ADFS refuses to start, error 1297

Here is the scenario: your ADFS farm is happy, up and running. Because of update management, sometimes your server has to restart, and when the server restarts all hosted services restart with it.

Then you may run into this error message (error 1297) when you start your ADFS service:

It is weird, especially since you haven't changed anything in a while... Let's check the permissions of the service account in the local security policy:

We can see two things:

  1. The AD\srv_adfs account as well as NT SERVICE\adfssrv have the privilege to Log on as a service (in red in the screenshot).
  2. There is a group policy that controls the privilege Generate security audits (in blue in the screenshot). As you might know, ADFS can generate audit events if you configure the service properties adequately, and the service requires this privilege.

You can see this requirement in the service's registry key (value RequiredPrivileges):

Let's use GPRESULT /H to see which policy is enforcing this:

It looks like a group policy called Corp - Security settings is taking the privilege away from our ADFS service. At this point you have several options: remove the setting from the GPO, exclude the ADFS server from the scope of the GPO, create another GPO for the ADFS servers that guarantees the service keeps the privilege... It's your call. In my case, the setting has been removed from the GPO. So let's check the privilege and add it back for our ADFS service. Once you are no longer under the authority of that setting, open GPEDIT.MSC and add the service's privilege back:

Notice that the From this location section should be the local server; add NT SERVICE\adfssrv as well as NT SERVICE\drs (this is the Device Registration Service; whether you are using it or not, just put it back). This is what the setting looks like at the end:

Now your ADFS service should start. If you have several servers, make sure they all have the right privilege so that load balancing keeps working.
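To make the same check repeatable on every node of the farm, here is an added PowerShell example (not code from the original post). It reads the RequiredPrivileges value from the adfssrv service key, exports the effective user rights assignment with secedit, and reports which of those rights are not granted to the service principals; with -Repair it writes the missing service SIDs back, keeping the existing holders. The service name adfssrv, the NT SERVICE\drs account and the Se* right names are real Windows identifiers; the file names under $env:TEMP, the parameter names and the default principal list are this example's own choices.

```powershell
<#
  Added example, not code from the original post. Checks that the rights the
  adfssrv service declares in RequiredPrivileges (plus Log on as a service)
  are held by the service principals in the effective local policy, and can
  write missing service SIDs back. Assumes it runs elevated on the ADFS server.
  The domain service account (AD\srv_adfs in the post) can be added with -Principals.
#>
param(
    [string]   $ServiceName = 'adfssrv',
    [string[]] $Principals  = @('NT SERVICE\adfssrv', 'NT SERVICE\drs'),
    [switch]   $Repair
)

# 1. Privileges the service says it needs (REG_MULTI_SZ under the service key).
#    RequiredPrivileges never lists logon rights, so SeServiceLogonRight
#    ("Log on as a service") is appended explicitly.
$svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$required = @((Get-ItemProperty -Path $svcKey -Name RequiredPrivileges).RequiredPrivileges) + 'SeServiceLogonRight'
"$ServiceName requires: $($required -join ', ')"

# 2. Export the effective user rights assignment. secedit writes one line per
#    right under [Privilege Rights], holders as SIDs prefixed with '*', e.g.
#    SeAuditPrivilege = *S-1-5-19,*S-1-5-20
$exportPath = Join-Path $env:TEMP 'rights-export.inf'
secedit.exe /export /cfg $exportPath /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content -Path $exportPath) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') } |
            Where-Object { $_ })
    }
}

# 3. Resolve the service principals to SIDs so they can be compared with the export.
$sids = foreach ($p in $Principals) {
    (New-Object System.Security.Principal.NTAccount($p)).Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# 4. A right counts as held if the service SID is listed directly, or if one of
#    these broad groups (present in every service token) is listed. Other group
#    memberships are not resolved here, so a warning is a prompt to look,
#    not proof of a problem.
$broad   = @('S-1-1-0', 'S-1-5-11', 'S-1-5-6')   # Everyone, Authenticated Users, SERVICE
$missing = @{}
foreach ($priv in $required) {
    $holders = @($rights[$priv])
    if ($holders | Where-Object { $broad -contains $_ }) { "$priv OK (via built-in group)"; continue }
    $absent = @($sids | Where-Object { $holders -notcontains $_ })
    if ($absent.Count -gt 0) {
        Write-Warning "$priv is not granted to: $($absent -join ', ')"
        $missing[$priv] = $absent
    } else {
        "$priv OK"
    }
}

# 5. Optional repair. secedit /configure replaces the whole holder list of a
#    right, so the existing holders are written back together with the missing
#    SIDs. This only sticks once the server is out of the GPO that strips the
#    right; otherwise the next policy refresh removes it again.
if ($Repair -and $missing.Count -gt 0) {
    $inf = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1', '[Privilege Rights]')
    foreach ($priv in $missing.Keys) {
        $all  = @(@($rights[$priv]) + $missing[$priv] | Where-Object { $_ } | Select-Object -Unique)
        $inf += "$priv = $(($all | ForEach-Object { '*' + $_ }) -join ',')"
    }
    $infPath = Join-Path $env:TEMP 'rights-repair.inf'
    $inf | Set-Content -Path $infPath -Encoding Unicode
    secedit.exe /configure /db (Join-Path $env:TEMP 'rights-repair.sdb') /cfg $infPath /areas USER_RIGHTS
}
```

Save it as a .ps1 and run it from an elevated prompt on each ADFS node; the warning lines are the rights that error 1297 will trip over at the next restart. Run it once without -Repair first, and fix the GPO scope before running it with -Repair, since a local change is overwritten at the next policy refresh while the server is still in scope.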

My root cause story...

In this case it was a surprise that the service "suddenly" stopped working. What actually happened was:

  1. The service is happy... It got the right privilege when you configured the role (a long time ago).
  2. The security team changes the GPO to harden the servers under a specific OU (the ADFS server was in that OU).
  3. The new GPO applies to the server, but because the service is already running, it is not impacted.
  4. The server finally restarts, and this time, when the service starts, the privilege is missing, so the start is aborted.

Hope this helped...

Comments

  • Anonymous
    September 04, 2015
    thanks
  • Anonymous
    February 03, 2016
    Saved my bacon, thanks dude!
  • Anonymous
    April 22, 2016
    Thanks, this helped me a lot!
  • Anonymous
    August 24, 2016
    Thanks!
  • Anonymous
    April 04, 2017
    GREAT job. this was very well written and helped out a lot. 2 thumbs up. BTW loved how you laid out the logic, similarly there were no apparent changes on my side but ... S#$%& happens.
  • Anonymous
    June 07, 2017
    Thx, timesaver :)
  • Anonymous
    August 24, 2017
    Awesome, absolutely awesome that you documented and indexed this so it was easy to find. Saved my bacon, eggs, toast, juice, and most important, coffee. Kudos, mad props, and BRAVO ZULU!
  • Anonymous
    October 11, 2017
    Thanks Pierre! It helped me yesterday. Running Windows Server 2016 VM at Azure with ADFS installed on a domain controller. I had some issues to replicate my FRS SYSVOL share and caused GPO issues where this right was not included. I am glad I found this as I was looking into another direction.
  • Anonymous
    November 10, 2017
    Thank You Pierre! My root cause was nearly identical as yours. I was able to restore my ADFS service in <30 minutes thanks to your thorough instructions.
  • Anonymous
    November 15, 2017
    Thanks a lot! Helped me to solve this issue quick!
  • Anonymous
    December 11, 2017
    Thank you
  • Anonymous
    February 07, 2018
    Great find
  • Anonymous
    October 29, 2018
    Awesome post!
  • Anonymous
    May 06, 2019
    Thank you from 2019! Saved a couple of hours reinstalling ADFS for me and customers. To refresh group policies after change run gpupdate /force