Share via

Unable to add adfs 2022 to windows 2012 R2 farm

Tilicho 6 Reputation points
2023-09-05T22:25:55.6966667+00:00

Domain Structure --> root contoso, child domains : domain1.contoso.com & domain2.contoso.com

Current 2012 r2 adfs servers located in contoso.com but use service account from domain1.contoso.com.

Current production deployment uses SQL backend.

The service account has spn https://sso.contoso.com and http://sso.contoso.com

ADFS rapid restore tool was used to back up the current ADFS farm on windows 2012 R2. Then on a new 2012 R2 server (server3) created in contoso.com top domain, it was restored using WID option. Verified that the ADFS SSO worked in the new server by pointing the local host file for sso.contoso.com to the new server after the restore.

However, when joining 2022 server to this new 2012 server it fails the pre-requisite checks. Error cited are

SOAP security negotiation with 'http://server3.contoso.com/adfs/services/policystoretransfer' for target 'http://server3.contoso.com/adfs/services/policystoretransfer' failed.

Unable to determine the current Farm Behavior Level. SOAP security negotiation with 'http://server3.contoso.com/adfs/services/policystoretransfer' for target 'http://server3.contoso.com/adfs/services/policystoretransfer' failed.

Server3 (new restored 2012 r2) has the same msDS-SupportedEncryptionTypes as the 2012 r2 server in production and also the 2022 server that is unable to join to it. Adding RC4_HMAC_MD5 and other AES related options through security settings --> security options --> Network security: Configure encryption types allowed for kerberos, both in newly restored 2012 r2 and windows 2022 server didn't work .

Windows firewall is turned off on all the machines.

Any help is appreciated.

@Pierre Audonnet - MSFT

Microsoft Security | Active Directory Federation Services

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Tilicho 6 Reputation points
    2023-09-20T17:15:59.5233333+00:00

    @Pierre Audonnet - MSFT

    Pierre,

    It was a case of SPN as hinted by you. But the errors from the pre-requisite checks didn't have any information pertaining to that. MS and other articles mentioned that the kerberos error that was seen in the logs could be ignored.

    The issue was due to a duplicate spn assigned to the adfs server object in top level domain.

    The error received during the pre-requisites check was misleading. Running the diagnostics as outlined in the link below pointed to a possible SPN issue.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-diagnostics-analyzer

    There are three domains in the environment - contoso.com is the top level, domainA.contoso.com and domainB.contoso.com are the child domains. The adfs servers are located in the top level domain whereas the service account is located in the domainA.contoso.com.

    When duplicate SPNs were checked through the generic command "setspn -X" it was run from the domainA.contoso.com and didn't find any duplicates. That misled us to believe no duplicates existed.

    After the diagnostics pointed to a possible duplicate, ran the following command for every domain

    setspn -T * -T contoso.com -X

    setspn -T * -T domainA.contoso.com -X

    setspn -T * -T domainB.contoso.com -X

    Sure enough, one of the adfs servers had host/sso.contoso.com SPN assigned to it. Once that was removed 2022 server was able to join the 2012 r2 farm.

  2. Tilicho 6 Reputation points
    2023-09-20T17:15:21.4+00:00

    ..........

    0 comments
  3. Amit Singh 5,321 Reputation points
    2023-09-08T04:26:23.97+00:00

    Did you try to enable the two Kerberos options on the account tab of the account being used for our ADFS service?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.