Hello!
I'm having a small issue attempting to join a new ADFS server to an existing ADFS farm.
Farm's DB is running on SQL and existing servers are using gMSA to run. The same gMSA is re-used to run the service on the new server.
When attempting to start the service, it fails and events 201, 102 and 220 are logged in the ADFS Admin log. With the gMSA as a member of local Administrators, the ADFS service starts fine. However, the existing servers don't have the gMSA as a member of local Administrators and everything is working without issues.
Description of the events:
Log Name: AD FS/Admin
Source: AD FS
Date: 11/1/2019 1:48:34 PM
Event ID: 201
Task Category: None
Level: Error
Keywords: AD FS
User: Domain\gMSA_Account
Computer: NEWADFSERVER.DOMAIN
Description:
The Federation Service configuration service encountered an Access Denied error while trying to register one or more endpoint URLs. This condition typically occurs when the ACL for the endpoint URL is missing or the HTTP namespace in the ACL is not a prefix match of the endpoint URL.
The configuration service could not be opened.
Additional Data
Exception details:
System.ServiceModel.AddressAccessDeniedException: HTTP could not register URL http://+:80/adfs/services/policystoretransfer/. Your process does not have access rights to this namespace (see http://go.microsoft.com/fwlink/?LinkId=70353 for details).
#############################
Log Name: AD FS/Admin
Source: AD FS
Date: 11/1/2019 1:48:34 PM
Event ID: 102
Task Category: None
Level: Error
Keywords: AD FS
User: Domain\gMSA_Account
Computer: NEWADFSERVER.DOMAIN
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
User Action
Ensure that a valid ACL for each of the URLs has been configured on this computer.
#############################
Log Name: AD FS/Admin
Source: AD FS
Date: 11/1/2019 1:48:34 PM
Event ID: 220
Task Category: None
Level: Error
Keywords: AD FS
User: Domain\gMSA_Account
Computer: NEWADFSERVER.DOMAIN
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
#############################
I understand that netsh could be used to manually configure the required ACLs on the HTTP endpoints. The thing is, I'm a bit puzzled as to why this needs to be done manually.
My questions:
Is there a Local Security Policy that would grant permission to the gMSA to configure the ACLs on the endpoints?
If not, is there a list of every endpoint where ACLs are required to be configured, so I don't have to go through a trial-and-error method to catch every endpoint in the ADFS Admin event logs (hehe)?
Regards,
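The following is an added example, not code from the original post. Instead of hand-picking endpoint URLs from event 201 one at a time, it reads the http.sys URL reservations (`netsh http show urlacl`) on a healthy farm member, keeps those granted to the service gMSA, and reports or reserves the ones missing on the new node. It assumes WinRM access to the reference node, an elevated PowerShell session on the new node, English-language netsh output, and the placeholder names `EXISTINGADFSSERVER.DOMAIN` and `DOMAIN\gMSA_Account$` (a gMSA's SAM name carries a trailing `$`).

```powershell
# Added example (not from the original post). Copies the http.sys URL
# reservations that a working AD FS farm member grants to the service gMSA
# onto the new node, so the service can bind its endpoints without being a
# local administrator. Assumptions: WinRM to the reference node works, this
# runs elevated on the new node, netsh prints English output, and the two
# names below are placeholders.

param(
    [string]$ReferenceNode  = 'EXISTINGADFSSERVER.DOMAIN',  # healthy farm member (placeholder)
    [string]$ServiceAccount = 'DOMAIN\gMSA_Account$',        # gMSA SAM name, trailing $ (placeholder)
    [switch]$Apply                                           # without -Apply, only report
)

# Turn the text output of "netsh http show urlacl" into objects, one per
# reserved URL, listing the principals http.sys reports for it.
function ConvertFrom-UrlAclText {
    param([string[]]$Lines)
    $result  = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Reserved URL\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Url = $Matches[1]; Users = @() }
            $result.Add($current)
        }
        elseif ($null -ne $current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.Users += $Matches[1]
        }
    }
    return $result
}

# Compare account names ignoring case and the optional trailing "$" of a gMSA.
function Test-SameAccount {
    param([string]$A, [string]$B)
    return ($A.TrimEnd('$') -ieq $B.TrimEnd('$'))
}

$referenceAcls = ConvertFrom-UrlAclText (
    Invoke-Command -ComputerName $ReferenceNode -ScriptBlock { netsh http show urlacl })
$localAcls     = ConvertFrom-UrlAclText (netsh http show urlacl)

# The reservations the working node holds for the service account are the
# ones the new node needs; the endpoint list comes from the farm, not a guess.
$wanted = $referenceAcls | Where-Object {
    $_.Users | Where-Object { Test-SameAccount $_ $ServiceAccount }
}

foreach ($acl in $wanted) {
    $have = $localAcls | Where-Object {
        $_.Url -ieq $acl.Url -and
        ($_.Users | Where-Object { Test-SameAccount $_ $ServiceAccount })
    }
    if ($have) {
        Write-Host "OK       $($acl.Url)"
        continue
    }
    Write-Host "MISSING  $($acl.Url)"
    if ($Apply) {
        # Reserve the namespace for the gMSA so its process may listen on it.
        $out = netsh http add urlacl "url=$($acl.Url)" "user=$ServiceAccount"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "netsh failed for $($acl.Url): $($out -join ' ')"
        }
    }
}
```

Run it once without `-Apply` to see the diff between the two nodes, then with `-Apply` from an elevated prompt. Granting the reservation to the gMSA rather than adding the account to local Administrators keeps the service account's rights limited to listening on its own URL prefixes; the prefix must match exactly what the service tries to register (for example the `http://+:80/adfs/services/policystoretransfer/` namespace named in event 201), since http.sys only honours prefix matches.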