Error Setting up SharePoint 2007 with ADFS2.0: No Key in dictionary?

  • Question

  • I have been manually trying to set up the on the SharePoint server side without using the Federation utility tool. 

    First command


    stsadm -o addzoneurl -url https://machinename/ -urlZone internet -zonemappedurl https://machinename/

    This ran successfully



    Second command


    stsadm.exe -o authentication -url https://machinename/ -type websso -membershipprovider SharePointClaimsMembershipProvider -roleManager SharePointClaimsRoleProvider -enableclientintegration


    This gave an error: The given key was not present in the dictionary.

    What does this error mean?


    Thursday, February 17, 2011 7:40 AM

All replies

  • I have been chasing this issue down for quite a while and happened to resolve the issue after a lot of digging and assistance from Microsoft.

    First, the error is a very generic error.  For those of you familiar with the oh-so-popular "general protection fault" errors, you will understand what I mean.  This error is worthless within the construct of setting up ADFS and you will not find an answer in any knowledge base that will help.

    The error has nothing to do with rights, database or any other dark rat hole they will lead you down.  There are a couple of factors that will cause the error.

    1. The ADFS server cannot use the FQDN of the ADFS server.  You will need to use Kerberos authentication, and when you run setspn using the FQDN of the server, you will get an error stating the server computer account is not trusted.  Use a certificate that is associated with a CNAME (alias) for the ADFS server (ex. ADFS2.domain.local is the CNAME for server1.domain.local).

    When you set up your ADFS server, you will need to run setspn -a host/[CNAME of the ADFS server] [domain]\[service account] in order to establish Kerberos authentication.  Also, you will notice that if you fail to do this, you can only access the federationmetadata.xml file using the NETBIOS name of the ADFS URL.  setspn fixes that issue.

    2. Certificate trust is key.  You will need to export your certificates from both the ADFS IIS interface and the SharePoint 2007 server as x509 certs and import them as trusted root certificates onto the SP 2007 and ADFS server.

    Perform all imports using the MMC Certificate snap-in in order to ensure the trusted root certificate is added.

    3. You will need to extend your SharePoint web application to create an INTRANET or EXTRANET application using SSL.  Simply adding alternate access mappings will not help.  Create or Extend a Web Application is performed through the SharePoint Central Admin Console.

    You will need to change your bindings on the default SharePoint-80 site to not use 443 for SSL and if you want to use port 80 on the SharePoint 80 application, set the HTTP port on your new INTRANET web application to another port.

    I hope this clarifies some of the causes of the "key not present" error when running the Federation Utility for SharePoint 2007.
    Thursday, September 15, 2011 2:35 AM
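
A pre-check for the first two causes listed in the reply above, as an added example that is not part of the original post or of any Microsoft tool. The alias, service account and certificate file paths are placeholder assumptions, and the metadata path used is the standard AD FS 2.0 location.

```powershell
# Added example: placeholder values (assumptions), replace with your own.
$AdfsAlias      = 'adfs2.domain.local'   # CNAME of the AD FS server (example name from the reply)
$ServiceAccount = 'DOMAIN\svc-adfs'      # hypothetical AD FS service account
$CertFiles      = @('C:\certs\adfs.cer', 'C:\certs\sharepoint.cer')  # hypothetical exported X.509 files

function Test-AliasSpn {
    param([string]$Alias, [string]$Account)
    # setspn -L lists the SPNs registered on the account; look for host/<alias>
    $spns = & setspn.exe -L $Account 2>&1 | ForEach-Object { "$_".Trim() }
    return [bool]($spns | Where-Object { $_ -ieq "host/$Alias" })
}

function Test-TrustedRoot {
    param([string]$CerPath)
    # Load the exported certificate and match its thumbprint against
    # the local machine Trusted Root Certification Authorities store
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $hit  = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    return [bool]$hit
}

function Test-FederationMetadata {
    param([string]$Alias)
    # Fetch the metadata through the alias, not the NetBIOS name.
    # A TLS trust failure or an authentication failure both surface here.
    $url = "https://$Alias/FederationMetadata/2007-06/FederationMetadata.xml"
    $wc  = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try {
        $xml = [xml]$wc.DownloadString($url)
        return ($xml.DocumentElement.LocalName -eq 'EntityDescriptor')
    } catch {
        Write-Warning "$url : $($_.Exception.Message)"
        return $false
    } finally {
        $wc.Dispose()
    }
}

"SPN host/$AdfsAlias registered on $ServiceAccount : " + (Test-AliasSpn $AdfsAlias $ServiceAccount)
foreach ($f in $CertFiles) {
    "Trusted root store contains $f : " + (Test-TrustedRoot $f)
}
"Federation metadata reachable via alias : " + (Test-FederationMetadata $AdfsAlias)
```

Run it on both the SharePoint 2007 server and the ADFS server, since the reply calls for the certificates to be trusted on each.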