problem adding secondary ADFS server to the farm

  • Question

  • We have a single-server (Windows Server 2016) ADFS farm. When adding a secondary server (also Windows Server 2016) to the farm, I am getting the following error at the end of the configuration wizard, and it cannot complete successfully. All prerequisite checks were fine.

    The SSL certificate subject alternative names do not support host name 'certauth.sts.mydomain.com'. Configuring certificate authentication binding on port '49433' and hostname 'sts.mydomain.com'

    ADMIN0012: Operationfault.

    I know this has something to do with user certificate authentication with ADFS. Our certificate doesn't have a SAN for the certauth.sts.mydomain.com hostname. According to the MS Docs, we can use port 49433 on the same hostname, sts.mydomain.com. But how do I go about the configuration?

    Thanks

    Thursday, September 6, 2018 8:33 PM

All replies

  • I checked the event viewer and noticed that there was an error about synchronization didn't occur between the primary server and the new one that I was setting up. Any idea how this could happen?
    Thursday, September 6, 2018 9:36 PM
  • Have you made sure port 80 is open between the 2 servers if you are using WID?

    Regarding the other issue, it is what it says: the cert needs to have certauth.sts.mydomain.com in the SAN so you do not need to open up 49443 for certauth via WAP. But you should be able to change that via the netsh command if you want to.

    Friday, September 7, 2018 6:04 AM
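The check behind the reply above, as an added example that is not part of the thread: it reads the AD FS 2016 farm properties, pulls the certificate bound to the HTTPS endpoint, and reports whether its SAN list covers certauth.<federation host>; if not, it names the alternate port (TlsClientPort, 49443 by default) that certificate authentication will fall back to. It assumes it runs elevated on a farm node with the ADFS module loaded; the host names in the output are whatever the farm is configured with.

```powershell
# Added example, not from the thread. Assumes an elevated prompt on an
# AD FS 2016 farm node; Get-AdfsProperties / Get-AdfsSslCertificate are the
# standard cmdlets on that version.
$props          = Get-AdfsProperties
$federationHost = $props.HostName              # e.g. sts.mydomain.com
$certauthHost   = "certauth.$federationHost"   # SAN needed for certauth on 443

# Certificate currently bound to the federation host on port 443
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.PortNumber -eq 443 -and $_.HostName -ieq $federationHost } |
    Select-Object -First 1
if (-not $binding) { throw "No HTTPS (443) binding found for $federationHost" }
$cert = Get-Item "Cert:\LocalMachine\My\$($binding.CertificateHash)"

# Parse the Subject Alternative Name extension (OID 2.5.29.17) into DNS names
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = ($sanExt.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}

# A certificate wildcard covers exactly one label, so only *.<federationHost>
# (not a wildcard one level higher) covers certauth.<federationHost>.
$covered = $sans | Where-Object { $_ -ieq $certauthHost -or $_ -ieq "*.$federationHost" }

if ($covered) {
    "OK: '$certauthHost' is covered by SAN '$($covered | Select-Object -First 1)'."
    "Certificate authentication can run on port 443 alongside the federation host."
} else {
    "WARN: '$certauthHost' is not in the SAN list: $($sans -join ', ')"
    "AD FS falls back to certificate authentication on port $($props.TlsClientPort) of $federationHost."
    "That port must be reachable from clients, and published through the WAP if one is used."
}

# Show the alternate-port binding the configuration wizard reported
Get-AdfsSslCertificate |
    Where-Object { $_.PortNumber -eq $props.TlsClientPort } |
    Format-Table HostName, PortNumber, CertificateHash -AutoSize
```

Re-issuing the certificate with the certauth SAN and applying it with Set-AdfsSslCertificate removes the need for the alternate port; until then the 49443 binding shown at the end is what clients must be able to reach.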
  • Thanks for the quick reply.

    Port 80 is open on both servers. I think the warning about the certificate authentication is not critical; the ADMIN0012: OperationFault is the primary problem when adding the server to the farm.

    I just removed the ADFS role and the WID database and redid the whole process again and it is still giving me the same error.

    Friday, September 7, 2018 6:12 PM
  • Prior to the synchronization error in the event viewer, there was another error generated by the ADFS configuration wizard.

    A SQL operation in the AD FS configuration database with connection string Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfigurationV3;Integrated Security=True failed.  

    Additional Data

    Exception details:
    Procedure or function CreateAuthorityGroup has too many arguments specified.

    The WID service seems to be running fine though.

    Friday, September 7, 2018 7:04 PM
  • I do see the synchronization attempt every 5 mins and the new ADFS server in the farm using Get-AdfsFarmInformation. The problem should lie in the WID database access, etc.
    Friday, September 7, 2018 8:59 PM
  • What kind of service account are you using for the ADFS service?
    Is the account you install the ADFS role with an administrator on the local machine?

    Monday, September 10, 2018 6:59 AM
  • A domain admin account is used for the ADFS installation on the secondary server.  As for the service account, I used the same service account that is used on the primary ADFS server.

    All prerequisite checks were fine on the secondary server when running the ADFS configuration wizard. The error showed at the end of the configuration.

    Also, I saw that IIS was running on the primary ADFS server and the default website (IIS) was using port 80. Based on your first suggestion, I thought that was the problem. I went ahead and disabled IIS and restarted the ADFS service. However, I still got the same error message after rerunning the configuration wizard on the new server.

    Every synchronization (5 mins) cycle, the first error message is the following, and then it is followed by 344 and 345.

    A SQL operation in the AD FS configuration database with connection string Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial Catalog=AdfsConfigurationV3;Integrated Security=True failed.  

    Additional Data

    Exception details:
    Procedure or function CreateAuthorityGroup has too many arguments specified.

    • Edited by hkg04 Monday, September 10, 2018 5:10 PM
    Monday, September 10, 2018 4:19 PM
  • I guess I didn't answer your original question. The service account is just a regular AD account, not a gMSA account.
    Monday, September 10, 2018 6:04 PM
  • Some update here.

    After the ADFS configuration wizard is done, I restarted the ADFS service. I saw that the service seems to load successfully; event 100 is there (ADFS is operational). The event shows all the URL endpoints and authentication providers were loaded successfully. Then the log showed the same errors 344, 345 and 353 again afterward. The server manager still shows that ADFS needs to be configured.

    I restarted the server and the exact same thing happened as above. ADFS loaded successfully, then the 344\345\364 errors.

    Monday, September 10, 2018 9:15 PM
  • My guess is that it's IIS that is causing the issue.

    Please use netsh http show iplisten, netsh http show urlacl and netsh http show sslcert and verify that everything seems fine.

    Because somehow it feels like port 80 is configured for IIS and not ADFS, and that's why the sync is not working. Since the sync is configured as a "pull" service, the secondary servers are talking to the primary server to get the WID config. So the secondary server is contacting the primary server on port 80 and is expected to reach ADFS and not IIS.

    You can also change the sync port for ADFS and use 8080 or similar, but that would be the last step in my opinion.


    Tuesday, September 11, 2018 5:43 AM
  • Thanks for the feedback. I ran the commands as you suggested on the primary ADFS server.

    netsh http show iplisten:
    nothing

    netsh http show urlacl:
    Reserved URL            : http://+:80/adfs/
    User: NT SERVICE\adfssrv
    Listen: Yes
    Delegate: Yes
    Reserved URL            : http://+:80/Temporary_Listen_Addresses/
    User: \Everyone
    Listen: Yes
    Delegate: No

    netsh http show sslcert:

    nothing is bound to port 80, only 443 and 49443 are used

    I have disabled the www publishing service. I know ADFS is using port 80 as the port is not listening if the ADFS service is stopped.

    Does this mean changing the port is the only option?

    Tuesday, September 11, 2018 5:24 PM
  • Check which process binds to port 80, so run netstat -ano and check the process (PID) that uses port 80 and make sure it's not related to IIS.

    If you want to make a change to the sync port of WID you can read more here:

    https://www.vroege.biz/?p=3220

    • Proposed as answer by Jmeth Thursday, January 23, 2020 3:33 AM
    Wednesday, September 12, 2018 8:52 AM
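The checks suggested in the two replies above (netsh http show urlacl / sslcert, and finding the PID behind port 80), as an added example that is not part of the thread. One caveat the replies do not spell out: AD FS 2016 and IIS both sit on HTTP.sys, so netstat -ano and Get-NetTCPConnection report PID 4 (System) for port 80 either way; the PID alone cannot tell them apart. The script therefore also lists the HTTP.sys URL reservations and the live request queues with their controlling process, and checks whether W3SVC is installed. On a secondary node it instead shows the sync settings and tests TCP reachability of the primary on the sync port. It assumes an elevated prompt on a Windows Server 2016 farm node with the ADFS module loaded.

```powershell
# Added example, not from the thread. Assumes an elevated prompt on an
# AD FS 2016 node (WID farm). Run it on the primary, then on the secondary.
$props = Get-AdfsProperties
$sync  = Get-AdfsSyncProperties      # Role: PrimaryComputer / SecondaryComputer
"Node role: $($sync.Role)   HttpPort (WID pull sync port): $($props.HttpPort)"

if ($sync.Role -eq 'PrimaryComputer') {
    # Socket owner: HTTP.sys, so OwningProcess is 4 (System) for IIS and AD FS alike.
    Get-NetTCPConnection -LocalPort $props.HttpPort -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
        Format-Table -AutoSize

    # Static reservations on the sync port. AD FS needs http://+:80/adfs/ reserved
    # for NT SERVICE\adfssrv with Listen: Yes (IIS does not show up here).
    "--- netsh http show urlacl (port $($props.HttpPort)) ---"
    netsh http show urlacl | Select-String -Pattern ":$($props.HttpPort)/" -Context 0, 3

    # Live registrations per request queue, with the process that owns the queue.
    # An IIS site (w3wp.exe) and the AD FS host (Microsoft.IdentityServer.ServiceHost.exe)
    # both appear here if they share the port; this is what distinguishes them.
    "--- netsh http show servicestate (queues and URLs on port $($props.HttpPort)) ---"
    netsh http show servicestate view=requestq verbose=no |
        Select-String -Pattern 'Request queue name|Controller process ID|:80/' |
        ForEach-Object { $_.Line.Trim() }

    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    if ($w3svc) { "IIS (W3SVC) is installed: status $($w3svc.Status), start type $($w3svc.StartType)" }
    else        { "IIS (W3SVC) is not installed on this node" }
}
else {
    # Secondary: where it polls, how the last poll went, and whether the primary answers.
    $sync | Select-Object PrimaryComputerName, PrimaryComputerPort, PollDuration,
                          LastSyncStatus, LastSyncTime | Format-List
    Test-NetConnection -ComputerName $sync.PrimaryComputerName -Port $sync.PrimaryComputerPort |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```

If the primary's request-queue listing shows a second queue on the sync port owned by w3wp.exe, or W3SVC is still set to start automatically, that is the IIS conflict the replies describe; if the secondary's TcpTestSucceeded is false, the problem is the network path between the nodes rather than HTTP.sys. A SQL error about stored-procedure arguments, as posted earlier in the thread, is a different failure and is not explained by either of these checks.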
  • Thanks for all the help. I will see what else I can do. 
    Friday, September 14, 2018 2:01 AM