Adding new servers to existing ADFS farm - Event ID 201 when trying to start service.

  • Question

  • Hello!

    Having small issues attempting to join a new ADFS server to an existing ADFS farm.

    Farm's DB is running on SQL and existing servers are using gMSA to run. The same gMSA is re-used to run the service on the new server.

    When attempting to start the service, it fails and events 201, 102 and 220 are logged in the ADFS Admin logs. With the gMSA as a member of local Administrators, ADFS service will start fine. However, the existing servers don't have the gMSA as a member of local Administrators and everything is working without issues.

    Description of the events:

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          11/1/2019 1:48:34 PM
    Event ID:      201
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          Domain\gMSA_Account
    Computer:      NEWADFSERVER.DOMAIN
    Description:
    The Federation Service configuration service encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL. 

     The configuration service could not be opened.

    Additional Data 
    Exception details: 
    System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:80/adfs/services/policystoretransfer/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details). 


    #############################

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          11/1/2019 1:48:34 PM
    Event ID:      102
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          Domain\gMSA_Account
    Computer:      NEWADFSERVER.DOMAIN
    Description:
    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. 

    User Action 
    Ensure that a valid ACL for each of the URLs has been configured on this computer. 

    #############################

    Log Name:      AD FS/Admin
    Source:        AD FS
    Date:          11/1/2019 1:48:34 PM
    Event ID:      220
    Task Category: None
    Level:         Error
    Keywords:      AD FS
    User:          Domain\gMSA_Account
    Computer:      NEWADFSERVER.DOMAIN
    Description:
    The Federation Service configuration could not be loaded correctly from the AD FS configuration database. 

    #############################

    I understand that netsh could be used to manually configure the required ACLs on the HTTP endpoints. Thing is, I'm a bit puzzled as to why this is required to be done manually.

    My questions:

    Is there a Local Security Policy that would grant permission to the gMSA to configure the ACLs on the endpoints?

    If not, is there a list of every endpoint where ACLs are required to be configured, so I don't have to go through a trial-and-error method to catch every endpoint in the ADFS Admin event logs (hehe)?

    Regards,

    Friday, November 1, 2019 7:18 PM

Answers

  • Issue is fixed.

    I used the Server Manager's wizard to install the role. Adding the server to the existing farm was done through PowerShell.

    Thing is, I recall not running PowerShell as Administrator when executing the Add-AdfsFarmNode cmdlet.

    The fix was simple: running PowerShell as Administrator, removing the role completely (Uninstall-WindowsFeature -Name ADFS-Federation) and adding it again (Add-WindowsFeature -Name ADFS-Federation). Then, adding the server to the existing farm using the Add-AdfsFarmNode cmdlet.

    • Marked as answer by TheOiman Tuesday, November 5, 2019 2:57 PM
    Tuesday, November 5, 2019 2:57 PM
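A quick way to confirm, after the re-install described above, that the HTTP namespace reservations the Event ID 201 message complains about are actually in place for the service account, as an added example (not code from either post): it parses the output of `netsh http show urlacl` and reports, per URL, whether the given account holds a Listen reservation. The account name is a placeholder, and the only URL in the default list is the policystoretransfer endpoint quoted in the question; add the other ADFS endpoints that show up in your own Admin log.

```powershell
# Added example, not part of the original thread.
# Assumptions (placeholders): $Account is the gMSA as netsh prints it
# (gMSA SAM names normally end with '$'); $Urls defaults to the single
# endpoint named in the Event ID 201 text above.
param(
    [string]$Account = 'DOMAIN\gMSA_Account$',
    [string[]]$Urls  = @('http://+:80/adfs/services/policystoretransfer/')
)

function Get-UrlAclTable {
    # Convert the text output of 'netsh http show urlacl' into one object
    # per (Reserved URL, User) pair, recording whether Listen is granted.
    $lines   = netsh http show urlacl
    $result  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $result.Add([pscustomobject]@{ Url = $current; User = $Matches[1]; Listen = $false })
        }
        elseif ($result.Count -gt 0 -and $line -match '^\s*Listen:\s*(Yes|No)') {
            $result[$result.Count - 1].Listen = ($Matches[1] -eq 'Yes')
        }
    }
    return $result
}

$acls = Get-UrlAclTable
foreach ($url in $Urls) {
    # Case-insensitive match on the account; the URL must match exactly,
    # since the event text says the ACL namespace must prefix-match the endpoint.
    $hit = $acls | Where-Object { $_.Url -eq $url -and $_.User -ieq $Account -and $_.Listen }
    if ($hit) {
        "OK       $url  ($Account has Listen)"
    } else {
        "MISSING  $url  (no Listen reservation for $Account; expect Event ID 201 on service start)"
    }
}
```

Run it from an elevated PowerShell on the new farm node; a MISSING line for an endpoint that the existing nodes serve fine points at the reservations not having been created during Add-AdfsFarmNode.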