Resolving “Windows could not start Active Directory Federation Services service”

After installing and configuring the ADFS role on the primary federation server, the ADFS role was installed on the secondary federation server.


The ADFS Configuration Wizard resulted in an error, which made me go back to the primary server to verify that everything was working – it was not …


As the gMSA account had been added to both ADFS servers, the service should have been able to start.

Trying to start the service resulted in this error:


After further investigation, I found that the User Rights Assignment settings had been altered from the defaults on the server, and the ADFS service account lacked the following privileges (the table shows the required security settings for each policy):

Policy                     Security Settings
Log on as a service        ADATUM\ADFS-gMSA-Svc$
                           NT SERVICE\adfssrv
                           NT SERVICE\ALL SERVICES
                           NT SERVICE\drs
Generate security audits   ADATUM\ADFS-gMSA-Svc$
                           LOCAL SERVICE
                           NETWORK SERVICE
                           NT SERVICE\adfssrv
                           NT SERVICE\drs

After adding NT SERVICE\ALL SERVICES to "Log on as a service", adding LOCAL SERVICE and NETWORK SERVICE to "Generate security audits", and rebooting the server, the ADFS service was able to start.

In addition, the standard domain service account or the Group Managed Service Account (gMSA) used for the ADFS service must be a member of the local Administrators group on all the ADFS servers.
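To check all of the above in one pass before (or instead of) reading through secpol.msc by hand, the following PowerShell script exports the local User Rights Assignment with secedit and compares the "Log on as a service" (SeServiceLogonRight) and "Generate security audits" (SeAuditPrivilege) entries against the principals listed in the table, then checks the local Administrators membership. This is an added example and not part of the original post; it assumes the gMSA name ADATUM\ADFS-gMSA-Svc$ from the post (change it for your domain), an elevated PowerShell session on a domain-joined federation server, and Windows Server 2016 or later for Get-LocalGroupMember.

```powershell
# Added example (not from the original post): audit the user rights the ADFS
# service depends on, plus the local Administrators membership of the service
# account. Run elevated on every federation server.

$serviceAccount = 'ADATUM\ADFS-gMSA-Svc$'   # gMSA from the post; assumption, adjust for your domain

# Expected principals per right, taken from the table in the post.
# Well-known SIDs: S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE,
# S-1-5-80-0 = NT SERVICE\ALL SERVICES. The per-service virtual accounts are
# resolved by name on the local machine.
$expected = @{
    'SeServiceLogonRight' = @('S-1-5-80-0', 'NT SERVICE\adfssrv', 'NT SERVICE\drs', $serviceAccount)
    'SeAuditPrivilege'    = @('S-1-5-19', 'S-1-5-20', 'NT SERVICE\adfssrv', 'NT SERVICE\drs', $serviceAccount)
}

# Export the effective local policy and parse the [Privilege Rights] section
# into a hashtable of right name -> list of principals (secedit writes SIDs
# prefixed with '*', e.g. *S-1-5-80-0).
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$matches[1]] = $matches[2].Split(',') | ForEach-Object { $_.Trim() }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Normalise a principal ("*S-1-5-..." or "DOMAIN\name") to a SID string so the
# export and the expected list can be compared regardless of how each is written.
function ConvertTo-SidString([string]$principal) {
    $p = $principal.TrimStart('*')
    if ($p -match '^S-1-') { return $p }
    try {
        return ([System.Security.Principal.NTAccount]$p).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        return $p   # unresolvable names (e.g. service not installed) are compared literally
    }
}

foreach ($right in $expected.Keys) {
    $have = @($rights[$right] | Where-Object { $_ } | ForEach-Object { ConvertTo-SidString $_ })
    foreach ($want in $expected[$right]) {
        $wantSid = ConvertTo-SidString $want
        $status = if ($have -contains $wantSid) { 'OK     ' } else { 'MISSING' }
        '{0} {1,-22} {2}' -f $status, $right, $want
    }
}

# The service account must also be in the local Administrators group.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$status = if ($admins -contains $serviceAccount) { 'OK     ' } else { 'MISSING' }
'{0} {1,-22} {2}' -f $status, 'Administrators', $serviceAccount
```

Any line reported as MISSING is a candidate for the fix described above (add the principal under the corresponding policy in Local Security Policy or the governing GPO, then reboot). If the rights are managed by a domain GPO, correct the GPO rather than the local policy, otherwise the next policy refresh will remove the entry again.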
