AD FS 2.0: The Service Fails to Start and Error Events 352, 102, and 220 Describing an OperationalFault Are Logged

Symptoms

  • After a system reboot, the AD FS 2.0 Windows service fails to start
  • The following events are logged in the AD FS 2.0/Admin event log:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          %Date / Time%
Event ID:      352
Task Category: None
Level:         Error
Keywords:      AD FS
User:          %AD FS Service Account%
Computer:      %ComputerName%
Description:
A SQL operation in the AD FS configuration database with connection string Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.

Additional Data
Exception details:
Access to module IdentityServerPolicy.GetServiceSettings is blocked because the signature is not valid.

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          %Date / Time%
Event ID:      102
Task Category: None
Level:         Error
Keywords:      AD FS
User:          %AD FS Service Account%
Computer:      %ComputerName%
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.

Additional Data
Exception details:
System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault]: ADMIN0012: OperationFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).


Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          %Date / Time%
Event ID:      220
Task Category: None
Level:         Error
Keywords:      AD FS
User:          %AD FS Service Account%
Computer:      %ComputerName%
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.

Additional Data
Error:
ADMIN0012: OperationFault

Cause


The code-signing certificate verification check for the AD FS 2.0 service executable is failing. AD FS 2.0 is a .NET application whose binaries are code-signed with Microsoft digital certificates. When the service starts, the Authenticode signature embedded in the executable is verified, which includes checking that the signing certificate was valid at the time of signing. How strict that verification is (whether revocation is checked, and what happens when the revocation source cannot be reached) is a per-user WinTrust policy. It is exposed in Internet Explorer under the Security section of the Advanced tab of Internet Options, through checkboxes such as "Check for signatures on downloaded programs" and "Check for publisher's certificate revocation", and it is stored in the registry, where it can also be changed directly.

The registry location affected by these settings is:

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Value Name:    State
Type:          REG_DWORD
Default Value: 0x23c00

Notice that this registry location is under the S-1-5-20 hive. That SID is the Network Service account. The signature verification that fails at service startup runs in the Network Service context, not under the AD FS 2.0 service identity, so it is the Network Service profile's WinTrust policy that applies. This is true even if your AD FS 2.0 service identity is a domain service account. If the WinTrust "State" value in that hive is configured incorrectly, the verification fails and the service cannot start: event 352 shows the failure surfacing as "the signature is not valid" on a configuration database operation, and events 220 and 102 follow from it.

Resolution


You will most likely see this issue on a closed network, where the AD FS 2.0 server has no internet access, either directly or through a proxy server. On such a network the verifier cannot reach the revocation source, so the outcome depends on the offline-tolerance bits of the WinTrust policy (the WTPF_OFFLINEOK_* flags, all of which are set in the default value 0x23c00).

It is unlikely that the Network Service WinTrust "State" value was changed through the Internet Explorer settings, because nobody logs on interactively as Network Service. The correct approach is to look for scripts, security templates, .reg files, and Group Policy objects to find where the registry change comes from. You can also audit the registry location, or use a tool such as Process Monitor to watch for writes to the value.

Validate the existence and value of the following registry key:

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Value Name:    State
Type:          REG_DWORD
Default Value: 0x23c00

This value can be configured differently depending on your validation needs. To determine the correct "State" value for your environment, decode it using the flags listed in the More Information section.

More Information


The "State" value is a bit mask of the following WTPF_* flags, as documented for the WintrustSetRegPolicyFlags function. The default 0x23c00 is WTPF_OFFLINEOK_IND | WTPF_OFFLINEOK_COM | WTPF_OFFLINEOKNBU_IND | WTPF_OFFLINEOKNBU_COM | WTPF_IGNOREREVOCATIONONTS.

Flag                        Value        Meaning
WTPF_TRUSTTEST              0x00000020   Trust any test certificate.
WTPF_TESTCANBEVALID         0x00000080   Check any test certificate for validity.
WTPF_IGNOREEXPIRATION       0x00000100   Use expiration date.
WTPF_IGNOREREVOKATION       0x00000200   Do revocation check.
WTPF_OFFLINEOK_IND          0x00000400   If the source is offline, trust any individual certificates.
WTPF_OFFLINEOK_COM          0x00000800   If the source is offline, trust any commercial certificates.
WTPF_OFFLINEOKNBU_IND       0x00001000   If the source is offline, trust any individual certificates. Do not use the user interface (UI).
WTPF_OFFLINEOKNBU_COM       0x00002000   If the source is offline, trust any commercial certificates. Do not use the checking UI.
WTPF_VERIFY_V1_OFF          0x00010000   Turn off verification of version 1.0 certificates.
WTPF_IGNOREREVOCATIONONTS   0x00020000   Ignore time stamp revocation checks.
WTPF_ALLOWONLYPERTRUST      0x00040000   Allow only items in the personal trust database.

The meanings for WTPF_IGNOREEXPIRATION and WTPF_IGNOREREVOKATION are quoted as Microsoft documents them; the flag names are the better guide to what setting the bit does. Clearing "Check for publisher's certificate revocation" in Internet Options adds 0x200 to the value (0x23c00 becomes 0x23e00).

When the 0x00040000 bit (WTPF_ALLOWONLYPERTRUST) is set, only binaries whose publisher is in the Trusted Publishers store are accepted, so a Microsoft-signed executable is rejected unless that publisher certificate has been added to the store. If you are using software restriction policies (SAFER) and have configured Trusted Publisher settings via Group Policy or Group Policy Preferences, these values will be manipulated.

WintrustSetRegPolicyFlags function:
http://msdn.microsoft.com/en-us/library/Aa388201
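The following PowerShell script is an added example, not part of the original article and not AD FS 2.0's own code. It reads the Network Service "State" value named in the Resolution section, decodes it with the flag table above, diffs it against the default 0x23c00, and then checks the Authenticode signature of the service binary discussed under Cause. The service name adfssrv and the requirement to run from an elevated shell are assumptions not stated on this page.

```powershell
# Added example; not part of the original article or of AD FS 2.0 itself.
# Decodes the Network Service (S-1-5-20) WinTrust "State" value into WTPF_* flags,
# diffs it against the documented default 0x23c00, and checks the Authenticode
# signature of the AD FS 2.0 service binary.
# Assumptions: run in an elevated PowerShell on the AD FS 2.0 server; the service
# is registered under the name 'adfssrv' (not stated in the article).

$Path         = 'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$DefaultState = 0x23C00

# WTPF_* bit values from the WintrustSetRegPolicyFlags documentation.
$Wtpf = @{
    'WTPF_TRUSTTEST'            = 0x00000020
    'WTPF_TESTCANBEVALID'       = 0x00000080
    'WTPF_IGNOREEXPIRATION'     = 0x00000100
    'WTPF_IGNOREREVOKATION'     = 0x00000200
    'WTPF_OFFLINEOK_IND'        = 0x00000400
    'WTPF_OFFLINEOK_COM'        = 0x00000800
    'WTPF_OFFLINEOKNBU_IND'     = 0x00001000
    'WTPF_OFFLINEOKNBU_COM'     = 0x00002000
    'WTPF_VERIFY_V1_OFF'        = 0x00010000
    'WTPF_IGNOREREVOCATIONONTS' = 0x00020000
    'WTPF_ALLOWONLYPERTRUST'    = 0x00040000
}

function ConvertTo-WtpfFlags {
    # Returns the names of every known bit set in $State, lowest bit first;
    # any bits not in the table are reported as a single UNKNOWN_0x... entry.
    param([Parameter(Mandatory=$true)][int]$State)
    $known = 0
    foreach ($entry in ($Wtpf.GetEnumerator() | Sort-Object Value)) {
        $known = $known -bor $entry.Value
        if (($State -band $entry.Value) -ne 0) { $entry.Key }
    }
    $unknown = $State -band (-bnot $known)
    if ($unknown -ne 0) { 'UNKNOWN_0x{0:X8}' -f $unknown }
}

# 1. Existence check: the article asks you to validate that the value is present.
$item = Get-ItemProperty -Path $Path -Name State -ErrorAction SilentlyContinue
if ($item -eq $null) {
    Write-Warning "No 'State' value found under $Path"
}
else {
    $state   = [int]$item.State
    $current = @(ConvertTo-WtpfFlags -State $state)
    $default = @(ConvertTo-WtpfFlags -State $DefaultState)

    'Current State : 0x{0:X}' -f $state
    '  flags       : {0}'     -f ($current -join ', ')
    'Default State : 0x{0:X}' -f $DefaultState
    '  flags       : {0}'     -f ($default -join ', ')

    # 2. Diff against the default. Cleared WTPF_OFFLINEOK_* bits matter on a closed
    #    network (revocation source unreachable); an added WTPF_ALLOWONLYPERTRUST bit
    #    points at software restriction (SAFER) / Trusted Publishers policy.
    $cleared = @($default | Where-Object { $current -notcontains $_ })
    $added   = @($current | Where-Object { $default -notcontains $_ })
    if ($cleared.Count -eq 0 -and $added.Count -eq 0) {
        'State matches the documented default.'
    }
    else {
        if ($cleared.Count) { 'Bits cleared vs default: {0}' -f ($cleared -join ', ') }
        if ($added.Count)   { 'Bits added vs default  : {0}' -f ($added   -join ', ') }
        if ($added -contains 'WTPF_ALLOWONLYPERTRUST') {
            Write-Warning 'Only publishers in the Trusted Publishers store are accepted; check SAFER / Trusted Publisher Group Policy.'
        }
    }
}

# 3. Signature of the service binary. This runs under *your* WinTrust policy,
#    not Network Service's, so a Valid result here does not rule out the failure;
#    it only confirms the file itself is intact and Microsoft-signed.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='adfssrv'"
if ($svc -ne $null) {
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    'Service binary : {0}' -f $exe
    'Signature      : {0}' -f $sig.Status
    if ($sig.SignerCertificate -ne $null) { 'Signer         : {0}' -f $sig.SignerCertificate.Subject }
}
else {
    Write-Warning "Service 'adfssrv' not found; adjust the service name for your installation."
}
```

Run it elevated on the federation server; HKEY_USERS\S-1-5-20 is the Network Service profile hive and is normally loaded on a running server. Step 3 deliberately cannot reproduce the failure, because Get-AuthenticodeSignature evaluates the signature under the calling user's policy rather than Network Service's; the decoded "State" value from steps 1 and 2 is the evidence that matters, and a cleared offline bit or an added WTPF_ALLOWONLYPERTRUST bit is what to trace back to a script, template, or Group Policy object.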

Comments
  • Ed Price MSFT edited Revision 3. Comment: Updated title case and some edits.


  • Add the following to the hosts file:
    • 127.0.0.1 crl.microsoft.com
    • 127.0.0.1 ctldl.windowsupdate.com
