Dear colleagues,
Actually, we are facing a really strange issue regarding a clean installation of ADFS on Windows 2012R2. We are using PowerShell for installation:
Import-Module ADFS
$ServiceAccount = Get-Credential "CONTOSO\STS_ADFSsvc"
$FederationServiceName = "sts.contoso.com"
$FederationServiceDisplayName = "Contoso Test ADFS"
$SQLConnectionString = "Data Source=STSAGListen,50801;Integrated Security=True"
# $ServiceComCertThumb holds the thumbprint of the service communication certificate (set earlier, not shown here)
Install-AdfsFarm -FederationServiceName $FederationServiceName -FederationServiceDisplayName $FederationServiceDisplayName -CertificateThumbprint $ServiceComCertThumb -ServiceAccountCredential $ServiceAccount -SQLConnectionString $SQLConnectionString
Resulting Errors:
Unable to configure the private key store. A constraint violation occurred
With additional PowerShell Exception:
[Install-AdfsFarm], DirectoryServicesCOMException
To locate the root cause of the problem we enabled the ADFS Tracing debug log after increasing the log verbosity by running wevtutil sl "AD FS Tracing/Debug" /L:5
The debug logs along with the error message “Unable to configure the private key store” appear to point to an issue with the certificate sharing container located at CN=<GUID>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com. For the repeated failed attempts we continually see the following event entries in the ADFS Tracing log (<GUID> varies between attempts):
Log Name: AD FS Tracing/Debug
Source: AD FS Tracing
Date: 18.09.2015 17:10:33
Event ID: 44
Task Category: None
Level: Information
Keywords: ADFSPolicyModel
User: CONTOSO\STS_ADFSsvc
Computer: CONTOSOAFS00.contoso.com
Description:
Could not bind to DN:'CN=507f24fb-3217-4ee9-8d16-a6f272be1d46,CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com'. Got exception:'System.DirectoryServices.DirectoryServicesCOMException (0x80072030): There is no such object on the server.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.RefreshCache()
at System.DirectoryServices.DirectoryEntry.FillCache(String propertyName)
at System.DirectoryServices.DirectoryEntry.get_NativeGuid()
at System.DirectoryServices.DirectoryEntry.get_Guid()
at Microsoft.IdentityServer.CertificateManagement.DkmFactory.CheckExistence(String distinguishedName, String& dcName)'. Concluding that the said DN does not exist.
Checking the existence of this container after the failed setup shows that it was successfully created by the installation accounts (a dedicated account with local OS admin rights on the ADFS server and Domain Admin rights within the CONTOSO.COM domain for the duration of the installation). The account is confirmed to have full control over the entire CN=ADFS,CN=Microsoft,CN=Program Data,DC=contoso,DC=com container and its sub-objects.
Based on network traces it appears that the Install-AdfsFarm PowerShell cmdlet attempts to create the certificate sharing container on the PDC role holder, while using the site-assigned DC for the rest. To rule out any replication-related issues (despite having change notification enabled on the site link between the ADFS server's AD site and the AD site in which the PDC role holder resides), we have retried the installation while assigning the ADFS server subnet to the AD site in which the PDC role holder and 2 other DCs reside, with no success. We receive the same error message (DN does not exist). In our last attempt we even blocked outbound communication between the ADFS server and the other 2 DCs that are in that site using Windows Firewall, which should have forced the ADFS server to use the PDC. This was also not successful and resulted in the same error message.
Sadly the Install-AdfsFarm commandlet does not appear to have a Server parameter which allows specifying a specific DC.
Searching around the internet, event ID 44 seems not to exist, so does anybody have a clue what's going on here?
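A diagnostic script I would run next (added here as an example; it is not part of the post above and not Microsoft's code): it lists the CN=<GUID> children of the ADFS certificate sharing container as seen by the PDC emulator and by the site-assigned DC, so a container that exists on the PDC but is missing on the DC the installer binds to stands out. It assumes the ActiveDirectory RSAT module, a domain-joined session with read access to the container, and the contoso.com naming from the post.

```powershell
# Added diagnostic (not from the original post): compare the ADFS certificate
# sharing container as seen by the PDC emulator and by the site-assigned DC.
# Assumes the ActiveDirectory RSAT module and read rights on the container.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$Pdc      = $Domain.PDCEmulator
$SiteDc   = (Get-ADDomainController -Discover -NextClosestSite).HostName | Select-Object -First 1
$AdfsBase = "CN=ADFS,CN=Microsoft,CN=Program Data,$($Domain.DistinguishedName)"

function Get-AdfsDkmChildren {
    param([string]$Server)
    # Each Install-AdfsFarm attempt creates a CN=<GUID> child under $AdfsBase;
    # return them with the queried DC's own view of creation time and USN.
    try {
        Get-ADObject -Server $Server -SearchBase $AdfsBase -SearchScope OneLevel `
            -Filter * -Properties whenCreated, uSNCreated |
            Select-Object Name, whenCreated, uSNCreated
    } catch {
        Write-Warning "Query against $Server failed: $($_.Exception.Message)"
        @()
    }
}

$OnPdc    = @(Get-AdfsDkmChildren -Server $Pdc)
$OnSiteDc = @(Get-AdfsDkmChildren -Server $SiteDc)

"PDC emulator    : $Pdc ($($OnPdc.Count) container(s))"
"Site-assigned DC: $SiteDc ($($OnSiteDc.Count) container(s))"

# Containers present on the PDC but absent on the site DC are the
# 'There is no such object on the server' case from Event ID 44 and point at
# replication lag; an empty result on both DCs points at creation/permissions.
$MissingOnSiteDc = $OnPdc | Where-Object { $_.Name -notin $OnSiteDc.Name }
if ($MissingOnSiteDc) {
    "Missing on ${SiteDc}: $($MissingOnSiteDc.Name -join ', ')"
}

# Show which DC this session is actually bound to (the one the installer
# most likely uses for everything except the container creation).
"Current logon DC: $env:LOGONSERVER"
```

Running it on the ADFS server immediately after a failed Install-AdfsFarm shows whether the GUID named in the event has reached the DC the server is bound to; repeating the run a few seconds later shows whether it is merely late or never arrives.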