Unable to ADD a Second AD FS Server to the AD FS Farm – Certificate Error

Because I often write my posts in a lab environment, I sometimes bend the rules on the advice I give. For AD FS 2.0 in production, I always recommend using a dedicated single-name SSL certificate. For my lab environment, I have a 5-name certificate from GoDaddy that covers all of my certificate requirements. While creating my "Get to know the NEW Office 365" blog series, I ran into an issue when trying to add a second AD FS server to the AD FS farm. This happens because the primary (subject) name on the certificate I used does not match the AD FS farm name.

I am getting this error: "No certificates matching the Federation Service name were found in the Local Computer certificate store. Install the certificate that represents your Federation Service name in the Local Computer certificate store, and then try again."

You may also see this error: "The Subject name of the SSL certificate for the Default Web Site on this computer should match the name of the Federation Service to which you are trying to join this computer."


If you are in a production environment, you really need to re-think the certificate you are using. Microsoft recommends a single-name SSL certificate whose common name matches the AD FS farm name.

If you are in a lab environment like me and need to get past this error, use the Command Prompt to add the second server.

  1. Log in to the problem server with an administrative account.
  2. Get the Thumbprint of the certificate that you imported from the first AD FS server. You can read it from the certificate itself in the Local Computer certificate store.
  3. Open a Command Window as an Administrator.
  4. Change the directory to the path where AD FS 2.0 was installed:
    1. Windows Server 2008: C:\Program Files\Active Directory Federation Services 2.0
    2. Windows Server 2012: C:\Windows\ADFS
  5. Add the server with FsConfig.exe.
    1. Syntax: fsconfig.exe {StandAlone|CreateFarm|CreateSQLFarm|JoinFarm|JoinSQLFarm} [deployment specific parameters]


My syntax with options:

FsConfig.exe JoinFarm /PrimaryComputerName PRIMARY AD FS SERVER /ServiceAccount DOMAIN\SERVICE ACCOUNT /ServiceAccountPassword PASSWORD /CertThumbprint "ff eb 43 bb 8b f9 34 56 4b 45 ec 6f 53 bb 99 7f bf 48 7e"
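The same join, done from PowerShell so that the thumbprint is read straight out of the Local Computer store instead of being typed by hand. This is an added example, not part of the original post; the farm name, server name, service account and FsConfig.exe path are placeholders you must replace, and the SAN check simply reports the subject/SAN mismatch that makes the wizard fail.

```powershell
# Added example (not from the original post). Finds the SSL certificate that covers the AD FS
# farm name in Cert:\LocalMachine\My, reads its thumbprint and runs FsConfig.exe JoinFarm.
$FarmName       = 'sts.contoso.com'      # placeholder: Federation Service (farm) name
$PrimaryServer  = 'adfs01.contoso.com'   # placeholder: primary AD FS server
$ServiceAccount = 'CONTOSO\svc-adfs'     # placeholder: AD FS service account
# Windows Server 2008 path; on Windows Server 2012 use C:\Windows\ADFS\FsConfig.exe
$FsConfigPath   = 'C:\Program Files\Active Directory Federation Services 2.0\FsConfig.exe'

# True when the name is the subject CN or appears as a "DNS Name=" entry in the SAN extension (OID 2.5.29.17).
function Test-CertificateCoversName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    $escaped = [regex]::Escape($Name)
    if ($Cert.Subject -match "CN=$escaped(,|$)") { return $true }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match "DNS Name=$escaped(,|$)")) { return $true }
    return $false
}

# Only certificates with a private key and still valid are usable for the AD FS SSL binding.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-CertificateCoversName $_ $FarmName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key covers $FarmName in Cert:\LocalMachine\My" }

# This is the condition the GUI wizard rejects: the farm name is only a SAN entry, not the subject CN.
if ($cert.Subject -notmatch "CN=$([regex]::Escape($FarmName))(,|$)") {
    Write-Warning "Subject is '$($cert.Subject)'; $FarmName is only a SAN entry. Fine for a lab; use a single-name certificate in production."
}

# $cert.Thumbprint is the SHA-1 hash as upper-case hex with no spaces.
$thumb = $cert.Thumbprint
Write-Host "Using certificate $thumb ($($cert.Subject))"

# FsConfig.exe takes the service account password as a plain argument, so prompt for it rather than hard-coding it.
$secure = Read-Host -AsSecureString "Password for $ServiceAccount"
$bstr   = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

& $FsConfigPath JoinFarm /PrimaryComputerName $PrimaryServer /ServiceAccount $ServiceAccount /ServiceAccountPassword $plain /CertThumbprint $thumb
```

Run it from an elevated PowerShell session on the server you are joining, after the certificate (with its private key) has been imported into the Local Computer personal store.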

I hope this helps people get past the hurdle of adding a second AD FS server when using a certificate whose name does not match the AD FS farm name.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP


5 thoughts on "Unable to ADD a Second AD FS Server to the AD FS Farm – Certificate Error"

  1. Pingback: Unable to ADD a Second AD FS Server to the AD FS Farm – Certificate Error -

    1. Kelsey Epps (Post author)

      And you can, it’s just that the GUI will not allow it. You have to use command line to add if the Federation Farm Name is a SAN and not the SN.
