Event ID 180 and AD FS Tracing event 37 after migration from 2012 R2 to 2022

Winamax IT 1 Reputation point
2022-08-04T13:07:05.543+00:00

Hello

We made our ADFS migration 6 months ago from our 2012 R2 server to a 2022 server.

Our environment is: two ADFS proxies in the DMZ and 2 ADFS servers with a WID database (one master and one slave); all these 4 servers are now on Windows 2022.
Before, we had the same thing but with Windows 2012 R2.

The migration was OK: we added the new servers, removed the old ones, then upgraded.
Get-AdfsFarmInformation says that our FBL is 4, with the correct servers in the FarmNodes list.

All our previous applications using ADFS are working fine.

However, in the Event Viewer we have had, every 5 minutes for 6 months, the famous event ID 180:

An error occurred while upgrading FarmBehaviorLevel 'Max' from Minor Version '0' to Minor Version '4'.

Additional Data
Exception details:
MSIS7628: Scope names should be a valid Scope Description name in AD FS configuration.

When I activate the ADFS Tracing log I get:

ERROR 37
An error occurred while trying to add an object:
Message: The INSERT statement conflicted with the FOREIGN KEY constraint "FK_OAuthScopes_OAuthScopeId". The conflict occurred in database "AdfsConfigurationV4", table "IdentityServerPolicy.OAuthScopeDescriptions", column 'OAuthScopeId'.
The statement has been terminated.

I opened the WID database with SQL Management Studio and found these 2 tables:

OAuthScopeDescriptions contains 1 row for the allatclaims ScopeName, with an ID in OAuthScopeId.

OAuthScopes is empty.
This table seems to have two foreign keys: OAuthScopeId (certainly from the other table) and PermissionId (certainly from the table OAuthPermission).
OAuthPermission is empty too.

We are able to add other Relying Party Trusts and they are working. However, if we want to use Application Groups, for example, we get errors. On Device Registration, we have the message: Device registration is not configured. You must upgrade your AD FS Farm before you can configure device registration.

I would have to upgrade the farm again; however, the system says that we are already on the latest version.

I don't want to roll back to the old database because we've made a lot of modifications over the last 6 months.
If someone is able to help us with this problem.

Thanks in advance

Microsoft Security | Active Directory Federation Services

3 answers

  1. Winamax IT 1 Reputation point
    2022-08-04T16:33:51.693+00:00

    Another piece of information: I haven't got any "Client Permissions" (logon_cert, openid, profil, user_imperso, vpn_cert, winhello_cert).
    The PowerShell command Get-AdfsApplicationPermission gives me nothing.
    The ADFS console crashes when I'm on "Configure Application Permissions".

    Maybe there is a link between the OAuthPermission table, which is empty, and the ADFS console crashing when I try to Configure Application Permissions.

    Is someone able to give me the PowerShell commands or the SQL command to add these permissions?

    Maybe it will solve my problem ^^

    Thanks


  2. JP 0 Reputation points
    2023-06-23T14:24:07.2933333+00:00

    Hi, were you able to find a solution to this? I'm having the same issue.


  3. Winamax IT 0 Reputation points
    2023-06-23T14:29:39.82+00:00

    Hello,

    Yes, after some tries, I was able to solve the problem.

    In PowerShell:

    Add-AdfsScopeDescription -Name profile -Description "Request profile related claims for the signed in user"
    Add-AdfsScopeDescription -Name user_impersonation -Description "Request permission for the application to access the resource."

    3 other Add-AdfsScopeDescription commands for the 3 other missing ones (sorry, I don't remember exactly the 3 others), but these commands solved our problem; the ADFS database was OK after this fix.

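The answer above re-creates the missing scope descriptions by hand. As an added example (not code from the thread), the script below checks which scope descriptions are absent from the configuration database, adds only those, and then confirms that Event ID 180 has stopped being logged. It assumes the default scope set that an AD FS 2016+ farm ships with (the $ExpectedScopes names) and that it runs on the primary AD FS server; the description strings other than the two given in the answer are constructed placeholders.

```powershell
# Added example, not part of the original thread. Run on the primary AD FS node.
Import-Module ADFS

# Assumption: the scope descriptions a default AD FS 2016+ farm creates.
# The two descriptions from the answer are kept verbatim; the rest are
# constructed placeholders, replace them with your own wording if you prefer.
$ExpectedScopes = @{
    'allatclaims'        = 'Request the access token claims in the identity token.'
    'aza'                = 'Scope used by broker clients to request a primary refresh token.'
    'email'              = 'Request the email claim for the signed in user.'
    'logon_cert'         = 'Allow an application to request logon certificates.'
    'openid'             = 'Request use of the OpenID Connect authorization protocol.'
    'profile'            = 'Request profile related claims for the signed in user'
    'user_impersonation' = 'Request permission for the application to access the resource.'
    'vpn_cert'           = 'Allow an application to request VPN certificates.'
    'winhello_cert'      = 'Allow an application to request Windows Hello certificates.'
}

# Compare what the farm actually has against the expected set.
$existing = @(Get-AdfsScopeDescription | Select-Object -ExpandProperty Name)
$missing  = @($ExpectedScopes.Keys | Where-Object { $existing -notcontains $_ })

if ($missing.Count -eq 0) {
    Write-Host 'All expected scope descriptions are present; nothing to add.'
} else {
    foreach ($name in $missing) {
        Write-Host "Adding missing scope description: $name"
        Add-AdfsScopeDescription -Name $name -Description $ExpectedScopes[$name]
    }
}

# The question reports Event ID 180 every 5 minutes while the FBL upgrade keeps
# failing, so wait one full cycle and check whether it is still being written.
Start-Sleep -Seconds 360
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'AD FS/Admin'; Id = 180; StartTime = (Get-Date).AddMinutes(-6)
} -ErrorAction SilentlyContinue

if ($recent) {
    Write-Warning 'Event ID 180 was still logged in the last 6 minutes; check the AD FS Tracing log for the remaining constraint error.'
} else {
    Write-Host 'No Event ID 180 in the last 6 minutes; the farm upgrade appears to have completed.'
}
```

Compare the list of added names against the OAuthScopeDescriptions table afterwards if you want to confirm the rows were written to the WID database.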
