ADFS certificate error enabling endpoints of Federation Service

Question
Hi All,
I am adding ADFS to an existing CRM installation. I have installed a wildcard SSL certificate, bound it in IIS and installed ADFS.
When I test the metadata by connecting to https://site/federationmetadata/2007-06/federationmetadata.xml I get a 503 error.
The AD FS 2.0 Admin log contains the following message every time I try to restart the service:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Event ID 102:
Additional Data
Exception details:
System.ArgumentNullException: Value cannot be null.
Parameter name: certificate
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate, String id, Boolean clone, Boolean disposable)
at System.IdentityModel.Tokens.X509SecurityToken..ctor(X509Certificate2 certificate)
at Microsoft.IdentityServer.Service.Configuration.MSISSecurityTokenServiceConfiguration.Create(Boolean forSaml)
at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.ConfigureWIF()
at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.ProxyPolicyServiceHost.Create()
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartProxyPolicyStoreService(ServiceHostManager serviceHostManager)
at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)
Any suggestions on how to fix the problem?
Thanks,
David
Tuesday, November 13, 2012 6:18 PM
Answers
Hi Khaja,
Thank you for the links. The problem proved to be unrelated to reserved URLs but was caused by ADFS failing to load the certificates despite appearing to have the correct permissions.
The fix was to change the ADFS application to run as the Local System user - as soon as we made this change, the page redirect worked fine and we could load the metadata.
Kind regards,
David
- Marked as answer by DavidBlundell Thursday, November 22, 2012 1:14 PM
Wednesday, November 21, 2012 3:32 PM
All replies
Hi,
please check to see if the account that is running the "ADFSAppPool" application pool in the IIS of the ADFS has enough privileges to be able to read the certificate.
You can check this by opening the certificate store in mmc, then navigating to the certificate, right-click on the certificate->All Tasks->Manage private key. Then check to see if the account is listed there and if not add it.
Greetings,
Pavlos
Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.
View my latest gallery contribution here.
Visit my blog here.
Tuesday, November 13, 2012 8:32 PM
Hi Pavlos,
Thank you for the quick reply.
ADFSAppPool is running as NetworkService. The user "Network Service" currently has read access to the wildcard SSL certificate.
Thanks,
David
Tuesday, November 13, 2012 10:21 PM
- Proposed as answer by Chirag Agarwal Friday, March 21, 2014 10:58 AM
Wednesday, November 14, 2012 9:40 AM
Hi Pavlos,
The certificates seem to be in date. I have copied the output of get-adfscertificate below:
PS C:\Users\Administrator> get-adfscertificate
Certificate : [Subject]
CN=*.site.com, OU=PositiveSSL Wildcard, OU=Domain Control Validated
[Issuer]
CN=PositiveSSL CA 2, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
[Serial Number]
1A37C7...
[Not Before]
13/11/2012 00:00:00
[Not After]
13/11/2013 23:59:59
[Thumbprint]
CD769...
CertificateType : Service-Communications
IsPrimary : True
StoreLocation : LocalMachine
StoreName : My
Thumbprint : CD769...
Certificate : [Subject]
CN=ADFS Encryption - sts.site.com
[Issuer]
CN=ADFS Encryption - sts.site.com
[Serial Number]
1F667A...
[Not Before]
13/11/2012 16:45:09
[Not After]
13/11/2013 16:45:09
[Thumbprint]
B6FBC3...
CertificateType : Token-Decrypting
IsPrimary : True
StoreLocation : CurrentUser
StoreName : My
Thumbprint : B6FBC3...
Certificate : [Subject]
CN=ADFS Signing - sts.site.com
[Issuer]
CN=ADFS Signing - sts.site.com
[Serial Number]
1B901D...
[Not Before]
13/11/2012 16:45:08
[Not After]
13/11/2013 16:45:08
[Thumbprint]
563C65...
CertificateType : Token-Signing
IsPrimary : True
StoreLocation : CurrentUser
StoreName : My
Thumbprint : 563C65...
Wednesday, November 14, 2012 11:16 AM
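Pavlos's advice is to check the private-key permissions through the MMC, and the get-adfscertificate listing above shows where each certificate is expected to live. The following script is an added example of mine, not code from the thread or from the AD FS product: it walks the Get-AdfsCertificate output, checks that each certificate is present in the configured store as seen by the account running the script (a CurrentUser store is per account, so a certificate the administrator can see is not necessarily visible to the service account), checks the validity period, and, for CSP-backed keys, reads the NTFS ACL of the key container file to confirm the service account can read it. It assumes the AD FS 2.0 PowerShell snap-in is installed and that the service runs as NETWORK SERVICE, the account named in the thread; the function names Get-PrivateKeyAcl, Test-KeyReadable and Test-AdfsCertificates are my own.

```powershell
# Added example (not from the thread): audit the certificates AD FS 2.0 is configured to use.
# Assumes the AD FS 2.0 snap-in is installed and the service runs as NETWORK SERVICE
# (the account named in the thread); change $ServiceAccount otherwise. Run elevated.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'

function Get-PrivateKeyAcl {
    # Returns the NTFS ACL of the key container file behind a certificate's private key,
    # or $null when the key is not CSP-backed (.PrivateKey is $null for CNG keys) or not found.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { return $null }
    $rsa = $Cert.PrivateKey
    if ($rsa -eq $null -or $rsa.CspKeyContainerInfo -eq $null) { return $null }

    $container = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    # Machine keys live under ProgramData, per-user keys under the profile's AppData.
    $roots = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:APPDATA 'Microsoft\Crypto\RSA')
    )
    foreach ($root in $roots) {
        $file = Get-ChildItem -Path $root -Recurse -Filter $container -ErrorAction SilentlyContinue |
                Select-Object -First 1
        if ($file) { return Get-Acl -Path $file.FullName }
    }
    return $null
}

function Test-KeyReadable {
    # True when the ACL has an Allow entry for $Account that covers the Read right set.
    param($Acl, [string]$Account)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $Account) { continue }
        if (($ace.FileSystemRights -band $read) -eq $read) { return $true }
    }
    return $false
}

function Test-AdfsCertificates {
    $now = Get-Date
    foreach ($entry in Get-AdfsCertificate) {
        $issues = @()
        $path = 'Cert:\{0}\{1}\{2}' -f $entry.StoreLocation, $entry.StoreName, $entry.Thumbprint
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue

        if ($cert -eq $null) {
            # A CurrentUser store is per account: a certificate visible to the administrator
            # is not necessarily visible to the account the AD FS service runs as.
            $issues += "not found in $($entry.StoreLocation)\$($entry.StoreName) as $env:USERNAME"
        } else {
            if ($cert.NotAfter -lt $now)  { $issues += 'expired' }
            if ($cert.NotBefore -gt $now) { $issues += 'not yet valid' }
            if (-not $cert.HasPrivateKey) { $issues += 'no private key' }

            $acl = Get-PrivateKeyAcl -Cert $cert
            if ($acl -ne $null -and -not (Test-KeyReadable -Acl $acl -Account $ServiceAccount)) {
                $issues += "private key not readable by $ServiceAccount"
            }
        }

        $summary = 'OK'
        if ($issues.Count -gt 0) { $summary = $issues -join '; ' }
        New-Object PSObject -Property @{
            Type       = $entry.CertificateType
            Thumbprint = $entry.Thumbprint
            Store      = '{0}\{1}' -f $entry.StoreLocation, $entry.StoreName
            Issues     = $summary
        }
    }
}

Test-AdfsCertificates | Format-Table Type, Store, Thumbprint, Issues -AutoSize
```

Running it once as the administrator and once in a session started as the service account (for example with psexec or a scheduled task) shows which certificates the service can actually open. Where the only problem is the key ACL, granting the service account Read on that one key file is a narrower fix than moving the whole service to Local System.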
Hi,
you can also check if the ADFS ports are not being used by another application as described here. You can also find some more info here.
Greetings,
Pavlos
Please mark this reply as an answer and vote it as helpful if it helps you find a resolution to your problem.
View my latest gallery contribution here.
Visit my blog here.
- Edited by Pavlos Panagiotidis Wednesday, November 14, 2012 11:24 AM
Wednesday, November 14, 2012 11:24 AM
Hi Pavlos,
I checked with netstat - when ADFS was not running nothing was listening on port 1500 or 1501 on any interface.
I ran the commands anyway and changed the ports to 1600 and 1601. When I restarted ADFS 2.0 it gave the same 201 error message.
I have set the ports back to the original values.
Is there anything else that I can do to debug the situation?
Thanks,
David
Wednesday, November 14, 2012 1:17 PM
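The netstat check David describes, as an added example of mine rather than code from the thread: it parses 'netstat -ano' for LISTENING entries on the AD FS 2.0 net.tcp ports mentioned above (1500 and 1501) and resolves the owning process by PID, which is what you need to know before changing the ports. It runs on Windows Server 2008 R2 / PowerShell 2.0, where Get-NetTCPConnection does not exist; the function name Get-PortListener and the default port list are my own choices.

```powershell
# Added example (not from the thread): report which process, if any, already listens on
# the AD FS net.tcp ports, by parsing 'netstat -ano' (works on PowerShell 2.0).
function Get-PortListener {
    param([int[]]$Port = @(1500, 1501))   # ports discussed in the thread; override as needed

    $netstat = netstat -ano
    foreach ($p in $Port) {
        # Matches IPv4 and IPv6 listeners: local address ends in ":<port>", state LISTENING,
        # and the last column is the owning PID.
        $pattern = '^\s*TCP\s+\S+:' + $p + '\s+\S+\s+LISTENING\s+(\d+)\s*$'
        $owner = 'none'
        foreach ($line in $netstat) {
            $m = [regex]::Match($line, $pattern)
            if ($m.Success) {
                $ownerPid = [int]$m.Groups[1].Value
                $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                if ($proc) { $owner = '{0} (PID {1})' -f $proc.ProcessName, $ownerPid }
                else       { $owner = 'PID {0}' -f $ownerPid }
                break
            }
        }
        New-Object PSObject -Property @{ Port = $p; Listener = $owner }
    }
}

# With the AD FS service stopped, every port should report 'none'; with it running,
# the listener should be the AD FS service process.
Get-PortListener | Format-Table Port, Listener -AutoSize
```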
Hi David,
Please check the below threads,
http://social.microsoft.com/Forums/en-US/crmdeployment/thread/bf0875b7-c45a-42a2-ba7e-a3058b57e2ba
https://community.dynamics.com/product/crm/crmtechnical/b/cognettacloud/archive/2012/09/27/crm-2011-adfs-503-error-and-how-to-fix-it.aspx
Regards,
Khaja Mohiddin
http://www.dynamicsexchange.com
http://about.me/KhajaMohiddin
Wednesday, November 14, 2012 1:23 PM