It seems like I’m focussed a lot on certificates recently, but I found a corker today… Here’s the scenario – ADFS 2.0 on Windows Server 2012 configured with an external certificate where the name you wish to use for federation is NOT the common name. As I already had my certificate downloaded from my CA with a SAN entry for ‘federation.domain.co.uk’, I installed it into the Personal store on the server and then bound it to the default website in IIS. All was working fine, and so I set about configuring the second server identically to the first. When I finally went into the ADFS console to add the server to a farm I received this error:-
However, both servers were set up identically and I confirmed that the certificate had been imported and bound correctly. After a lot of searching and reading through various posts on the topic I found this fantastic post by Brian Reid MCM (http://goo.gl/MFgwE). It turns out that there’s a bug in the interface: if you use a SAN entry to set up your initial Primary Federation Server, then other servers you attempt to add to the farm fail. The solution is to use the command line to get this to work properly; the command is below:-
FsConfig.exe JoinFarm /PrimaryComputerName PRIMARYSERVERNAME /ServiceAccount DOMAIN\USER /ServiceAccountPassword PASSWORD /CertThumbprint "THUMBPRINT"
The thumbprint value will need to be obtained from the properties of your certificate. See my previous Exchange post to see how to do this – here. If all done successfully, you should get the following output:-
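As an added example (not from the original post), here is a PowerShell snippet that finds the federation certificate by its SAN DNS name rather than its Subject CN, normalises the thumbprint, and runs the JoinFarm command above. The federation name, server and account values are placeholders, and the FsConfig.exe path is assumed to be the default ADFS 2.0 install location.

```powershell
# Added example: select the ADFS certificate by SAN entry (the CN is NOT the
# federation name in this scenario), then run FsConfig.exe JoinFarm with it.
$FederationName = 'federation.domain.co.uk'   # placeholder: SAN name used for the farm
$PrimaryServer  = 'PRIMARYSERVERNAME'         # placeholder
$ServiceAccount = 'DOMAIN\USER'               # placeholder
# Assumed default ADFS 2.0 install path
$FsConfig = "$env:ProgramFiles\Active Directory Federation Services 2.0\FsConfig.exe"

# Match on the certificate's DNS names (SAN), require a private key and a valid
# period; if several match, take the one expiring last.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.DnsNameList.Unicode -contains $FederationName)
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key and SAN '$FederationName' in LocalMachine\My"
}

# Thumbprints copied from the certificate GUI often carry spaces or an invisible
# leading character; keep only hex digits so FsConfig receives exactly 40 of them.
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) {
    throw "Unexpected thumbprint length $($thumbprint.Length): '$thumbprint'"
}

Write-Host "Subject    : $($cert.Subject)"
Write-Host "SAN names  : $($cert.DnsNameList.Unicode -join ', ')"
Write-Host "Thumbprint : $thumbprint"

# Prompt for the service account password instead of hard-coding it in the script.
$cred  = Get-Credential -UserName $ServiceAccount -Message 'ADFS service account password'
$plain = $cred.GetNetworkCredential().Password

& $FsConfig JoinFarm `
    /PrimaryComputerName $PrimaryServer `
    /ServiceAccount $ServiceAccount `
    /ServiceAccountPassword $plain `
    /CertThumbprint "$thumbprint"
```

Run it in an elevated PowerShell session on the server being joined; the printed Subject and SAN list let you confirm you picked the SAN certificate and not one whose CN merely looks similar.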
Enjoy! Neil