ADFS certificate error enabling endpoints of Federation Service

  • Question

  • Hi All,

    I am adding ADFS to an existing CRM installation.  I have installed a wildcard SSL certificate, bound it in IIS and installed ADFS.

    When I test the metadata by connecting to https://site/federationmetadata/2007-06/federationmetadata.xml I get a 503 error.

    The AD FS 2.0 Admin log contains the following message every time I try to restart the service:

    There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service. 

    Event ID 102:

    Additional Data 
    Exception details: 
    System.ArgumentNullException: Value cannot be null.
    Parameter name: certificate
       at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
       at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate)
       at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml)
       at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()
       at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
       at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()
       at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
       at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)

    Any suggestions on how to fix the problem?

    Thanks,

    David

    Tuesday, November 13, 2012 6:18 PM

Answers

  • Hi Khaja,

    Thank you for the links.  The problem proved to be unrelated to reserved URLs but was caused by ADFS failing to load the certificates despite appearing to have the correct permissions.

    The fix was to change the ADFS application to run as the Local System user - as soon as we made this change, the page redirect worked fine and we could load the metadata.

    Kind regards,

    David

    • Marked as answer by DavidBlundell Thursday, November 22, 2012 1:14 PM
    Wednesday, November 21, 2012 3:32 PM
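    The accepted fix above works around the access problem by moving AD FS to Local System, a far more privileged account than the service needs. The least-privilege version of the same fix is the one Pavlos's reply describes: give the identity that actually hosts AD FS read access to the certificate's private key. The script below is an added example, not code from the thread. It reports which identities the AD FS 2.0 Windows service (service name adfssrv) and the ADFSAppPool application pool run as, then grants one account Read on the key file behind a LocalMachine\My certificate, which is the scripted equivalent of the MMC "Manage Private Keys" step. The thumbprint and the default account are illustrative assumptions; the cmdlets and .NET calls are standard.

```powershell
# Added example (not from the thread). Run elevated on the AD FS server.
# Assumptions: $Thumbprint identifies the certificate to fix (illustrative);
# $Account is the identity to grant (defaults to the pool identity the thread reports).
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,
    [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
)

# 1. Which identities are involved? Both the Windows service and the IIS pool host AD FS code.
$svc = Get-WmiObject Win32_Service -Filter "Name='adfssrv'"
if ($svc) { Write-Host ("adfssrv runs as {0} (state: {1})" -f $svc.StartName, $svc.State) }

Import-Module WebAdministration -ErrorAction SilentlyContinue
$pool = Get-Item 'IIS:\AppPools\ADFSAppPool' -ErrorAction SilentlyContinue
if ($pool) {
    $pm = $pool.processModel
    if ($pm.identityType -eq 'SpecificUser') { $poolIdentity = $pm.userName } else { $poolIdentity = $pm.identityType }
    Write-Host ("ADFSAppPool runs as {0}" -f $poolIdentity)
}

# 2. Locate the certificate and the file that carries its private-key ACL.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$cert = $store.Certificates.Find('FindByThumbprint', $Thumbprint, $false) | Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this machine" }

# Machine keys are files under ProgramData; their NTFS ACL is what "Manage Private Keys" edits.
# A key in a per-user store is invisible to every other account, so an ACL change cannot help there.
$container = $cert.PrivateKey.CspKeyContainerInfo
if (-not $container.MachineKeyStore) { throw "Key is in a per-user store; granting another identity access is not possible via the ACL" }
$keyFile = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $container.UniqueKeyContainerName

# 3. Grant Read only (enough for TLS and signing; Full Control would allow key export/replacement).
$acl = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 4. Show the resulting ACL so the change can be verified.
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

    After the grant, restart the AD FS 2.0 Windows service under its original account and re-check the AD FS 2.0 Admin log for Event ID 102 before considering Local System.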

All replies

  • Hi,

    please check to see if the account that is running the "ADFSAppPool" application pool in the IIS of the ADFS has enough privileges to be able to read the certificate.

    You can check this by opening the certificate store in mmc, then navigating to the certificate, right-click on the certificate->All Tasks->Manage private key. Then check to see if the account is listed there and if not add it.

    Greetings,

    Pavlos

    Tuesday, November 13, 2012 8:32 PM
  • Hi Pavlos,

    Thank you for the quick reply.

    ADFSAppPool is running as NetworkService.  The user "Network Service" currently has read access to the wildcard SSL certificate.

    Thanks,

    David
    Tuesday, November 13, 2012 10:21 PM
  • Hi,

    another place to look would be to check if the certificate is expired. Take a look at this for instance.

    Greetings,

    Pavlos

    • Proposed as answer by Chirag Agarwal Friday, March 21, 2014 10:58 AM
    Wednesday, November 14, 2012 9:40 AM
  • Hi Pavlos,

    The certificates seem to be in date.  I have copied the output of get-adfscertificate below:

    PS C:\Users\Administrator>  get-adfscertificate

    Certificate     : [Subject]
                        CN=*.site.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated

                      [Issuer]
                        CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB

                      [Serial Number]
                        1A37C7...

                      [Not Before]
                        13/11/2012 00:00:00

                      [Not After]
                        13/11/2013 23:59:59

                      [Thumbprint]
                        CD769...

    CertificateType : Service-Communications
    IsPrimary       : True
    StoreLocation   : LocalMachine
    StoreName       : My
    Thumbprint      : CD769...

    Certificate     : [Subject]
                        CN=ADFS Encryption - sts.site.com

                      [Issuer]
                        CN=ADFS Encryption - sts.site.com

                      [Serial Number]
                        1F667A...

                      [Not Before]
                        13/11/2012 16:45:09

                      [Not After]
                        13/11/2013 16:45:09

                      [Thumbprint]
                        B6FBC3...

    CertificateType : Token-Decrypting
    IsPrimary       : True
    StoreLocation   : CurrentUser
    StoreName       : My
    Thumbprint      : B6FBC3...

    Certificate     : [Subject]
                        CN=ADFS Signing - sts.site.com

                      [Issuer]
                        CN=ADFS Signing - sts.site.com

                      [Serial Number]
                        1B901D...

                      [Not Before]
                        13/11/2012 16:45:08

                      [Not After]
                        13/11/2013 16:45:08

                      [Thumbprint]
                        563C65...

    CertificateType : Token-Signing
    IsPrimary       : True
    StoreLocation   : CurrentUser
    StoreName       : My
    Thumbprint      : 563C65...

    Wednesday, November 14, 2012 11:16 AM
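    Two things stand out in the output above: the certificates are all in date, and only the Service-Communications certificate is in LocalMachine\My, while the self-signed Token-Signing and Token-Decrypting certificates sit in a CurrentUser\My store, which is per-account, so which account does the lookup matters. The Event ID 102 trace in the question shows X509SecurityToken being handed a null certificate, i.e. a configured certificate that could not be resolved from its store. The script below is an added example, not code from the thread: run as the identity the AD FS service uses (for example via runas), it repeats the lookup the service performs for each configured certificate (store location, store name, thumbprint), reports validity, whether the private key can actually be opened, and whether the key file's ACL contains an account you name. This covers both Pavlos's private-key permission check and the expiry check. The default account and the Get-KeyFilePath helper are illustrative assumptions; the AD FS 2.0 snap-in name and the .NET X509Store calls are real.

```powershell
# Added example (not from the thread). Run it under the identity the AD FS service uses,
# because a CurrentUser store means "the Personal store of whoever is asking".
# Assumption: $AccountToCheck (illustrative default) is the account expected in the key ACL.
param([string]$AccountToCheck = 'NT AUTHORITY\NETWORK SERVICE')

# AD FS 2.0 ships its cmdlets as a snap-in rather than a module.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("Resolving AD FS certificates as {0}" -f $identity.Name)

function Get-KeyFilePath {
    # Maps a CAPI key container to the file that carries its ACL (illustrative helper):
    # machine keys live under ProgramData\...\MachineKeys, per-user keys under the
    # profile's RSA\<SID> folder.
    param($CspInfo, [string]$UserSid)
    if ($CspInfo.MachineKeyStore) {
        return Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') $CspInfo.UniqueKeyContainerName
    }
    return Join-Path (Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$UserSid") $CspInfo.UniqueKeyContainerName
}

Get-ADFSCertificate | ForEach-Object {
    $entry = $_
    # Same lookup the service does: open the configured store as the current user, find by thumbprint.
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]$entry.StoreLocation
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store([string]$entry.StoreName, $location)
    $store.Open('ReadOnly')
    $hits = $store.Certificates.Find('FindByThumbprint', $entry.Thumbprint, $false)
    $store.Close()

    $row = New-Object PSObject -Property @{
        Type          = $entry.CertificateType
        Store         = "$($entry.StoreLocation)\$($entry.StoreName)"
        Thumbprint    = $entry.Thumbprint
        Found         = ($hits.Count -gt 0)
        Valid         = $null
        PrivateKey    = 'n/a'
        AclHasAccount = $null
    }

    if ($hits.Count -gt 0) {
        $cert = $hits[0]
        $now = Get-Date
        $row.Valid = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        if (-not $cert.HasPrivateKey) {
            $row.PrivateKey = 'missing'
        } else {
            try {
                # Touching .PrivateKey makes CAPI open the key container as the current user;
                # a permissions problem surfaces here as an exception, not earlier.
                $csp = $cert.PrivateKey.CspKeyContainerInfo
                $row.PrivateKey = 'accessible'
                $keyFile = Get-KeyFilePath $csp $identity.User.Value
                if (Test-Path $keyFile) {
                    $acl = Get-Acl -Path $keyFile
                    $row.AclHasAccount = [bool]($acl.Access | Where-Object { $_.IdentityReference.Value -eq $AccountToCheck })
                }
            } catch {
                $row.PrivateKey = "not accessible: $($_.Exception.Message)"
            }
        }
    }
    $row
} | Select-Object Type, Store, Thumbprint, Found, Valid, PrivateKey, AclHasAccount
```

    A row with Found = False, or PrivateKey starting with "not accessible", identifies the certificate behind the null-certificate exception in Event ID 102; a CurrentUser row that is Found when run as an administrator but not when run as the service account points at the per-account store rather than at the ACL.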
  • Hi,

    you can also check if the ADFS ports are not being used by another application as described here. You can also find some more information here.

    Greetings,

    Pavlos

    Wednesday, November 14, 2012 11:24 AM
  • Hi Pavlos,

    I checked with netstat - when ADFS was not running nothing was listening on port 1500 or 1501 on any interface.

    I ran the commands anyway and changed the ports to 1600 and 1601.  When I restarted ADFS 2.0 it gave the same 201 error message.

    I have set the ports back to the original values.

    Is there anything else that I can do to debug the situation?

    Thanks,

    David

    Wednesday, November 14, 2012 1:17 PM
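    The netstat check described above, as an added example rather than anything posted in the thread: it parses `netstat -ano` for listeners on the ports the thread names (1500 and 1501 by default) and maps each to its owning process, so a port clash is confirmed or ruled out with the process name in hand before changing the ports. It uses netstat because Get-NetTCPConnection does not exist on Windows Server 2008 R2; the service name adfssrv for the AD FS 2.0 Windows service is a known value. Run it with the AD FS service stopped to see whether anything else already owns the ports.

```powershell
# Added example (not from the thread). Assumption: $Ports are the net.tcp ports
# AD FS 2.0 is configured with; 1500/1501 are the values the thread reports.
param([int[]]$Ports = @(1500, 1501))

function Get-TcpListener {
    # Parses 'netstat -ano' into objects. A listening line looks like:
    #   TCP    0.0.0.0:1500    0.0.0.0:0    LISTENING    1234
    # IPv6 addresses ([::]:1500) are handled by the greedy (\S+):(\d+) split.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $ownerPid = [int]$matches[3]      # $pid is reserved for PowerShell's own PID
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName } else { $name = '<unknown>' }
            New-Object PSObject -Property @{
                Address = $matches[1]
                Port    = [int]$matches[2]
                Pid     = $ownerPid
                Process = $name
            }
        }
    }
}

# State of the AD FS service first: a running service legitimately owns the ports.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
if ($svc) { Write-Host ("AD FS 2.0 service (adfssrv) is {0}" -f $svc.Status) }

$listeners = @(Get-TcpListener)
foreach ($port in $Ports) {
    $owners = @($listeners | Where-Object { $_.Port -eq $port })
    if ($owners.Count -eq 0) {
        Write-Host ("port {0}: nothing listening" -f $port)
    } else {
        foreach ($o in $owners) {
            Write-Host ("port {0}: {1} (PID {2}) bound on {3}" -f $port, $o.Process, $o.Pid, $o.Address)
        }
    }
}
```

    If every port reports "nothing listening" while adfssrv is stopped, as in the reply above, the ports are not the cause and the certificate lookup is the next place to look.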
  • Hi David,

    Please check the below threads,

    http://social.microsoft.com/Forums/en-US/crmdeployment/thread/bf0875b7-c45a-42a2-ba7e-a3058b57e2ba

    https://community.dynamics.com/product/crm/crmtechnical/b/cognettacloud/archive/2012/09/27/crm-2011-adfs-503-error-and-how-to-fix-it.aspx

    Regards,


    Khaja Mohiddin
    http://www.dynamicsexchange.com
    http://about.me/KhajaMohiddin

    Wednesday, November 14, 2012 1:23 PM