While adding the 2nd Windows 2016 ADFS server as secondary server in existing adfs farm, the setup fails with error "MSIS7711:PolicyOperationFault" & event IDs 344 & 542

  • Question


  • Issue:

    1st ADFS Server gets installed successfully and ADFS Farm is successfully created.

    Both https://sts.x.com/adfs/ls/idpinitiatedsignon.htm & https://sts.x.com/federationmetadata/2007-06/federationmetadata.xml are working as desired.

    While adding the 2nd ADFS server as secondary server in existing adfs farm, the setup fails with error "MSIS7711:PolicyOperationFault" & event IDs 344 & 542 mentioning "There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur." & "There was an error during heartbeat." & "Client is unable to finish the security negotiation within the configured timeout (00:09:59.9989986). The current negotiation leg is 1 (00:09:59.9989986)".

    Infra background:

    • AD: Windows 2012 & Windows 2016
    • Forest & Domain functional model: Windows Server 2008 R2
    • ADFS OS version is Windows 2016 Standard (VmWare VMs)
    • ADFS is being implemented for Office 365 SSO plus other apps publishing.
    • ADFS Plan: 2 ADFS Servers in Corporate LAN & 2 WAP Servers in DMZ. Both servers to be load balanced using Windows NLB in unicast mode.

    Troubleshooting done so far:
    • Confirmed that there is a dedicated domain user account used while installing both ADFS servers as the service account.
    • Initially, installation was being done on servers in NLB, but secondary ADFS server setup resulted in the mentioned error.
    • Then, NLB was broken & uninstalled & then the ADFS installation was being done on servers as standalone (No NLB), but secondary ADFS server setup again resulted in the mentioned error.
    • Then, reversed the primary & secondary servers... i.e. uninstalled adfs from both servers & installed primary ADFS on server2 & then also got same error while secondary server setup on server1.
    • Confirmed that time & timezone are correct.
    • Confirmed that all ADFS servers are at same update level which is the latest build of 1607 - KB4051033 (OS Build 14393.1914).
    • Checked that the service account is correctly set with STS domain name.
    • Removed all group policies from the servers.
    • Removed all antivirus or dlp software from the servers.
    • Disabled Windows firewall.

    Event ID detail:

    There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.

    There was an error during heartbeat.

    Additional data

    Exception details:

    System.TimeoutException: Client is unable to finish the security negotiation within the configured timeout (00:09:59.9989986).  The current negotiation leg is 1 (00:09:59.9989986).   ---> System.TimeoutException: The request channel timed out while waiting for a reply after 00:09:59.9960009. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The remote server returned an error: (504) Gateway Timeout. ---> System.Net.WebException: The remote server returned an error: (504) Gateway Timeout.
       at System.Net.HttpWebRequest.GetResponse()
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       --- End of inner exception stack trace ---
       at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
       at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       --- End of inner exception stack trace ---
       at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       --- End of inner exception stack trace ---

    Server stack trace:
       at System.ServiceModel.Security.IssuanceTokenProviderBase`1.DoNegotiation(TimeSpan timeout)
       at System.ServiceModel.Security.SspiNegotiationTokenProvider.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.CommunicationObjectSecurityTokenProvider.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SymmetricSecurityProtocol.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Security.WrapperSecurityCommunicationObject.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
       at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
       at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
       at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
       at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
       at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
       at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)

    Exception rethrown at [0]:
       at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
       at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
       at Microsoft.IdentityServer.Protocols.PolicyStore.IPolicyStoreReadOnlyTransfer.GetHeaders()
       at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync(Boolean syncAll)
       at Microsoft.IdentityServer.Service.Synchronization.SyncAdministrationManager.Sync()
       at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.SqlPolicyStoreService.DoSyncDirect()
       at Microsoft.IdentityServer.Service.Synchronization.SyncBackgroundTask.Run(Object context)

    User Action
    Make sure the primary federation server is available or the service account identity of this machine matches the service account identity of the primary federation server.


    Rgds, Harish

    Sunday, December 10, 2017 6:53 AM
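The checks listed above (service account identity, reachability of the primary, clock, update state) can be run from the secondary server in one pass; the script below is an added example, not something posted in this thread, and assumes the AD FS PowerShell module is present and that $PrimaryServer is set to the primary's FQDN (the placeholder value is an assumption). It also checks for a WinHTTP proxy, because the "(504) Gateway Timeout" in the exception is a status an intermediary returns, not the primary AD FS server itself.

```powershell
# Added example, not from the thread: pre-join sanity checks for a secondary
# AD FS 2016 farm member. Run in an elevated PowerShell on the secondary.
# $PrimaryServer is an assumed parameter; replace it with the primary's FQDN.
param([string]$PrimaryServer = "adfs1.corp.example.com")

# 1. The service account identity must match on both farm members (the
#    "User Action" text of events 344/542 calls this out). Compare the local
#    adfssrv account with the one reported by the primary over WinRM.
$localAcct  = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$remoteAcct = Invoke-Command -ComputerName $PrimaryServer -ScriptBlock {
    (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
}
"Service account local=$localAcct primary=$remoteAcct match=" + ($localAcct -eq $remoteAcct)

# 2. Farm sync from primary to secondary runs over HTTP (TCP 80) to the
#    primary's policy store transfer endpoint, so that port must be reachable.
$tcp = Test-NetConnection -ComputerName $PrimaryServer -Port 80 -WarningAction SilentlyContinue
"TCP 80 to ${PrimaryServer}: " + $tcp.TcpTestSucceeded

# 3. A 504 Gateway Timeout is produced by a proxy or gateway in the path.
#    A machine-wide WinHTTP proxy would apply to the AD FS service context too.
netsh winhttp show proxy

# 4. Sync state as the AD FS service itself sees it (role, configured
#    primary and port, result of the last sync attempt).
Get-AdfsSyncProperties |
    Select-Object Role, PrimaryComputerName, PrimaryComputerPort,
                  LastSyncStatus, LastSyncFromPrimaryServerName

# 5. Clock skew breaks the SSPI/Kerberos negotiation seen in the stack trace.
w32tm /query /status

# 6. Most recent sync/heartbeat failures (event IDs 344 and 542 from above).
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 344, 542 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

If every check passes and sync still times out, the fault is below the AD FS layer (network path or the VM itself), which matches the resolution the thread ended with.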

Answers

  • The issue was in the VM. We rebuilt the VMs from a new media & the issue was resolved.

    Rgds, Harish

    • Marked as answer by Harish Singh Saturday, October 20, 2018 7:15 AM
    Saturday, October 20, 2018 7:15 AM
