How to register a service principal name?

    Question

  • I recently went through an AD FS installation on Windows Server 2016 as a trial to understand this service. After reading Understand Key AD FS Concepts, I was convinced that I had to add a Relying Trust which would represent an LDAP v3-compliant directory such as Oracle OUD.

    After restarting the AD FS service, I ran into the following error.

    A WS-Trust endpoint that was configured could not be opened.

    Error:
    MSIS0006: A Service Principal Name is not registered for the AD FS service account.

    I don't remember ever setting up a service account during the AD FS installation process. If none is found, how can I add one?

    So I tried "setspn -S HTTP/<ADFS_Name> fooServiceAccnt" in order to create one, but the output says it is unable to locate the account "fooServiceAccnt".

    Is this step required in order to make the connection between a Claims Provider Trust (e.g. AD) and a Local Claims Provider Trust (e.g. an Oracle OUD directory)?

    • Edited by vitovnica Thursday, December 6, 2018 8:51 PM
    Thursday, December 6, 2018 7:39 PM

All replies

  • Hello,
    When installing AD FS, the Configuration Wizard proposes that you specify a service account in Active Directory or a group Managed Service Account (group MSA) under which the farm will run.

    This account is necessary for the Kerberos authentication protocol to work and to allow pass-through authentication on each of the federation servers.

    In your case you can associate the SPN with your service account, but according to the error message you have to create the service account in Active Directory first and ensure that "Password never expires" is enabled.
    Then you run the SETSPN command: setspn -s host/<server name> <service account>

    After that you have to set the access control lists (ACLs) on the SQL Server database to allow Read access to this new account so that the AD FS servers can read the policy data.

    _____________________________________________________

    Please don't forget to mark the correct answer, to help others who have the same issue.

    Tahar AROUA: MCSE Cloud Platform and Infrastructure

    Friday, December 7, 2018 12:11 PM
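The procedure in the reply above (create the service account, set "Password never expires", register the SPN) and the checks the question asks for (which account the AD FS service actually runs as, and whether its SPN is registered), as one added PowerShell example. This is not code from the original thread; the account name svc-adfs, the federation service name fs.example.com, the server name ADFS01 and the domain example.com are placeholders you must replace. It registers both the HTTP/<federation service name> SPN that the question attempted and the host/<server name> SPN from the reply, and it uses setspn -S so that a duplicate SPN elsewhere in the forest is refused rather than silently created. The SQL Server ACL step from the reply is not covered here.

```powershell
# Added example, not from the original thread. Run as a domain admin on a
# domain-joined box with RSAT; the last check runs on the federation server.
Import-Module ActiveDirectory

$ServiceAccount    = 'svc-adfs'        # assumed sAMAccountName of the AD FS service account
$FederationService = 'fs.example.com'  # assumed federation service name (the AD FS farm name)
$ServerName        = 'ADFS01'          # assumed federation server host name, as in the reply
$Domain            = 'example.com'     # assumed AD DNS domain

# 0. Which account does the AD FS service (adfssrv) currently run as?
#    This answers "I don't remember ever setting up a service account".
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
Write-Host "adfssrv runs as: $($svc.StartName)"

# 1. Create the service account if it does not already exist.
#    Password never expires / cannot change password follow the reply; use a long
#    random password and keep it in a vault (a gMSA avoids the password entirely).
$existing = Get-ADUser -Filter "sAMAccountName -eq '$ServiceAccount'"
if (-not $existing) {
    $password = Read-Host -AsSecureString -Prompt "Password for $ServiceAccount"
    New-ADUser -Name $ServiceAccount `
               -SamAccountName $ServiceAccount `
               -UserPrincipalName "$ServiceAccount@$Domain" `
               -AccountPassword $password `
               -PasswordNeverExpires $true `
               -CannotChangePassword $true `
               -Enabled $true
}

# 2. Register the SPNs. setspn -S searches the forest for an existing holder
#    before adding; a duplicated SPN breaks Kerberos for both services because the
#    KDC cannot tell which account key to encrypt the ticket with.
& setspn.exe -S "HTTP/$FederationService" $ServiceAccount
& setspn.exe -S "host/$ServerName"        $ServiceAccount

# 3. Verify the registration on the account object itself.
$spns = (Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
foreach ($required in @("HTTP/$FederationService", "host/$ServerName")) {
    if ($spns -notcontains $required) {
        throw "SPN $required is not registered on $ServiceAccount"
    }
}
Write-Host "SPNs on ${ServiceAccount}: $($spns -join ', ')"

# 4. Forest-wide duplicate check; setspn -X prints any SPN held by more than one account.
& setspn.exe -X

# 5. On the federation server: confirm the name AD FS expects the SPN for.
#    HostName here must equal the $FederationService used in step 2.
(Get-AdfsProperties).HostName
```

If step 0 shows the service running as a different account than the one you register the SPN on, the error will persist: the SPN has to sit on the account whose credentials the service uses, otherwise the Kerberos ticket is encrypted with a key the service does not hold. Restart adfssrv after changing either the SPN or the service account.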