AD FS 2.0: The Service Fails to Start: "The service did not respond to the start or control request in a timely fashion."

Symptoms

The AD FS 2.0 Windows service fails to start. This can be observed during Initial Configuration, during a manual restart of the service, or after a system reboot.

The System event log indicates a timeout failure similar to the following:

Source: Service Control Manager

Event ID: 7000

The AD FS 2.0 Windows Service service failed to start due to the following error:

The service did not respond to the start or control request in a timely fashion.

This is typically experienced on a slow-performing machine.

Cause

Service Control Manager (SCM) is timing out the service start before it is complete. This is usually due to lack of internet connectivity from the AD FS 2.0 Federation Server or AD FS 2.0 Federation Server Proxy. At service start, when generatePublisherEvidence is enabled for .NET 3.5, the server will attempt to connect to crl.microsoft.com over TCP port 80. AD FS 2.0 does not rely on a positive or negative response from generatePublisherEvidence, and the default value can cause Service Control Manager to time out while waiting on the TCP/80 connection to fail to connect to crl.microsoft.com.

Resolution

Option 1:
Disable generatePublisherEvidence for .NET 3.5

Reference doc: http://msdn.microsoft.com/en-us/library/bb629393(v=VS.90).aspx

                Remarks

This element was introduced in the .NET Framework version 3.5 and applies only to that version. It has no effect in later versions of the .NET Framework.

The common language runtime (CLR) tries to verify the Authenticode signature at load time to create Publisher evidence for the assembly. However, by default, most applications do not need Publisher evidence. Standard CAS policy does not rely on the PublisherMembershipCondition. You should avoid the unnecessary startup cost associated with verifying the publisher signature unless your application executes on a computer with custom CAS policy, or is intending to satisfy demands for PublisherIdentityPermission in a partial-trust environment. (Demands for identity permissions always succeed in a full-trust environment.)

Place the following in C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config

<configuration>

    <runtime>

        <generatePublisherEvidence enabled="false"/>

    </runtime>

</configuration>

Place the following in C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config

<configuration>

    <runtime>

        <generatePublisherEvidence enabled="false"/>

    </runtime>

</configuration>

Option 2:

Increase the default timeout value observed by SCM:

Start Registry Editor (Regedit.exe).
To change the value data for the ServicesPipeTimeout DWORD value to 60000 in the Control key, follow these steps:
1. Locate and then click the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
2. Click the Control subkey
3. Right-click the ServicesPipeTimeout DWORD value, and then click Modify.
4. Click Decimal.
5. Type 60000, and then click OK.
If the ServicesPipeTimeout value is not available, add the new DWORD value, and then set its value data to 60000 in the Control key. To do so, follow these steps:
1. Locate and then click the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
2. Click the Control subkey.
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type ServicesPipeTimeout, and then press ENTER.
5. Right-click the ServicesPipeTimeout DWORD value, and then click Modify.
6. Click Decimal.
7. Type a value of 60000, and then click OK.
  
  The value is 60000 milliseconds and is equivalent to 60 seconds or to one minute.
Note This change does not take effect until the computer is restarted.

More Information

After you increase the ServicesPipeTimeout value in the registry, the service control manager waits for the services to use the whole ServicesPipeTimeout value before the system event log reports that the program did not start.