Using MS scripts, I attempted a migration of an ADFS 2.0 configuration (on Windows 2008 R2) to a new ADFS server (Windows 2016). I have warnings in my event log that seem to be linked, via the thumbprint in the error, to the token-decrypting and token-signing certificates.
The EventID was: 329. The error was: "The certificate that is identified by thumbprint 'xxxxxx' could not be decrypted using the keys for X.509 certificate private key sharing. MSIS7708: The group for X.509 certificate private key sharing with the distinguished name 'yyyyyy' does not exist."
How do I resolve these warnings?
Are you the person on reddit I noticed following my instructions, who reported that their service account had been changed? If that's you - or if your service account has changed anyway between the old ADFS server and the new one - you may be having permissions issues in AD - the new ADFS service account might not be able to access AD objects created by the old service account.
If that's the case, use

Get-AdfsProperties

on your ADFS server and look for CertificateSharingContainer. You should see something like this:

[image of the Get-AdfsProperties output not preserved]

Find that container in AD, using ADUC. Verify the correct service account has permissions. If not, add them, bounce the ADFS service and see if that helps.