
I'm running a Windows Server 2016 active/passive ADFS setup; the issue below is happening on the passive node.

The AD domain is a single domain: domain.com. The same wildcard SSL certificate has been imported successfully to the other ADFS 2016 servers with no issue.

When I upload the ADFS Server 2016 logs to https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze, I get the error below (as in the screenshot).

The description of the error is:

    The diagnostic threw an unhandled exception.
    
    System.ArgumentOutOfRangeException: Index was out of range. Must be non-negative and less than the size of the collection.
       at System.ThrowHelper.ThrowArgumentOutOfRangeException(ExceptionArgument argument, ExceptionResource resource)
       at System.Collections.Generic.List`1.get_Item(Int32 index)
       at Microsoft.Identity.Federation.AdfsToolbox.Core.Framework.PowerShell.PowerShellProvider.GetAdfsSslCertificate()
       at Microsoft.Identity.Federation.AdfsToolbox.Core.Framework.PowerShell.PowerShellProvider.GetFederationCertificate(FederationCertificateType type)
       at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.CertificateValidity.SslValidity.GetCertificate()
       at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.CertificateValidity.ValidityBase.RunDiagnostic()
       at Microsoft.Identity.Federation.AdfsToolbox.Core.Diagnostics.Modules.DiagnosticModuleBase.Execute()

The result of `Get-AdfsSslCertificate` on the active ADFS server node:

    HostName          PortNumber  CertificateHash
    --------          ----------  ---------------
    ADFS.domain.com      443      CFHH542125AE8C06F4968AF2468E62699124AF52
    localhost            443      CFHH542125AE8C06F4968AF2468E62699124AF52
    ADFS.domain.com    49443      CFHH542125AE8C06F4968AF2468E62699124AF52

The private key permissions on the passive/secondary server that failed were shown in a screenshot (not included here).

After remote desktop into PRDADFS2-VM (the secondary server), where I had already manually imported the *.domain.com SSL certificate .PFX file, I ran:

    Add-AdfsFarmNode -ServiceAccountCredential (Get-Credential) -PrimaryComputerName PRDADFS1-VM.domain.com -CertificateThumbprint CFHH542125AE8C06F4968AF2468E62699124AF53 -OverwriteConfiguration

The result is:

WARNING: The SSL certificate subject alternative names do not support hostname 'certauth.ADFS.domain.com'. Configuring certificate authentication binding on port '49443' and hostname ' ADFS.domain.com'.

WARNING: Failed to register SSL bindings for Device Registration Service: An item with the same key has already been added.

  • So, how did you import the cert for this one? Did you do it while you installed the role, or did you run `Set-AdfsSslCertificate`? Is it actually in the Machine store? On the ADFS server, can you download the CRL from the location published in the certificate (e.g. via a browser or `Get-webrequest`)? When you open the cert in Certlm.msc, does it show any errors in the Certification Path tab? – LeeM Sep 24 '20 at 09:58
  • Basically, that error looks like the cert hasn't been found. I'd just go back to basics and check it's actually installed - like, what does `Get-AdfsSslCertificate` show? Check the AD FS Event Log - it'll show errors like Event 134 - "BadConfigurationCertificateNotFound", which are pretty self-explanatory. – LeeM Sep 24 '20 at 10:05
  • @TrixM, yes, the certificate is shown correctly, but there are multiple, like in the updated thread? – Senior Systems Engineer Sep 24 '20 at 12:19
  • That's fine. You should probably read up on how the certs are supposed to look if you're not familiar with them. Now you need to go through the steps of seeing that the server thinks they're valid, whether the CRL can be reached, what the ADFS event log says, etc. etc. etc., everything I previously outlined. – LeeM Sep 25 '20 at 06:21
  • @TrixM, do the certificate private key permissions look OK? The issue still persists. There is no error on the Certification Path tab. – Senior Systems Engineer Sep 29 '20 at 01:39
  • I'm starting to think we're wasting our time over an issue with the diagnostic tool and there's not actually any issue at all. Other than that very unhelpful report, what is *wrong* with the server? If you notice, the report is saying all the way through that 2/3 items are "OK". What two things are OK when you expand the items? Does your primary server think it has 3 items to check? I've now asked three times what's in your ADFS event log, assuming there IS actually an error, and it's not worth wasting time with some diagnostic when you aren't checking the basics. – LeeM Sep 29 '20 at 07:11
  • @TrixM, it looks like, after executing the simple PowerShell script, the certificate is not showing on the secondary server :-) – Senior Systems Engineer Sep 29 '20 at 07:34
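The checks the comments walk through (binding list, certificate present in the machine store with its private key, SAN coverage of the farm name and `certauth.<farm name>`, Event 134) can be run on each node and compared side by side. The script below is an added example, not code from the thread or from Microsoft's tooling; it assumes an elevated session on an ADFS node and uses `<EXPECTED-THUMBPRINT>` as a placeholder for the hash the primary reports.

```powershell
# Added example, not from the thread: compare the SSL binding and certificate-store state
# on an AD FS node. Run in an elevated PowerShell session on each farm node.
# <EXPECTED-THUMBPRINT> is a placeholder for the hash Get-AdfsSslCertificate shows on the primary.
param([string]$ExpectedThumbprint = '<EXPECTED-THUMBPRINT>')

# X.509 wildcard semantics: '*.domain.com' covers exactly one label, so it does NOT cover
# 'certauth.ADFS.domain.com' (which is why Add-AdfsFarmNode warns about that name).
function Test-SanCovers([string]$San, [string]$HostName) {
    if ($San.StartsWith('*.')) {
        $suffix = $San.Substring(1)
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return $San -ieq $HostName
}

$farmHost = (Get-AdfsProperties).HostName                 # e.g. ADFS.domain.com
$required = @($farmHost, "certauth.$farmHost")            # names behind the 443 / 49443 bindings

$bindings = @(Get-AdfsSslCertificate)
if ($bindings.Count -eq 0) {
    Write-Warning 'Get-AdfsSslCertificate returned nothing; the diagnostic tool indexes this list.'
}
$bindings | Format-Table HostName, PortNumber, CertificateHash -AutoSize

foreach ($hash in ($bindings.CertificateHash | Sort-Object -Unique)) {
    if ($hash -ne $ExpectedThumbprint) { Write-Warning "Binding uses $hash, expected $ExpectedThumbprint" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash | Select-Object -First 1
    if (-not $cert) { Write-Warning "$hash is bound but missing from LocalMachine\My"; continue }
    $pk = if ($cert.HasPrivateKey) { 'present' } else { 'MISSING' }
    Write-Host "$hash  Subject=$($cert.Subject)  NotAfter=$($cert.NotAfter)  PrivateKey=$pk"

    # Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = $sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim() } }
    }
    foreach ($name in $required) {
        $ok = [bool]($sans | Where-Object { Test-SanCovers $_ $name })
        Write-Host ("  SAN covers {0,-32} : {1}" -f $name, $(if ($ok) { 'yes' } else { 'NO' }))
    }
}

# Event 134 (BadConfigurationCertificateNotFound) is the log entry the comments point to.
Get-WinEvent -FilterHashtable @{ LogName = 'AD FS/Admin'; Id = 134 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

Run it on the primary and on PRDADFS2-VM and diff the two outputs; a node whose binding list is empty or whose bound hash is absent from LocalMachine\My is the one to fix before re-running the Diagnostics Analyzer.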
