AD FS (3.0) for Windows Server 2012 R2 - Configuration fails with 'Logon Failure'
Issue
After successfully passing the pre-requisite check when running the AD FS configuration wizard, the installer fails during the Installation phase with the following error:
Logon Failure: the user has not been granted the requested logon type at this computer
Event log errors
AD FS installations using Windows Internal Database:
Log Name: Application
Source: MSSQL$MICROSOFT##WID
Event ID: 18456
Login failed for user 'WIDTEST\svc-adfsgmsa$'. Reason: Could not find a login matching the name provided. [CLIENT: <named pipe>]

AD FS installations using SQL Server:
Log Name: Application
Source: MSSQLSERVER
Event ID: 18456
Login failed for user 'WIDTEST\svc-adfsgmsa$'. Reason: Could not find a login matching the name provided. [CLIENT: 10.6.0.6]
Cause
One might see the associated events and attempt to track down issues with WID or SQL access for the service account (I did). The error thrown by the installer is the better lead: it indicates that one of the accounts used for the installation lacks the required logon right. The pre-requisite check generally does a good job of ensuring the installation will go smoothly, but it does not check that the Domain Admin account specified during the install holds the 'Log on as a service' right.
Resolution
Verify that the Domain Admin account specified during the installation is able to log on as a service on the AD FS server. Do this by launching secpol.msc and checking Local Policies --> User Rights Assignment --> Deny log on as a service.
Note: The Domain Admin account needs the 'Log on as a service' right, but does not need 'Log on as a batch job' or 'Log on locally'.
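The same check can be scripted so it covers both the Allow and the Deny side of the right and expands group membership, which is how a Deny entry usually reaches an account. The following PowerShell is an added example, not from the original article; it assumes it is run elevated on the domain-joined AD FS server and that $Account (placeholder value below) is the Domain Admin account given to the wizard.

```powershell
# Added example: checks the effective 'Log on as a service' right for one account.
# Assumes: elevated PowerShell on the domain-joined AD FS server; $Account is a placeholder.
param([string]$Account = 'WIDTEST\adfs-setup')   # placeholder, replace with the real account

Add-Type -AssemblyName System.DirectoryServices

# 1. Export the effective User Rights Assignment (what secpol.msc displays).
$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$policy = Get-Content -Path $inf
Remove-Item -Path $inf -Force

# Each right is one line, e.g. "SeServiceLogonRight = *S-1-5-80-0,*S-1-5-21-...-1105".
# Entries prefixed with '*' are SIDs; anything else is a name that must be resolved.
function Get-RightSids([string]$Right) {
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        if ($entry.StartsWith('*')) { $entry.Substring(1) }
        else { (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value }
    }
}

# 2. Collect the account's own SID plus every group SID in its token.
#    tokenGroups is a constructed attribute and already includes nested groups.
$sam = $Account.Split('\')[-1]
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(sAMAccountName=$sam)")
$result = $searcher.FindOne()
if (-not $result) { throw "Account '$Account' not found in the domain" }
$de = $result.GetDirectoryEntry()
$de.RefreshCache(@('tokenGroups'))
$accountSids = @((New-Object System.Security.Principal.NTAccount($Account)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value)
$accountSids += $de.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value }

# 3. An explicit Deny always wins over an Allow, so both rights must be checked.
$allow = Get-RightSids 'SeServiceLogonRight'
$deny  = Get-RightSids 'SeDenyServiceLogonRight'
$allowHit = $accountSids | Where-Object { $allow -contains $_ }
$denyHit  = $accountSids | Where-Object { $deny  -contains $_ }

if ($denyHit) {
    Write-Host "FAIL: $Account is denied 'Log on as a service' via SID(s): $($denyHit -join ', ')"
} elseif (-not $allowHit) {
    Write-Host "FAIL: $Account has no 'Log on as a service' grant, directly or via a group"
} else {
    Write-Host "OK: $Account can log on as a service via SID(s): $($allowHit -join ', ')"
}
```

Running it a second time with the gMSA service account name from the event log lets you confirm that account's right as well before re-running the wizard.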