ADFS Setup Error

Scenario:

New physical DC running Server 2012 R2 (AD DS and DNS) with no other roles. Installed and configured AD FS. First server in a new farm. Service account created in AD for the farm servers. Wildcard certificate used. No problems with this part.

Trying to add a second server to the farm. This is an existing virtual DC running Server 2012 (not R2). Again no other roles other than AD DS and DNS. Installed AD FS. Running the configuration I select 'Add a federation server to an existing Federation Service'. I use the internal FQDN of the first server and select my service account (entering the password). I hit next and get the green progress bar for a few seconds then errors with the following...

"The primary federation server was contacted successfully, but the configuration data was not valid."

There is nothing in the AD FS logs. Tried a search and found nothing related to this specific message. I've tried importing the certificate manually before running the configuration. I've also associated the certificate with the default website.

Any suggestions would be greatly appreciated.

December 18th, 2013 5:26pm

This sounds like it could be either related to the SPN not being registered correctly or the certificate not working correctly. 

Is anything being shown in the system logs / application logs?

You could try enabling the ADFS debug / trace logs, but I'm not sure they would show anything at this stage.

http://social.technet.microsoft.com/wiki/contents/articles/1407.how-to-enable-debug-logging-for-active-directory-federation-services-2-0-ad-fs-2-0.aspx

December 18th, 2013 8:51pm

OK. There may be a problem with the service account.

I had to restart the primary federation server and now the AD FS service won't start. I'm getting...

"System error 1297 has occurred.

A privilege that the service requires to function properly does not exist in the service account configuration.
You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration."

I've checked the local security policy on the DC to see which user rights assignments my service account holds. It only has the following:

  • Log on as a service

I temporarily added the service account to the local administrators group and tried to start the service and received the same error.

When running the initial AD FS configuration the automatic creation of the GMSA failed because there was no 'Managed Service Accounts' OU. I created an OU called 'General Managed Service Accounts' and created my service account manually and used that account in the AD FS configuration.

December 19th, 2013 9:54am

Just one problem after another at the moment.

I removed AD FS completely, including WID (removed the databases using SQL Management Studio).

I removed all accounts and groups that I created and started again.

Re-installing AD FS went through but during the final step of configuration I get the following error...

"The system cannot find the file specified"

Configuration fails.

December 19th, 2013 5:14pm

Hi,

For AD FS related issue, please post in the following forum:

http://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=Geneva

Hope you get an answer there soon.

Regards,

Yan Li

December 27th, 2013 5:56am

You also need "Generate Security Audit Log" for the service account - else the ADFS service will never start. 

Hope this helps.. 

March 20th, 2014 2:17am

Hi All,

We are unable to start ADFS services in ADFS 3.0 after a reboot because group policies applied to it.

So we asked our AD team to append to the GPO object for us.

Finally they added the ADFS service account to the following two group policy settings, and then we were able to start the ADFS service:

Path

Local Policies -> User Rights Assignment -> Log on as a Service -> Add User or Group -> ADD ADFS Service Account

Local Policies -> User Rights Assignment -> Generate Security Audits -> Add User or Group -> ADD ADFS Service Account

1. Generate security audits

2. Log on as a service

Helpful article:

http://nokitel.im/index.php/2015/03/01/adfs-3-0-error-1297/

August 3rd, 2015 12:27am
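The check the last two replies describe, as an added PowerShell example that is not part of the thread: it exports the effective local security policy on the federation server, resolves the service account to its SID, and reports whether the account holds the two user rights the thread identifies as required for the service to start ("Log on as a service" = SeServiceLogonRight, "Generate security audits" = SeAuditPrivilege), then lists the account's SPNs for the point raised in the first reply. The account name CONTOSO\svc_adfs is an assumption; substitute your own. Run in an elevated PowerShell on the AD FS server.

```powershell
# Added example (not from the thread): verify the user rights an AD FS service
# account needs before the service is started, to avoid system error 1297.
param(
    [string]$ServiceAccount = 'CONTOSO\svc_adfs'   # assumed name, replace with yours
)

# Friendly names from secpol.msc mapped to the constants secedit writes out.
$requiredRights = @{
    'SeServiceLogonRight' = 'Log on as a service'
    'SeAuditPrivilege'    = 'Generate security audits'
}

# secedit records rights holders as *SID entries, so resolve the account first.
# For a gMSA use the DOMAIN\name$ form.
$account = New-Object System.Security.Principal.NTAccount($ServiceAccount)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the effective policy: local settings plus whatever GPO has pushed down.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = Get-Content $cfg -Encoding Unicode
Remove-Item $cfg -ErrorAction SilentlyContinue

$missing = @()
foreach ($right in $requiredRights.Keys) {
    # Line looks like: SeServiceLogonRight = *S-1-5-20,*S-1-5-21-...-1105
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' |
                   ForEach-Object { $_.Trim().TrimStart('*') }
    }
    $has = ($holders -contains $sid) -or ($holders -contains $ServiceAccount)
    '{0,-22} ({1}): {2}' -f $right, $requiredRights[$right], $(if ($has) { 'OK' } else { 'MISSING' })
    if (-not $has) { $missing += $right }
}

if ($missing) {
    Write-Warning "The AD FS service will fail with error 1297 until these rights are granted: $($missing -join ', ')"
    Write-Warning "If a GPO applies User Rights Assignment to this server, grant them in that GPO; local edits are overwritten on the next policy refresh."
}

# SPN check from the first reply: the account should carry host/<federation service FQDN>.
setspn -L $ServiceAccount
```

Because the export reflects the effective policy, a MISSING result on a server where you granted the right locally is the symptom of the GPO overwrite described in the last post: the fix belongs in the GPO, not in secpol.msc.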
