Symptoms

  • The AD FS 2.0 Windows service fails to start. This can be observed during Initial Configuration, during a manual restart of the service, or after a system reboot.

  • The System event log indicates a timeout failure similar to the following:

Source: Service Control Manager
Event ID: 7000
The AD FS 2.0 Windows Service service failed to start due to the following error:
The service did not respond to the start or control request in a timely fashion.

This is typically experienced on a slow-performing machine.

Cause

Service Control Manager (SCM) is timing out the service start before it completes. This is usually due to a lack of Internet connectivity from the AD FS 2.0 Federation Server or AD FS 2.0 Federation Server Proxy. At service start, when generatePublisherEvidence is enabled for .NET 3.5, the server attempts to connect to crl.microsoft.com over TCP port 80. AD FS 2.0 does not depend on a positive or negative result from generatePublisherEvidence, but with the default (enabled) setting SCM can time out while the TCP/80 connection to crl.microsoft.com is still waiting to fail.

Resolution

Option 1:

Disable generatePublisherEvidence for .NET 3.5

Remarks

This element was introduced in the .NET Framework version 3.5 and applies only to that version. It has no effect in later versions of the .NET Framework.

The common language runtime (CLR) tries to verify the Authenticode signature at load time to create Publisher evidence for the assembly. However, by default, most applications do not need Publisher evidence. Standard CAS policy does not rely on the PublisherMembershipCondition. You should avoid the unnecessary startup cost associated with verifying the publisher signature unless your application executes on a computer with custom CAS policy, or is intending to satisfy demands for PublisherIdentityPermission in a partial-trust environment. (Demands for identity permissions always succeed in a full-trust environment.)

  • Place the following in C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config

<configuration>
    <runtime>
        <generatePublisherEvidence enabled="false"/>
    </runtime>
</configuration>

Option 2:

Increase the default service start timeout observed by SCM (the ServicesPipeTimeout registry value):

More Information

After you increase the ServicesPipeTimeout value in the registry, the service control manager waits for the whole ServicesPipeTimeout period before the System event log reports that the service did not start.

Option 3:

Edit the HOSTS file and point crl.microsoft.com to localhost:

127.0.0.1 crl.microsoft.com
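The following PowerShell script is an added example, not part of the original article: it checks, read-only, each factor the Cause and the three options refer to (TCP/80 reachability of crl.microsoft.com, the generatePublisherEvidence element in the machine.config path given in Option 1, the ServicesPipeTimeout value, and recent Event ID 7000 entries from the Symptoms section). It assumes a 64-bit server (the Framework64 path above) and that ServicesPipeTimeout is read from HKLM\SYSTEM\CurrentControlSet\Control, which is where Windows stores it.

```powershell
# Added read-only check: reports the factors behind the AD FS 2.0 start-up timeout (Cause, Options 1-3).
$MachineConfig = 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config'
$CrlHost       = 'crl.microsoft.com'
$ScmKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control'  # where Windows stores ServicesPipeTimeout

function Test-TcpPort {
    # $true if a TCP connection completes within $TimeoutMs. Uses TcpClient (not
    # Test-NetConnection) so it also runs on Windows Server 2008 R2 / PowerShell 2.0.
    param([string]$HostName, [int]$Port = 80, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if DNS or the connect itself failed
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-PublisherEvidenceSetting {
    # 'false' once Option 1 is applied; 'true' or 'absent' (the default is enabled) otherwise.
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'file-missing' }
    [xml]$cfg = Get-Content -Path $Path
    $node = $cfg.configuration.runtime.generatePublisherEvidence
    if ($null -eq $node) { return 'absent' }
    return $node.enabled
}

function Get-ServicesPipeTimeoutMs {
    # Configured ServicesPipeTimeout in ms, or $null when absent (SCM built-in default; Option 2 not applied).
    $props = Get-ItemProperty -Path $ScmKey -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['ServicesPipeTimeout']) { return [int]$props.ServicesPipeTimeout }
    return $null
}

function Get-AdfsStartTimeouts {
    # Recent Event ID 7000 entries whose text names the AD FS 2.0 Windows Service (Symptoms section).
    param([int]$Last = 5)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000 } `
        -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*AD FS 2.0 Windows Service*' } |
        Select-Object -First $Last TimeCreated, Message
}

# With Option 3 in place the TCP test resolves to 127.0.0.1, so a fast 'False' (or 'True' if a
# local web server listens on port 80) is expected instead of a long wait on an unreachable host.
Write-Host "crl.microsoft.com:80 reachable : $(Test-TcpPort -HostName $CrlHost)"
Write-Host "generatePublisherEvidence      : $(Get-PublisherEvidenceSetting -Path $MachineConfig)"
$t = Get-ServicesPipeTimeoutMs
Write-Host "ServicesPipeTimeout (ms)       : $(if ($null -eq $t) { 'not set (SCM default)' } else { $t })"
Get-AdfsStartTimeouts | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session on the federation server or proxy before and after applying an option to confirm the change took effect.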