Moving from the Office365 forums:
Greetings - just beginning a new ADFS build out. The customer has an empty root and all servers users and service accounts are in child domains and I have a couple of questions:
We see the exact scenario described here, and I was only able to find 1-2 other mentions: http://blogs.perficient.com/microsoft/2011/08/insufficient-privileges-error-configuring-ad-fs-2-0-for-single-sign-on-with-office-365/
where the resolution is to manually create the containers in the child domain.
Understanding that the Program Data container is created by default once in the domain naming context and therefore the root - is this anything that would be considered a program bug and is being addressed by Microsoft in any way? Is the trigger that we are using service accounts from the child domain, or is it that the ADFS computer objects are in the child domain?
With installation failing, is ADFS supported when installed in a child domain? Have I missed a configuration step?
additional info:
The account resides in the child domain, and is a member of domain admins and domain users. I get the same result using an account with EA permissions but again, homed in the child domain.
The error is “You do not have sufficient privileges to create a container in Active Directory at location CN=<long UUID string>,CN=ADFS,CN=Microsoft,CN=Program Data,DC=xxx,DC=yyy for use with sharing certificates. Verify that you are logged on as a Domain Admin or have sufficient privileges to create this container, and try again.”
The error calls out the child domain, where there is no Program Data or Microsoft container. Those do exist in the root directory.
It really looks like the ADFS wizard is trying to create the ADFS container in a hard coded path that doesn't exist because we are trying to install in a child domain.
thank you,
jp