AD FS 2012 R2 hangs when installed on a Domain Controller

12 Feb

In out Lab environment we’ve got Active Directory Federation Server installed on our (only) Domain Controller. After rebooting the DC ADFS hangs on startup. maweeras on the technet forums posted the solution.

Short story :
Put the Microsoft Key Distribution Service on automatic en reboot your Domain Controller

Long Story:
If you use a Group Managed Server Account (https://technet.microsoft.com/en-us/library/hh831782.aspx) for your Active Directory Federation Server on 2012R2 Domain Controller, which is the default on a cleanly installed lab server, the service is started before a Microsoft Key Distribution Service is running and ends up in a deadlock. The Microsoft Key Distribution Service is required for Group Managed Service Accounts, see quote

The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service is new to Windows Server 2012 and does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret which is used to create keys for the account. These keys are periodically changed. For a group Managed Service Account the Windows Server 2012 domain controller computes the password on the key provided by the Key Distribution Services in addition to other attributes of the group Managed Service Account. Windows Server 2012 and Windows 8 member hosts can obtain the current and preceding password values by contacting a Windows Server 2012 domain controller.

I assume the problem does not occur when you got more than one 2012(R2) Domain Controller, because a Microsoft key Distribution Service is running the moment AD FS starts.

Tuur

Comments

Leave a Reply