Sysadminsblog.com Anything for sysadmins!

2 May 2013

Dir Sync: Unable to establish a connection to the authentication service

Users reported that they couldn't access their personal archives. The archives are stored on the Office 365 services and should always be accessible. Of course, the first clue was in the Event Viewer, where I found the following errors.

Log Name:      Application
Source:        Directory Synchronization
Date:          2-5-2013 8:31:38
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <servername>
Description:
Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support.  (0x80048862)
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Directory Synchronization" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-02T06:31:38.000000000Z" />
    <EventRecordID>27537</EventRecordID>
    <Channel>Application</Channel>
    <Computer><servername></Computer>
    <Security />
  </System>
  <EventData>
    <Data>Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support.  (0x80048862)</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        FIMSynchronizationService
Date:          2-5-2013 8:31:50
Event ID:      6803
Task Category: Management Agent Run Profile
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      <servername>
Description:
The management agent "TargetWebService" failed on run profile "Full Confirming Import" because the server encountered errors.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="49152">6803</EventID>
    <Level>2</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-02T06:31:50.000000000Z" />
    <EventRecordID>27539</EventRecordID>
    <Channel>Application</Channel>
    <Computer><servername></Computer>
    <Security />
  </System>
  <EventData>
    <Data>TargetWebService</Data>
    <Data>Full Confirming Import</Data>
  </EventData>
</Event>

Log Name:      Application
Source:        FIMSynchronizationService
Date:          2-5-2013 8:31:50
Event ID:      6110
Task Category: Management Agent Run Profile
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      <servername>
Description:
The management agent "TargetWebService" step execution completed on run profile "Full Confirming Import" but the watermark was not saved.

 Additional Information
 Discovery Errors       : "0"
 Synchronization Errors : "0"
 Metaverse Retry Errors : "0"
 Export Errors          : "0"
 Warnings               : "0"

 User Action
 View the management agent run history for details.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="FIMSynchronizationService" />
    <EventID Qualifiers="32768">6110</EventID>
    <Level>3</Level>
    <Task>1</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2013-05-02T06:31:50.000000000Z" />
    <EventRecordID>27540</EventRecordID>
    <Channel>Application</Channel>
    <Computer><servername></Computer>
    <Security />
  </System>
  <EventData>
    <Data>TargetWebService</Data>
    <Data>Full Confirming Import</Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>0</Data>
    <Data>0</Data>
  </EventData>
</Event>

When I started the Synchronization Service Manager at C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe, it showed the error stopped-server-down.

Seeing that it couldn't connect to some server, I had to find out which server it was trying to connect to. In the Synchronization Service Manager I checked the Management Agents; the properties of the TargetWebService agent showed the server it was trying to connect to: https://adminwebservice.microsoftonline.com/ProvisioningService.svc.

After clearing the cache on the DNS servers and flushing the DNS cache locally on the server, I forced another full import, which ran without problems.
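The same triage in script form, as an added example that is not part of the original post: it lists the recent Directory Synchronization and FIMSynchronizationService events from the Application log, resolves the host of the provisioning endpoint that the TargetWebService management agent uses, and tests TCP 443 to it before and after flushing the local resolver cache, so a stale DNS answer shows up as a changed address or a connection that starts working. Only the endpoint URL comes from the post; the function names and the 24-hour window are assumptions, and the script sticks to cmdlets and .NET calls available on Windows PowerShell 2.0.

```powershell
# Added example, not part of the original post. Only the endpoint URL is from the post;
# the function names and the 24-hour lookback are assumptions.
$endpoint = 'https://adminwebservice.microsoftonline.com/ProvisioningService.svc'
$hostName = ([System.Uri]$endpoint).Host

function Get-DirSyncEvents {
    param([int]$Hours = 24)
    $sources = @('Directory Synchronization', 'FIMSynchronizationService')
    Get-EventLog -LogName Application -After (Get-Date).AddHours(-$Hours) -EntryType Error, Warning |
        Where-Object { $sources -contains $_.Source } |
        Select-Object TimeGenerated, Source, EventID, EntryType,
            @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

function Test-ProvisioningEndpoint {
    param([string]$TargetHost = $hostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $result = New-Object PSObject -Property @{ TargetHost = $TargetHost; Resolved = ''; TcpOpen = $false; Error = '' }
    try {
        # What this server's own resolver answers; a stale or wrong answer here is the DNS case from the post
        $addrs = [System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.IPAddressToString }
        $result.Resolved = $addrs -join ','
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($TargetHost, $Port, $null, $null)
        # Bound the wait so a black-holed route fails fast instead of hanging the script
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)
            $result.TcpOpen = $client.Connected
        } else {
            $result.Error = "connect timed out after $TimeoutMs ms"
        }
        $client.Close()
    } catch {
        $result.Error = $_.Exception.Message
    }
    $result
}

Get-DirSyncEvents | Format-Table -AutoSize

$before = Test-ProvisioningEndpoint
if ($before.TcpOpen) {
    "TCP 443 to $hostName is open (resolved to $($before.Resolved)); look beyond DNS: proxy, certificate chain, credentials."
} else {
    # Flushes only this server's resolver cache; the caches on the DNS servers are cleared on those servers
    ipconfig /flushdns | Out-Null
    $after = Test-ProvisioningEndpoint
    "Before flush: resolved=[$($before.Resolved)] tcp443=$($before.TcpOpen) $($before.Error)"
    "After flush:  resolved=[$($after.Resolved)] tcp443=$($after.TcpOpen) $($after.Error)"
}
```

If the address changes after the flush and the connection then succeeds, the cause was the cached record, which is the case described above; if the resolved address is identical and TCP 443 is open both times, the problem is further up the stack and the event text alone won't tell you where.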

Hope this helps you with solving your problem!

4 Jul 2011

Installing and Configuring ADFS 2.0

As we're setting up collaboration sites on our SharePoint 2010 farm, we wanted to provide the ability to have external logins using Facebook or Google accounts. Everything soon pointed in the direction of Active Directory Federation Services. As version 1.0, which comes with Windows Server 2008 R2, is already outdated, I needed to download the 2.0 version. Make sure that you download the proper version, as you might run into some very strange errors otherwise. Since I'm running Windows 2008 R2 x64 I selected RTW\W2K8R2\amd64\AdfsSetup.exe.

When the installation started, the IIS part took quite some time. When I figured it was stuck and TrustedInstaller.exe was using around 750MB of memory, I decided to kill the process, as it might crash the entire server. Although this seemed the right thing to do, the consequences were somewhat strange. When I restarted the installation it ran into an error right away, stating that the install of KB981002.msu could not complete. I tried installing this update manually, but it indicated that the system doesn't need the update. I rebooted the system and retried the installation, which then proceeded without a hitch.

SSL

Make sure that you have a Certificate Authority installed in your domain. You can use its certificates for Exchange servers and SharePoint servers, and you also need one for the ADFS server.

If you don't have a proper certificate installed you might get an error like this, which might put you on the wrong track. Just create a new certificate, or use one that is already installed.

To create an SSL certificate request in IIS, open IIS Manager, select the host and double-click the Server Certificates icon. Your certificate options are on the right.

Once you have installed the SSL certificate in IIS, you can assign it by right-clicking the website in IIS and selecting Edit Bindings. Then edit or add an https port and select the SSL certificate you want to use.

Configure ADFS 2.0

As I didn't have a Federation Server running anywhere I needed to create a new Federation Service. Here are the steps:

  1. After the install, the ADFS configuration was started.
  2. Click the AD FS 2.0 Federation Server Configuration Wizard to start the configuration.
  3. Select Create a new Federation Service.
  4. Select New Federation server farm.
  5. The certificate should be automatically selected. You get the option to select the Federation Service name.
  6. Create a service account for the ADFS services. The following permissions are needed for this account:
     Service Logon right. This right is required for an account to log on using the service logon type.
     Audit Privilege right. This right is required to generate audit log entries.
     See this post for setting the permissions. You can use the same guide for the service logon.
  7. A summary of the settings will be presented. ADFS will be installed with a Windows Internal Database service. However, you can change this later on.

If the name of the federation service is already in use, you might be presented with an error: "The SPN required for this Federation Service is already set on another Active Directory account. Choose a different Federation Service name and try again." You'll have to use setspn.exe to set the proper SPN.
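Before picking another name it is worth knowing which account holds the SPN and whether it is registered twice. The following added example (not from the original post) queries that with setspn.exe and registers the SPN on the service account only when nothing owns it yet; the Federation Service name and the service account are placeholders.

```powershell
# Added example, not part of the original post. Name and account are placeholders.
$fsName  = 'fs.contoso.com'        # placeholder: the Federation Service name entered in the wizard
$svcAcct = 'CONTOSO\svc_adfs'      # placeholder: the account created for the ADFS service
$spn     = "HOST/$fsName"          # the SPN the wizard registers for the Federation Service

# -Q asks the forest which account, if any, has exactly this SPN
$query = setspn -Q $spn
$query

# -X reports SPNs registered on more than one account; a duplicate breaks Kerberos for both
setspn -X | Select-String -SimpleMatch $fsName

if ($query -match 'No such SPN found') {
    # Nothing owns it: -S registers it on the service account and checks for duplicates first
    setspn -S $spn $svcAcct
} else {
    # Another account owns it: either choose a different name, as the wizard suggests, or move the
    # SPN with 'setspn -D' on the old account followed by 'setspn -S' on the service account
    "SPN $spn is already registered; see the output above for the owning account."
}
```

Run this as a domain admin on a domain-joined machine; setspn -X walks the whole forest, so on a large directory it takes a while.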

Filed under: ADFS, Microsoft

28 Jun 2011

Migrating the ADFS 2.0 Configuration Database to MS SQL

By default, when you configure ADFS 2.0 it will create a Windows Internal Database for its configuration database. However, if you already have an MS SQL Server running, this is rather unnecessary. Thankfully it's possible to migrate the ADFS 2.0 databases to MS SQL.

Preparations

It's smart to start with a backup of the Federation Server.

If your federation server is running in a farm and it's behind a load balancer, temporarily remove it from the load balancing configuration.

On the Primary federation service

  1. Download the SQL Server 2008 Management Studio Express software and install it (you'll need sqlcmd).
  2. Stop the ADFS 2.0 service. Start an elevated command prompt and type:
     net stop adfssrv
  3. Connect to the Windows Internal Database and detach the databases by running the following commands:
     sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\query
     use master
     go
     sp_detach_db 'adfsconfiguration'
     go
     sp_detach_db 'adfsartifactstore'
     go
  4. Connect to the MS SQL server and attach the databases by running the following commands (note that the paths are local paths on the SQL server, so make sure that the files are on the local server):
     sqlcmd -S <SQLServer\SQLInstance>
     use master
     go
     sp_attach_db 'adfsconfiguration', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration_log.ldf'
     go
     sp_attach_db 'adfsartifactstore', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore.mdf', 'c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore_log.ldf'
     go
     alter database AdfsConfiguration set enable_broker with rollback immediate
     go
  5. Change the configuration database connection string to point to the new MS SQL server by running the following PowerShell commands:
     $SecTokenServ = Get-WmiObject -NameSpace root/ADFS -Class SecurityTokenService
     $SecTokenServ.ConfigurationdatabaseConnectionstring = "data source=<SQLServer\SQLInstance>; initial catalog=adfsconfiguration;integrated security=true"
     $SecTokenServ.Put()
  6. Start the ADFS 2.0 service. Start an elevated command prompt and type:
     net start adfssrv
  7. Change the artifact store database connection string to point to the new MS SQL server by running the following PowerShell commands:
     Add-PSSnapin Microsoft.ADFS.PowerShell
     Set-ADFSProperties -ArtifactDBConnection "data source=<SQLServer\SQLInstance>; initial catalog=adfsartifactstore;integrated security=true"
  8. Stop and start the ADFS 2.0 service:
     net stop adfssrv
     net start adfssrv
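Before the server goes back behind the load balancer it pays to confirm that both connection strings really point at the SQL instance and that the instance accepts a Windows-integrated login. The following added example (not part of the original post) reads the two connection strings back through the same WMI class and ADFS cmdlets the steps use, parses them, and opens a test connection; the instance name is a placeholder and the ArtifactDbConnection property name on Get-ADFSProperties is assumed to match the Set-ADFSProperties parameter used in step 7.

```powershell
# Added example, not part of the original post. The instance name is a placeholder.
$sqlInstance = 'SQLSERVER\INSTANCE'   # placeholder: the same value used in steps 4, 5 and 7

Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction SilentlyContinue

function Get-AdfsDbConnections {
    # Same sources the migration steps write to: WMI for the configuration DB, ADFS properties for the artifact DB
    $sts = Get-WmiObject -Namespace root/ADFS -Class SecurityTokenService
    New-Object PSObject -Property @{
        Configuration = $sts.ConfigurationDatabaseConnectionString
        Artifact      = (Get-ADFSProperties).ArtifactDbConnection   # assumed property name
    }
}

function ConvertFrom-ConnectionString {
    # Turns "key=value;key=value" into a hashtable so the check ignores spacing and case
    param([string]$ConnectionString)
    $h = @{}
    foreach ($pair in $ConnectionString -split ';') {
        if ($pair -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $h[$matches[1].ToLower()] = $matches[2] }
    }
    $h
}

function Test-SqlIntegratedLogin {
    # Opens the connection exactly as written and reports the database it lands in, or the failure text
    param([string]$ConnectionString)
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    try { $conn.Open(); $conn.Database } catch { "FAILED: $($_.Exception.Message)" } finally { $conn.Close() }
}

$dbs = Get-AdfsDbConnections
foreach ($name in 'Configuration', 'Artifact') {
    $cs    = $dbs.$name
    $parts = ConvertFrom-ConnectionString $cs
    $ok    = ($parts['data source'] -eq $sqlInstance) -and ($parts['integrated security'] -eq 'true')
    "{0,-13} data source={1} catalog={2} points-at-target={3} login={4}" -f $name,
        $parts['data source'], $parts['initial catalog'], $ok, (Test-SqlIntegratedLogin $cs)
}
(Get-Service adfssrv).Status
```

The login test runs as the account executing the script, not as the ADFS service account; because the connection strings use integrated security, that service account needs its own login and database access on the new instance, and the real proof is a clean "net start adfssrv" followed by no errors from the AD FS source in the Application log.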

Don't forget to add the primary federation server to the load balancing configuration.

To migrate the other ADFS 2.0 servers in the farm, start by removing the server from the load balancing configuration and stopping the service (net stop adfssrv) on that server. Then continue from step 5 of the steps above.

Afterwards add the servers back into the load balancing configuration to have it accept requests.

Filed under: ADFS, Microsoft

28 Jun 2011

Token Signing Certificate: The Root Certificate is invalid

When you try to add a trust relationship in SharePoint 2010 using the Central Administration, you might get the following error:

The root certificate that was just selected is invalid. This may be because the selected certificate requires a password and we do not support certificates that require a password. Please select another certificate.

I was certain that the certificate was correct and should be accepted. Instead of using the Central Administration, I managed to import the certificate through PowerShell.

  1. Import the certificate into the Windows Certificate Store, specifically the Personal store.
  2. Start a SharePoint 2010 Management Shell session.
  3. Locate the certificate in the Personal folder of the Windows Certificate Store and copy the Thumbprint:
     dir cert:\CurrentUser\My
  4. Run the following commands:
     $Cert = Get-Item("cert:\CurrentUser\My\" + "<thumbprint>".Replace(" ", "").ToUpper())
     New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $Cert
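A checked version of step 4, as an added example that is not part of the original post: it strips every non-hex character from the pasted thumbprint (the certificate properties dialog copies a hidden left-to-right mark, U+200E, in front of the thumbprint, which Replace(" ", "") does not remove), looks the certificate up, and refuses an expired or not-yet-valid certificate before calling New-SPTrustedRootAuthority. A certificate that still carries its private key gets a warning, since the public .cer is all SharePoint needs for the trust. The authority name and the thumbprint are placeholders.

```powershell
# Added example, not part of the original post. Name and thumbprint are placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-CleanThumbprint {
    # Keeps only hex digits: drops spaces, the hidden U+200E mark and anything else the clipboard added
    param([string]$Pasted)
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($clean.Length -ne 40) { throw "Expected 40 hex digits after cleaning, got $($clean.Length): '$clean'" }
    $clean
}

function Test-TrustedRootCandidate {
    # Returns the reasons not to register this certificate; an empty result means go ahead
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    $now = Get-Date
    if ($Cert.NotAfter -lt $now)  { $problems += "expired on $($Cert.NotAfter)" }
    if ($Cert.NotBefore -gt $now) { $problems += "not valid before $($Cert.NotBefore)" }
    if ($Cert.HasPrivateKey) {
        Write-Warning "Certificate $($Cert.Thumbprint) has a private key in this store; the trust only needs the public .cer"
    }
    $problems
}

function Register-TokenSigningCert {
    param([string]$PastedThumbprint, [string]$Name = 'Token Signing Certificate')
    $thumb  = Get-CleanThumbprint $PastedThumbprint
    $cert   = Get-Item "cert:\CurrentUser\My\$thumb" -ErrorAction Stop
    $issues = Test-TrustedRootCandidate $cert
    if ($issues) { throw "Not registering '$($cert.Subject)': $($issues -join '; ')" }
    # ADFS token-signing certificates are self-signed by default, so issuer and subject normally match
    "Registering $($cert.Subject) (issuer $($cert.Issuer), expires $($cert.NotAfter))"
    New-SPTrustedRootAuthority -Name $Name -Certificate $cert
}

Register-TokenSigningCert -PastedThumbprint '<thumbprint as pasted from the certificate dialog>'   # placeholder
```

Get-SPTrustedRootAuthority afterwards shows the same name and thumbprint, which is the quickest way to confirm the trust landed.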

The certificate should now be imported and the trust should be visible in the Central Administration.

27 Jun 2011

ADFS Error: The AD FS auditing subsystem could not register itself with the system. The auditing privilege is not held.

This error might occur when the ADFS service account doesn't have the permission required to log audit events.

To fix this error you have to grant the ADFS service account the permission in the local security policy of the server running ADFS or, when the server is a Domain Controller, in the Default Domain Controller Policy.

Local Security Policy

  1. Start the Local Security Policy console.
  2. Locate the User Rights Assignment container and select it (Security Settings\Local Policies\User Rights Assignment).
  3. Double-click the Generate security audits node.
  4. Add the service account of ADFS to the list.

Default Domain Controller Policy

  1. Start the Group Policy Management Console.
  2. Edit the Default Domain Controllers Policy (<Forest>\Domains\<Domain>\Group Policy Objects\Default Domain Controllers Policy).
  3. Locate the User Rights Assignment container and select it (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment).
  4. Double-click the Generate security audits node.
  5. Add the service account of ADFS to the list.

You might have to run gpupdate and restart the service to have the changes take effect.
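Whether the change took effect can be checked on the ADFS server itself rather than by restarting the service and watching for the error. The following added example (not part of the original post) covers both this post and the two rights listed in the ADFS 2.0 installation post above: it exports the server's effective user rights with secedit (run elevated; after gpupdate the export reflects what the Default Domain Controllers Policy applied) and reports who holds "Log on as a service" (SeServiceLogonRight) and "Generate security audits" (SeAuditPrivilege). The service account name is a placeholder.

```powershell
# Added example, not part of the original post. The service account name is a placeholder.
$svcAcct = 'CONTOSO\svc_adfs'   # placeholder
$rights  = 'SeServiceLogonRight', 'SeAuditPrivilege'

function Resolve-Principal {
    # secedit writes grantees either as "*S-1-5-20" (a SID) or as a plain account name
    param([string]$Entry)
    try {
        if ($Entry.StartsWith('*')) {
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } else {
            $name = $Entry
            $sid  = (New-Object System.Security.Principal.NTAccount($Entry)).Translate([System.Security.Principal.SecurityIdentifier])
        }
        New-Object PSObject -Property @{ Sid = $sid.Value; Name = $name }
    } catch {
        New-Object PSObject -Property @{ Sid = $Entry; Name = $Entry }   # deleted account or foreign SID: keep raw
    }
}

function Get-UserRightHolders {
    # Exports only the user-rights area of the effective local security database and parses the
    # "[Privilege Rights]" lines, which look like: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    param([string[]]$Right)
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content $cfg -Encoding Unicode   # secedit writes UTF-16
    Remove-Item $cfg
    $holders = @{}
    foreach ($r in $Right) {
        $holders[$r] = @()
        $line = $lines | Where-Object { $_ -match "^$r\s*=" }
        if ($line) {
            foreach ($entry in ($line -split '=', 2)[1] -split ',') {
                $e = $entry.Trim()
                if ($e) { $holders[$r] += Resolve-Principal $e }
            }
        }
    }
    $holders
}

$svcSid  = (New-Object System.Security.Principal.NTAccount($svcAcct)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$holders = Get-UserRightHolders $rights
foreach ($r in $rights) {
    $direct = @($holders[$r] | Where-Object { $_.Sid -eq $svcSid }).Count -gt 0
    "{0,-20} granted directly to {1}: {2}" -f $r, $svcAcct, $direct
    "    holders: " + (($holders[$r] | ForEach-Object { $_.Name }) -join ', ')
}
```

A right held only through group membership is not detected here, because secedit lists the grantees as configured, not the expanded membership; either add the account directly, as the posts do, or check the members of any group that appears in the holders list. A "False" for SeAuditPrivilege on a server that still logs the auditing error usually means the GPO has not been refreshed yet, which is the gpupdate case above.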

Filed under: ADFS, Microsoft