ADFS certificate error enabling endpoints of Federation Service

All replies

• 

  

  0

  Sign in to vote

  Hi,

  please check to see if the account that is running the "ADFSAppPool" application pool in the IIS of the ADFS has enough privileges to be able to read the certificate.

  You can check this by opening the certificate store in mmc, then navigating to the certificate, right-click on the certificate->All Tasks->Manage private key. Then check to see if the account is listed there and if not add it.

  Greetings,

  Pavlos

  ---

  Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.
  View my latest gallery contribution here.
  Visit my blog here.

  Tuesday, November 13, 2012 8:32 PM
• 

  

  0

  Sign in to vote

  Hi Pavlos,
  
  Thank you for the quick reply.
  
  ADFSAppPool is running as NetworkService.  The user "Network Service" currently has read access to the wildcard SSL certificate.
  
  Thanks,
  
  David

  Tuesday, November 13, 2012 10:21 PM
• 

  

  0

  Sign in to vote

  Hi,

  another place to look would be to check if the certificate is expired. Take a look at this for instance.

  Greetings,

  Pavlos

  ---

  Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.
  View my latest gallery contribution here.
  Visit my blog here.

  • Proposed as answer by Chirag Agarwal Friday, March 21, 2014 10:58 AM

  Wednesday, November 14, 2012 9:40 AM
• 

  

  0

  Sign in to vote

  Hi Pavlos,

  The certificates seem to be in date.  I have copied the output of get-adfscertificate below:

  PS C:\Users\Administrator>  get-adfscertificate
  
  Certificate     : [Subject]
                      CN=*.site.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated
  
                    [Issuer]
                      CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
  
                    [Serial Number]
                      1A37C7...
  
                    [Not Before]
                      13/11/2012 00:00:00
  
                    [Not After]
                      13/11/2013 23:59:59
  
                    [Thumbprint]
                      CD769...
  
  CertificateType : Service-Communications
  IsPrimary       : True
  StoreLocation   : LocalMachine
  StoreName       : My
  Thumbprint      : CD769...
  
  Certificate     : [Subject]
                      CN=ADFS Encryption - sts.site.com
  
                    [Issuer]
                      CN=ADFS Encryption - sts.site.com
  
                    [Serial Number]
                      1F667A...
  
                    [Not Before]
                      13/11/2012 16:45:09
  
                    [Not After]
                      13/11/2013 16:45:09
  
                    [Thumbprint]
                      B6FBC3...
  
  CertificateType : Token-Decrypting
  IsPrimary       : True
  StoreLocation   : CurrentUser
  StoreName       : My
  Thumbprint      : B6FBC3...
  
  Certificate     : [Subject]
                      CN=ADFS Signing - sts.site.com
  
                    [Issuer]
                      CN=ADFS Signing - sts.site.com
  
                    [Serial Number]
                      1B901D...
  
                    [Not Before]
                      13/11/2012 16:45:08
  
                    [Not After]
                      13/11/2013 16:45:08
  
                    [Thumbprint]
                      563C65...
  
  CertificateType : Token-Signing
  IsPrimary       : True
  StoreLocation   : CurrentUser
  StoreName       : My
  Thumbprint      : 563C65...

  Wednesday, November 14, 2012 11:16 AM
• 

  

  0

  Sign in to vote

  Hi,

  you can also check if the ADFS ports are not being used by another application as described here. You can also find a few more info here.

  Greetings,

  Pavlos

  ---

  Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.
  View my latest gallery contribution here.
  Visit my blog here.

  
  

  • Edited by Pavlos Panagiotidis Wednesday, November 14, 2012 11:24 AM

  Wednesday, November 14, 2012 11:24 AM
• 

  

  0

  Sign in to vote

  Hi Pavlos,

  I checked with netstat - when ADFSwas not running nothing was listening on port 1500 or 1501 on any interface.
  
  I ran the commands anyway and changed the ports to 1600 and 1601.  When I restarted ADFS 2.0 it gave the same 201 error message.
  
  I have set the ports back to the original values.

  Is there anything else that I can do to debug the situation?

  Thanks,

  David

  Wednesday, November 14, 2012 1:17 PM
• 

  

  0

  Sign in to vote

  Hi David,

  Please check the below threads,

  http://social.microsoft.com/Forums/en-US/crmdeployment/thread/bf0875b7-c45a-42a2-ba7e-a3058b57e2ba

  https://community.dynamics.com/product/crm/crmtechnical/b/cognettacloud/archive/2012/09/27/crm-2011-adfs-503-error-and-how-to-fix-it.aspx

  Regards,

  ---

  Khaja Mohiddin
  http://www.dynamicsexchange.com
  http://about.me/KhajaMohiddin

  Wednesday, November 14, 2012 1:23 PM
• 

  

  0

  Sign in to vote

  Hi Khaja,

  Thank you for the links.  The problem proved to be unrelated to reserved URLs but was caused by ADFS failing to load the certificates despite appearing to have the correct permissions.

  The fix was to change the ADFS application to run as the Local System user - as soon as we made this change, the page redirect worked fine and we could load the metadata.

  Kind regards,

  David

  • Marked as answer by DavidBlundell Thursday, November 22, 2012 1:14 PM

  Wednesday, November 21, 2012 3:32 PM