Channel: Claims based access platform (CBA), code-named Geneva forum

Event ID 133: During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data.

ADFS 2.0 installed on Server 2008 R2. I configured ADFS with a wildcard certificate and, if I remember correctly, I was able to test the URL in a browser and got an XML response. Now I wanted to continue to work on this project and noticed that ADFS was not working. The event log shows event ID 133:

  • During processing of the Federation Service configuration, the element 'serviceIdentityToken' was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:
  • Element: serviceIdentityToken
    Subject: CN=*.org.nl, OU=Comodo PremiumSSL Legacy Wildcard, OU=org, O=org, STREET=Org 7, L=Org, S=Org, PostalCode=Org, C=NL
    Thumbprint: EE55C0AE7AF33A1FA6C3CA78DEFAEDB4C12AFAE3
    storeName: My
    storeLocation: 0
    Federation Service identity: ORG\svc_adfs
  • The Federation Service will not be able to start until this configuration element is corrected.
  • This condition can occur when the certificate is found in the specified store but there is a problem accessing the certificate's private key. Common causes for this condition include the following:
    (1) The certificate was installed from a source that did not include the private key, such as a .cer or .p7b file.
    (2) The certificate's private key was imported (for example, from a .pfx file) into a store that is different from the store specified above.
    (3) The certificate was generated as part of a certificate request that did not specify the "Machine Key" option.
    (4) The Federation Service identity 'org\svc_adfs' has not been granted read access to the certificate's private key.
  • User Action
    If the certificate was imported from a source with no private key, choose a certificate that does have a private key, or import the certificate again from a source that includes the private key (for example, a .pfx file).
    If the certificate was imported in a user context, verify that the store specified above matches the store the certificate was imported into.
    If the certificate was generated by a certificate request that did not specify the "Machine Key" option and the key is marked as exportable, export the certificate with a private key from the user store to a .pfx file and import it again directly into the store specified in the configuration file. If the key is not marked as exportable, request a new certificate using the "Machine Key" option.
    If the Federation Service identity has not been granted read access to the certificate's private key, correct this condition using the Certificates snap-in.

I checked the certificate with the DigiCert certificate tool and everything seems all right. I checked the access of the service account to the private key of the certificate; the account has read access. I tried to re-import from the PFX file and even exported and imported the certificate and private key.

Any ideas how to troubleshoot next?


With kind regards / Met vriendelijke groet, Jetze Mellema | http://jetzemellema.blogspot.com/
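The four causes listed in the event text can be checked mechanically instead of by clicking through the Certificates snap-in. The script below is an added example for this page, not code from the original post or from Microsoft; it takes the thumbprint, store and service identity from the event text above and assumes the key is a CryptoAPI (CSP) key stored under the MachineKeys folder, which is where a certificate imported with the "Machine Key" option into LocalMachine\My lands. The `$thumbprint` and `$serviceAccount` values are copied from the event and should be replaced for any other server.

```powershell
# Added diagnostic for Event ID 133 ("private key ... could not be accessed").
# Illustration written for this page, not code from the original post.
# Assumptions: thumbprint and service identity come from the event text;
# the private key is a CryptoAPI (CSP) key under the machine key store.

$thumbprint     = 'EE55C0AE7AF33A1FA6C3CA78DEFAEDB4C12AFAE3'   # from the event
$serviceAccount = 'ORG\svc_adfs'                               # Federation Service identity

# Cause (2): storeName My / storeLocation 0 means LocalMachine\My, not CurrentUser\My.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) {
    $userCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if ($userCert) { Write-Warning "Certificate is in CurrentUser\My, not LocalMachine\My (cause 2)" }
    else           { Write-Warning "Certificate $thumbprint not found in either My store" }
    return
}

# Cause (1): a .cer/.p7b import leaves HasPrivateKey = False.
"HasPrivateKey : $($cert.HasPrivateKey)"
if (-not $cert.HasPrivateKey) { Write-Warning "No private key present; re-import from .pfx (cause 1)"; return }

# Cause (3): the key must be reachable through CryptoAPI; a user-profile key or a
# key ADFS cannot open shows up here as a missing/failed PrivateKey property.
$csp = $null
try { $csp = $cert.PrivateKey.CspKeyContainerInfo } catch { }
if (-not $csp) { Write-Warning "Private key is not accessible via CryptoAPI from this session (cause 3 or a KSP key)"; return }
"MachineKeySet : $($csp.MachineKeySet)"     # False means the key lives in a user profile
"Exportable    : $($csp.Exportable)"

# Cause (4): the key container is a file; check the ACL on it for the service account.
$keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $csp.UniqueKeyContainerName
"Key file      : $keyFile"
$acl = Get-Acl -Path $keyFile
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$readFlag = [System.Security.AccessControl.FileSystemRights]::Read
$hasRead  = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $serviceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readFlag) -eq $readFlag)
}
if (-not $hasRead) {
    # Remediation for cause (4): grant Read on the key file to the service identity.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on the key container to $serviceAccount"
} else {
    "$serviceAccount already has Read on the key container"
}
```

Run it in an elevated PowerShell on the federation server. If every check passes and the service still logs 133, restart the AD FS service after the ACL change and confirm the account in the service's Log On tab is really `ORG\svc_adfs`; an explicit Deny entry on the key file, which the script prints but does not remove, would also override the Read grant.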
