
Using MS scripts, I attempted a migration of an ADFS 2.0 configuration (on Windows 2008R2) to a new ADFS (Windows 2016) server. I have warnings in my event log that seem to be linked, via the thumbprint in the error, to the token-decrypting and token-signing certificates.

The EventID was: 329. The error was: "The certificate that is identified by thumbprint 'xxxxxx' could not be decrypted using the keys for X.509 certificate private key sharing. MSIS7708: The group for X.509 certificate private key sharing with the distinguished name 'yyyyyy' does not exist."

How do I resolve these warnings?

alphadogg
    Did you export the private keys when you migrated the certificates to the new server? It would help if you provided a link to whatever instructions you followed. – Appleoddity Aug 23 '18 at 04:22
  • I exported the service certificate. And, instructions I followed were at https://itsalwaysmyproblem.com/2016/10/02/migrating-from-adfs-2-1-to-4-0/ – alphadogg Aug 28 '18 at 23:38

1 Answer


Are you the person on reddit I noticed following my instructions, who reported that their service account had been changed? If that's you - or if your service account has changed anyway between the old ADFS server and the new one - you may be having permissions issues in AD - the new ADFS service account might not be able to access AD objects created by the old service account.

If that's the case, use get-AdfsProperties on your ADFS server and look for CertificateSharingContainer. You should see something like this:

CertificateSharingContainer : CN=yourguid-goes-here-6b78-9deadbeef000,CN=ADFS,CN=Microsoft,CN=Program Data,DC=your,DC=domain,DC=name,DC=here

Find that container in AD, using ADUC. Verify the correct service account has permissions. If not, add them, bounce the ADFS service and see if that helps.

Rob Moir
    Rob, thanks for the help. Yes I did use that blog post to generally migrate the ADFS server we have. I later noted that the items being complained about were the token certificates, not the service one. I regenerated them and the error went away. – alphadogg Aug 28 '18 at 23:36
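As an added example (not code from the answer, the linked blog post, or Microsoft), here is a PowerShell check that follows the answer's steps: it reads CertificateSharingContainer from Get-AdfsProperties, resolves the account currently running the ADFS service, and reports whether that account has a direct ACE on the container and on each certificate object under it. It assumes the ADFS and ActiveDirectory modules are present, that the service is named adfssrv, and that you run it with rights to read AD ACLs.

```powershell
# Added diagnostic example; assumptions: run on the new ADFS server, ADFS and
# ActiveDirectory modules installed, service name 'adfssrv', reader can see AD ACLs.
Import-Module ADFS
Import-Module ActiveDirectory

# The container DN that the MSIS7708 warning refers to
$containerDn = (Get-AdfsProperties).CertificateSharingContainer
"Certificate sharing container: $containerDn"

# Resolve the current ADFS service account to a SID so ACEs can be compared
# reliably (names for gMSAs and users render differently in ACLs)
$svcName = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
$svcSid  = (New-Object System.Security.Principal.NTAccount($svcName)).Translate(
              [System.Security.Principal.SecurityIdentifier])
"ADFS service account: $svcName ($svcSid)"

function Test-ServiceAccountAccess([string]$Dn) {
    # Returns $true if an ACE on $Dn names the service account SID directly
    $acl = Get-Acl -Path "AD:\$Dn"
    $hit = $acl.Access | Where-Object {
        try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $svcSid }
        catch { $false }
    }
    if ($hit) {
        $hit | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize |
            Out-String | Write-Host
    }
    return [bool]$hit
}

# If the container cannot be read at all, ADFS reports it as 'does not exist'
if (-not (Get-ADObject -Identity $containerDn -ErrorAction SilentlyContinue)) {
    Write-Warning "Cannot read $containerDn; verify the DN and your own rights first."
    return
}
if (-not (Test-ServiceAccountAccess $containerDn)) {
    Write-Warning "No direct ACE for $svcName on the container (access may still come via a group or inheritance)."
}

# Each child object holds one shared certificate; the old service account usually
# owns these, so this is where a changed account most often lacks rights
Get-ADObject -SearchBase $containerDn -SearchScope OneLevel -Filter * | ForEach-Object {
    if (-not (Test-ServiceAccountAccess $_.DistinguishedName)) {
        Write-Warning "No direct ACE for $svcName on $($_.DistinguishedName)"
    }
}
# After granting the missing permissions (in ADUC or with Set-Acl), restart ADFS:
#   Restart-Service adfssrv
```

The check only looks for ACEs naming the service account itself; if access is granted through a group, review that group's membership in ADUC instead of relying on the warning.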