Troubleshooting

General AD FS service issues

  1. Open a PowerShell window and execute the following commands:

    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
    Install-Module -Name ADFSToolbox -Force
    Import-Module ADFSToolbox -Force
    Export-AdfsDiagnosticsFile -ServerNames @("adfs.domain.com")

  2. Navigate to https://adfshelp.microsoft.com/diagnosticsanalyzer/Analyze.

  3. Upload the JSON file produced by the Export-AdfsDiagnosticsFile command and analyze the results.

Issues with AD FS service startup

  • If you are using preload to start AD FS, the NFAST_NFKM_TOKENSFILE system environment variable must have been previously configured or AD FS will not start/work properly.

  • If you receive the following error when performing any HSM operation (including AD FS service start), then the file referenced by NFAST_NFKM_TOKENSFILE (c:\nfast_nfkm_tokensfile) has gone stale because a previous preload session did not clean up properly:

    HH:MM:SS WARNING: NFastApp_Connect failed: ClientUnknown
    error setting application: ClientUnknown

    Make sure any services that were using preload have been stopped, delete the file referenced in NFAST_NFKM_TOKENSFILE and try running the HSM command again.

    To avoid seeing this error, make sure you run preload exit after stopping the service using the preloaded HSM keys.
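As an added pre-flight check (example script written for this section, not part of the Entrust or Microsoft guidance), the following PowerShell reads NFAST_NFKM_TOKENSFILE at Machine scope, checks whether the referenced tokens file exists, and only treats it as stale when neither a preload process nor a running adfssrv service could still own it. The service name adfssrv and the variable name come from this page; everything else (the -RemoveIfStale switch, the heuristic of using the preload process name as the sign of a live session) is an assumption of the example.

```powershell
# Added example, not from the guide: detect (and optionally remove) a stale preload tokens file.
# Assumes NFAST_NFKM_TOKENSFILE is set at Machine scope and the AD FS service is named adfssrv,
# as described above. Run from an elevated PowerShell on the AD FS server.
param([switch] $RemoveIfStale)   # the file is only deleted when explicitly requested

$tokensFile = [Environment]::GetEnvironmentVariable('NFAST_NFKM_TOKENSFILE', 'Machine')
if ([string]::IsNullOrWhiteSpace($tokensFile)) {
    Write-Warning "NFAST_NFKM_TOKENSFILE is not set at Machine scope; AD FS started via preload will not find its tokens."
    return
}
Write-Host "NFAST_NFKM_TOKENSFILE = $tokensFile"

# Who could legitimately own the tokens file right now?
$adfs      = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
$adfsState = if ($adfs) { $adfs.Status } else { 'NotInstalled' }
$preloads  = @(Get-Process -Name preload -ErrorAction SilentlyContinue)   # assumption: live sessions show up as preload.exe

if (-not (Test-Path -LiteralPath $tokensFile)) {
    Write-Host "Tokens file absent: nothing is stale. Run preload before starting AD FS."
    return
}

if ($adfsState -eq 'Running' -or $preloads.Count -gt 0) {
    Write-Host "Tokens file is in use (adfssrv=$adfsState, preload processes=$($preloads.Count)); leave it alone."
    return
}

# File exists but nothing that uses preloaded keys is alive: this is the state that produces
# "NFastApp_Connect failed: ClientUnknown" on the next HSM operation.
Write-Warning "Tokens file exists but no preload session or running AD FS service owns it: likely stale."
if ($RemoveIfStale) {
    Remove-Item -LiteralPath $tokensFile -Force
    Write-Host "Removed stale tokens file; re-run preload to recreate it before starting AD FS."
} else {
    Write-Host "Re-run with -RemoveIfStale to delete it once you have confirmed no HSM-using service is still running."
}
```

Keep the deletion behind the switch: removing the tokens file while a service still holds preloaded keys breaks that service in exactly the way the error above describes.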

Permissions for the AD FS TLS key

  1. Stop the AD FS service.

  2. Run the preload command from the previous section for your particular HSM configuration but use preload with pause instead of net start adfssrv.

  3. Navigate to Start > Run, enter certlm.msc, then select OK.

  4. Expand Certificates - Local Computer > Personal > Certificates.

  5. Right-click the AD FS TLS certificate whose private key was generated on the HSM and navigate to All Tasks > Manage Private Keys.

  6. In the Permissions for screen, select Add.

  7. Select Object Types and then check the boxes for Service Accounts and Computers from the listed objects.

  8. Select OK.

  9. For Enter the object names to select, type the full or partial names (separated by semicolons) of the Group Managed Service Account you created on your domain controller and of the AD FS server computer account(s).

  10. Select Check Names to auto-complete (you may need to select Advanced to narrow down your search in large domains).

  11. Select OK.

  12. Back in the Permissions for window, for each added account/computer ensure that Full control and Read are both checked in the Allow column.

  13. Select OK to close the Permissions for window.

  14. Close the Certificates - Local Computer window.

  15. Cancel the preload window with [CTRL]+[C].

  16. Delete the c:\nfast_nfkm_tokensfile.

  17. Resume whatever you were doing before.
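To confirm the result of the procedure above without reopening certlm, the following added example (written for this section, not part of the guide or of the nShield software) reads the private-key security descriptor of the AD FS TLS certificate through CNG and reports whether the gMSA and the server's computer account hold Full control. It assumes the key is held by a KSP that exposes the NCRYPT "Security Descr" property (the same property the Manage Private Keys dialog edits), that preload is paused as in step 2 so the KSP can answer, and that the thumbprint and gMSA name you pass in replace the placeholders.

```powershell
# Added example, not from the guide: list the private-key ACL of a certificate in the
# Local Computer\Personal store and check for Full control. Assumptions: CNG/KSP key with the
# "Security Descr" property available; $Thumbprint and $GmsaName are placeholders you supply.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                               # from Get-ChildItem Cert:\LocalMachine\My
    [string] $GmsaName        = 'DOMAIN\adfs-gmsa$',                            # placeholder gMSA name (hypothetical)
    [string] $ComputerAccount = 'DOMAIN\' + $env:COMPUTERNAME + '$'             # this AD FS server's computer account
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key bound to it." }

# AD FS TLS certificates are RSA; GetRSAPrivateKey returns RSACng for KSP-held keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -isnot [System.Security.Cryptography.RSACng]) {
    throw "Key is not a CNG/KSP key; check its permissions via Manage Private Keys instead."
}

# NCRYPT_SECURITY_DESCR_PROPERTY, requested with DACL_SECURITY_INFORMATION (4), which is not a
# named CngPropertyOptions member, hence the cast.
$sdBytes = $rsa.Key.GetProperty('Security Descr', [System.Security.Cryptography.CngPropertyOptions]4).GetValue()
$sd      = [System.Security.AccessControl.RawSecurityDescriptor]::new($sdBytes, 0)

$GenericAll  = 0x10000000   # GENERIC_ALL: what the dialog writes for Full control on some providers
$FullControl = 0x001F01FF   # the specific-rights mask that also means Full control

$rules = foreach ($ace in $sd.DiscretionaryAcl) {
    $account = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }   # unresolvable SID: show it raw
    $mask = [int]$ace.AccessMask
    [pscustomobject]@{
        Account     = $account
        Type        = $ace.AceType
        Mask        = ('0x{0:X8}' -f $mask)
        FullControl = (($mask -band $GenericAll) -ne 0) -or (($mask -band $FullControl) -eq $FullControl)
    }
}
$rules | Format-Table -AutoSize

foreach ($principal in @($GmsaName, $ComputerAccount)) {
    $ok = $rules | Where-Object { $_.Account -eq $principal -and $_.Type -eq 'AccessAllowed' -and $_.FullControl }
    if ($ok) { Write-Host "OK: $principal has Full control on the private key." }
    else     { Write-Warning "$principal lacks Full control on the private key; repeat steps 5 to 13 above." }
}
```

The check accepts either GENERIC_ALL or the explicit Full control mask because providers differ in how they persist what the dialog shows as Full control; if the KSP does not expose the property the GetProperty call throws, and the certlm dialog remains the authoritative view.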