I have created an ADFS server according to the guide on technet. However, when attempting to add a secondary ADFS server using the latter part of this guide on technet, the process fails.
PS > Import-Module ADFS
PS > $serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
PS > Add-AdfsFarmNode `
>> -CertificateThumbprint:"REDACTED" `
>> -OverwriteConfiguration:$true `
>> -PrimaryComputerName:"awsfed01.ad.redacted.com" `
>> -ServiceAccountCredential:$serviceAccountCredential
>>
Add-AdfsFarmNode : MSIS7711: PolicyOperationFault
At line:1 char:1
+ Add-AdfsFarmNode `
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AdfsFarmNode], FaultException
+ FullyQualifiedErrorId : DeploymentTask,Microsoft.IdentityServer.Deployment.Commands.JoinFarmCommand
Message Context Status
------- ------- ------
Unable to synchronize local database... DeploymentTask Error
The following errors now appear in the event log on the server I am attempting to configure every five minutes:
Source: AD FS, Event ID 344:
There was an error doing synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.
Source: AD FS, Event ID 345:
There was a communication error during AD FS configuration database synchronization. Synchronization of data from the primary federation server to a secondary federation server did not occur.
Additional Data
Master Name : awsfed01.ad.redacted.com
Endpoint Uri : http://awsfed01.ad.redacted.com/adfs/services/policystoretransfer
Exception details:
System.ServiceModel.Security.SecurityNegotiationException: The caller was not authenticated by the service. ---> System.ServiceModel.FaultException: The request for security token could not be satisfied because authentication failed.
at System.ServiceModel.Security.SecurityUtils.ThrowIfNegotiationFault(Message message, EndpointAddress target)
at System.ServiceModel.Security.SspiNegotiationTokenProvider.GetNextOutgoingMessageBody(Message incomingMessage, SspiNegotiationTokenProviderState sspiState)
The primary ADFS server's Security Audit Log contains an audit failures every time the secondary attempts to connect with the following details:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: msa-adfs$
Account Domain: RDC
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0x80090302
Sub Status: 0xC0000418
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: AWSFED20
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Environment details
- I am using Windows Server 2012 R2 with ADFS 3.0
- My domain is ad.redacted.com (or RDC\). Additionally, I have redacted.com and redacted.co.uk as UPNs.
- I am using the WID database, not an external SQL server.
- I used a manually created a gMSA service account for my primary ADFS installation named RDC\msa-adfs$ - and am using this same account when trying to configure the secondary ADFS server. I configured its SPN - in accordance with various sources around the internet - to the following:
- host/adfs.ad.redacted.com
- http/adfs
- host/adfs.ad.redacted.com
- http/adfs
- The primary ADFS server's name is awsfed01.ad.redacted.com
- The secondary ADFS server - that I'm trying to configure - name is awsfed02.ad.redacted.com
- There is a DNS CNAME record for adfs.ad.redacted.com pointing at awsfed01.ad.redacted.com
- I used a SSL certificate signed by an external CA, with adfs.ad.redacted.com as the primary domain, and the following Subject Alternative Names:
- adfs.ad.redacted.com
- enterpriseregistration.ad.redacted.com
- enterpriseregistration.redacted.com
- enterpriseregistration.redacted.co.uk
- Both ADFS servers are configured with the Windows firewall enabled, but the network is configured to permit all traffic between them
I have tried configuring this multiple times from a blank server. Each time, the secondary ADFS server fails in the same way with the same error message.
Update: Reproduce with PowerShell
To try and reproduce this as reliably as possible, I have recreated what I'm doing with PowerShell.
Prerequisites: * Domain controller awsdc01 for domain ad.redacted.com aka RDC\ * Two federation servers: awsfed10, awsfed20 in a group named ADFS Servers
On awsdc01:
New-ADServiceAccount -Name msa-adfs `
-DNSHostName adfs.ad.redacted.com `
-PrincipalsAllowedToRetrieveManagedPassword "ADFS Servers"
-ServicePrincipalNames "http/adfs.ad.redacted.com"
Executed successfully.
On awsfed10:
Install-WindowsFeature adfs-federation –IncludeManagementTools
Add-WindowsFeature RSAT-AD-PowerShell
$password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\files\cert.pfx cert:\localMachine\my -Password $password
Import-Module ActiveDirectory
Import-Module ADFS
Install-ADServiceAccount msa-adfs
Install-AdfsFarm -CertificateThumbprint:"XXX" -FederationServiceName:"adfs.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$
Initialize-ADDeviceRegistration -ServiceAccountName RDC\msa-adfs$
Enable-AdfsDeviceRegistration
All executed successfully.
On awsfed20:
Install-WindowsFeature adfs-federation –IncludeManagementTools
Add-WindowsFeature RSAT-AD-PowerShell
$password = ConvertTo-SecureString -String "Redacted" -Force -AsPlainText
Import-PfxCertificate -FilePath C:\files\cert.pfx cert:\localMachine\my -Password $password
Import-Module ActiveDirectory
Import-Module ADFS
Install-ADServiceAccount msa-adfs
Install-AdfsFarm -CertificateThumbprint:"XXX" -PrimaryComputerName:"awsfed10.ad.redacted.com" -GroupServiceAccountIdentifier RDC\msa-adfs$
Failed with the same errors as above.
The GMSA must be created with a host SPN (not http) based on the FederationServiceName parameter. So if you use adfs.ad.redacted.com then the SPN will be host/adfs.ad.redacted.com.
You should not be using CNAME entries to point adfs.ad.redacted.com to individual servers. That's going to cause Kerberos authentication issues as explained in https://blogs.technet.microsoft.com/askds/2009/06/22/internet-explorer-behaviors-with-kerberos-authentication/ scenario 2.
I assume you have some load balancing in use. Therefore the adfs.ad.redacted.com should resolve to the virtual IP of the load balancer that sits in front of the AD FS farm nodes.
Is NTLM blocking in use? Because it appears so. https://blogs.technet.microsoft.com/askds/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7/ has more details of NTLM blocking.
Just use NTLM auditing for now (don't block) and retry adding the 2nd node after correcting the configuration as suggested earlier.
If you are still having issues, I suggest raising a support case with Microsoft.
If someone suffers in my case it was local firewall disabled for sync and also by MS specific email we disabled NTLM proxy so we enabled it for sync and then disabled again.