AD FS 2.0 Troubleshooting: The Service Fails to Start with Error Events 352, 102, and 220
Symptoms
After a system reboot, the AD FS 2.0 Windows service fails to start.
The following events are logged in the AD FS 2.0/Admin event log.
Event ID 352
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 352
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
A SQL operation in the AD FS configuration database with connection string Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True failed.
Additional Data
Exception details:
Access to module IdentityServerPolicy.GetServiceSettings is blocked because the signature is not valid.
Event ID 102
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 102
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
There was an error in enabling endpoints of Federation Service. Fix configuration errors using PowerShell cmdlets and restart the Federation Service.
Additional Data
Exception details:
System.ServiceModel.FaultException`1[Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault]: ADMIN0012: OperationFault (Fault Detail is equal to Microsoft.IdentityServer.Protocols.PolicyStore.OperationFault).
Event ID 220
Log Name: AD FS 2.0/Admin
Source: AD FS 2.0
Date: %Date / Time%
Event ID: 220
Task Category: None
Level: Error
Keywords: AD FS
User: %AD FS Service Account%
Computer: %ComputerName%
Description:
The Federation Service configuration could not be loaded correctly from the AD FS configuration database.
Additional Data
Error:
ADMIN0012: OperationFault
Cause
The code-signing signature on the AD FS 2.0 service executable fails verification. AD FS 2.0 is a .NET application that is code-signed with Microsoft digital certificates. When the service starts, the code-signing certificate embedded in the service executable is validated to confirm that it was valid at the time of signing. This verification uses Authenticode; it is controlled through the Advanced tab of Internet Explorer's Internet Options and can also be managed in the registry.
In Internet Explorer, the Advanced tab of Internet Options contains checkboxes in the Security section that affect certificate validation, for example "Check for signatures on downloaded programs" and "Check for publisher's certificate revocation".
The registry location affected by these settings is:
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Type: REG_DWORD
Value Name: State
Default Value: 0x23c00
Notice that the registry location above is under the S-1-5-20 user hive. S-1-5-20 is the Network Service account. When the service starts, the Service Control Manager (SCM) uses the Network Service account to validate the code-signing certificate that was used to sign the executable, even if your AD FS 2.0 service identity is a domain service account. If the WinTrust "State" value for Network Service is configured incorrectly, the service can fail to start.
Resolution
This issue is most likely to occur in a closed network where the AD FS 2.0 server has no internet access, either directly or through a proxy server.
It is unlikely that the Network Service WinTrust "State" value was changed through Internet Explorer settings. The correct approach is to look for scripts, security templates, registry files, and Group Policies that could have made the registry change. You can audit the registry location or use a tool such as Process Monitor to watch for changes to the value.
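One way to carry out the auditing suggested above, as an added example that is not part of the article: place an audit entry (SACL) on the Network Service WinTrust key so that every write to it is recorded in the Security log as event 4657, then query those events for changes to the State value. The function names and the seven-day lookback are assumptions; the script assumes an elevated PowerShell session on the AD FS server.

```powershell
# Added example (not part of the KB article): audit writes to the Network Service (S-1-5-20)
# WinTrust key so that the script, template or policy that changes "State" shows up in the
# Security log as event 4657 ("A registry value was modified").
# Assumes an elevated PowerShell session on the AD FS server.

$KeyPath = 'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'

function Enable-WinTrustKeyAudit {
    param([string]$Path = $KeyPath)

    # SACL entries are only evaluated when the "Registry" object-access subcategory is audited.
    auditpol.exe /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null

    $acl = Get-Acl -Path $Path -Audit

    # Audit successful value writes, key writes and deletes by anyone.
    # Reads are deliberately not audited, to keep the Security log quiet.
    $rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
              [System.Security.AccessControl.RegistryRights]::WriteKey -bor
              [System.Security.AccessControl.RegistryRights]::Delete

    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]$rights,
        [System.Security.AccessControl.InheritanceFlags]::None,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-WinTrustStateChanges {
    # Event 4657 carries the object name, value name, old and new value, and the
    # process that made the change, so it points directly at the offending writer.
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4657; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Message -match 'Software Publishing' -and
            $_.Message -match 'Object Value Name:\s+State'
        } |
        Select-Object TimeCreated, Message
}

Enable-WinTrustKeyAudit
Get-WinTrustStateChanges
```

After enabling the audit entry, reboot or wait for the next policy refresh, then run Get-WinTrustStateChanges again: the Process Name field in the event message identifies whether a Group Policy client, a script host, or another process rewrote the value.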
Validate the existence and value of the following registry key:
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Type: REG_DWORD
Value Name: State
Default Value: 0x23c00
This value can be configured for different settings depending on your validation needs. To determine the correct "State" value for your environment, see the More Information section.
More Information
WTPF_TRUSTTEST (0x00000020) - Trust any test certificate.
WTPF_TESTCANBEVALID (0x00000080) - Check any test certificate for validity.
WTPF_IGNOREEXPIRATION (0x00000100) - Use expiration date.
WTPF_IGNOREREVOKATION (0x00000200) - Do revocation check.
WTPF_OFFLINEOK_IND (0x00000400) - If the source is offline, trust any individual certificates.
WTPF_OFFLINEOK_COM (0x00000800) - If the source is offline, trust any commercial certificates.
WTPF_OFFLINEOKNBU_IND (0x00001000) - If the source is offline, trust any individual certificates. Do not use the user interface (UI).
WTPF_OFFLINEOKNBU_COM (0x00002000) - If the source is offline, trust any commercial certificates. Do not use the checking UI.
WTPF_VERIFY_V1_OFF (0x00010000) - Turn off verification of version 1.0 certificates.
WTPF_IGNOREREVOCATIONONTS (0x00020000) - Ignore time stamp revocation checks.
WTPF_ALLOWONLYPERTRUST (0x00040000) - Allow only items in personal trust database.
When the 0x00040000 flag (WTPF_ALLOWONLYPERTRUST) is set, only items in the Trusted Publishers store are allowed.
If you use software restriction policies (SAFER) and have configured Trusted Publisher settings through Group Policy or Group Policy Preferences, those policies change these values.
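The following script, an added example rather than code from the article, covers both the Resolution step (validate that the State value exists and compare it with the default) and the flag table above: it reads the Network Service State value, decodes it into WTPF_* flag names, and reports which flags differ from 0x23c00. Note that 0x23c00 is exactly WTPF_OFFLINEOK_IND, WTPF_OFFLINEOK_COM, WTPF_OFFLINEOKNBU_IND, WTPF_OFFLINEOKNBU_COM and WTPF_IGNOREREVOCATIONONTS combined, which is why the default tolerates an unreachable revocation source on a closed network. The function names are assumptions; the script assumes an elevated session, since HKEY_USERS\S-1-5-20 is not readable by standard users.

```powershell
# Added example (not part of the KB article): read and decode the Network Service (S-1-5-20)
# WinTrust "State" value and compare it with the documented default of 0x23c00.
# Assumes an elevated PowerShell session on the AD FS server.

$KeyPath      = 'Registry::HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing'
$DefaultState = [uint32]0x23c00

# Flag names and values as listed for WintrustSetRegPolicyFlags.
$WtpfFlags = [ordered]@{
    WTPF_TRUSTTEST            = [uint32]0x00000020
    WTPF_TESTCANBEVALID       = [uint32]0x00000080
    WTPF_IGNOREEXPIRATION     = [uint32]0x00000100
    WTPF_IGNOREREVOKATION     = [uint32]0x00000200
    WTPF_OFFLINEOK_IND        = [uint32]0x00000400
    WTPF_OFFLINEOK_COM        = [uint32]0x00000800
    WTPF_OFFLINEOKNBU_IND     = [uint32]0x00001000
    WTPF_OFFLINEOKNBU_COM     = [uint32]0x00002000
    WTPF_VERIFY_V1_OFF        = [uint32]0x00010000
    WTPF_IGNOREREVOCATIONONTS = [uint32]0x00020000
    WTPF_ALLOWONLYPERTRUST    = [uint32]0x00040000
}

function ConvertFrom-WinTrustState {
    # Return the names of every WTPF_* flag set in a State value.
    param([Parameter(Mandatory)][uint32]$State)
    foreach ($entry in $WtpfFlags.GetEnumerator()) {
        if (($State -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Test-WinTrustState {
    # Read the State value and report how it differs from the expected default.
    param([string]$Path = $KeyPath, [uint32]$Expected = $DefaultState)

    $item = Get-ItemProperty -Path $Path -Name State -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "No 'State' value found under $Path (key or value missing)"
        return $null
    }

    # REG_DWORD is returned as a signed Int32; mask it before treating it as flags.
    $state = [uint32]([int64]$item.State -band 0xFFFFFFFF)
    $diff  = $state -bxor $Expected

    [pscustomobject]@{
        State                 = ('0x{0:X8}' -f $state)
        FlagsSet              = @(ConvertFrom-WinTrustState $state)
        MatchesDefault        = ($state -eq $Expected)
        MissingFromDefault    = @(ConvertFrom-WinTrustState ([uint32]($diff -band $Expected)))
        NotInDefault          = @(ConvertFrom-WinTrustState ([uint32]($diff -band $state)))
        OnlyTrustedPublishers = (($state -band $WtpfFlags.WTPF_ALLOWONLYPERTRUST) -ne 0)
    }
}

Test-WinTrustState | Format-List
```

OnlyTrustedPublishers being True means WTPF_ALLOWONLYPERTRUST is set, the condition described above under which only signatures from the Trusted Publishers store are accepted; the NotInDefault list shows exactly which added flags to trace back to a script, template or policy.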
Reference: the WintrustSetRegPolicyFlags function documentation, which defines the WTPF_* flags listed above.