Adding Servers to ADFS 2.0 Farms – Subject Alternative Name Issues

When you add further servers to an ADFS 2.0 farm, and the certificate used to build the first server matches the Federation Service name only through a Subject Alternative Name (SAN), the additional servers cannot join the farm. If the Federation Service name is the Subject name of the certificate, everything works.
You get the following error message:

The Subject name of the SSL certificate for the Default Web Site on this computer should match the name of the Federation Service to which you are trying to join this computer.

You also get the following error:

No certificates matching the Federation Service name were found in the Local Computer certificate store. Install the certificate that represents your Federation Service name in the Local Computer certificate store, and then try again.

The help file for ADFS 2.0 says “the actual name text is determined by either the Subject field or, if necessary, the Subject Alternative Name field of the certificate”, but joining additional servers does not work when the Federation Service name appears only in the Subject Alternative Name.
So how do you get around this? With thanks to Tim Heeney and Roberto Martinez Lima from Microsoft and the rest of the class on the inaugural Office 365 Microsoft Certified Master class (a subset of the Exchange 2010 MCM program), we worked out the answer. You need to join the additional servers from the command line: the problem is a user interface bug in the ADFS 2.0 setup program, and the command-line tool FsConfig.exe does not share it.

FsConfig.exe JoinFarm /PrimaryComputerName ADFS-SRV-1 /ServiceAccount fabrikam\adfsservice /ServiceAccountPassword password /CertThumbprint "ef 72 a6 78 c0 ab 4a bf 07 10 7e e4 86 f5 5e ba 2a 3c 99 6b"

The thumbprint is that of the certificate used on the first ADFS server, which must be exported from there as a PFX (including its private key) and imported into the Local Computer certificate store on each additional ADFS server. FsConfig rejects a certificate that has no private key, and a certificate placed in the user store rather than the Local Computer store is not found at all. Note that /ServiceAccountPassword is passed in clear text on the command line, so it will show up in any process command-line auditing on that server.
When you run the FsConfig command above you should get a series of green Passed statements. An existing configuration database can be removed with the /CleanConfig switch. A yellow warning about an existing website can be ignored unless you have broken the website previously!
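The whole join, scripted in PowerShell, as an added example that is not part of the original post: it imports the exported PFX into the Local Computer personal store, finds the certificate by the Federation Service name in either the Subject or the SAN, checks that the private key came with it (the failure the first commenter hit), and then runs FsConfig.exe from its install folder. The file path, PFX password, service name, primary server and service account are placeholders to change for your farm; the DNS-name parsing assumes an English-language Windows build.

```powershell
# Added example (not from the original post). Run elevated on the server being added.
# Placeholder values: change these for your farm.
param(
    [string]$PfxPath         = 'C:\certs\sts-fabrikam.pfx',   # exported from the first farm server WITH its private key
    [string]$PfxPassword     = 'pfx-export-password',
    [string]$ServiceName     = 'sts.fabrikam.com',            # the Federation Service name
    [string]$PrimaryServer   = 'ADFS-SRV-1',
    [string]$ServiceAccount  = 'fabrikam\adfsservice',
    [string]$ServicePassword = 'password'                     # clear text on the FsConfig command line (see post)
)

# 1. Import the PFX into the LOCAL COMPUTER personal store ("My"), not the current user's store.
#    MachineKeySet places the private key in the machine key container so the AD FS service
#    account can use it; PersistKeySet keeps it after the object is disposed. Drop 'Exportable'
#    if you do not want the key to be re-exportable from this server.
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet,PersistKeySet,Exportable'
$imported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $PfxPassword, $flags)
$store    = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($imported)
$store.Close()

# 2. Collect the DNS names a certificate carries: the Subject CN plus any DNS entries of the
#    subjectAltName extension (OID 2.5.29.17). Format() yields e.g.
#    "DNS Name=sts.fabrikam.com, DNS Name=www.fabrikam.com" on English Windows.
function Get-CertDnsNames($cert) {
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    }
    return $names
}

# 3. Find the certificate by Federation Service name in the Local Computer store only.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object { (Get-CertDnsNames $_) -contains $ServiceName }
if (-not $candidates) {
    throw "No certificate for $ServiceName in Cert:\LocalMachine\My (did it go into the user store instead?)"
}
$cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

# FsConfig refuses a certificate without a private key, so fail early with a useful message.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export it from the first server as a PFX including the private key."
}
if ($cert.Subject -notmatch "CN=$([regex]::Escape($ServiceName))") {
    Write-Warning "$ServiceName is only in the Subject Alternative Name: the setup GUI will refuse to join, FsConfig.exe will not."
}

# 4. Run FsConfig.exe JoinFarm, giving the thumbprint in the spaced lowercase form the post shows.
$thumb    = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
$fsconfig = Join-Path $env:ProgramFiles 'Active Directory Federation Services 2.0\FsConfig.exe'
& $fsconfig JoinFarm /PrimaryComputerName $PrimaryServer /ServiceAccount $ServiceAccount `
    /ServiceAccountPassword $ServicePassword /CertThumbprint $thumb
if ($LASTEXITCODE -ne 0) { throw "FsConfig.exe exited with code $LASTEXITCODE" }
```

If FsConfig still reports a thumbprint that exists on neither server, check the primary's ADFS Management console: as one commenter below found, the service communication certificate on the primary must actually be assigned to a certificate that is present in its store, or the join fails with a stale thumbprint.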

Comments & Responses

15 Responses so far.

  1. Thank you for the post!
    I have got the certificate for an external CA (Network Solutions). I have installed on my first FS server and got the error you mentioned when trying to add the second server to the farm. I tried what you suggested and got the following error:
    “The certificate that is represented by thumbprint XX XX … XX does not have a private key. Specify a certificate with a private key.”
    Any ideas? Do SSL certificate providers provide the private key?
    Thank you for your help!

  2. Brian Reid says:

    So you need to export the certificate from the first ADFS server as a PFX file (that is, you need to export and include the private key).

    If you cannot export the private key then you need to go to another location where you have the private key – typically the machine on which you created the certificate in the first place.

    Somewhere you need to have the private key stored in a PFX file or on a server you can export it from.

  3. Thank you Brian!
    I exported the certificate as PFX with the private key and was able to import it on the second FS server. I followed the instructions in your post and everything worked like a charm. Thank you again!

  4. Brian Reid says:

    @anon. You need to make sure that you have exported the certificate with the private key from a server on which it is located and then import it and the private key to the new server you are adding to the farm. The certificate needs to be added to the Local Computer certificate store; when importing the certificate, do it in an MMC to which you have added the local computer certificate store.

    Brian

  5. Anonymous says:

    @Brian – I did the export of the certificate with the private key and have confirmed it has been imported onto the second server with the private key but still having the same issue. The strange thing is the thumbprint in the error does NOT match the thumbprint of my certificate! There are no other certificates on this server so I do not know where that thumbprint is from.

  6. Anonymous says:

    @Brian, I have exported and re-imported the certificate from my first server onto my second server that I am trying to add but I am still facing the same issue. I have confirmed the certificate imported does have the private key. The one baffling fact is that the thumbprint in the error does not match the actual thumbprint of my certificate!

  7. Brian Reid says:

    @Anon – check all the certificate stores on each of the two servers for the cert with the thumbprint starting D4FB. I’m guessing based on the error that it might be in the local user certificate store (it says My certificate store) and not in the Local Computer certificate store where you are placing the ADFS certs.

    I’d look for any cert with a missing public key. Also I’d wonder if this server or ADFS database has had a cert with the thumbprint D4FB… used at some time in the past and needs cleaning up from the database.

  8. Anonymous says:

    @Brian,

    I just checked all the certificate stores on both servers and cannot find any certificate with that thumbprint!

    How would I check if the database has a certificate with that thumbprint previously used (it is possible as I was brought in to continue the deployment from someone else)?

  9. Anonymous says:

    @Brian – RESOLVED!

    I opened the ADFS Management console on the primary server to find that a “certificate not found in store” message under the service communication certificate section. I assigned the certificate and was able to add the second server successfully!

    What I think happened was the original certificate was removed and re-added to the primary server at some point and it was never re-assigned as the service communication certificate.

    Thank you for all the assistance on this issue.

  10. Brian Reid says:

    @Anon- you’re welcome

  11. Thanks for the post. I have one ADFS 2.0 server working for my Office 365 authentication. Can I add a second to create a farm? Do I have to start over? Also, can you tell me if I can have the servers located in two separate sites using two separate ISPs to help with single point of ISP service failure? Thanks for your help.

    Andrew

  12. Brian Reid says:

    @Andrew – you can add a second ADFS server to create a farm quite easily. See the product docs or search online for the steps.

    The URL that the ADFS server is listening on is the same for both servers, so you need a hardware load balancer to spread the load, or GeoDNS if suitable for your network. If your ISPs are load balanced and so share the same IP address, so that the IP for the FQDN only goes to a working site, then that would work; but if you had a site outage and were not using DNS that was aware of the change of availability, then you could do manual updates to DNS so that connections were made to your alternate site.

  13. Ali Kharouf says:

    Thank you for the article, really works.

    Just a heads up, you need to browse to "C:\Program Files\Active Directory Federation Services 2.0" in CMD before running fsconfig.exe

    Good luck!

  14. suslik says:

    I’m trying to install AD FS 2 and the web server and I get the following error: No certificates matching the Federation Service name were found in the Local Computer certificate store. Install the certificate that represents your Federation Service name in the Local Computer certificate store, and then try again. I don’t know how to fix it. The solution above does not work. Please help

    • Brian Reid says:

      Without wanting to state the obvious, have you checked that you have a certificate in the “local computer” certificate store that matches the name you want to use? Do not confuse the “local computer” store with the “local user” store. To get to the “local computer” store start MMC and load in the certificates snap-in. It will prompt for a store – choose the local computer. Place the certificate in that store that matches your AD FS service name (i.e. sts.domain.com) and run the installation again.
