ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot

8:48 pm in ADFS, ADFS 3.0, Global Managed Service Account, gmsa, intune, MDM, UDM, Windows Server 2012 R2, Windws Intune by Kenny Buntinx [MVP]

 

Background :

With the arrival of ADFS 3.0 in Windows Server 2012 R2 the use of IIS with AD FS in Windows Server 2012 R2 has been eschewed in favour of a move to kernel-mode (HTTP.SYS). The motive is to improve performance, provide greater sign-in customization options and to be able for co-locating ADFS and AD Domain Services on the same server (IIS on domain controllers is from a security perspective a big no-no).

As the use of federation services goes more mainstream in everyday use with Windows 8.1, office 365 , intune , azure and whatever cloud service they come up with , this shift is understandable and an important design consideration.  With the new kernel-mode approach, support for running under server core also appears as an option in the new release.

Problem :

In my lab , I Installed and configured ADFS 3.0 om my domain controller with a global managed service account (gmsa). This is a new feature since ADDS 2012 was introduced. After a server reboot , the ADFS services cannot start anymore and it always stay in "starting" state , making your DC unusable.

This issue appears to be gMSA related, when you install ADFS 3.0 on a 2012R2 running AD DS, than after the reboot (not always) gMSA fails to authenticate on behalf of the ADFS Service under which the service is configured to run.

Solution:

After investigation, I found an unacceptable workaround, which is to :

1. Reboot the ADDS/ADFS3.0 server, logon and immediately set the ADFS Service from Automatic (Delayed) to Manual.

2. Change the Microsoft Key Distribution Service (kdssvc) service to auto (instead of manual trigger) and restart the DC.

3. Logon and start the ADFS service (starts successfully)

4. Set the ADFS Service from Manual to Automatic (Delayed) .

5. Done.

Keep it coming. We’re all learning ADFS 3.0 for Windows Intune  :-)

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management