Symptoms

  • Starting AD FS 2.0 Windows Service fails

From the Services console:

"Windows could not start the AD FS 2.0 Windows Service service on Local Computer.

Error 1064: An exception occurred in the service when handling the control request."

From the command line:

"The AD FS 2.0 Windows Service service could not be started.

A system error has occurred.

An exception occurred in the service when handling the control request."

During execution of FsConfig.exe:

"Failed: An error occurred while trying to perform the configuration task: Unable to start the AD FS 2.0 Windows Service. Check Event Viewer for details."

The following two events are logged in the AD FS 2.0 Eventing/Admin log:

Log Name:      AD FS 2.0 Eventing/Admin
Source:        AD FS 2.0 Eventing
Date:          11/30/2009 11:06:33 AM
Event ID:      102
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      GB2ResourceSTS.treyresearch.net
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.UriFormatException: Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
   at System.ServiceModel.ServiceHost.AddServiceEndpoint(Type implementedContract, Binding binding, String address, Uri listenUri)
   at System.ServiceModel.ServiceHost.AddServiceEndpoint(Type implementedContract, Binding binding, String address)
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.PolicyServiceHost.ConfigureWCF()
   at Microsoft.IdentityServer.Service.SecurityTokenService.MSISConfigurableServiceHost.Configure()
   at Microsoft.IdentityServer.Service.Policy.PolicyServer.Service.PolicyServiceHost.Create()
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.CreateAdministrationService(ServiceHostManager serviceHostManager)
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.StartAdministrationService()
   at Microsoft.IdentityServer.Service.SecurityTokenService.STSService.OnStartInternal(Boolean requestAdditionalTime)

-------------------------------------------------------------------------------------

Log Name:      AD FS 2.0 Eventing/Admin
Source:        AD FS 2.0 Eventing
Date:          11/30/2009 11:06:33 AM
Event ID:      220
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      GB2ResourceSTS.treyresearch.net
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.

Additional Data
Error: 
Invalid URI: The hostname could not be parsed.

-------------------------------------------------------------------------------------

  • If you run FsConfigWizard.exe, you will also get stuck on the "Specify the Federation Service Name" step: you can neither click Next nor select another SSL certificate.

Cause

  • The Federation Service derives the Federation Service name (hostname) from the SSL certificate bound to the default website. The service fails to start if that certificate's subject and/or SAN is not a valid Federation Service name, that is, a value that cannot be parsed as a hostname, which is what the System.UriFormatException in event 102 reports.

Resolution

  • Bind an SSL certificate to the default website which has a valid Federation Service name and then run the initial configuration again.
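To see before re-running the configuration which names in the bound certificate would trip this parse, the following PowerShell script (an added example, not part of this article or of AD FS) lists the certificate's subject CN and SAN DNS names and runs each through System.Uri, the same parse that raised the UriFormatException above. It assumes you pass the thumbprint of the certificate bound to the default website (the "Certificate Hash" printed by netsh http show sslcert) and an English Windows build, because it matches the "DNS Name=" label in the extension's formatted text; without a thumbprint it runs the check on constructed sample names.

```powershell
# Added example, not from this article or from AD FS: report which names in the
# SSL certificate bound to the default website System.Uri accepts as a hostname,
# the parse that raised the UriFormatException in event 102. Assumes the bound
# certificate's thumbprint (the "Certificate Hash" shown by: netsh http show
# sslcert) and an English Windows build, whose formatted SAN extension uses the
# "DNS Name=" label. Written to run on PowerShell 2.0.
param([string]$Thumbprint)

function Test-FederationHostName {
    # $true when the name can serve as the host part of an https:// URI.
    param([string]$Name)
    $uri = $null
    if (-not [System.Uri]::TryCreate("https://$Name/", [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    # A Federation Service name must be a DNS name, not an IP address.
    return ($uri.HostNameType -eq [System.UriHostNameType]::Dns)
}

if (-not $Thumbprint) {
    # No thumbprint given: run the check on constructed sample names instead.
    foreach ($n in 'sts.treyresearch.net', 'Trey Research STS', 'GB2ResourceSTS', '192.0.2.10') {
        '{0,-25} {1}' -f $n, (Test-FederationHostName -Name $n)
    }
    return
}

# Normalise the thumbprint (netsh prints it without spaces, certutil with them).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

$names = @()
# Subject CN, via X509Certificate2.GetNameInfo(SimpleName).
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += New-Object PSObject -Property @{ Source = 'Subject'; Name = $cn } }
# DNS entries of the Subject Alternative Name extension (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
        $names += New-Object PSObject -Property @{ Source = 'SAN'; Name = $m.Groups[1].Value }
    }
}

foreach ($entry in $names) {
    $verdict = 'INVALID: hostname could not be parsed'
    if (Test-FederationHostName -Name $entry.Name) { $verdict = 'valid hostname' }
    '{0,-8} {1,-45} {2}' -f $entry.Source, $entry.Name, $verdict
}
```

Any name reported as INVALID is one the Federation Service cannot use, so replace the certificate before binding it and running the initial configuration again.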

More Information

  • The FsConfig.exe utility has a /federationservicename parameter that might seem to work around this problem, but it still fails when the SSL certificate has an invalid subject and/or SAN, because it checks that the federationservicename you specify matches the subject name of the SSL certificate. It fails with the following error:

"The following error occurred: The Federation Service name specified with the parameter federationservicename and the Subject name in the SSL certificate do not match."