Wednesday, July 20, 2011

Adding Servers to ADFS 2.0 Farms - Subject Alternative Name Issues

When you add additional servers to an ADFS 2.0 farm, and the first server in the farm was configured using a Subject Alternative Name (SAN) from the certificate rather than its Subject name, the additional servers will not be able to join the farm. If you used the Subject name on the certificate, everything works fine.
You get the following error message:
The Subject name of the SSL certificate for the Default Web Site on this computer should match the name of the Federation Service to which you are trying to join this computer.
You also get the following error:
No certificates matching the Federation Service name were found in the Local Computer certificate store. Install the certificate that represents your Federation Service name in the Local Computer certificate store, and then try again.
The help file for ADFS 2.0 says "the actual name text is determined by either the Subject field or, if necessary, the Subject Alternative Name field of the certificate", but the addition of additional servers does not work if you have used a Subject Alternative Name.
So how do you get around this? With thanks to Tim Heeney and Roberto Martinez Lima from Microsoft and the rest of the class on the inaugural Office 365 Microsoft Certified Master class (a subset of the Exchange 2010 MCM program), we worked out the answer. You need to install the additional servers from the command line; the problem is a user interface bug in the ADFS 2.0 setup program.
FsConfig.exe JoinFarm /PrimaryComputerName ADFS-SRV-1 /ServiceAccount fabrikam\adfsservice /ServiceAccountPassword password /CertThumbprint "ef 72 a6 78 c0 ab 4a bf 07 10 7e e4 86 f5 5e ba 2a 3c 99 6b"
The thumbprint needs to be the thumbprint of the certificate used on the first ADFS server and imported into the computer certificate store on the additional ADFS servers.
On running the FsConfig command above you should get a series of green Passed statements. Existing databases can be removed with the /CleanConfig switch. A yellow warning about an existing website can be ignored unless you have broken the website previously!
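The following PowerShell pre-flight check is an added example, not part of the original post: before running FsConfig.exe JoinFarm it confirms that the certificate with the given thumbprint is in the Local Computer store, that it carries a private key (the error a commenter hit below when the PFX was exported without one), and whether the Federation Service name is in the Subject or only in the Subject Alternative Name, which is the case that forces the command-line install. The Federation Service name, the FsConfig.exe install path and the thumbprint (taken from the post's example) are assumed placeholders.

```powershell
# Added pre-flight check for the ADFS 2.0 JoinFarm procedure (not the original post's code).
# Placeholders to replace: the thumbprint below is the post's example; the service name and
# the FsConfig.exe path are assumptions (default ADFS 2.0 install location).
$Thumbprint     = ('ef 72 a6 78 c0 ab 4a bf 07 10 7e e4 86 f5 5e ba 2a 3c 99 6b' -replace '\s', '').ToUpper()
$FederationName = 'sts.fabrikam.com'        # assumed Federation Service name
$PrimaryServer  = 'ADFS-SRV-1'
$ServiceAccount = 'fabrikam\adfsservice'
$FsConfig       = "$env:ProgramFiles\Active Directory Federation Services 2.0\FsConfig.exe"

# FsConfig.exe and the setup wizard both look in the Local Computer personal store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My. Import the PFX exported from the first ADFS server."
}

# Without the private key FsConfig.exe refuses the certificate: re-export the PFX from the
# first ADFS server (or wherever the key lives) with the private key included.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key; export it from the first ADFS server as a PFX including the private key."
}

# Subject CN, plus every DNS entry in the Subject Alternative Name extension (OID 2.5.29.17).
$subjectCN = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $null }
$sanNames  = @()
$sanExt    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sanExt.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match 'DNS Name=(.+)') { $sanNames += $Matches[1].Trim() }
    }
}

if ($subjectCN -ieq $FederationName) {
    Write-Host "'$FederationName' is the certificate Subject; the setup wizard can join this server."
} elseif ($sanNames -icontains $FederationName) {
    Write-Host "'$FederationName' is only a Subject Alternative Name; the wizard will fail, so joining via FsConfig.exe."
} else {
    throw "Certificate $Thumbprint names neither Subject nor SAN '$FederationName' (Subject: $subjectCN; SAN: $($sanNames -join ', '))."
}

# Prompt for the password rather than embedding it in the script or the command history.
$password = Read-Host "Password for $ServiceAccount"
& $FsConfig JoinFarm /PrimaryComputerName $PrimaryServer /ServiceAccount $ServiceAccount `
    /ServiceAccountPassword $password /CertThumbprint $cert.Thumbprint
```

Run it in an elevated PowerShell session on the server being added; a certificate whose private key was marked non-exportable at import time will pass the HasPrivateKey check but cannot be moved on again later.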

3 comments:

Renzo Patricio said...

Thank you for the post!
I have got the certificate for an external CA (Network Solutions). I have installed on my first FS server and got the error you mentioned when trying to add the second server to the farm. I tried what you suggested and got the following error:
"The certificate that is represented by thumbprint XX XX ... XX does not have a private key. Specify a certificate with a private key."
Any ideas? Do SSL certificate providers provide the private key?
Thank you for your help!

Brian Reid said...

So you need to export the certificate from the first ADFS server as a PFX file (that is, you need to export and include the private key).

If you cannot export the private key then you need to go to another location where you have the private key - typically the machine on which you created the certificate in the first place.

Somewhere you need to have the private key stored in a PFX file or on a server you can export it from.

Renzo Patricio said...

Thank you Brian!
I exported the certificate as PFX with the private key and was able to import it on the second FS server. I followed the instructions in your post and everything worked like a charm. Thank you again!