ADFS Setup - A Constraint Violation occurred

  • Question

  • On a fresh Server 2012 R2 Standard install, I am trying to set up the first federation server in a farm (using Windows Internal Database). However, the Active Directory Federation Services Configuration Wizard fails at the last step with the error "A constraint violation occurred".

    The only related events I can find are 

    Source:MSSQL$MICROSOFT##WID
    Event ID: 9645
    An error occurred in the service broker manager

    Any suggestions?

    The event log:-

    Log Name:      Application
    Source:        MSSQL$MICROSOFT##WID
    Date:          8/25/2016 6:46:26 AM
    Event ID:      9645
    Task Category: Server
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      Example.test.local
    Description:
    An error occurred in the service broker manager, Error: 3602, State: 124.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="MSSQL$MICROSOFT##WID" />
        <EventID Qualifiers="49152">9645</EventID>
        <Level>2</Level>
        <Task>2</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-08-25T11:46:26.000000000Z" />
        <EventRecordID>2931</EventRecordID>
        <Channel>Application</Channel>
        <Computer><obfuscated></Computer>
        <Security />
      </System>
      <EventData>
        <Data>3602</Data>
        <Data>124</Data>
        <Binary><obfuscated></Binary>
      </EventData>
    </Event>



    Thursday, August 25, 2016 12:21 PM

Answers

  • Wait, how did you get past the previous error? Did you manage to get more verbose logs?

    For the proxy, make sure you are using an account that is a member of the local Administrators group of the primary ADFS server, that you can reach the port TCP 443 and that there is no SSL offloading between the WAP and the ADFS farm.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, August 26, 2016 2:16 PM
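
The two network checks named in the answer above (TCP 443 reachability and no SSL offloading between the WAP and the farm), as an added example that is not part of the original thread. The function name `Test-AdfsPathFromWap`, the host `fs.example.test` and the thumbprint value are placeholders; the local Administrators membership check is not covered here.

```powershell
# Added example, not from the thread. Run on the WAP server.
# Placeholders: the federation service name and the thumbprint of the AD FS SSL
# certificate (on the AD FS server, Get-AdfsSslCertificate lists it).
function Test-AdfsPathFromWap {
    param(
        [Parameter(Mandatory)][string]$FederationService,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [int]$Port = 443
    )
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $result = [ordered]@{
        Target              = "${FederationService}:$Port"
        TcpReachable        = $false
        PresentedSubject    = $null
        PresentedThumbprint = $null
        CertificateMatches  = $false
        Error               = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($FederationService, $Port)      # check 1: TCP 443 is reachable
        $result.TcpReachable = $true

        # Accept whatever certificate is presented: the goal is to inspect it,
        # not to trust it. The thumbprint comparison below is the actual check.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        try {
            # The target host is sent as SNI, as the WAP itself would send it.
            $ssl.AuthenticateAsClient($FederationService)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.PresentedSubject    = $cert.Subject
            $result.PresentedThumbprint = $cert.Thumbprint
            # check 2: a different certificate means some device in the path
            # terminates TLS before the request reaches the AD FS farm.
            $result.CertificateMatches  = ($cert.Thumbprint -eq $expected)
        } finally { $ssl.Dispose() }
    } catch {
        $result.Error = $_.Exception.Message            # e.g. "Unable to connect to the remote server"
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

Test-AdfsPathFromWap -FederationService 'fs.example.test' `
    -ExpectedThumbprint '<thumbprint of the AD FS SSL certificate>'
```

A matching thumbprint does not rule out a device that re-encrypts with a copy of the same certificate, so confirm the load balancer mode separately if one sits in the path.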

All replies

  • Did you already have WID installed on this server? If so, is it used by other services?

    If not, you could try to remove the feature and restart the installation.


    Thursday, August 25, 2016 1:26 PM
  • This is a new server built only for this, we did try removing the role and adding back in but still the same.

    Tried on another server too but still the same.

    Thursday, August 25, 2016 1:57 PM
  • Can you try to configure the role using PowerShell? Just to have more verbosity on the error message?

    Thursday, August 25, 2016 3:10 PM
  • Was able to get past that error, not sure what was causing the issues.

    We are now trying to set up the WAP server and getting "Event ID 393 The federation server proxy could not establish a trust with the Federation Service."

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          8/26/2016 2:50:10 AM
    Event ID:      393
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          ADFS03\Administrator
    Computer:      ADFS03
    Description:
    The federation server proxy could not establish a trust with the Federation Service.

    Additional Data
    Exception details:
    Unable to connect to the remote server

    User Action
    Ensure that the credentials being used to establish a trust between the federation server proxy and the Federation Service are valid and that the Federation Service can be reached.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="AD FS" Guid="{2FFB687A-1571-4ACE-8550-47AB5CCAE2BC}" />
        <EventID>393</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000001</Keywords>
        <TimeCreated SystemTime="2016-08-26T07:50:10.917309900Z" />
        <EventRecordID>7</EventRecordID>
        <Correlation ActivityID="{9934AE94-FF6D-0001-75B1-34996DFFD101}" />
        <Execution ProcessID="2956" ThreadID="3640" />
        <Channel>AD FS/Admin</Channel>
        <Computer>ADFS03</Computer>
        <Security UserID="S-1-5-21-564230595-2159454881-1314291571-500" />
      </System>
      <UserData>
        <Event xmlns="http://schemas.microsoft.com/ActiveDirectoryFederationServices/2.0/Events">
          <EventData>
            <Data>Unable to connect to the remote server</Data>
          </EventData>
        </Event>
      </UserData>
    </Event>

    Friday, August 26, 2016 9:57 AM
  • Any updates?

    Friday, September 2, 2016 1:32 PM
  • I'm having the exact same issue: "Unable to connect to the remote server". Did you figure out a resolution? Please, please, please post it.
    Sunday, January 15, 2017 3:15 AM
  • Having a problem with ADFS installation. It fails with: "Unable to configure the private key store. A constraint violation occurred".

    Below is my whole script:

    #
    # Windows PowerShell script for AD FS Deployment
    #

    Import-Module ADFS

    # Get the credential used for performing installation/configuration of ADFS
    $installationCredential = Get-Credential -Message "Enter the credential for the account used to perform the configuration."

    # Get the credential used for the federation service account
    $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."

    $output = Install-AdfsFarm `
        -CertificateThumbprint:"C02B5EEFE5344B12F3F8D8BE40B60AF3B3503ED3" `
        -Credential:$installationCredential `
        -FederationServiceDisplayName:"ABC" `
        -FederationServiceName:"ENN01-ADFS01.abc.domain.com" `
        -OverwriteConfiguration:$true `
        -ServiceAccountCredential:$serviceAccountCredential `
        -SQLConnectionString:"Data Source=ENN01-SSQL01;Initial Catalog=ADFSConfiguration;Integrated Security=True;Min Pool Size=20"

    Install-AdfsFarm : A constraint violation occurred.
    At C:\Users\admttu\Desktop\adfs.ps1:13 char:11
    + $output = Install-AdfsFarm `
    +           ~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Install-AdfsFarm], DirectoryServicesCOMException
        + FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.InstallFarmCommand

    PS C:\Windows\system32> $output.Message
    Unable to configure the private key store. A constraint violation occurred.

    I've checked certificates and they are ok (tried several different guides for ADFS, including the official one) and I'm using a domain admin account for installation and a service account as domain user. Error occurs no matter if I use WID or SQL.



    • Edited by ttuczap Monday, May 22, 2017 2:10 PM added db info
    Monday, May 22, 2017 2:06 PM
  • We are getting the same issue too, did you fix this in the end? Would love to know as I've spent days on this.

    This is the first install of ADFS too, I've not even started on the Proxy (WAP) server yet.

    No one seems to know how to fix this issue.

    Thanks

    Monday, July 17, 2017 3:16 PM
  • This thread is dead. Please start a new one and add your step by step scenario as well as the error messages you get in the logs. Thanks!

    Monday, July 17, 2017 6:17 PM
  • Thanks - I have now done this:

    Forum post

    Kind regards

    Tuesday, July 18, 2017 12:02 PM