Hi,
I have had issue with AD FS and after turning tracing on, I realized that the AD FS endpoints to issue token based on windows authentication were all failing with an error like:
A WS-Trust endpoint that was configured could not be opened. Additional Data
Address: https://adfsvm.dub01.local/adfs/services/trust/13/windowstransport
Mode: WindowsTransport
Error:
MSIS0006: A Service Principal Name is not registered for the AD FS service account.
I have tried to register an SPN for the AD FS service using the following command (I have found the AD FS Service Name in the Federation Service Properties as in the screenshot hereunder) but it fails with the following error.
Checking domain DC=dub01,DC=local
CN=ADFSVM,CN=Computers,DC=dub01,DC=local
WSMAN/ADFSVM
WSMAN/ADFSVM.dub01.local
TERMSRV/ADFSVM
TERMSRV/ADFSVM.dub01.local
RestrictedKrbHost/ADFSVM
HOST/ADFSVM
RestrictedKrbHost/ADFSVM.dub01.local
HOST/ADFSVM.dub01.local
Duplicate SPN found, aborting operation!
Now I have come to realise that the Federation Service name is the same as the computer name but:
- I don't know if that is an issue
- I don't recall having been offered to give a particular name when installing AD FS
This is the first time I have installed AD FS. Is there anyone who could give me a pointer?
Thanks.
Francois
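An added diagnostic script (not part of Francois's post) that shows how an administrator can find out which directory object already holds an SPN before trying to register it. The "Duplicate SPN found, aborting operation!" line in the post is what setspn prints when its duplicate check (setspn -S) finds the requested SPN on another object, and the listing above it shows the HOST/ADFSVM.dub01.local SPN sitting on the computer object CN=ADFSVM. Active Directory requires each SPN to be unique across the forest, and HOST/<hostname> is registered on a computer account by default. The federation service name is taken from the post; the service account name is an assumed placeholder.

```powershell
# Added example, not code from the original post.
# Assumptions:
#   $FederationServiceName - the name shown in Federation Service Properties (from the post)
#   $ServiceAccount        - the AD FS service account's sAMAccountName (ASSUMED placeholder)
Import-Module ActiveDirectory

$FederationServiceName = 'adfsvm.dub01.local'
$ServiceAccount        = 'svc_adfs'            # placeholder, replace with the real account
$ShortName             = $FederationServiceName.Split('.')[0]

# 1. For each SPN we would want on the service account, find every object
#    that already carries it. An empty result means the SPN is free.
$candidateSpns = @("HOST/$FederationServiceName", "HOST/$ShortName")
foreach ($spn in $candidateSpns) {
    Write-Host "Objects currently holding $spn :"
    Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName |
        Select-Object DistinguishedName, ObjectClass |
        Format-Table -AutoSize
}

# 2. The same query with setspn itself (-Q searches the forest for the SPN).
setspn -Q "HOST/$FederationServiceName"

# 3. Forest-wide duplicate report: lists every SPN registered on more than one object.
setspn -X -F

# 4. Compare what is registered on the computer account versus the service account.
Write-Host "SPNs on computer account $ShortName :"
setspn -L $ShortName
Write-Host "SPNs on service account $ServiceAccount :"
setspn -L $ServiceAccount
```

If step 1 reports the computer object for HOST/adfsvm.dub01.local, that is the conflict setspn aborted on: the same SPN cannot be added to the service account while the computer account holds it. Prefer setspn -S over setspn -A for any registration, because -S performs this duplicate check before writing the attribute.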