Symptoms

After a system reboot, the AD FS 2.0 Windows service fails to start

The following events are logged in the AD FS 2.0/Admin event log.

Event ID 352

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 352
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
A SQL operation in the AD FS configuration database with connection string Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.
Additional Data
Exception details:
Access to module IdentityServerPolicy.GetServiceSettings is blocked because the signature is not valid.

Event ID 102

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 102
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault]: ADMIN0012: OperationFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).

Event ID 220

Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 220
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
Additional Data
Error:
ADMIN0012: OperationFault

Cause

The code-signing certificate verification check for the AD FS 2.0 service executable is failing. AD FS 2.0 is a .NET application that is code-signed with Microsoft digital certificates. When the service attempts to start, the code-signing certificate embedded in the service executable is validated to verify that the certificate was valid at the time of signing. Code-signing verification uses Authenticode; its policy is controlled through the Advanced tab of Internet Explorer and can also be managed directly in the registry.

In Internet Explorer, the Security section of the Advanced tab in Internet Options contains check boxes that affect certificate validation, for example "Check for signatures on downloaded programs" and "Check for publisher's certificate revocation".

The registry location affected by these settings is:

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Type: REG_DWORD

Value Name: State

Default Value: 0x23c00

Notice that the registry location specifies the S-1-5-20 user, which is Network Service. When the service is starting, Service Control Manager (SCM) uses the Network Service account to validate the code-signing certificate that was used to sign the executable. This is true even if your AD FS 2.0 service identity is a domain service account. If the WinTrust "State" registry value is configured incorrectly, the service can fail to start.

Resolution

You are most likely to see this issue in a closed network where the AD FS 2.0 server has no access to the internet, either directly or through a proxy server.

It is unlikely that the Network Service WinTrust "State" value was changed through Internet Explorer settings; the correct approach is to look for scripts, security templates, registry files, and Group Policies to find where the registry change comes from. You can audit the registry location or use a tool such as Process Monitor to monitor for changes to the registry value.

Validate the existence and value of the following registry key:

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

Type: REG_DWORD

Value Name: State

Default Value: 0x23c00

This value can be configured for different settings depending on your validation needs. To determine the correct "State" value for your environment, see the More Information section.

More Information

WTPF_TRUSTTEST (0x00000020) - Trust any test certificate.

WTPF_TESTCANBEVALID (0x00000080) - Check any test certificate for validity.

WTPF_IGNOREEXPIRATION (0x00000100) - Use expiration date.

WTPF_IGNOREREVOKATION (0x00000200) - Do revocation check.

WTPF_OFFLINEOK_IND (0x00000400) - If the source is offline, trust any individual certificates.

WTPF_OFFLINEOK_COM (0x00000800) - If the source is offline, trust any commercial certificates.

WTPF_OFFLINEOKNBU_IND (0x00001000) - If the source is offline, trust any individual certificates. Do not use the user interface (UI).

WTPF_OFFLINEOKNBU_COM (0x00002000) - If the source is offline, trust any commercial certificates. Do not use the checking UI.

WTPF_VERIFY_V1_OFF (0x00010000) - Turn off verification of version 1.0 certificates.

WTPF_IGNOREREVOCATIONONTS (0x00020000) - Ignore time stamp revocation checks.

WTPF_ALLOWONLYPERTRUST (0x00040000) - Allow only items in personal trust database.

When the 0x00040000 flag (WTPF_ALLOWONLYPERTRUST) is set, only items in the Trusted Publishers store are allowed.

If you use software restriction policies (SAFER) and have configured Trusted Publisher settings through Group Policy or Group Policy Preferences, those policies modify this value.
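The following PowerShell script is an added example, not part of the original article and not Microsoft's own tooling. It reads the Network Service (S-1-5-20) WinTrust "State" value described in the Resolution section, decodes it into the WTPF_* flags listed above, and reports how it differs from the documented default 0x23c00, which itself decodes to WTPF_OFFLINEOK_IND, WTPF_OFFLINEOK_COM, WTPF_OFFLINEOKNBU_IND, WTPF_OFFLINEOKNBU_COM and WTPF_IGNOREREVOCATIONONTS. The registry path and flag values come from the article; the function names and the constructed sample value 0x63c00 (the default with WTPF_ALLOWONLYPERTRUST added) are the example's own.

```powershell
# Added example (not from the original article): decode and check the WinTrust
# "State" value that the Network Service account (S-1-5-20) uses for Authenticode
# policy. Flag names and bit values are those listed in the More Information
# section (WintrustSetRegPolicyFlags). Reading the HKEY_USERS\S-1-5-20 hive
# requires an elevated PowerShell session on the AD FS 2.0 server.

$WtpfFlags = [ordered]@{
    WTPF_TRUSTTEST            = 0x00000020
    WTPF_TESTCANBEVALID       = 0x00000080
    WTPF_IGNOREEXPIRATION     = 0x00000100
    WTPF_IGNOREREVOKATION     = 0x00000200
    WTPF_OFFLINEOK_IND        = 0x00000400
    WTPF_OFFLINEOK_COM        = 0x00000800
    WTPF_OFFLINEOKNBU_IND     = 0x00001000
    WTPF_OFFLINEOKNBU_COM     = 0x00002000
    WTPF_VERIFY_V1_OFF        = 0x00010000
    WTPF_IGNOREREVOCATIONONTS = 0x00020000
    WTPF_ALLOWONLYPERTRUST    = 0x00040000
}

# Documented default for the State value (the four OFFLINEOK* flags plus IGNOREREVOCATIONONTS).
$DefaultState = 0x23c00

# Registry path from the article, addressed through the PowerShell Registry provider.
$KeyPath = 'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Get-WtpfFlagNames {
    # Return the name of every WTPF_* bit set in $State; bits not in the table are reported as a hex mask.
    param([uint32]$State)
    $names = @(foreach ($entry in $WtpfFlags.GetEnumerator()) {
        if (($State -band $entry.Value) -ne 0) { $entry.Key }
    })
    $known = 0
    foreach ($v in $WtpfFlags.Values) { $known = $known -bor $v }
    $unknown = $State -band (-bnot $known)
    if ($unknown -ne 0) { $names += ('UNKNOWN_0x{0:X8}' -f $unknown) }
    return $names
}

function Compare-WinTrustState {
    # Describe how $State differs from $Reference (the documented default unless overridden).
    param([uint32]$State, [uint32]$Reference = $DefaultState)
    [pscustomobject]@{
        Current          = '0x{0:X}' -f $State
        Reference        = '0x{0:X}' -f $Reference
        CurrentFlags     = (Get-WtpfFlagNames -State $State) -join ', '
        FlagsAdded       = (Get-WtpfFlagNames -State ($State -band -bnot $Reference)) -join ', '
        FlagsRemoved     = (Get-WtpfFlagNames -State ($Reference -band -bnot $State)) -join ', '
        MatchesReference = ($State -eq $Reference)
    }
}

function Test-WinTrustState {
    # Read the live value for S-1-5-20. A missing key or value means the built-in default applies.
    $item = Get-ItemProperty -Path $KeyPath -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output ('No State value under {0}; the built-in default 0x{1:X} applies.' -f $KeyPath, $DefaultState)
        return
    }
    # REG_DWORD is returned as a signed Int32; mask before casting so high-bit values do not throw.
    $state = [uint32]($item.State -band 0xFFFFFFFF)
    $result = Compare-WinTrustState -State $state
    if (-not $result.MatchesReference) {
        Write-Warning ('WinTrust State 0x{0:X} differs from the default 0x{1:X}; check Group Policy, security templates and scripts for the source of the change.' -f $state, $DefaultState)
    }
    return $result
}

# Offline demonstration on a constructed value: the default with WTPF_ALLOWONLYPERTRUST added.
Compare-WinTrustState -State 0x63c00 | Format-List

# Live check on the AD FS 2.0 server (elevated session required).
Test-WinTrustState | Format-List
```

The offline call shows the decoding without touching the registry: FlagsAdded lists WTPF_ALLOWONLYPERTRUST and MatchesReference is False. The live call pairs with the audit advice in the Resolution section: once you know which flags were added or removed relative to the default, you can search Group Policy, security templates and startup scripts for the setting that writes them.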

WintrustSetRegPolicyFlags function: http://msdn.microsoft.com/en-us/library/Aa388201