service.Configuration.AdministrationServiceState.FetchAdministrationServiceStateData()
       at Microsoft.IdentityServer.ServiceHost.STSService.FetchAdministrationServiceConfiguration()
       at Microsoft.IdentityServer.ServiceHost.STSService.OnStartInternal(Boolean requestAdditionalTime)

    220 :
    The Federation Service configuration could not be loaded correctly from the AD FS configuration database. 
    Additional Data 
    Error:  
    The specified directory service attribute or value does not exist.
    The windows internal database service can be restarted without issues. 

    PS : the adfs svc account has read access on the certificates, so that part is also ok

    Any idea what might be causing this?
    Tuesday, November 7, 2017 1:35 PM

All replies

  • Did you export the communication cert from the ADFS 2.0 and install it on the ADFS 4.0 Server?
    Wednesday, November 8, 2017 1:57 PM
  • Did you go through the Troubleshooting Guide
    Wednesday, November 8, 2017 2:20 PM
  • Thanks Freddy.
    We indeed exported the communication cert from the 2.0.

    Actually I imported it from the orginal pfx. All properties are correct (+ identifier)

    I verified the troubleshooting guide, but didn't get a solution there.

    We get both events mentioned above.

    After the import, everything seemed to be ok, but the problem occurs after restarting the ADFS service. (I could not connect tot the idpinitiated logon page however)
    I also verified tried logging in with the service account ,and logon to the WID via SQL management tools.
    I'm able to logon with that user and connect to the DB so that seems to be Ok too.

    Wednesday, November 8, 2017 2:45 PM
  • Do you use gMSA ?

    If yes, did you install it on the new ADFS Server ?

    Install-AdServiceAccount <gMSA>
    Test-AdServiceAccount <gMSA>

    And did you set the new SPN and DNS Hostname to the gMSA?

    Set-ADServiceAccount <gMSA> -DNSHostName <FQDN ADFS SERVER> -ServicePrincipalNames http/<FQDN ADFS SERVER>

    Thursday, November 9, 2017 9:36 AM
  • Does the account has read access to the PrivKeys like mentioned in this thread:

    adfs-certificate-error-enabling-endpoints-of-federation-service

    I also found this solution:

    http://nilsvanwoensel.azurewebsites.net/?p=62

    • Edited by 1.FreddyD Thursday, November 9, 2017 9:51 AM
    Thursday, November 9, 2017 9:48 AM
  • Hi
    The svc account has read perms on the private keys, so that part is covered.
    We're not using managed service accounts, but a regular svc account.

    I'll check with the customer when we can do the schema extension. Altough it doesn't seem to be required unless you want to use the latest ADFS features.

    I did notice that they're using SQL for DB, and not WID, so that's probably the reason why the svc doesn't start.

    There's no info whatsover available from Microsoft itself to migrate from SQL to WID, unless some scripts I found from a MS MVP.
    The script only covers migration from 2.x to 3.0 and not 4.0, so possibly that won't work.. :-s

    Friday, November 10, 2017 1:27 PM