After installing and configuring the ADFS role on the primary federation server, the ADFS role is installed on the secondary federation server.
The ADFS Configuration Wizard resulted in an error, which made me go back to the primary server to verify that everything was working – it was not …
As the GMSA account was added to both ADFS servers, the service should start.
Trying to start the service resulted in this error:
After further investigation, I found that the User Rights Assignment settings had been altered from the defaults on the server, and the ADFS service account lacked the following privileges:
| Policy | Security Settings |
|---|---|
| Log on as a service | ADATUM\ADFS-gMSA-Svc$, NT SERVICE\adfssrv, NT SERVICE\ALL SERVICES, NT SERVICE\drs |
| Generate security audits | ADATUM\ADFS-gMSA-Svc$, LOCAL SERVICE, NETWORK SERVICE, NT SERVICE\adfssrv, NT SERVICE\drs |
After adding NT SERVICE\ALL SERVICES to Log on as a service and LOCAL SERVICE and NETWORK SERVICE to Generate security audits, and rebooting the server, the ADFS service was able to start.
In addition, the standard domain service account or the Group Managed Service Account (gMSA) used for the ADFS service must be a member of the local Administrators group on all the ADFS servers.
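To catch this drift before the service fails, the following PowerShell script (an added example, not part of the original post) exports the local security policy with secedit.exe and verifies that the two user rights and the local Administrators group contain the principals listed above; it assumes an elevated session on the ADFS server and uses the post's gMSA name, which you would adjust for your own domain.

```powershell
# Added example: verify the User Rights Assignment entries the post describes.
# Assumes an elevated PowerShell session on an ADFS server; $gmsa is the post's name.
$gmsa = 'ADATUM\ADFS-gMSA-Svc$'

# Principals each right must contain, as listed in the post.
$required = @{
    SeServiceLogonRight = @($gmsa, 'NT SERVICE\adfssrv', 'NT SERVICE\ALL SERVICES', 'NT SERVICE\drs')
    SeAuditPrivilege    = @($gmsa, 'LOCAL SERVICE', 'NETWORK SERVICE', 'NT SERVICE\adfssrv', 'NT SERVICE\drs')
}

function ConvertTo-Sid([string]$Principal) {
    # secedit writes SIDs with a leading '*'; account names are resolved through LSA
    # so that comparisons are done on SIDs rather than on display names.
    $p = $Principal.TrimStart('*')
    if ($p -match '^S-1-\d+(-\d+)+$') { return $p }
    try {
        return ([System.Security.Principal.NTAccount]$p).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # unresolvable name, e.g. a gMSA from the wrong domain
}

# Export the effective policy and parse the [Privilege Rights] section.
$cfg = Join-Path $env:TEMP 'secpol-adfs-check.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$assigned = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $assigned[$matches[1]] = @($matches[2] -split ',' | ForEach-Object { ConvertTo-Sid $_.Trim() })
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$problems = 0
foreach ($right in $required.Keys) {
    foreach ($name in $required[$right]) {
        $sid = ConvertTo-Sid $name
        if (-not $sid) { Write-Warning "$right : cannot resolve '$name'"; $problems++; continue }
        if ($assigned[$right] -notcontains $sid) {
            Write-Warning "$right is missing $name ($sid)"; $problems++
        }
    }
}

# The post also requires the service account in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.SID.Value }
if ($admins -notcontains (ConvertTo-Sid $gmsa)) { Write-Warning "$gmsa is not in local Administrators"; $problems++ }

if ($problems -eq 0) { 'User Rights Assignment and Administrators membership match the expected ADFS configuration.' }
else { "$problems problem(s) found; correct them via secpol.msc or the applying GPO and reboot." }
```

Run it on every federation server, since the rights are local to each host and a GPO applied to only one server will leave the others out of step.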