The ADFS standard login page shows 503 service unavailable

ducmre 6 Reputation points
2021-05-20T11:11:26.473+00:00

ADFS running on Windows 2019 in a cluster containing two hosts.

After changing the certificate for SSL and Service-Communications using the following commands:

Set-AdfsSslCertificate -Thumbprint XXX
Set-AdfsCertificate -CertificateType "Service-Communications" -Thumbprint XXX

Restarted the adfs service

The login page shows now:

(attached screenshot: 98247-login-page.png)

In the event log of ADFS I can see the following:

There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
Failed to start endpoint:
https://+:49443/adfs/portal/
https://+:443/adfs/portal/
System.Net.HttpListenerException (0x80004005): Access is denied
at System.Net.HttpListener.AddAllPrefixes()
at System.Net.HttpListener.Start()
at Microsoft.IdentityServer.WebHost.HttpListenerBase.Start(UInt32 contextPoolSize)
at Microsoft.IdentityServer.ServiceHost.STSService.StartListener(Type listener, Int32 port, Int32 clientPort, Boolean passiveEnabled, Boolean oAuthEnabled, Boolean enablePasswordUpdate, String path)

The adfssrv service is running with a gmsa account and was not changed.

Any idea why "Access is denied" is happening after a certificate change?

Active Directory Federation Services

2 answers

  1. ducmre 6 Reputation points
    2021-05-26T09:51:26.43+00:00

    Thanks for your reply :-)

    I was checking the permission of the certificate and everything was correctly set.

    For me the event log entry with: System.Net.HttpListenerException (0x80004005): Access is denied was not really true.
    In another tutorial (for exchanging the certificate) I found the hint about Set-AdfsAlternateTlsClientBinding, and after setting the same certificate there, everything was fine.

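The rotation the question describes, plus the Set-AdfsAlternateTlsClientBinding step the answer above found was missing, as an added PowerShell example that is not part of the original thread. It front-loads the checks a practitioner wants before touching the farm (private key present, service account can read the key file), applies the three cmdlets, restarts adfssrv, and then verifies what HTTP.sys actually holds, since the "Access is denied" HttpListener error comes from HTTP.sys bindings and URL reservations rather than from the ADFS configuration database. Assumptions not stated in the thread: run in an elevated PowerShell on the primary ADFS node, the new certificate is already imported with its private key into Cert:\LocalMachine\My on every node, $NewThumbprint is a placeholder, and the key is an RSA key in the machine store; the parsing of netsh output and the key-file lookup are my own helpers, not ADFS cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): rotate the AD FS SSL /
# service-communications certificate, set the alternate TLS client binding,
# and verify the HTTP.sys state the "Access is denied" listener error depends on.
# Assumptions: elevated session on the primary node; the certificate is already in
# Cert:\LocalMachine\My with its private key on every node; $NewThumbprint is a placeholder.
param(
    [Parameter(Mandatory)] [string] $NewThumbprint,
    [int[]] $AdfsPorts = @(443, 49443)   # HTTPS and the default TLS client-certificate port
)
Import-Module ADFS -ErrorAction Stop

# Locate the on-disk private key container so its ACL can be inspected.
# Handles RSA keys in the machine store only (CNG and legacy CAPI containers).
function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw "Certificate $($Cert.Thumbprint) has no accessible RSA private key" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
        $dirs = 'Microsoft\Crypto\Keys', 'Microsoft\Crypto\SystemKeys'
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        $dirs = 'Microsoft\Crypto\RSA\MachineKeys'
    }
    foreach ($d in $dirs) {
        $p = Join-Path $env:ProgramData (Join-Path $d $name)
        if (Test-Path $p) { return $p }
    }
    throw "Private key container '$name' not found under $env:ProgramData"
}

# True when $Account has a direct Allow ACE with at least Read on the key file.
# Grants inherited through group membership are not resolved here.
function Test-KeyReadAccess {
    param([string] $KeyFile, [string] $Account)
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    foreach ($ace in (Get-Acl -Path $KeyFile).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Account -and
            (($ace.FileSystemRights -band $read) -eq $read)) { return $true }
    }
    return $false
}

# Parse "netsh http show sslcert" into (binding, certificate hash) pairs.
function Get-HttpSysSslBindings {
    $result = @(); $current = $null
    foreach ($line in (netsh http show sslcert)) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            $current = [pscustomobject]@{ Binding = $Matches[2]; Hash = $null }
            $result += $current
        } elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $current.Hash = $Matches[1]
        }
    }
    return $result
}

# --- 1. Pre-flight: certificate present, private key readable by the adfssrv account (gMSA or not)
$cert = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $NewThumbprint has no private key on this node" }
$svcAccount = (Get-CimInstance -ClassName Win32_Service -Filter "Name='adfssrv'").StartName
$keyFile = Get-PrivateKeyFile -Cert $cert
if (-not (Test-KeyReadAccess -KeyFile $keyFile -Account $svcAccount)) {
    throw "$svcAccount has no Read access on private key file $keyFile"
}

# --- 2. Apply: SSL binding, Service-Communications role, and the alternate TLS
#        client binding (port 49443) the answer above found was needed; then restart.
Set-AdfsSslCertificate -Thumbprint $NewThumbprint
Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
Set-AdfsAlternateTlsClientBinding -Thumbprint $NewThumbprint
Restart-Service -Name adfssrv

# --- 3. Verify: what AD FS thinks, and what HTTP.sys actually holds on this node.
Get-AdfsSslCertificate | Format-Table HostName, PortNumber, CertificateHash -AutoSize
$stale = Get-HttpSysSslBindings |
    Where-Object { ([int](($_.Binding -split ':')[-1]) -in $AdfsPorts) -and ($_.Hash -ne $NewThumbprint) }
if ($stale) {
    Write-Warning 'HTTP.sys bindings on AD FS ports still point at another certificate:'
    $stale | Format-Table -AutoSize
}
# The /adfs/ URL reservations must be granted to the service account; an ACL
# mismatch here is what produces HttpListener "Access is denied" on AddAllPrefixes.
netsh http show urlacl | Select-String -Pattern 'adfs' -Context 0, 1
```

Run section 3 again on the second farm node after the cmdlets have propagated; the question's cluster has two hosts, and a stale binding on either one is enough to leave that node answering 503. If section 1 throws on the key ACL, fix the private key permissions (certlm.msc, Manage Private Keys) before running the Set-Adfs* cmdlets rather than after, so the restart does not leave the service down.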

  2. Shekar-1755 5 Reputation points
    2023-02-09T04:47:35.7333333+00:00

    I updated the certificate, followed all steps, ensured the adfs service account has Read permissions set correctly on the certificate.
    I am still getting the below error:
    Service Unavailable


    HTTP Error 503. The service is unavailable.
    Any help would be appreciated,
    TIA

